Internet Cache Pollution Attacks and Countermeasures. Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen. Electrical Engineering and Computer Science Department, Northwestern University.


Internet Cache Pollution Attacks and Countermeasures

Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen

Electrical Engineering and Computer Science Department

Northwestern University

Outline

• Motivation
• Pollution Attacks
• Evaluation of Pollution Effects
• Counter-Pollution Techniques & Evaluation
• Conclusion

Motivation

• Caching has been widely applied in the Internet
  – Decreases the number of requests reaching the server
  – Reduces the amount of traffic in the network
  – Improves client-perceived latency
• Open proxy caches are used for various abuse-related activities
• Proxy caches themselves become victims
  – Little attention has been given to such attacks
  – Existing work on pollution attacks mostly concerns content pollution in P2P systems

Contributions

• Propose a class of pollution attacks targeted against Internet proxy caches
  – Locality-disruption (LD) attacks
  – False-locality (FL) attacks
• Analyze the resilience of current cache replacement algorithms to pollution attacks
• Propose two cache pollution detection mechanisms
  – Detect LD attacks, FL attacks, and their combination
  – Leverage data streaming computation techniques


Pollution Attack Scenarios (I)

[Figure: two scenarios. Left, attacking a web cache: clients in a campus network send requests through the campus cache to a content server on the Internet, and the downloaded traffic flows back through the cache. Right, attacking an ISP cache: the cache sits in the ISP network (ISP1, ISP2) on the path between the clients and the content server.]

Pollution Attack Scenarios (II)

[Figure: pollution attack against a local DNS server. The end user queries the local DNS server, which resolves names through the root DNS server (②), the TLD DNS server (③) and the authoritative DNS server (④); the pollution attack targets the local DNS server's cache.]

Pollution Attack: Locality Disruption

[Figure: cache contents before the attack (popular files) and after the attack (new unpopular files have replaced them)]

• Goal: degrade cache efficiency by ruining its file locality
• Activities: continuously generate requests for new unpopular files

Pollution Attack: False Locality

[Figure: cache contents before the attack (popular files) and after the attack (bogus popular files have replaced them)]

• Goal: degrade the hit ratio by creating false file locality
• Activities: repeatedly request the same set of unpopular files


Evaluation Methodology

• Discrete-event simulator
  – Multiple DoS behaviors
  – Multiple workload-characterizing behaviors
  – Effects of access and local network capacities
• Workloads
  – P2P [K. Gummadi et al., ACM SOSP 03]
  – Web [F. Smith et al., SIGMETRICS 01]
  – NAT effects

Cache Replacement Algorithms

• Least Recently Used (LRU) algorithm
  – Evict the least recently accessed document first
• Least Frequently Used (LFU) algorithm
  – Evict the least frequently accessed document first
• Greedy Dual-Size Frequency (GDSF) algorithm
  – Considers the access frequency of the documents
  – Favors caching smaller documents
  – Uses a dynamic aging policy

Baseline Experiments: Locality-disruption attacks

[Figure: total hit ratio under locality-disruption attacks; annotation "Stealthy! (4%)"]

A small percentage of malicious requests can significantly degrade the overall hit ratio.

$\text{Total hit ratio} = \frac{\#\text{hit requests}}{\#\text{total requests}}$

where the total includes both the attackers' requests and the regular users' requests.

Baseline Experiments: False-locality attacks

Total hit ratio is not a good indicator for attacks

$\text{Byte damage ratio} = \frac{BHR(n) - BHR(a)}{BHR(n)}$

BHR(n): byte hit ratio of regular clients without attacks

BHR(a): byte hit ratio of regular clients with attacks

Replacement Algorithms: Locality-disruption attacks

LRU and LFU are more resilient to attacks, but still cannot protect the cache from pollution
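As an added illustration (not the authors' simulator), the following Python replays the two attacks from the earlier slides against a toy LRU cache and a toy LFU cache and reports the regular clients' hit ratio, the total hit ratio, and the damage ratio defined above. Everything about the workload is constructed: five popular objects requested cyclically and warmed into the cache before the attack, an LD attacker that requests a fresh object every time, an FL attacker that cycles through a fixed set of five unpopular objects; capacity, request rates and object names are assumptions. Since all objects are the same size here, the byte damage ratio reduces to the hit-ratio damage that `damage_ratio` computes.

```python
"""Added example: replay LD and FL pollution attacks against LRU/LFU caches.
Not the authors' simulator; workload, capacity and rates are constructed."""
from collections import OrderedDict

POPULAR = [f"pop-{i}" for i in range(5)]   # constructed regular working set


class Cache:
    """Count-capacity cache. policy="lru" evicts the least recently used object;
    policy="lfu" evicts the least frequently used one (oldest among equals)
    and forgets the count of an evicted object."""

    def __init__(self, capacity, policy="lru"):
        self.capacity, self.policy = capacity, policy
        self.items = OrderedDict()          # obj -> hit count, oldest first

    def access(self, obj):
        """Return True on a hit; on a miss insert obj, evicting if full."""
        if obj in self.items:
            self.items[obj] += 1
            self.items.move_to_end(obj)
            return True
        if len(self.items) >= self.capacity:
            if self.policy == "lru":
                victim = next(iter(self.items))
            else:                           # min() keeps the first (oldest) of ties
                victim = min(self.items, key=self.items.__getitem__)
            del self.items[victim]
        self.items[obj] = 1
        return False


def run(policy, attack=None, capacity=8, rounds=20, per_request=2):
    """Warm the cache with regular traffic, then run `rounds` cycles over the
    popular set; if attack is "ld" or "fl", the attacker issues `per_request`
    requests after every regular request. Returns {"regular": [hits, reqs],
    "attacker": [hits, reqs]} for the attack phase."""
    cache = Cache(capacity, policy)
    for _ in range(3):                      # warm-up: popular objects resident, LFU count 3
        for obj in POPULAR:
            cache.access(obj)
    stats = {"regular": [0, 0], "attacker": [0, 0]}
    n = 0                                   # attacker request counter
    for _ in range(rounds):
        for obj in POPULAR:
            stats["regular"][1] += 1
            stats["regular"][0] += cache.access(obj)
            for _ in range(per_request if attack else 0):
                if attack == "ld":
                    aobj = f"junk-{n}"       # locality disruption: never reused
                else:
                    aobj = f"bogus-{n % 5}"  # false locality: fixed set, hammered
                n += 1
                stats["attacker"][1] += 1
                stats["attacker"][0] += cache.access(aobj)
    return stats


def hit_ratio(stats, who):
    hits, reqs = stats[who]
    return hits / reqs if reqs else 0.0


def total_hit_ratio(stats):
    hits = sum(h for h, _ in stats.values())
    reqs = sum(r for _, r in stats.values())
    return hits / reqs


def damage_ratio(policy, attack):
    """(HR(n) - HR(a)) / HR(n) for regular clients, the slides' damage ratio."""
    hr_n = hit_ratio(run(policy), "regular")
    hr_a = hit_ratio(run(policy, attack), "regular")
    return (hr_n - hr_a) / hr_n


if __name__ == "__main__":
    for policy in ("lru", "lfu"):
        for attack in ("ld", "fl"):
            s = run(policy, attack)
            print(f"{policy} {attack}: regular HR {hit_ratio(s, 'regular'):.2f}, "
                  f"total HR {total_hit_ratio(s):.2f}, "
                  f"damage {damage_ratio(policy, attack):.2f}")
```

Under LRU both attacks drive the regular clients' hit ratio to nearly zero, and the FL attack does so while the total hit ratio stays around two thirds because the attacker's own repeated requests hit; that is the earlier slide's point that the total hit ratio is not a good attack indicator. LFU holds up in this toy only because the popular objects accumulated counts during warm-up before the attack began; the slides report that on realistic workloads it still cannot protect the cache.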


Detecting Locality Disruption Attacks

• Observations:
  – Low total hit ratio
  – Short average lifetime of all cached files
• Design:
  – Detection: compute the average residence time of all files in the cache
  – Mitigation: recognize the attackers

Detecting False Locality Attacks

• Observations:
  – Clients who request a similar set of files residing in the cache
  – Repeated requests from the same IP to cached files
• Design:
  – Large number of repeated requests
  – Large percent of repeated requests

$\text{Percent of repeated requests} = \frac{\#\text{repeated requests}}{\#\text{total requests that hit in the cache}}$

• Scalability:
  – Attacker-based detection: Bloom filter
  – Object-based detection: Probabilistic Counting with Stochastic Averaging (PCSA)
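An added example (not the authors' implementation) of the two detectors described on this slide and the previous one. The LD detector keeps a sliding window of cache events and reports the mean residence time (insert to evict) of evicted objects together with the hit ratio; the FL detector keeps, per client, the number of requests served from the cache and how many of those repeat an object the client already fetched, using a Bloom filter over (client, object) pairs so the history stays bounded. Thresholds, the window length, the addresses and both traces are constructed for illustration; the object-based PCSA counter is not shown.

```python
"""Added example: LD and FL pollution detectors for a proxy cache.
Not the authors' code; thresholds, window and traces are constructed."""
import hashlib
from collections import defaultdict, deque


class BloomFilter:
    """Bloom filter with k positions derived from SHA-256; false positives
    are possible (over-counting a repeat), false negatives are not."""

    def __init__(self, nbits=1 << 16, k=4):
        self.nbits, self.k = nbits, k
        self.bits = bytearray(nbits // 8)

    def _positions(self, key):
        d = hashlib.sha256(key.encode()).digest()
        return [int.from_bytes(d[4 * i:4 * i + 4], "big") % self.nbits for i in range(self.k)]

    def add(self, key):
        for p in self._positions(key):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, key):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


class LocalityDisruptionDetector:
    """Sliding-window mean residence time of evicted objects plus hit ratio."""

    def __init__(self, window=100.0, min_lifetime=20.0, min_hit_ratio=0.5):
        self.window, self.min_lifetime, self.min_hit_ratio = window, min_lifetime, min_hit_ratio
        self.inserted = {}          # obj -> insertion time
        self.evictions = deque()    # (evict time, lifetime)
        self.requests = deque()     # (time, hit?)

    def on_insert(self, obj, t):
        self.inserted[obj] = t

    def on_evict(self, obj, t):
        self.evictions.append((t, t - self.inserted.pop(obj)))

    def on_request(self, t, hit):
        self.requests.append((t, hit))

    def stats(self, now):
        """Return (mean lifetime of objects evicted in the window, hit ratio)."""
        for q in (self.evictions, self.requests):
            while q and q[0][0] < now - self.window:
                q.popleft()
        lifetime = (sum(l for _, l in self.evictions) / len(self.evictions)
                    if self.evictions else float("inf"))
        hr = (sum(1 for _, h in self.requests if h) / len(self.requests)
              if self.requests else 1.0)
        return lifetime, hr

    def alarm(self, now):
        lifetime, hr = self.stats(now)
        return lifetime < self.min_lifetime and hr < self.min_hit_ratio


class FalseLocalityDetector:
    """Per client: cache hits and repeated hits; suspect only if both the
    repeat count and the repeat fraction are large (the slide's two tests)."""

    def __init__(self, min_repeats=100, min_repeat_ratio=0.8):
        self.min_repeats, self.min_repeat_ratio = min_repeats, min_repeat_ratio
        self.seen = BloomFilter()
        self.hits = defaultdict(int)
        self.repeats = defaultdict(int)

    def on_request(self, client, obj, hit):
        key = f"{client}|{obj}"
        if hit:
            self.hits[client] += 1
            if key in self.seen:
                self.repeats[client] += 1
        self.seen.add(key)

    def repeat_ratio(self, client):
        return self.repeats[client] / self.hits[client] if self.hits[client] else 0.0

    def suspects(self):
        return sorted(c for c in self.hits if self.repeats[c] >= self.min_repeats
                      and self.repeat_ratio(c) >= self.min_repeat_ratio)


def ld_demo(attack):
    """Constructed stream, one request per tick: regular traffic hits 90% and
    residents live 60 ticks; from tick 150 an LD attacker (if enabled) inserts
    a fresh object every tick, so residents last only 4 ticks."""
    det, t = LocalityDisruptionDetector(), 0.0
    for i in range(300):
        t = float(i)
        if attack and i >= 150:
            det.on_request(t, False)
            det.on_insert(f"junk-{i}", t)
            if i >= 154:
                det.on_evict(f"junk-{i - 4}", t)
        else:
            hit = i % 10 != 0
            det.on_request(t, hit)
            if not hit:
                det.on_insert(f"pop-{i}", t)
                if i >= 60:
                    det.on_evict(f"pop-{i - 60}", t)
    return det.stats(t), det.alarm(t)


def fl_demo():
    """Constructed trace: 30 objects already cached by earlier traffic; three
    regular clients fetch 25 distinct objects and revisit 5; one attacker
    hammers 5 cold objects 40 times each."""
    det, cached = FalseLocalityDetector(), {f"obj-{i}" for i in range(30)}

    def request(client, obj):
        det.on_request(client, obj, obj in cached)
        cached.add(obj)

    for k in range(3):
        for j in list(range(25)) + list(range(5)):
            request(f"10.0.0.{k + 1}", f"obj-{(10 * k + j) % 30}")
    for _ in range(40):
        for j in range(5):
            request("203.0.113.7", f"cold-{j}")
    return det
```

In the LD trace the window statistics move from a 60-tick mean lifetime at a 90% hit ratio to a 4-tick lifetime at a 0% hit ratio, which trips the alarm. In the FL trace the regular clients repeat only their revisits (5 repeats out of 30 cache hits), while the attacker's 195 hits are all repeats, so only 203.0.113.7 is reported; the count threshold is what keeps a light user with a high repeat fraction off the list.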

Evaluation of Pollution Detection

• Results for false-locality attacks; more in the paper

For attacker's file detection:

$\text{True positive ratio} = \frac{\#\text{attacker's files detected by our method}}{\#\text{total attacker's files}}$

Implementation

• Realize the counter-pollution mechanisms
• Code and more details: http://networks.cs.northwestern.edu/AE/

Conclusions

• Propose and evaluate two classes of attacks: locality-disruption and false-locality attacks
• Show that pollution attacks are stealthy but powerful, and that different replacement algorithms have different resilience
• Propose and evaluate a set of scalable and effective counter-pollution mechanisms