Issue No. 5, May 2013 (vol. 62), pp. 1031-1043
U. Ben-Porat , Comput. Eng. & Networks Lab. (TIK), ETH Zurich, Zurich, Switzerland
A. Bremler-Barr , Efi Arazi Sch. of Comput. Sci., Dept. of Comput. Sci., Interdiscipl. Center, Herzliya, Israel
H. Levy , Dept. of Comput. Sci., Tel-Aviv Univ., Tel-Aviv, Israel
ABSTRACT
In recent years, we have experienced a wave of DDoS attacks threatening the welfare of the Internet. These are launched by malicious users whose only incentive is to degrade the performance of other, innocent users. Traditional systems turn out to be quite vulnerable to these attacks. The objective of this work is to take a first step toward closing this fundamental gap, aiming to lay a foundation that can be used in future computer and network designs that take malicious users into account. Our approach is based on proposing a metric that evaluates the vulnerability of a system. We then use our vulnerability metric to evaluate a data structure that is commonly used in network mechanisms: the hash table. We show that Closed Hash is much more vulnerable to DDoS attacks than Open Hash, even though the two structures are considered equivalent by traditional performance evaluation. We also apply the metric to queuing mechanisms common to computer and communications systems. Furthermore, we apply it to the practical case of a hash table whose requests are controlled by a queue, showing that even after the attack has ended, the regular users still suffer from performance degradation or even a total denial of service.
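The following toy simulation is an added illustration of the abstract's Closed Hash versus Open Hash claim; it is not code from the paper. It assumes a 64-slot table, a trivially predictable hash function, constructed key sets, and a simple ratio-style vulnerability measure (later-lookup cost after a colliding batch divided by the cost after an equal-sized regular batch), which is an assumption and not the paper's own metric.

```python
TABLE_SIZE = 64
def h(key):
    return key % TABLE_SIZE  # toy, predictable hash: assumed for illustration

class OpenHash:
    """Separate chaining: each slot holds a list of keys."""
    def __init__(self):
        self.slots = [[] for _ in range(TABLE_SIZE)]
    def insert(self, key):
        self.slots[h(key)].append(key)
    def lookup_cost(self, key):
        # cells read: the slot head plus every key compared along the chain
        chain = self.slots[h(key)]
        for i, k in enumerate(chain, 1):
            if k == key:
                return 1 + i
        return 1 + len(chain)

class ClosedHash:
    """Open addressing with linear probing (table assumed never to fill)."""
    def __init__(self):
        self.slots = [None] * TABLE_SIZE
    def insert(self, key):
        i = h(key)
        while self.slots[i] is not None:
            i = (i + 1) % TABLE_SIZE
        self.slots[i] = key
    def lookup_cost(self, key):
        # cells read: slots probed until the key or an empty slot is reached
        i, probes = h(key), 1
        while self.slots[i] is not None and self.slots[i] != key:
            i, probes = (i + 1) % TABLE_SIZE, probes + 1
        return probes

def mean_lookup_cost(table_cls, inserted, probe_keys):
    t = table_cls()
    for k in inserted:
        t.insert(k)
    return sum(t.lookup_cost(k) for k in probe_keys) / len(probe_keys)

# Constructed workloads: 16 well-spread regular keys, 16 keys that all collide
# on slot 16, and one later regular lookup per slot (none present, so each
# lookup walks its whole chain or cluster).
REGULAR_KEYS = [4 * i for i in range(16)]
COLLIDING_KEYS = [16 + TABLE_SIZE * j for j in range(1, 17)]
LATER_LOOKUPS = [100 * TABLE_SIZE + i for i in range(TABLE_SIZE)]

def vulnerability_ratio(table_cls):
    """Cost after the colliding batch vs. an equal regular batch (assumed metric)."""
    attacked = mean_lookup_cost(table_cls, COLLIDING_KEYS, LATER_LOOKUPS)
    benign = mean_lookup_cost(table_cls, REGULAR_KEYS, LATER_LOOKUPS)
    return attacked / benign
```

Both structures cost the same 1.25 cells per lookup after the regular batch, which is what traditional evaluation sees; after the colliding batch the chained table is unchanged (ratio 1.0) because a long chain only taxes lookups that land on that one slot, while the linear-probing table's cluster is walked by every lookup hashing into it (ratio 2.5).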
INDEX TERMS
Internet, computer network security, cryptography, Distributed Denial of Service attacks, network mechanism vulnerability, DDoS attacks, computer-network designs, malicious users, vulnerability metric, hash table data structure, closed hash, open hash, queuing mechanisms, Computer crime, Measurement, Degradation, Complexity theory, Data structures, Servers, Bandwidth, metric, malicious, DDoS, hash, queue, vulnerability
CITATION
U. Ben-Porat, A. Bremler-Barr, H. Levy, "Vulnerability of Network Mechanisms to Sophisticated DDoS Attacks", IEEE Transactions on Computers, vol. 62, no. 5, pp. 1031-1043, May 2013, doi:10.1109/TC.2012.49