Embed Size (px)
Citation preview
Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds
Srikanth Kandula, Dina Katabi, Matthias Jacob, and Arthur Berger
Awarded Best Student Paper! (NSDI-2005)
Defense by Manan Sanghi
Flash Crowd
DDOS
Botz-4-Sale
request
Botz-4-Sale
Reverse Turing test
Botz-4-Sale
Solution
Botz-4-Sale
Welcome!
HTTP cookie• Allows at most 8 simultaneous connections• Valid for 30 minutes
Botz-4-Sale
request
Botz-4-Sale
Reverse Turing test
Botz-4-Sale
request
Botz-4-Sale
System is Busy, either solve puzzle or try later
Botz-4-Sale
request
Botz-4-Sale
Reverse Turing test
Botz-4-Sale
request
Botz-4-Sale
System is Busy, either solve puzzle or try later
Botz-4-Sale
RequestRequestRequest…
Botz-4-Sale
Kill-Bots Overview
Graphical Puzzles served during Stage 1
Example
Normal Load 40%
K1=70% K2=50%
Time out (5 minutes) unauthenticated users
Two stages in Suspected Attack Mode Stage 1: CAPTCHA based Authentication
No state maintenance before authentication HTTP cookie Cryptographic support
Stage 2: Authenticating users who do not answer CAPTCHA No more reverse Turing tests Bloom filters to filter out over-zealous zombies
Resource Allocation and Admission Control
Tradeoff Authenticate new clients Serve already authenticated clients
Adaptive Admission Control
Cute Queuing Theory type analysis
Security Analysis Socially-engineered Attacks
Copy Attacks Including IP address in one-way hash does not deal well with
proxies and mobile users
Replay Attacks Time information in the cookie hash
DoS attacks on the authentication mechanism No connection state for unauthenticated clients
In-kernel HTTP header processing HTTP headers not parsed Pattern match arguments to GET and Cookie fields Cost : less than 8 s
System Architecture
System Architecture
Evaluation – Experimental Setup
Evaluation
Evaluation - Microbenchmarks
Evaluation- CyberSlam attacks
Evaluation- CyberSlam attacks
Evaluation – Flash Crowds
Evaluation – Flash Crowds
On Admission Control
Authentication is not sufficient Good performance requires admission
control
Threat Model
Bandwidth floods, DNS entries, routing entries not considered
Attacker cannot sniff legitimate users’ packets
Attacker cannot access server’s local network Zombies are not as smart as humans Attacker does not have a large number of
humans aiding his evil plans
