
Chapter 3 Thesis Statement

3.2 Problem Definition

Figure 3-2 Proxy Network as Mediator (diagram labels: User, Edge proxies, Application Server)

Proxy networks are an attractive approach to building mediators for DoS resistance (see Figure 3-2). In the proxy network scheme, a proxy network runs on a large resource pool of Internet hosts. Applications are hidden behind the proxy network and all traffic to and from the application goes through the proxy network. A select set of nodes known as edge proxies publish their IP addresses, providing public access to users of the applications. To ensure that the proxy network is the only public interface for the application, the application either has a secret IP address or resides behind a distributed set of filters which blocks all packets except for those coming from the application proxies.

Proxy networks are an attractive approach to building mediators for DoS defense [25-29, 35], for the following reasons. First, the application is protected by a series of proxy indirections, all of which must be compromised by attackers to expose the application to direct attacks. Since the number of indirections can be adjusted by reconfiguring the proxy network, proxy networks provide a flexible structure for resisting an attacker's penetration and, therefore, protecting the application from direct attacks. Second, the edge proxies can be widely dispersed, making it difficult for attackers to saturate them and, thereby, interrupt application service. This allows proxy networks to tolerate DoS attacks by dispersing attack traffic. By mediating application access to prevent direct attacks and by providing a DoS-resilient front-end for the application to dilute the impact of DoS attacks, a proxy network can protect the application from infrastructure-level DoS attacks.

However, to understand whether or not proxy networks can be a viable DoS defense, we need to understand their resistance to possible attacks. We assume that attackers cannot attack a proxy unless they know its IP address, and that attackers cannot concurrently attack all of the resource pool. In this case, the three important classes of technical attacks on proxy networks are penetration attacks, proxy depletion attacks, and infrastructure-level DoS attacks. Penetration attacks attempt to compromise proxies along a path in a proxy network towards the application, in order to penetrate the proxy network and expose the application to direct attacks. Proxy depletion attacks compromise proxies along the proxy network topology in order to control all the proxies, and thus disable the proxy network. Infrastructure-level DoS attacks flood the infrastructure around edge proxies with network traffic to saturate them, and thereby prevent the proxy network from mediating the communication between users and the application. Studying proxy networks’ resistance to these attacks provides a deeper understanding of the viability of the proxy network-based DoS resistance scheme. In this dissertation, we explore the following research questions.

• Can a proxy network resist penetration attacks?

Penetration attacks are a key threat to the proxy network scheme because, if successful, they can expose the application to direct DoS attacks. Therefore, a basic question for proxy network-based DoS defense is whether proxy networks are capable of resisting penetration attacks. Specifically, we ask the basic feasibility questions: How much time is required to penetrate a proxy network? Can the proxy indirections alone resist penetration attacks, or are some other defensive mechanisms required, and if so what are they?

• Can a proxy network resist proxy depletion attacks?

Proxy depletion attacks are another threat to the proxy network scheme because, if successful, they place all proxies in the proxy network under the attackers’ control, and thus make the proxy network dysfunctional. A proxy network must be able to resist such attacks, in order to provide a stable defense for the applications. Specifically, we ask the following question: can a proxy network recover all the compromised proxies regardless of how many proxies are compromised at the beginning?

• Can proxy networks resist infrastructure-level DoS attacks and shield applications?

To protect applications from infrastructure-level DoS attacks, proxy networks themselves must be capable of resisting such attacks, so that attackers cannot deny application service by attacking the proxy network. Specifically, we ask critical questions about the effectiveness and scalability of proxy networks’ resilience to DoS attacks. How well can proxy networks tolerate infrastructure-level DoS attacks and keep applications accessible to their users? Can a proxy network’s resistance to DoS attacks be increased by increasing the size of the proxy network? Can this resistance be used to resist stronger DoS attacks?

3.3 Thesis Statement

My thesis is stated as follows:

By hiding applications from penetration attacks and providing a stable and DoS-resilient front-end, proxy networks can effectively protect an application from a range of infrastructure-level DoS attacks. Specifically, a proxy network can be used as an application mediator that forms a barrier against penetration attacks, and thereby protects an application from direct attacks. Moreover, a proxy network can effectively resist proxy depletion attacks by removing the impact of attack, thereby providing a stable defense. Furthermore, a proxy network can effectively resist infrastructure-level DoS attacks by dispersing the attack traffic among a distributed front-end and diffusing the impact of DoS attacks, thereby enabling continued application service.

The thesis addresses the fundamental properties of the proxy network scheme in protecting Internet service applications from DoS attacks. The thesis addresses three important classes of attacks: penetration attacks, proxy depletion attacks, and infrastructure-level DoS attacks. Resisting these attacks allows a proxy network to effectively protect applications from DoS attacks.

A) Resistance to Penetration Attacks

To prove that proxy networks can resist penetration attacks, we build a generic framework and a stochastic model to describe the proxy network system and characterize system dynamics, modeling the progress of attacks and defenses as stochastic processes. Based on our stochastic model, we use analysis and Monte Carlo simulations to show that proactive mechanisms, such as proxy migration, enable a proxy network to defend against penetration attacks effectively. With such a defense, an attacker’s penetration requires a significant amount of time, which grows exponentially with the proxy network depth. For example, in realistic settings, penetrating a proxy network of depth five can take hundreds of years on average, and a proxy network of depth six would take thousands of years on average. Practically, this means that a proxy network of a modest size can be made effectively impenetrable.
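Why proactive migration turns penetration time from linear into exponential in depth can be seen in a deliberately simplified model, added here as an illustration; it is not the dissertation's stochastic model. The per-step probabilities `p` (the attacker compromises the next proxy layer) and `q` (a compromised proxy migrates and the attacker loses one layer) are assumed parameters, and time is counted in abstract steps.

```python
import random

def expected_steps(depth, p, q):
    """Closed-form mean number of steps for the attacker to reach `depth`.

    h is the mean time to advance from layer k to k+1; solving the
    one-step recurrence gives h_k = 1/p + (q/p) * h_{k-1}, with h_0 = 1/p.
    """
    total, h = 0.0, 0.0
    for _ in range(depth):
        h = 1.0 / p + (q / p) * h
        total += h
    return total

def simulate_once(depth, p, q, rng):
    """One Monte Carlo run: count steps until all `depth` layers are held."""
    layers = steps = 0
    while layers < depth:
        steps += 1
        u = rng.random()
        if u < p:                        # attacker compromises the next proxy
            layers += 1
        elif layers > 0 and u < p + q:   # migration evicts the deepest foothold
            layers -= 1
    return steps

def mean_simulated(depth, p, q, runs=2000, seed=1):
    """Average penetration time over `runs` independent simulated attacks."""
    rng = random.Random(seed)
    return sum(simulate_once(depth, p, q, rng) for _ in range(runs)) / runs

if __name__ == "__main__":
    P, Q = 0.125, 0.375   # assumed values; migration outpaces compromise
    print("depth  no-migration  with-migration  simulated")
    for d in range(1, 7):
        print(d, expected_steps(d, P, 0.0), expected_steps(d, P, Q),
              round(mean_simulated(d, P, Q, runs=500), 1))
```

Without migration (`q = 0`) the mean time is `depth / p`, linear in depth; once `q > p`, each added layer multiplies the mean time by roughly `q / p`.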

B) Resistance to Proxy Depletion Attacks

To prove that proxy networks can resist proxy depletion attacks, we use a generic framework and a stochastic model to describe the proxy network system and characterize system dynamics, modeling the progress of proxy depletion attacks and defenses as stochastic processes. Based on this model, we characterize analytically the circumstances under which a proxy network can resist proxy depletion attacks effectively. Specifically, the analysis shows that an appropriate topology can enable a proxy network to remove compromised proxies completely regardless of how many proxies are compromised initially. We then apply these results to a range of popular proxy network topologies to identify favorable ones which enable effective defense against proxy depletion attacks.

C) Resilience to Infrastructure-level DoS attacks on Proxy Networks

We take two steps to study the DoS-resilience of proxy networks. First, by simulation, we demonstrate that in a large resource pool (hosts and network), a proxy network can continue to deliver application service during DoS attacks. These results are then confirmed over a range of attack magnitudes and distributions. Second, to show that proxy networks cannot simply be overwhelmed, we show that the magnitude of DoS attacks that a proxy network can resist may be increased by using a larger proxy network. In fact, the magnitude of DoS attacks that can be resisted grows linearly with the proxy network size. These two results together show that proxy networks can be both effective and scalable DoS-resilient mediators.

Our experiments are performed using a large-scale online simulator, MicroGrid [37, 41], which enables packet-level accurate simulation of large-scale network environments with up to 10,000 routers and 40 ASes. These network sizes are comparable to a large ISP network. Furthermore, MicroGrid supports direct execution of unmodified application binaries, allowing us to use real applications and a real proxy network implementation in the simulation. In our study, we use a DDoS zombie network of 100 nodes with a real DoS attack toolkit, and use the zombies to generate attack traffic. Total attack traffic intensities of up to 6.4 Gbps and a wide range of DoS attack scenarios are explored. This experimental configuration is large enough to capture key properties of the Internet environment, such as router queues, as well as networking and routing protocol dynamics, which are critical to the application behavior and performance under various DoS attack scenarios. These tools enable a realistic study of the proxy network-based scheme.

In summary, to prove the thesis, our study explores proxy network resistance against three important attacks: penetration, proxy depletion, and infrastructure-level DoS attacks. We first prove that proxy networks can resist penetration attacks effectively, and then show how a proxy network can be designed to resist proxy depletion attacks effectively. Next, to show that proxy networks can provide both effective and scalable resilience against DoS attacks, we use simulation to demonstrate that, in a large resource pool, a proxy network can continue to deliver application service during DoS attacks. These simulations also show that the magnitude of DoS attacks that a proxy network can resist may be increased linearly by increasing proxy network size. These results together prove that proxy networks can resist penetration attacks, proxy depletion attacks, and DoS attacks effectively, thereby providing a viable DoS defense for Internet service applications. Furthermore, the study of these problems also develops a deeper understanding of the fundamental capabilities of proxy networks, and provides guidelines for proxy network design in support of DoS resistance.

Chapter 4 APPROACH