Exposing and Eliminating Vulnerabilities to Denial of Service Attacks

Towards Survivability of Application-Level Multicast
Gal Badishi, Idit Keidar, Roie Melamed
G. Badishi & I. Keidar
Faculty of Electrical Engineering, Technion
FuDiCo II
Outline
• Threats and problems
• Application-level multicast
– Robust gossip - Drum
– Robust overlay - Araneola
• Challenges and future directions
The Net as a Warzone
• Crash failures, message loss
• Rapid dynamic changes – churn
– Can cause denial of service
• Denial of Service (DoS)
• Uncooperative users
• Forgery/spoofing
• Penetration
Denial of Service
• Unavailability of service
– Exhausting resources
• Remote attacks
– Network level
• Solutions do not solve all application problems
– Application level
• Got little attention
• Quantitative analysis of impact on application and
identification of vulnerabilities needed
DoS - Challenges
• Quantify the effect of DoS at the
application level
• Expose vulnerabilities
• Find effective DoS-mitigation techniques
– Prove their usefulness using the found metric
• Multicast as an example
Application-Level Multicast
• Tree-based
– Single points of failure
• Gossip-based
• Overlay networks
Gossip-Based Multicast
• Progresses in rounds
• Every round
– Choose random partners
– Send (push) or receive (pull) messages
– Discard old msgs from buffer
• Probabilistic reliability
• Uses redundancy to achieve robustness
Effects of DoS on Gossip
• Surprisingly, we show that naïve gossip is
vulnerable to DoS attacks
• Attacking a process in pull-based gossip
may prevent it from sending messages
• Attacking a process in push-based gossip
may prevent it from receiving messages
Drum [DSN 04]
• A new gossip-based ALM protocol
• DoS-mitigation techniques:
– Using random one-time ports to communicate
– Combining both push and pull
– Separating and bounding resources
• Eliminates vulnerabilities to DoS
• Proven robust using formal analysis and
empirical measurements
Random Ports
• Any request necessitating a reply contains
a random port number
– “Invisible” to the attacker (e.g., encrypted)
• The reply is sent to that random port
• Assumption: Network withstands load
Combining Push and Pull
• Attacking push cannot prevent receiving
messages via pull (random ports)
• Attacking pull cannot prevent sending via
push
• Each process has some control over the
processes it communicates with
Bounding Resources
• Prevent resource exhaustion
• Separate resources for orthogonal
operations
Evaluation: Staged DoS Attacks
• Increasing strength
– shows trend under DoS
• Fixed strength
– exposes vulnerabilities
• Source is always attacked
• Analysis, simulations, measurements
Analysis – Increasing Strength
• Assume static group, strict subset is attacked
• Lemma 1: Drum’s propagation time is bounded
from above by a constant independent of the
attack rate
• Lemma 2: The propagation time of Push grows
at least linearly with the attack rate
• Lemma 3: The propagation time of Pull grows at
least linearly with the attack rate
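The trend stated by Lemmas 1 to 3 can be reproduced qualitatively with a small round-based simulation. This is an added example, not the authors' Drum implementation or their analysis model: it assumes a single message M, synchronous rounds, a per-port bound equal to the fan-out, pull replies that are never contended (the random-ports idea), and an attacker who floods the well-known ports of 10% of the processes, source included; the names `kept`, `rounds_to_spread` and `mean_rounds` are made up here.

```python
import random

# Added illustrative model of push, pull and combined (Drum-style) gossip under DoS.
def kept(n_valid, n_bogus, bound, rng):
    """Indices of valid arrivals that survive when only `bound` arrivals are processed."""
    total = n_valid + n_bogus
    return [i for i in rng.sample(range(total), min(bound, total)) if i < n_valid]

def rounds_to_spread(proto, x, n=120, frac=0.1, fan=4, seed=0, max_rounds=1000):
    """Rounds until 99% of the n processes hold the source's message M."""
    rng = random.Random(seed)
    attacked = set(range(int(n * frac)))       # process 0 is the source, always attacked
    push_fan = {"push": fan, "pull": 0, "drum": fan // 2}[proto]
    pull_fan = fan - push_fan                  # fan-outs double as separate per-port bounds
    # Bogus messages per attacked process per round, aimed at the well-known ports in use.
    push_x = {"push": x, "pull": 0, "drum": x // 2}[proto]
    pull_x = {"push": 0, "pull": x, "drum": x // 2}[proto]
    has = {0}
    for rnd in range(1, max_rounds + 1):
        push_in = [[] for _ in range(n)]
        pull_in = [[] for _ in range(n)]
        for p in range(n):                     # every process gossips every round
            for k, inbox in ((push_fan, push_in), (pull_fan, pull_in)):
                for r in rng.sample(range(n - 1), k):
                    inbox[r + (r >= p)].append(p)   # random partner other than p
        new = set()
        for t in range(n):
            flood = t in attacked
            for i in kept(len(push_in[t]), push_x * flood, push_fan, rng):
                if push_in[t][i] in has:
                    new.add(t)                 # t processed a push that carried M
            if t in has:                       # replies go to one-time random ports
                served = kept(len(pull_in[t]), pull_x * flood, pull_fan, rng)
                new.update(pull_in[t][i] for i in served)
        has |= new
        if len(has) >= 0.99 * n:
            return rnd
    return max_rounds

def mean_rounds(proto, x, trials=20):
    return sum(rounds_to_spread(proto, x, seed=s) for s in range(trials)) / trials

if __name__ == "__main__":
    for proto in ("push", "pull", "drum"):
        print(proto, [round(mean_rounds(proto, x), 1) for x in (0, 32, 128)])
```

In this model a flooded push port starves the attacked receivers and a flooded pull port keeps M from leaving the attacked source, while the combined protocol always has one unattacked path in each direction.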
Expected Propagation Time, 10% Attacked
[Figure: # rounds (0 to 30) vs. Attack Rate (0 to 140); curves: Push, Pull and Drum, each for n = 1000 and n = 120]
Expected Propagation Time, 10% Attacked (of 1000)
[Figure: # rounds (0 to 30) vs. Attack Rate (0 to 140); curves: Drum - Known Ports, Drum - Random Ports]
Expected Propagation Time, 10% Attacked (of 50)
[Figure: # rounds (0 to 12) vs. Attack Rate (0 to 140); curves: Drum - Shared Bounds, Drum - Separate Bounds]
Analysis – Fixed Strength
• Lemma 4: For strong enough attacks,
Drum’s expected propagation time is
monotonically increasing as the
percentage of attacked processes
increases
Expected Propagation Time, Fixed Strength (c = 10)
[Figure: # rounds (0 to 100) vs. % attacked processes (0 to 90); curves: Push, Pull and Drum, each for n = 120 and n = 500]
General Principles
• Network-level DoS mitigation necessary but not
sufficient: application needs consideration too!
• DoS-mitigation techniques:
– random ports
– neighbor-selection by local choices
– separate resource bounds
• Design goal: eliminate vulnerabilities
– The most effective attack is a broad one
• Analysis and quantitative evaluation of impact of
DoS
Further Challenges
• Not bandwidth-optimized
– Reliability is achieved at the cost of high
redundancy
• Rapid change in communication partners
makes diagnosis of neighbors’ correct
operation difficult
– Hard to incentivize cooperation
Araneola
• Overlay-based application-level multicast
• Bandwidth efficiency:
– Basic overlay: random links, low degrees for all nodes
– Add local links according to available bandwidth
• Robustness to link & node failures
• Cheap maintenance
– Amortize join/leave costs
– Can handle high churn
Basic (Random) Overlay
• For k ≥ 3, approximate k-regular random graph:
– each node has either k or k+1 random neighbors
– logarithmic diameter
– k-connected
– expander, remains highly connected following random
removal of large subsets of edges or nodes
• Cheap maintenance: each join or leave
operation incurs sending only a total of about 3k
messages
Overhead for Dealing with
Join/Leave Operations
Impact of Edge Failures
on Connectivity
Impact of Node Failures
on Connectivity
Further Challenges
• Does not currently deal with
– DoS
– uncooperative users
– non-random link/node failures
Future Directions
• Can we get the best of all worlds?
– BW/latency efficient, churn/DoS resistant, detects
incorrect nodes, overcomes adversarial failures…
• Test neighbors for cooperativeness
– Communicate with same neighbors for long periods
• Can we eliminate well-known ports altogether?
– Use pseudo-random ports instead
– Challenge: agree upon seeds without exposing them