Exposing and Eliminating Vulnerabilities to Denial of Service Attacks in Secure Gossip-Based Multicast
Prof. Mort Anvari
Strayer University at Arlington, VA
August 2004
Agenda
• Overview of gossip-based multicast
• The problem
• Proposed solution
• Analysis and simulations
• Implementation and measurements
• Conclusions
Multicast
• A group of members
• At least one member is a source – generates messages
• Messages should arrive to all of the group members in a timely fashion
• Network level vs. application level (ALM)
Tree-Based Multicast
• Use a spanning tree – most common solution
• No duplicates (optimal BW when network-level)
• Single points of failure
[Figure: multicast tree rooted at the source]
Gossip-Based Multicast
• Progresses in rounds
• Every round
– Choose random partners (view)
– Send or receive messages
– Discard old msgs from buffer
• Probabilistic reliability
• Trades latency and BW for redundancy
• Two methods
– Push
– Pull
Push
[Figure: push dissemination from the source]
Pull
[Figure: pull dissemination from the source]
Hostility over the Internet
• Forgery/spoofing
• Penetration
• Denial of Service (DoS)
Denial of Service
• Unavailability of service
• Methods
– Exploiting bugs
– Exhausting resources
• Remote attacks
– Network level
– Application level
• Got little attention
• No quantitative analysis of impact on application
Dollar Amount of Losses by Type
Remote Application-Level DoS
[Figure: incoming requests with no attack vs. under a DoS attack; legend: valid request, bogus request]
Effects of DoS on Gossip
• Reasonable to assume that source is attacked
• Surprisingly, we show that naïve gossip is vulnerable to DoS attacks
• Attacking a process in pull-based gossip may prevent it from sending messages
• Attacking a process in push-based gossip may prevent it from receiving messages
Our Solution
• Drum – a new gossip-based ALM protocol
• Utilizes DoS-mitigation techniques
– Separating and bounding resources
– Combining both push and pull
– Using random one-time ports to communicate
• Proven robust using formal analysis and
quantitative evaluation
– Provides general methods for analyzing and
quantitatively evaluating resistance to DoS-attacks
Bounding Resources
• Motivation: prevent resource exhaustion
• Each round process a random subset of
the arriving messages and discard the rest
[Figure: requests arriving over one round duration; legend: valid request, bogus request]
Combining Push and Pull
• Attacking push cannot prevent receiving
messages via pull (random ports)
• Attacking pull cannot prevent sending via
push
Random Ports
• Any request necessitating a reply contains a random port number
– “Invisible” to the attacker (e.g., encrypted)
• The reply is sent to that random port
• Assumption: attacking other ports does not affect the random port’s queue (i.e., there is no BW exhaustion)
Drum’s Push Mechanism
• Alice sends Bob a push-offer
• Bob replies with a digest of messages he has already received
• Alice only sends Bob messages missing from his digest
• Random ports
Evaluation Methodology
• Compare 3 protocols
– Push (push-based with bounded resources)
– Pull (pull-based with bounded resources)
– Drum
• Under various DoS attacks
– Fixed strength
– Increasing strength
• Source is always attacked
• Evaluates combination of Push and Pull
Evaluation Methodology (cont.)
• Measure propagation time – expected
number of rounds it takes a message to
reach all of the correct processes
– 99% in the simulations and actual
measurements
• Use real implementation to measure actual
latency and throughput
Analysis/Simulation Assumptions
• Static group with complete connectivity
• Processes have complete group knowledge
• Propagation of a single message M
– But simulate situation where all procs have msgs to send
• M is never purged from local buffers
• Rounds are synchronized
• All round operations complete within the same round
• All processes are correct (analysis) or 10% of them perform a DoS attack (simulation)
Validating Known Results
• The propagation time of gossip-based
multicast protocols is O(log n) [P87,
KSSV00]
Expected Propagation Time
[Figure: # rounds vs. # processes (log scale) for Push, Pull and Drum]
Validating Known Results (cont.)
• The performance of gossip-based
multicast protocols degrades gracefully as
failures amount [LMM00, GvRB01]
Expected Propagation Time, n = 1000
[Figure: # rounds vs. % failed processes for Push, Pull and Drum]
Definitions
• n – number of processes in the group
• F – size of view, and max # of requests to process in a round (F = 4)
•  – percentage of attacked processes
• x – number of bogus messages an
attacked process receives in a round
• B – total attack strength (B = nx )
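A simplified round-based simulation of the three protocols compared in the evaluation, using n, F and x as defined above. It is an added example, not the authors' simulator; the function names are introduced here. It assumes every process is correct, the attacked set is a fixed fraction of the group that includes the source (process 0), and the x bogus messages sent to a Drum process are split evenly between its push and pull channels.

```python
import random
from statistics import mean

F = 4  # view size and max requests processed per round (Definitions slide)

def admit(valid, bogus, bound, rng):
    """Bounded resources: handle a random `bound`-sized subset of one round's
    arrivals and discard the rest. Returns the valid senders that were handled."""
    arrivals = valid + [None] * bogus      # None marks a bogus message
    picked = rng.sample(arrivals, min(bound, len(arrivals)))
    return [s for s in picked if s is not None]

def partners(p, n, k, rng):
    """k random gossip partners for process p, never p itself."""
    return [q for q in rng.sample(range(n), k + 1) if q != p][:k]

def rounds_to_spread(proto, n, attacked_fraction, x, rng, max_rounds=500):
    """Rounds until 99% of processes hold M; process 0 is the attacked source."""
    attacked = set(range(round(n * attacked_fraction)))
    push_fan, pull_fan = {"push": (F, 0), "pull": (0, F),
                          "drum": (F // 2, F // 2)}[proto]
    # Assumption: against Drum the x bogus messages are split evenly between
    # the push channel and the pull channel, each bounded separately.
    flood = x // 2 if proto == "drum" else x
    has = {0}
    for rnd in range(1, max_rounds + 1):
        pushes = [[] for _ in range(n)]
        pulls = [[] for _ in range(n)]
        for p in range(n):                 # every process gossips each round
            for q in partners(p, n, push_fan, rng):
                pushes[q].append(p)
            for q in partners(p, n, pull_fan, rng):
                pulls[q].append(p)
        new = set()
        for q in range(n):
            bogus = flood if q in attacked else 0
            # Push: q learns M only if a push it handled came from a holder.
            if any(s in has for s in admit(pushes[q], bogus, push_fan, rng)):
                new.add(q)
            # Pull: replies go to one-time ports; only q's request queue is contested.
            if q in has:
                new.update(admit(pulls[q], bogus, pull_fan, rng))
        has |= new
        if len(has) >= 0.99 * n:
            return rnd
    return max_rounds

def mean_rounds(proto, x, n=120, attacked_fraction=0.10, trials=20, seed=2004):
    rng = random.Random(seed)
    return mean(rounds_to_spread(proto, n, attacked_fraction, x, rng) for _ in range(trials))
```

Comparing `mean_rounds("push", x)`, `mean_rounds("pull", x)` and `mean_rounds("drum", x)` for growing x shows which protocols slow down as the flood strengthens.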
Analysis – Increasing Strength
• Lemma 1: Fix  and n. Drum’s
propagation time is bounded from above
by a constant independent of x
• Proof idea
– Define effective fan-in and effective fan-out
– Both have an element independent of x
– When x   this element is dominant
– The effective fans are bounded from below
Analysis – Increasing Strength
• Lemma 2: Fix  and n. The propagation time of
Push grows at least linearly with x
• Proof idea
– Assume all non-attacked processes already have the
message (and so does the source)
– Bound the expected number of processes having M
at round k from above
– Find the minimal k in which all processes have M
– Reaching all attacked processes takes at least a time
linear in x
Analysis – Increasing Strength
• Lemma 3: Fix  and n. The propagation time of
Pull grows at least linearly with x
• Proof idea
– Denote by p the probability that the source reads a
valid pull request in a round
– # of rounds for M to leave the source is
geometrically distributed with p
– The expectation is 1/p
– 1/p is at least linear in x
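The 1/p argument above, worked through numerically as an added example (not taken from the slides or the authors' analysis). It assumes the source draws F requests uniformly at random from the v valid and x bogus pull requests that arrive in a round; v and the function names are introduced here for illustration.

```python
from math import comb
import random

F = 4  # requests the source processes per round (Definitions slide)

def p_valid_read(x, v, f=F):
    """P(at least one of v valid pull requests is among the f requests drawn
    uniformly at random from the v + x that arrived this round)."""
    if v == 0:
        return 0.0
    if v + x <= f:
        return 1.0
    return 1.0 - comb(x, f) / comb(x + v, f)

def expected_rounds(x, v, f=F):
    """Rounds until M leaves the source: geometric with parameter p, mean 1/p."""
    return 1.0 / p_valid_read(x, v, f)

def linear_lower_bound(x, v, f=F):
    """Union bound: each valid request is drawn with probability f/(x+v), so
    p <= v*f/(x+v) and therefore 1/p >= (x+v)/(v*f), which is linear in x."""
    return (x + v) / (v * f)

def simulated_rounds(x, v, trials=4000, seed=2004, f=F):
    """Monte Carlo check of 1/p; indices below v stand for the valid requests."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        rounds = 1
        while min(rng.sample(range(x + v), min(f, x + v))) >= v:
            rounds += 1
        total += rounds
    return total / trials

def table(v=4, xs=(0, 32, 64, 128)):
    """(x, exact 1/p, lower bound) rows for v valid requests per round."""
    return [(x, expected_rounds(x, v), linear_lower_bound(x, v)) for x in xs]
```

With a single valid request the bound is tight: p = F/(x+1), so the expected wait is exactly (x+1)/F rounds.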
Expected Propagation Time,  = 10%
[Figure: # rounds vs. x for Push, Pull and Drum, each with n = 1000 and n = 120]
Expected Propagation Time, x = 128
[Figure: # rounds for Push, Pull and Drum, each with n = 1000 and n = 120]
Analysis – Fixed Strength
• Define c = B/nF (total attack strength
divided by total system capacity)
• Lemma 4: For c > 5, Drum’s expected
propagation time is monotonically
increasing with 
• Proof idea
– Effective fan-in and effective fan-out are
monotonically decreasing with 
Expected Propagation Time, B = 7.2n (c = 2)
[Figure: # rounds for Push, Pull and Drum, each with n = 120 and n = 500]
Implementation and Measurements
• Uses the Java programming language
• Multithreaded processes
• Operations are not synchronized
• Rounds are not synchronized among processes
• 50 machines on a 100Mbit LAN (Emulab)
• One process per machine
• 5 processes (10%) perform a DoS attack
Validating the Simulations
• Evaluate the protocols in the same
scenarios tested by simulation
• High correlation shows that the simplifying
assumptions have little effect on the
results
Expected Propagation Time,  = 10%, n = 50
[Figure: # rounds vs. x; measurements and simulation for Push, Pull and Drum]
Expected Propagation Time, x = 128, n = 50
[Figure: # rounds; measurements and simulation for Push, Pull and Drum]
High-Throughput Experiments
• Single source
• Creates 40 messages (50 bytes long) per second
• Total of 10,000 messages
• Round duration = 1 second
• Messages are purged after 10 rounds
• Each process sends at most 80 data messages to another process in a round
• Throughput and latency are measured at the 44 correct receiving processes
Average Received Throughput,  = 10%, n = 50
[Figure: average throughput (msgs/sec) vs. x for Drum, Push and Pull]
Average Received Throughput, x = 128, n = 50
[Figure: average throughput (msgs/sec) for Drum, Push and Pull]
CDF: Average Latency of Received Messages, x = 128,  = 40%, n = 50
[Figure: # of correct processes (normalized) vs. average latency (msecs) for Drum, Push and Pull]
Conclusions
• DoS attacks are a real problem
• Gossip-based protocols have no single points of failure
• However, naïve gossip-based protocols are vulnerable to targeted DoS attacks
• Drum uses simple techniques to mitigate the effects of DoS attacks
• Evaluations show Drum’s resistance to DoS
• The most effective attack against Drum is a broad one
• General DoS-mitigation techniques: random ports and neighbor-selection
• Analysis and quantitative evaluation techniques may be applicable to other systems as well