Experiment: is it possible to reduce the negative effects of DoS attacks using a proxy


DoS attacks are one of the largest threats to information security on the modern Internet. There are dozens of botnets that attackers rent out to carry out such attacks.

Scientists from the University of San Diego studied the extent to which proxies help reduce the negative effects of DoS attacks. Below are the main points of their work.

Introduction: Proxy as a DoS Fighting Tool

Similar experiments are periodically carried out by researchers from different countries, but their common problem is the lack of resources to simulate attacks that are close to reality. Tests on small test beds cannot answer how well proxies will resist an attack in complex networks, which parameters play a key role in the ability to minimize damage, and so on.

For the experiment, the scientists created a model of a typical web application, for example an e-commerce service. It runs on a cluster of servers; users are distributed across different geographical locations and access the service over the Internet. In this model, the Internet serves as the means of communication between the service and its users, which is how web services from search engines to online banking tools work.


DoS attacks make normal interaction between the service and its users impossible. There are two types of DoS: application layer attacks and infrastructure layer attacks. In the latter case, attackers directly attack the network and the hosts on which the service is running (for example, they saturate the entire network bandwidth with flood traffic). In an application layer attack, the target is the interface users interact with: the attacker sends a huge number of requests in order to make the application crash. The described experiment concerned attacks at the infrastructure level.

Proxy networks are one of the tools for minimizing damage from DoS attacks. When a proxy is used, requests from the user to the service and the responses to them are not transmitted directly, but through intermediate servers. The user and the application "do not see" each other directly; only proxy addresses are available to them. As a result, it is impossible to attack the application directly. At the edge of the network there are so-called edge proxies, external proxies with available IP addresses; connections go to them first.


To successfully resist a DoS attack, a proxy network must have two key capabilities. First, it must act as an intermediary, that is, the application can be reached only through it. This eliminates the possibility of a direct attack on the service. Second, the proxy network must still allow users to interact with the application, even during the attack.

Experiment infrastructure

The study used four key components:

  • an implementation of a proxy network;
  • the Apache web server;
  • the Siege web testing tool;
  • the Trinoo attack tool.

The simulation was carried out in the MicroGrid environment, which can be used to simulate networks with 20 thousand routers, comparable to the networks of Tier-1 operators.

A typical Trinoo network consists of a set of compromised hosts running the program's daemon. There is also monitoring software to control the network and direct DoS attacks. Given a list of IP addresses, the Trinoo daemon sends UDP packets to the targets at the specified time.

During the experiment, two clusters were used. The MicroGrid simulator ran on a Xeon Linux cluster of 16 nodes (2.4GHz servers with 1GB of memory per machine) connected via a 1Gbps Ethernet hub. Other software components were located in a cluster of 24 nodes (450MHz PII Linux servers with 1GB of memory per machine) connected by a 100Mbps Ethernet hub. The two clusters were connected by a 1Gbps channel.

The proxy network is hosted in a pool of 1000 hosts. Edge proxies are evenly distributed throughout the resource pool. Proxies for working with the application are located on hosts that are closer to its infrastructure. The rest of the proxies are evenly distributed between the edge proxies and the application proxies.


Network for simulation

To study the effectiveness of a proxy as a tool to counter a DoS attack, the researchers measured the performance of the application under different attack scenarios. In total, there were 192 proxies in the proxy network (64 of them were edge proxies). To carry out the attack, a Trinoo network of 100 daemons was created. Each of the daemons had a 100Mbps channel. This corresponds to a botnet of 10 home routers.

The impact of a DoS attack on the application and on the proxy network was measured. In the experimental configuration, the application had an Internet channel of 250Mbps, and each edge proxy had 100Mbps.

Experiment results

The analysis showed that a 250Mbps attack significantly increases the response time of the application (about ten times), which makes it impossible to use. However, when a proxy network is used, the attack does not have a significant impact on performance and does not degrade the user experience. This is because edge proxies dilute the effect of the attack, and the total resources of the proxy network are higher than those of the application itself.

According to the statistics, if the attack power does not exceed 6.0Gbps (even though the total bandwidth of the edge proxy channels is only 6.4Gbps), then 95% of users do not experience a noticeable performance degradation. At the same time, in the case of a very powerful attack exceeding 6.4Gbps, even a proxy network would not prevent degradation of the level of service for end users.


In the case of concentrated attacks, where the attack power is focused on a random set of edge proxies, the attack clogs part of the proxy network, so a significant portion of users will notice a drop in performance.

Conclusions

The results of the experiment suggest that proxy networks can improve the performance of TCP applications and provide a familiar level of service for users, even in the event of DoS attacks. According to the data obtained, proxy networks are an effective way to minimize the consequences of attacks: more than 90% of users during the experiment did not feel a decrease in the quality of the service. In addition, the researchers found that as the size of the proxy network increases, the scale of DoS attacks that it can endure increases almost linearly. Therefore, the larger the network, the more effectively it will deal with DoS.
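The capacity reasoning behind these results can be reproduced with a simple per-link threshold model. This is an added example, not the researchers' MicroGrid simulation: the 64 edge proxies and 100Mbps links come from the article, while the legitimate load per edge proxy, the even user distribution and the "saturated link means degraded users" rule are assumptions.

```python
EDGE_PROXIES = 64        # edge proxies in the experiment (from the article)
EDGE_LINK_MBPS = 100.0   # link of each edge proxy (from the article)
LEGIT_MBPS = 3.0         # assumed legitimate load per edge proxy


def affected_users(attack_mbps, targets, users_per_edge,
                   link_mbps=EDGE_LINK_MBPS, legit_mbps=LEGIT_MBPS):
    """Return the fraction of users whose edge proxy link is saturated.

    targets: indices of the edge proxies the flood is split across.
    users_per_edge: number of users homed on each edge proxy.
    """
    hit = set(targets)
    if not hit:
        raise ValueError("attack needs at least one targeted edge proxy")
    per_target = attack_mbps / len(hit)
    lost = 0
    for edge, users in enumerate(users_per_edge):
        load = legit_mbps + (per_target if edge in hit else 0.0)
        if load > link_mbps:      # link full: these users see degradation
            lost += users
    return lost / sum(users_per_edge)


def max_spread_attack(n_edges, link_mbps=EDGE_LINK_MBPS,
                      legit_mbps=LEGIT_MBPS):
    """Largest evenly spread flood (Mbps) that saturates no edge proxy."""
    return n_edges * (link_mbps - legit_mbps)


if __name__ == "__main__":
    users = [100] * EDGE_PROXIES            # constructed: even user spread
    everyone = list(range(EDGE_PROXIES))
    # Flood spread over all edge proxies, below and at total capacity.
    print(affected_users(6000, everyone, users))
    print(affected_users(6400, everyone, users))
    # Same 6.0Gbps concentrated on 16 edge proxies.
    print(affected_users(6000, list(range(16)), users))
    # Tolerable spread attack grows linearly with the number of edges.
    print(max_spread_attack(64), max_spread_attack(128))
```

In this model a spread 6.0Gbps flood leaves every edge link below saturation, the same volume concentrated on a subset cuts off exactly the users homed on that subset, and doubling the number of edge proxies doubles the tolerable spread attack.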


Source: www.habr.com
