Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast
Gal Badishi, Idit Keidar, Amir Sasson
Gal Badishi
Faculty of Electrical Engineering, Technion
DSN 2004
Outline
• The problem
• Overview of gossip-based multicast
• Proposed solution - Drum
• Analysis and simulations
• Implementation and measurements
• Summary and general principles
Denial of Service (DoS)
• Unavailability of service
– Exhausting resources
• Remote attacks
– Network level
  • Solutions do not solve all application problems
– Application level
  • Got little attention
• Quantitative analysis of impact on application and identification of vulnerabilities needed
Challenges
• Quantify the effect of DoS at the
application level
• Expose vulnerabilities
• Find effective DoS-mitigation techniques
– Prove their usefulness using the found metric
• Multicast as an example
Tree-Based Multicast
• Use a spanning tree – most common solution
• No duplicates (optimal BW when network-level)
• Single points of failure
[Diagram label: Source]
Gossip-Based Multicast
• Progresses in rounds
• Every round
– Choose random partners (view)
– Send or receive messages
– Discard old msgs from buffer
• Probabilistic reliability
• Uses redundancy to achieve robustness
• Two methods
– Push
– Pull
Push
[Diagram label: Source]
Pull
[Diagram label: Source]
Effects of DoS on Gossip
• Surprisingly, we show that naïve gossip is
vulnerable to DoS attacks
• Attacking a process in pull-based gossip
may prevent it from sending messages
• Attacking a process in push-based gossip
may prevent it from receiving messages
Drum
• A new gossip-based ALM protocol
• Utilizes DoS-mitigation techniques
– Using random one-time ports to communicate
– Combining both push and pull
– Separating and bounding resources
• Eliminates vulnerabilities to DoS
• Proven robust using formal analysis and
quantitative evaluation
Random Ports
• Any request necessitating a reply contains
a random port number
– “Invisible” to the attacker (e.g., encrypted)
• The reply is sent to that random port
• Assumption: Network withstands load
[Diagram labels: "Request + random port number"; "Wait on well-known port"; "Wait on random port"]
Combining Push and Pull
• Attacking push cannot prevent receiving
messages via pull (random ports)
• Attacking pull cannot prevent sending via
push
• Each process has some control over the
processes it communicates with
Bounding Resources
• Motivation: prevent resource exhaustion
• Each round process a random subset of
the arriving messages and discard the rest
• Separate resources for orthogonal
operations
[Diagram labels: Round Duration; Valid Request; Bogus Request]
Evaluation: Staged DoS Attacks
• Increasing strength
– shows trend under DoS
• Fixed strength
– exposes vulnerabilities
• Source is always attacked
• Analysis, simulations, measurements
Analysis – Increasing Strength
• Assume static group, strict subset is attacked
• Lemma 1: Drum’s propagation time is bounded
from above by a constant independent of the
attack rate
• Lemma 2: The propagation time of Push grows
at least linearly with the attack rate
• Lemma 3: The propagation time of Pull grows at
least linearly with the attack rate
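The three lemmas can be checked with a small round-based simulation; this is an added example, not code from the paper or from the authors' Java implementation. Its model is an assumption throughout: fan-out 4 (Drum splits it into 2 push + 2 pull), an admission bound per operation equal to that operation's fan-out, x bogus messages per round sent to each attacked process (split evenly over Drum's two well-known ports), pull replies that travel to random ports and are never flooded, and propagation time measured as the round in which 99% of processes hold the message.

```python
import random

def admitted(rng, valid, bogus, bound):
    """Bounded resources: admit `bound` arrivals picked uniformly at random from
    the valid senders plus `bogus` attacker messages; return the valid ones."""
    total = len(valid) + bogus
    chosen = rng.sample(range(total), min(bound, total))
    return [valid[i] for i in chosen if i < len(valid)]

def propagation_rounds(proto, x, n=120, fanout=4, attacked_frac=0.1, seed=0):
    """Rounds until 99% of the n processes hold the message (model assumption)."""
    rng = random.Random(seed)
    attacked = set(range(int(n * attacked_frac)))   # process 0 is the source, always attacked
    f_push = {"push": fanout, "pull": 0, "drum": fanout // 2}[proto]
    f_pull = fanout - f_push
    bogus = x // 2 if proto == "drum" else x        # attacker splits x over the ports in use
    has, rounds = {0}, 0
    while len(has) < 0.99 * n:
        rounds += 1
        push_in = [[] for _ in range(n)]            # valid push messages per target
        pull_in = [[] for _ in range(n)]            # valid pull-requests per target
        for p in range(n):
            def partners(k):                        # k random partners other than p
                return [q if q < p else q + 1 for q in rng.sample(range(n - 1), k)]
            if p in has:                            # only holders have something to push
                for q in partners(f_push):
                    push_in[q].append(p)
            for q in partners(f_pull):
                pull_in[q].append(p)
        new = set()
        for p in range(n):
            b = bogus if p in attacked else 0
            if admitted(rng, push_in[p], b, f_push):    # flooded push port: p rarely receives
                new.add(p)
            if p in has:                                # flooded pull port: p rarely serves
                new.update(admitted(rng, pull_in[p], b, f_pull))
        has |= new                                  # recipients start forwarding next round
    return rounds

def average_rounds(proto, x, trials=5):
    """Mean propagation time over `trials` seeded runs."""
    return sum(propagation_rounds(proto, x, seed=s) for s in range(trials)) / trials

if __name__ == "__main__":
    for x in (0, 32, 128, 512):
        print(x, {p: average_rounds(p, x) for p in ("push", "pull", "drum")})
```

In this model Push stalls because attacked processes rarely admit a valid message, and Pull stalls because the attacked source rarely serves a valid request; Drum keeps one unflooded path in each direction.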
Expected Propagation Time, 10% Attacked
[Figure: x-axis: Attack Rate (0 to 140); y-axis: # rounds (0 to 30); series: Push, Pull and Drum, each for n = 1000 and n = 120]
Expected Propagation Time, 10% Attacked (of 1000)
[Figure: x-axis: Attack Rate (0 to 140); y-axis: # rounds (0 to 30); series: Drum - Known Ports, Drum - Random Ports]
Expected Propagation Time, 10% Attacked (of 50)
[Figure: x-axis: Attack Rate (0 to 140); y-axis: # rounds (0 to 12); series: Drum - Shared Bounds, Drum - Separate Bounds]
Analysis – Fixed Strength
• Lemma 4: For strong enough attacks, Drum’s expected propagation time is monotonically increasing as the percentage of attacked processes increases
Expected Propagation Time, Fixed Strength (c = 10)
[Figure: x-axis: % attacked processes (0 to 90); y-axis: # rounds (0 to 100); series: Push, Pull and Drum, each for n = 120 and n = 500]
High-Throughput Experiments
• Multithreaded Java implementation
• Single source creates 40 msgs/sec
• Round duration = 1 second
• Measure throughput and latency at the
receiving processes
Average Received Throughput, 10% Attacked
[Figure: x-axis: Attack Rate (0 to 140); y-axis: Average Throughput (msgs/sec) (0 to 45); series: Drum, Push, Pull]
CDF: Average Latency of Received Messages, 40% Attacked, Rate = 128
[Figure: x-axis: Average Latency (msecs) (1000 to 10000); y-axis: % of Correct Processes (0 to 1); series: Drum, Push, Pull]
Summary
• Gossip-based protocols are very robust, but…
– naïve gossip-based protocols are vulnerable to
targeted DoS attacks
• Drum uses simple techniques to mitigate the effects of DoS attacks
• Evaluations show Drum’s resistance to DoS
• The most effective attack against Drum is a broad one
General Principles
• DoS-mitigation techniques:
– random ports
– neighbor-selection by local choices
– separate resource bounds
• Design goal: eliminate vulnerabilities
– The most effective attack is a broad one
• Analysis and quantitative evaluation of
impact of DoS