Chapter 4 Approach
4.5 Resilience to DoS Attacks on Proxy Network
DoS attacks are another important class of attacks on proxy networks. As shown in Figure 4-10, attackers can use infrastructure-level DoS attacks to saturate the edge proxies by flooding the infrastructure around edge proxies with network traffic, thereby causing Denial-of-Service for users.
Figure 4-10 Denial of Service attacks
In order to study the use of proxy networks for DoS defense, we need to understand how well a proxy network can keep applications accessible and maintain good performance for users under DoS attacks. In particular, we use the user-experienced application performance delivered by a proxy network under DoS attacks as the metric for evaluating a proxy network’s resilience to DoS attacks. A proxy network can resist a DoS attack effectively if the majority of the users (e.g. >90%) do not experience significant performance degradation during the attack. Using this metric, we study whether a proxy network can resist DoS attacks effectively for a variety of attack scenarios and proxy network configurations.
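The metric above can be evaluated from per-user measurements as in the following added example, which is not code from the thesis. The 2x slowdown limit for "significant" degradation, the treatment of failed requests, and the sample data are assumptions; 90% is the page's own example value.

```python
from statistics import median

# Assumed parameters: the page gives ">90%" only as an example and does not
# define "significant" degradation; the slowdown limit is hypothetical.
USER_FRACTION = 0.90   # share of users that must remain unaffected
SLOWDOWN_LIMIT = 2.0   # assumed: median response time more than 2x baseline


def user_degraded(baseline, attack, limit=SLOWDOWN_LIMIT):
    """baseline/attack: response times in seconds; None marks a failed request."""
    ok_base = [t for t in baseline if t is not None]
    ok_attack = [t for t in attack if t is not None]
    if not ok_base:
        raise ValueError("user has no successful baseline request")
    # A user whose requests mostly fail under attack counts as degraded outright.
    if not ok_attack or len(ok_attack) * 2 < len(attack):
        return True
    return median(ok_attack) > limit * median(ok_base)


def resilience(samples, fraction=USER_FRACTION, limit=SLOWDOWN_LIMIT):
    """samples: {user: (baseline_times, attack_times)} -> (unaffected share, verdict)."""
    if not samples:
        raise ValueError("no users measured")
    unaffected = sum(
        not user_degraded(base, atk, limit) for base, atk in samples.values()
    )
    share = unaffected / len(samples)
    return share, share > fraction


def constructed_samples():
    """Constructed data: 20 users, one slowed about 5x, one mostly timing out."""
    base = [0.20, 0.22, 0.21]
    samples = {f"u{i}": (base, [0.23, 0.25, 0.24]) for i in range(18)}
    samples["u18"] = (base, [1.00, 1.10, 1.05])
    samples["u19"] = (base, [None, None, 0.30])
    return samples


if __name__ == "__main__":
    print(resilience(constructed_samples()))
```

With exactly 18 of 20 users unaffected the verdict is negative, because the criterion is strictly more than 90% of users.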
There are two major challenges in performing this study. First, for realistic studies we need to capture detailed network dynamics and the behavior of applications and attacks, since they greatly affect application and proxy network performance under DoS attacks. Second, we need to study the problem in a large-scale network environment, because scale is a key aspect of the DoS problem for Internet applications.
Theoretical analysis and small-scale simulation cannot meet these challenges because they cannot capture detailed network behavior in large networks, such as router queues, packet drops, and dynamic behavior of network and application protocols. All these factors are critical to application performance and DoS behavior. On the other hand, experiments on large testbeds such as PlanetLab [109] cannot meet the challenges either because such testbeds are shared infrastructure; DoS experiments may disrupt other testbed users by flooding the infrastructure. Thus, the scale, intensity, and range of attack scenarios that can be studied using an open testbed are very limited.
To address these challenges, we take an experimental approach based on online simulation. The key element is the use of a large-scale packet-level online network simulation tool, MicroGrid [37, 41], that supports direct execution of real applications and can correctly model detailed network dynamics and the real temporal and feedback behavior of network protocols. Furthermore, MicroGrid also supports simulation of large networks (size comparable to tier-1 ISP networks [37]). These capabilities of MicroGrid meet the challenges stated above. In our empirical study, we use the following components to construct our experiments.
• a large-scale, high-fidelity packet-level online network simulator – MicroGrid – to simulate a large-scale realistic network environment, which has up to 10,000 routers and 40 ASes, comparable to the size of a Tier-1 ISP network,
• a real proxy network implementation and real applications deployed in the simulation environment, and
• a zombie network and a real distributed DDoS toolkit to create attack scenarios. Attack traffic intensities up to 6.4 Gbps and a wide range of different attack scenarios are explored.
Using these experiments, we take two steps to study how well proxy networks can resist DoS attacks. First, we demonstrate that in a large resource pool (hosts and network), a proxy network maintains good performance for most users during DoS attacks. These results are then confirmed over a range of varied attack magnitude and distribution. Second, to show that proxy networks cannot be overwhelmed by simply increasing the volume of a DoS attack, we show that the magnitude of DoS attacks that a proxy network can resist may be increased by using a larger proxy network. These results together show that proxy networks can be both effective and scalable DoS-resilient mediators.
Our simulation-based approach has several advantages. First, the direct execution of real applications enables use of a real implementation of the proxy network, real applications, and real attacks in our study to correctly capture all their complex dynamics and performance behavior. Second, correct modeling of the detailed network and protocol dynamics enables correct characterization of application and proxy network performance under DoS attacks. Third, simulation of large-scale networks enables study of the DoS problem in a large-scale network environment. Fourth, the use of a simulator enables study of a wide range of attack scenarios of various scales and intensities. These advantages are the key to enabling a large-scale realistic study.
4.6 SUMMARY
In summary, to study the use of proxy networks for DoS defense, we explore the capability of proxy networks against three important attacks: penetration attacks, proxy depletion attacks, and DoS attacks. To study penetration attacks and proxy depletion attacks, we develop a generic framework to capture a wide range of proxy network-based DoS defense and build stochastic models for attack and defense processes to characterize system dynamics. Using the stochastic models, we combine analysis with Monte Carlo simulation to study when stable defense against penetration attacks is feasible. We then use graph-theoretical analysis based on the stochastic models to study when a proxy network can resist proxy depletion attacks effectively. On the other hand, we study DoS attacks empirically based on online simulation. In particular, we use a large-scale online packet-level network simulator to simulate a large network environment and deploy a real software implementation for the proxy network, applications, and DoS attackers. By using full applications and network protocol stacks in a realistic detailed packet-level simulation environment, we can model the full complexity of the network behavior needed to reproduce DoS dynamics accurately. With this leverage, we study the resilience to DoS attacks for a range of proxy network structures and attack scenarios.
The analysis and experiments are presented in the next three chapters. Chapter 5 studies whether proxy networks can resist penetration attacks effectively, and characterizes the key requirements for effective defense against penetration attacks. Chapter 6 studies proxy networks’ ability to resist proxy depletion attacks and shows how to design proxy networks for effective resistance to proxy depletion attacks. Chapter 7 studies proxy networks’ resilience to DoS attacks by empirical exploration of application performance under DoS attacks for a range of attack parameters and proxy network configurations.
Chapter 5 RESISTING PENETRATION ATTACKS
Penetration attacks are a key threat for the proxy network-based DoS defense. By compromising a chain of proxies towards the application, such attacks penetrate a proxy network and defeat the proxy network-based scheme by exposing the application to direct DoS attacks. In this chapter, we study proxy networks’ ability to resist penetration attacks and characterize the requirements for successful resistance.
5.1 INTRODUCTION
We study proxy networks’ ability to resist penetration attacks. In particular, we study the following questions. How long can a proxy network resist a penetration attack and hide an application’s location? How do the defense properties affect a proxy network’s resistance to penetration attacks, and what factors make resistance feasible?
To study these problems, we develop a stochastic model for the generic framework (defined in Chapter 4) to characterize the dynamics of system components. In particular, our stochastic model describes quantitatively how attacks, defenses, and correlated host vulnerabilities affect changes in the state of system components. With the stochastic model, we combine analysis and Monte Carlo simulation to analyze the behavior of proxy network systems under penetration attacks, characterizing when their resistance to penetration attacks is feasible.
We consider correlated vulnerabilities among hosts, which can greatly affect the behavior of penetration attacks. This is because the low-level mechanisms for penetration attacks – host compromises – depend on the exploitation of host vulnerabilities, and correlated vulnerabilities among hosts affect the speed of host compromises, thereby affecting the progress of penetration attacks. Since correlated host vulnerabilities complicate the analysis, our approach has two steps.
First, we study a system with uncorrelated host vulnerabilities and analytically characterize the system behavior. In particular, we characterize quantitatively the expected time for attackers to expose an application’s location as a function of system parameters. We prove two theorems which characterize dynamic system behavior, and show that, with appropriate defense, proxy networks can resist penetration attacks effectively. We use these theorems to study the questions described above.
Second, we use a Monte Carlo simulation to study a system with correlated host vulnerabilities. In particular, we study how correlation in host vulnerabilities affects a proxy network’s ability to resist penetration attacks. We show that correlated vulnerabilities can jeopardize a proxy network’s ability to resist attacks. We also demonstrate that, by exploiting limited host diversity and intelligent proxy network construction, we can compensate for the negative impact of correlated host vulnerabilities and build a proxy network which can resist penetration attacks successfully.
Combining both the correlated and uncorrelated host vulnerability cases, we prove that, in general, proxy networks can be designed to resist penetration attacks effectively. The remainder of the chapter is structured as follows. Section 5.2 describes our stochastic model. Section 5.4 and Section 5.5 present the results of our analysis and Monte Carlo simulation respectively. We conclude in Section 5.6 with a brief summary.