An Overlay Architecture for End-to-End Service Availability

Angelos Stavrou

Columbia University


Source of information: Publication in Stevens Institute of Technology Engineering and Science News



Perhaps one of the most compelling problems of the Internet today is the lack of a comprehensive and unifying approach to online service security and resilience: many mechanisms exist, but there is no "security and availability architecture" -- no set of policies or standards for how these mechanisms can be combined to achieve good overall security. My work is aimed at introducing and analyzing mechanisms that boost the security, resilience and performance of network systems in a manner that is transparent to both the existing infrastructure and the end-users.

In this talk, I will discuss my work on defending against distributed denial of service (DDoS) attacks. Such attacks involve large numbers of compromised hosts (bots) that send unsolicited traffic toward a target, congesting the network links close to it and rendering its services unusable. To address these issues, I propose a novel, almost-stateless, spread-spectrum-like paradigm that exploits per-packet path diversity between each pair of communicating end-nodes by using a distributed overlay network. I will present a novel overlay architecture based on this spread-packet approach, focusing on the system design, the security and economic analysis, and the novel DoS-resistant authentication protocol used to authenticate end nodes.

I will show analytically that an Akamai-sized overlay can withstand attacks involving millions of "zombie" hosts while providing uninterrupted end-to-end connectivity. By using packet replication, the system can resist attacks that render a large fraction of the overlay nodes inoperable. Our experiments on PlanetLab demonstrate that in many cases end-to-end latency decreases when packet replication is used. Similarly, even when subjected to a large DDoS attack, a protected service remains fully operational, experiencing only a small degradation in end-to-end throughput. Contrary to most work in DDoS defense, our system is fully implementable and deployable on the current Internet.

Because our solutions depend on large scale overlay networks, we present a novel mechanism for protecting a wide class of these networks against insider attacks. For overlay networks that exhibit well-defined properties (due to their topology or structure), we demonstrate how to defend such networks against non-conforming (i.e., abnormal) behavior of participating nodes. In particular, we can defend against DoS attacks from within the overlay itself. We use a lightweight distributed detection mechanism that exploits inherent structural invariants of Distributed Hash Tables (DHTs) to ferret out anomalous flow behavior. Upon detection, we invoke a Pushback-like protocol to notify and prompt into action (e.g., throttle the traffic) the predecessor node: the node from which the offending traffic arrives. In addition, we demonstrate how to remain TCP-friendly by using packet spreading and replication techniques with regular TCP connections in addition to our UDP-based techniques. Our experiments show that our system can take advantage of the underlying multi-path link capacity without starving other flows over shared links. For TCP flows, we show that there is no significant throughput or latency degradation when using regular TCP connections.

To demonstrate the applicability of our system to real-time and interactive applications, we introduce Access Assured Mobile desktop computing (A2M), a secure and attack-resilient remote desktop computing hosting infrastructure. A2M combines a stateless and secure communication protocol, a single-hop Indirection-based network (IBN) and a remote display architecture to provide mobile users with continuous access to their desktop computing sessions. Our architecture protects both the hosting infrastructure and the client's connections against a wide range of service disruption attacks. Unlike any other DoS protection system, A2M takes advantage of its low-latency remote display mechanisms and asymmetric traffic characteristics by using multi-path routing to send a small number of copies of each packet transmitted from client to server. This multi-path packet replication diversifies the client-server communication, boosts system resilience, and reduces end-to-end latency. Through deployment on PlanetLab, a distributed network testbed, we show that A2M significantly increases the hosting infrastructure's attack resilience. Using current ISP bandwidth data, we can protect against attacks involving millions of bots while providing good performance for multimedia and web applications and basic GUI interactions even when up to 30% and 50%, respectively, of the indirection nodes become completely unresponsive.
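As an added illustration of the replication argument made for the overlay and for A2M above (example code, not from the talk or either system), the following simulator spreads each packet over k overlay nodes chosen by a keyed hash of its sequence number and measures how many packets still get through when a fraction of the nodes is unresponsive. The keyed-hash node selection, the overlay size and the shared secret are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import random


def pick_nodes(secret: bytes, seq: int, n_nodes: int, k: int) -> list:
    """Choose k distinct overlay nodes for packet number `seq`.

    The choice is a keyed hash of the sequence number, so both endpoints can
    recompute it without keeping per-packet state (an assumed stand-in for
    the almost-stateless spreading the talk describes).
    """
    chosen = []
    counter = 0
    while len(chosen) < k:
        msg = f"{seq}:{counter}".encode()
        digest = hmac.new(secret, msg, hashlib.sha256).digest()
        node = int.from_bytes(digest[:4], "big") % n_nodes
        if node not in chosen:
            chosen.append(node)
        counter += 1
    return chosen


def analytic_loss(fraction_down: float, k: int) -> float:
    """Probability that all k replicas land on unresponsive nodes, assuming
    nodes are picked uniformly and independently from a large overlay."""
    return fraction_down ** k


def simulate(n_nodes: int, fraction_down: float, k: int,
             n_packets: int, seed: int = 1) -> float:
    """Return the fraction of packets delivered when `fraction_down` of the
    overlay nodes are silently dropping traffic and each packet is
    replicated to k nodes. The attacked set is constructed at random."""
    rng = random.Random(seed)
    down = set(rng.sample(range(n_nodes), round(n_nodes * fraction_down)))
    secret = b"constructed-demo-secret"  # constructed, not a real key
    delivered = 0
    for seq in range(n_packets):
        nodes = pick_nodes(secret, seq, n_nodes, k)
        # A packet survives if at least one replica reaches a live node.
        if any(node not in down for node in nodes):
            delivered += 1
    return delivered / n_packets


if __name__ == "__main__":
    for k in (1, 2, 3):
        print(k, analytic_loss(0.3, k), simulate(1000, 0.3, k, 10000))
```

With 30% of a 1000-node overlay unresponsive, a single copy gets through about 70% of the time, while two and three replicas raise delivery to roughly 91% and 97%, matching the f^k loss estimate.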