Denial Of Service Flooding Detection In Anonymity Networks
1. MonAM 2007
LAAS-CNRS, Toulouse, France
5. November 2007
Denial-of-Service Flooding Detection in Anonymity Networks
Jens Oberender, Melanie Volkamer, Hermann de Meer
Computer Networks & Communications Group; Institute for IT-Security and Security Law; University of Passau, Germany
Network of Excellence: Design and Engineering of the Future Generation Internet (IST-028022)
Performance Measurement and Management for Two-Level Optimization of Networks and Peer-to-Peer Applications (GR/S69009/01)
2. Attacks in Anonymity Networks
Chaum's Mixer
A sender remains anonymous if an adversary catches no evidence on sender identity.
[Figure: attacks at the Application, Transport, Network and Data Link layers; DoS. Sender -> Gateway -> Anonymity Network -> Detection -> Receiver]
How to protect receivers from anonymous flooding attacks?
1. Enable traffic flow detection: DoS attack detection
2. Prevent anonymity breach: protect sender identity
Message Tagging
07.11.2007 DoS Flooding Detection in Anonymity Networks 2
3. Linkability Continuum
Two messages are linkable by an adversary if evidence on their relation can be provided.
[Figure: # Messages per Profile from 1 to ∞; Message Linkability: None, Limited, Lifelong]
Pseudonyms
– Adversary links all messages: malicious profiling
Unobservability
+ Observer cannot link any messages together
Limited Linkability
Restricted number of linkable messages
Enables traffic flow clustering
4. Attacker Model
Assumptions
• Anonymity Network unbroken
• Access Control Entity trusted by sender & receivers
Privacy Adversary
• Aim: disclose sender anonymity
• Observe incoming tags
• Collude with other DoS engines
[Figure: Attacker/Sender -> Anonymity Network -> Access Control / DoS Mitigation (Adversary) -> Receiver]
Message Flooding Attacker
• Aim: Denial-of-Service
• Exhausts victim resources
Security Objectives
1. Limited linkability
2. Linkability resistant to malicious influence
5. Message tagging
Fast, local traffic flow cluster criteria
Hash from characteristic strings (key derivation function)
Values not comparable with fresh salt
Linkability control
Tag properties
• Sender: differentiate senders
• Receiver: disables cross-server profiling
• Time Frame: disables lifelong linkability
6. Internal vs. External Tags
Anonymity Attack using external tags
• Collude to learn anonymous paths
Proposed internal Message Tagging
• h(SenderX, Receiver, )
• Tags reside within encrypted channel
7. Clustering of Anonymous Traffic Flows
Anonymous Messages
• Header data stripped off, application level analysis needed
[Figure: Message Tag vs. Time at Access Control Entity; Regular Use vs. Flooding; Arrival rate]
Message tags enable flow clustering
• h(SenderX, Receiver, )
• Clusters of [ Sender, , ] at Engine
Detection frames cluster partial message flows
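As an added illustration (not code from the slides or the authors), a Python sketch of the tagging and clustering described on slides 5 to 7: the tag is a keyed hash over the characteristic strings, salted per time frame, and the access control entity clusters arrivals per tag within a detection frame and flags clusters whose arrival rate is too high. The HMAC-derived per-frame salt, the 60 s frame length, the threshold and the sender names are assumptions; the slides leave the third argument of h(...) unnamed, and the example assumes it is the Time Frame listed under tag properties.

```python
import hashlib
import hmac
from collections import Counter

# Assumed parameters (constructed, not from the slides): 60 s time frames and
# an arbitrary per-frame arrival threshold for the detection engine.
FRAME_SECONDS = 60
RATE_THRESHOLD = 10

def time_frame(ts: float) -> int:
    """Index of the time frame an arrival timestamp falls into."""
    return int(ts // FRAME_SECONDS)

def frame_salt(master: bytes, frame: int) -> bytes:
    """Fresh salt per time frame, derived from a shared master secret (assumed scheme)."""
    return hmac.new(master, str(frame).encode(), hashlib.sha256).digest()

def message_tag(sender: str, receiver: str, ts: float, master: bytes) -> str:
    """Internal tag h(Sender, Receiver, TimeFrame): keyed hash over the
    characteristic strings, salted per frame. Equal within a frame (clustering),
    different across receivers and across frames (limited linkability)."""
    frame = time_frame(ts)
    data = f"{sender}|{receiver}|{frame}".encode()
    return hmac.new(frame_salt(master, frame), data, hashlib.sha256).hexdigest()[:16]

def cluster_arrivals(arrivals):
    """Access control entity view: only (tag, timestamp) is visible, header data
    is stripped. Counts arrivals per (frame, tag) cluster."""
    counts = Counter()
    for tag, ts in arrivals:
        counts[(time_frame(ts), tag)] += 1
    return counts

def flooding_clusters(counts, threshold=RATE_THRESHOLD):
    """Clusters whose arrival rate within one detection frame reaches the threshold."""
    return {key: n for key, n in counts.items() if n >= threshold}

def demo():
    master = b"constructed master secret"   # constructed; shared by gateway and entity
    arrivals = [(message_tag("alice", "R1", ts, master), ts) for ts in (5.0, 30.0, 70.0)]
    arrivals += [(message_tag("mallory", "R1", 10.0 + i, master), 10.0 + i) for i in range(12)]
    counts = cluster_arrivals(arrivals)
    tag = lambda s, r, ts: message_tag(s, r, ts, master)
    return {
        "flagged": flooding_clusters(counts),             # only mallory's cluster
        "regular_max": max(n for (_, t), n in counts.items() if t == tag("alice", "R1", 5.0)),
        "linkable_same_frame": tag("alice", "R1", 5.0) == tag("alice", "R1", 30.0),   # True
        "linkable_cross_frame": tag("alice", "R1", 5.0) == tag("alice", "R1", 70.0),  # False
        "linkable_cross_server": tag("alice", "R1", 5.0) == tag("alice", "R2", 5.0),  # False
    }
```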
8. Clustering of time-based Tags
[Figure]
9. Scalability Issues
Clock skew in distributed systems: misuse degrades linkability
Access control entity
• Counts messages per sender
[Figure: per-sender count per message tag; logarithm effects on tag]
Traffic flow classification
• Arrival rate per message tag
• Activity profiling
10. Sender Linkability
Scales with message volume
• Depends on arrival rate towards each receiver
• Message tag collisions
[Figure: Access Control Entity 1 and Entity 2; DoS Detection and Flooding over Time with an Offset]
Flow splitting increases linkability
Incentive mechanism
• Strategic players' goal: maximize privacy
• Inoffensive communication encouraged
11. Multiple sender identities
Equivalent to DDoS
• No defense against attacks from different sender identities, but…
Example BotNets
• Anonymity for attacker only
• Proxy functionality
• Yet these don't spy SMTP authentication
Anonymity networks
• No need to operate a BotNet
• Anonymous attacks using real identity
• Hard-to-detect without add-ons
Benefits the privacy of the broad public!
12. Conclusions
Partial traffic flows
• Ability to detect Anonymous DoS Flooding Attacks
• State-of-the-art techniques applicable
Sender Anonymity maintained
Sender Privacy
• Defense of cross-server profiling
• Restricted amount of messages linkable
Arrival Rate and Linkability
Jens Oberender <jens.oberender@uni-passau.de>