Comparing Chord, CAN, and Pastry Overlay Networks for Resistance to DoS Attacks

Hakem Beitollahi (Hakem.Beitollahi@esat.kuleuven.be) and Geert Deconinck (Geert.Deconinck@esat.kuleuven.be)
Katholieke Universiteit Leuven, Electrical Engineering, Kasteelpark Arenberg 10, Leuven, Belgium

Abstract

Overlay networks enable applications to communicate with users without disclosing their IP addresses; hence overlay networks are used to protect applications against DoS attacks by hiding an application's location. This paper analyzes three popular overlay networks (Chord, CAN, and Pastry) by simulation to answer the question: which topology is more favorable for location-hiding and for resisting DoS attacks? Simulation results show that a CAN overlay network has a better topology structure for location-hiding and resistance against DoS attacks than Chord and Pastry. Simulation results also show that topologies with a low average vertex degree are favorable for location-hiding techniques.

1 Introduction

A Denial-of-Service (DoS) attack is a major security threat against availability in the Internet [4, 6]. In a DoS attack, attackers consume resources on which either the applications or access to the applications depend, making the applications unavailable to users [6]. Location-hiding is an active area of research for resisting DoS attacks [13, 12, 5, 14]. With this technique, application sites can hide their locations (IP addresses) and thereby prevent DoS attacks. Overlay networks enable applications to communicate with users without disclosing their IP addresses; hence overlay networks are used to protect applications against DoS attacks by hiding an application's location. An overlay network is used to mediate all communications between application sites and users.
As long as the mediation can be enforced, the overlay network is the only public interface for reaching an application site, and the application site cannot be directly attacked. Many works [5, 9, 14] have employed overlay networks for location-hiding as a technique for resisting DoS attacks. For example, Secure Overlay Services (SOS) [5] protects applications against flooding DoS attacks by installing filters around applications and only allowing traffic from secret servlets. SOS uses Chord to mediate communication between users and application sites. Mayday [1] and the Internet Indirection Infrastructure (i3) [10] are other examples that use overlay networks for location-hiding.

A question that may be posed is which overlay network topology is better for location-hiding, since the effectiveness of a location-hiding scheme surely relies on the overlay network topology. Based on an analytical model, [14] shows that overlay networks with low average degrees and a balanced distribution of connectivity are in general good candidates for location-hiding, because they are reasonably easy to make robust and they do not have vulnerable regions that harbor the attackers' impact. Furthermore, [14] compares Chord [11] and CAN [7] by an analytical model and shows that CAN is better than Chord for location-hiding.

The contribution of this paper is to evaluate the performance of the Chord, CAN, and Pastry [8] topologies for the location-hiding scheme by simulation. It confirms the results of [14] by simulation (the simulation and the analytical model give the same result) and shows that topologies with a low average vertex degree are favorable for the location-hiding technique. This paper shows by both simulation and the analytical model that CAN, Chord and Pastry are better in that order.

Acknowledgements: This project is partially supported by the K.U.Leuven Research Council (project GOA/2007/09) and by the European Commission (projects IST-4-2753 CRUTIAL and IST-4-026923 GRID).
This paper also shows by simulation that overlay networks play an important role in location-hiding against DoS attacks. The rest of this paper is structured as follows. Section 2 studies the location-hiding technique via overlay networks. Section 3 compares Chord, CAN, and Pastry by the analytical model. Section 4 compares Chord, CAN, and Pastry by the simulation model. Finally, Section 5 summarizes the paper.

2 Location-Hiding Technique via Overlay Networks

The location-hiding technique is an important component of a complete solution to DoS attacks. It gives application sites the capability to hide their locations and thereby prevent DoS attacks, which depend on knowledge of the victim's IP address. Overlay networks have been proposed as a means for location-hiding [5, 9, 14]. Figure 1 shows the generic overlay scheme that hides an application's location from DoS attacks. We assume that an application is reachable only via the overlay network. As the figure shows, an overlay network is used to mediate all communications with application sites. As long as the mediation can be enforced, the overlay network is the only public interface for reaching an application site, and the application site cannot be directly attacked.

In this scheme, application sites do not publish their IP addresses and hide themselves behind an overlay network. The overlay network runs on a resource pool of Internet hosts. The overlay network also hides the IP addresses of its internal nodes; only the edge nodes of the overlay publish their IPs to the public. Overlay nodes communicate via the routing algorithm of the overlay protocol, which is based on a hash function of IP addresses; hence the IP addresses of internal nodes are kept secret. Users can only access the application by contacting these edge proxies. No one can easily disclose the IP addresses of applications and overlay internal nodes, which prevents DoS attacks. If the overlay nodes are attacked, the overlay can reconfigure itself, thereby removing the impact of the attackers. By reconfiguration we mean that the overlay can dynamically change the location of edge and internal nodes or change its structure, because the overlay has a sufficient resource pool of Internet hosts.
In this paper we use this generic model of overlay networks to compare Chord, CAN, and Pastry and try to understand which topology is the better candidate for location-hiding.

Figure 1. Location-Hiding Technique by Overlay Networks (legend: overlay node, edge node, Internet host, user, attacker, malicious traffic; the overlay runs on a resource pool drawn from the IP network)

3 Comparing Chord, CAN, and Pastry by an Analytical Model

The analytical model of [14]: suppose that G is the graph of the overlay network. The model is denoted M(G, α, β, γ). At any time t every vertex in G is in one of three states: intact, exposed, and compromised. The vertices in graph G may change their states simultaneously: α is the probability that an exposed vertex changes to the compromised state, i.e., a node is successfully attacked during the time step; β is the probability that a compromised vertex changes to the intact state, i.e., a successful overlay network reconfiguration during a time step; γ is the probability that an exposed vertex changes to the intact state. It represents the level of coordination among the attackers and the ability of the attackers. Graph G is robust if all nodes in G can be changed into the intact state after a long run. Graph G is vulnerable if there always exists a significant number of compromised nodes in G at any time. A mathematical analysis, given the parameters α, β, and γ, characterizes the class of graphs G that are robust and the class that are vulnerable. Two theorems proved in [14] are used for this analysis.

Theorem 1: for the model M(G, α, β, γ), let σ be the largest eigenvalue of the adjacency matrix of G; then the graph G is robust if

    β(α + γ)/α  σ    (1)

Theorem 2: for the model M(G, α, β, γ), let λ = max_{i 0} λ_i, where λ_i is the Laplacian spectrum of
G; then the graph G is vulnerable if

    β/α < 1/λ_2    (2)

σ is an important property of a graph, characterizing graph connectivity. Informally, σ is the average vertex degree of the graph [2]. The Laplacian spectrum λ is another important property that characterizes graph connectivity [2]. In summary, based on these two theorems, [14] derives two important design principles for comparing overlay networks from the location-hiding point of view:

1. Topologies with low average vertex degrees (small σ) are favorable.
2. Topologies with a balanced distribution of connectivity (small 1/λ_2) are favorable.

The Chord topology is a regular graph with degree 2 log_2 N, where N is the number of vertices in the graph. The CAN topology is a regular d-dimensional Cartesian graph with degree 2d. The Pastry topology is a regular graph with degree (2^b - 1) log_{2^b} N, where N is the number of vertices in the graph and b is a configuration parameter with typical value 4. Tables 1, 2 and 3 show the topological properties relevant to these two theorems for Chord, CAN, and Pastry. The theorems show that CAN, Chord, and Pastry perform better in that order.

Table 1. Topological Properties of Chord [14]

  N      Diameter   σ     1/λ_2
  128    4          13    1.086
  256    4          15    0.859
  512    5          17    0.70
  1024   5          19    0.604
  2048   6          21    0.526
  4096   6          23    0.465

Table 2. Topological Properties of CAN [14]

  N      Diameter   σ     1/λ_2
  128    8          6     0
  256    10         6     0
  512    12         6     0
  1024   16         6     0
  2048   19         6     0
  4096   24         6     0

Table 3. Topological Properties of Pastry

  N      Diameter   σ     1/λ_2
  128    14         26    2.33
  256    16         30    1.58
  512    18         33    1.489
  1024   20         37    1.22
  2048   22         41    0.988
  4096   24         45    0.88

4 Comparing Chord, CAN, and Pastry by Simulation

In this section we compare Chord, CAN, and Pastry by simulation to understand which topology is the better candidate for location-hiding. We implement a simulator that is composed of two main procedures: the overlay network and the attack toolkit. The implementation of the overlay network is the basic framework for the simulation.
To do this we implement Chord, CAN, and Pastry in C++ based on [11], [7], and [8] respectively. To implement the attack toolkit, we program the basic structure of Trinoo [3] in C++ to generate both DoS and DDoS attacks. The attack toolkit consists of two basic sub-procedures: the daemon and the master. Several daemon sub-procedures are controlled by the master sub-procedure. Daemons simply send malicious traffic to the targets at the start time determined by the master. The simulation makes the following assumptions:

- Attackers only know the IP addresses of the edge nodes of the overlay network.
- If an edge node is attacked, the neighbor nodes of that edge node are compromised and can be attacked by the attackers.
- In a DDoS attack, attackers have a bounded and fixed amount of bandwidth with which to attack the architecture. For instance, attackers can attack at most X edge nodes simultaneously (X < N, where N is the total number of edge nodes).
- In every experiment we assume a sufficient resource pool of Internet hosts.

To access an application, users connect to edge nodes and then reach the application via the overlay routing protocol. In our simulation model every user has a uniformly random deadline (expected response time) for accessing an application. If an edge node is attacked, the overlay reconfigures itself and switches the users of that edge node to another random edge node. However, several edge nodes may be attacked simultaneously in the DDoS scenario, or several edge nodes may be attacked in succession within a short period. Also, in the case of an attack against an edge node, some internal nodes (the neighbor nodes of that edge node) may be attacked at random.
In that case, if a user's request deadline passes, the simulator registers a successful attack. So our simulation determines the probability of a successful attack during attacks on the system. By successful attack we mean that the overlay cannot connect a user to the requested application before the user's deadline.

Experiments are done in two cases: overlay without repair and overlay with repair. In the former, if a node (edge or internal) is attacked, the overlay simply removes the node and switches the users of the attacked edge node to another random edge node. The overlay takes no action toward repairing the attacked node, and the attacked node never returns to the overlay. In the latter, the attacked node (edge or internal) can return to the overlay after the attack terminates. The scenario for the overlay with repair is as follows. When the overlay identifies an attacked node, that node is removed from the overlay. When an attacker identifies that a node it is attacking no longer resides in the overlay, it redirects its attack towards a node that does still reside in the overlay. Once the attacked node has been removed, the attack against that node terminates and the node returns to the overlay after a delay D_r. D_r is the repair delay for reconfiguration. There is also an attack delay, D_a, which equals the time between the removal of an attacked node from the overlay and the moment when the attacker (realizing the node it is attacking has been removed) redirects the attack toward a new node in the overlay. We assume both D_a and D_r are exponentially distributed random variables with respective rates λ and µ.

The first experiment compares Chord, CAN, and Pastry in the first case, the overlay without repair. The experiment is done for N = 200 (N is the total number of overlay nodes), with n_g = 32 and n_g = 64 (n_g is the total number of edge nodes).
Figure 2 shows the probability of a successful attack as the number of attacked edge nodes varies along the x-axis. A first observation of this figure is that CAN is better than Chord, while Chord is better than Pastry. For the overlay with 32 edge nodes, the likelihood of an attack successfully terminating communication between a user and an application is negligible when fewer than half of the edge nodes are attacked, in all case studies: Chord, CAN, and Pastry. However, when about 85% of the edge nodes are attacked, the probability of a successful attack for CAN is about 0.3, while for Chord and Pastry it is about 0.45 and 0.70 respectively. As the average vertex degree of CAN is less than that of Chord and Pastry, the number of nodes that can be attacked in CAN is smaller than in the other two, because the edge nodes of CAN have fewer neighbor nodes than those of the other two (the same analysis applies between Chord and Pastry). For the overlay with 64 edge nodes the story is the same. In this case (overlay without repair), when all edge nodes are attacked there are no public nodes through which users can connect to the overlay, so the probability of a successful attack is one. We also simulated a DDoS attack in this case (overlay without repair), but a DDoS attack against an overlay without repair offers no additional chance of a successful search, hence we omit it here.

The second and third experiments compare Chord, CAN, and Pastry in the second case, the overlay with repair, for the DoS and DDoS scenarios respectively. Figure 3 shows the probability of a successful attack as ρ = λ/µ varies along the x-axis.

Figure 2. Probability of successful attack in the DoS scenario for the overlay without repair (y-axis: probability of successful search, log scale; x-axis: number of attacked edge nodes, 0 to 64; curves for ng=32 and ng=64, each for Chord, CAN and Pastry)

Figure 3. Probability of successful attack in the DoS scenario for the overlay with repair (y-axis: probability of successful attack, log scale; x-axis: ρ, log scale; curves for Chord, CAN and Pastry)
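As an added worked example (not code from the paper and not its C++ simulator), the following Python script builds idealised versions of two of the topologies, computes σ and 1/λ_2 as the analytical model of Section 3 defines them, applies both theorems for a chosen (α, β, γ), and counts how many overlay nodes an attack on a few edge nodes takes out under the Section 4 assumption that an attacked edge node's neighbours are compromised. Everything below is an assumption of this example: the Chord graph is a fully occupied 2^m identifier ring (undirected degree 2m - 1, the same values as the σ column of Table 1), the CAN graph is a 3x3x3 torus, the edge-node set and the (α, β, γ) values are constructed for the demonstration, and the comparison in Theorem 1 is taken as "greater than or equal to", the direction under which a small σ is favourable. The numbers therefore illustrate the method rather than reproduce Tables 1 to 3 or the paper's simulation.

```python
import math


def chord_adjacency(n):
    """Idealised Chord ring (constructed for this example): all n = 2^m
    identifiers are occupied and node i keeps a finger to (i + 2^k) mod n for
    k = 0..m-1 (k = 0 is the successor).  Undirected, the +n/2 finger is
    shared by both endpoints, so every node has degree 2m - 1."""
    m = n.bit_length() - 1
    assert 1 << m == n, "idealised Chord needs n to be a power of two"
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        for k in range(m):
            j = (i + (1 << k)) % n
            adj[i][j] = adj[j][i] = 1
    return adj


def can_adjacency(side, dims):
    """d-dimensional CAN torus with `side` zones per axis (side >= 3): each zone
    links to both neighbours along every axis, the regular degree 2d of CAN."""
    n = side ** dims
    adj = [[0] * n for _ in range(n)]
    for i in range(n):
        coords = [(i // side ** ax) % side for ax in range(dims)]
        for ax in range(dims):
            for step in (1, -1):
                nbr = list(coords)
                nbr[ax] = (nbr[ax] + step) % side
                j = sum(nbr[k] * side ** k for k in range(dims))
                adj[i][j] = adj[j][i] = 1
    return adj


def symmetric_eigenvalues(matrix, tol=1e-18, max_sweeps=60):
    """All eigenvalues of a real symmetric matrix by cyclic Jacobi rotations
    (pure Python, so the example runs without numpy)."""
    a = [row[:] for row in matrix]
    n = len(a)
    for _ in range(max_sweeps):
        if sum(a[p][q] ** 2 for p in range(n) for q in range(p + 1, n)) < tol:
            break
        for p in range(n):
            for q in range(p + 1, n):
                if abs(a[p][q]) < 1e-300:
                    continue
                theta = (a[q][q] - a[p][p]) / (2.0 * a[p][q])
                t = math.copysign(1.0, theta) / (abs(theta) + math.hypot(theta, 1.0))
                c = 1.0 / math.hypot(t, 1.0)
                s = t * c
                for k in range(n):  # A <- A J: rotate columns p and q
                    akp, akq = a[k][p], a[k][q]
                    a[k][p], a[k][q] = c * akp - s * akq, s * akp + c * akq
                for k in range(n):  # A <- J^T A: rotate rows p and q
                    apk, aqk = a[p][k], a[q][k]
                    a[p][k], a[q][k] = c * apk - s * aqk, s * apk + c * aqk
    return sorted(a[i][i] for i in range(n))


def spectral_metrics(adj):
    """sigma: largest adjacency eigenvalue (the average degree for a regular
    graph); lambda2: second-smallest Laplacian eigenvalue, whose reciprocal is
    the 1/lambda_2 column of the tables."""
    n = len(adj)
    sigma = symmetric_eigenvalues(adj)[-1]
    laplacian = [[(sum(adj[i]) if i == j else 0) - adj[i][j] for j in range(n)]
                 for i in range(n)]
    lambda2 = symmetric_eigenvalues(laplacian)[1]
    return sigma, lambda2


def classify(sigma, lambda2, alpha, beta, gamma):
    """Theorems 1 and 2 of the model M(G, alpha, beta, gamma).
    Robust    : beta*(alpha+gamma)/alpha >= sigma  (the '>=' is an assumption of
                this example: the direction under which small sigma is favourable)
    Vulnerable: beta/alpha < 1/lambda2             (as stated in the paper)"""
    robust = beta * (alpha + gamma) / alpha >= sigma
    vulnerable = beta / alpha < 1.0 / lambda2
    return robust, vulnerable


def compromised_after_edge_attack(adj, edge_nodes, attacked):
    """Section 4 assumption: attacking an edge node also compromises its overlay
    neighbours.  Returns every node taken out when `attacked` (a subset of the
    public edge nodes) is hit; a lower-degree topology loses fewer nodes."""
    assert attacked <= edge_nodes, "attackers only know the edge nodes"
    lost = set(attacked)
    for e in attacked:
        lost.update(j for j, link in enumerate(adj[e]) if link)
    return lost


if __name__ == "__main__":
    # Parameter values and the edge-node set below are constructed for the demo.
    alpha, beta, gamma = 0.1, 0.7, 0.9  # threshold beta*(alpha+gamma)/alpha = 7
    for name, adj in (("Chord, N=32", chord_adjacency(32)),
                      ("CAN, 3x3x3", can_adjacency(3, 3))):
        sigma, lam2 = spectral_metrics(adj)
        robust, vulnerable = classify(sigma, lam2, alpha, beta, gamma)
        lost = compromised_after_edge_attack(adj, set(range(8)), {0, 1, 2})
        print(f"{name}: sigma={sigma:.2f}, 1/lambda2={1 / lam2:.3f}, "
              f"robust={robust}, vulnerable={vulnerable}, "
              f"nodes lost to 3 attacked edge nodes={len(lost)} of {len(adj)}")
```

With the constructed parameters the reconfiguration threshold β(α + γ)/α is 7, so the 3x3x3 CAN torus (σ = 6) is classified robust while the 32-node Chord ring (σ = 9) is not, which is the design principle of Section 3 in miniature; the neighbour count of the last function shows the same degree effect that Section 4 uses to explain why fewer CAN nodes become attackable when an edge node is hit.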
In the second experiment (Figure 3), as the overlay takes repair action, the chance that attackers successfully deny a user access to an application is quite negligible, especially when the repair speed exceeds the attack speed (ρ < 1). In fact, when ρ < 1 the probability of a successful attack is around zero. However, again we can see that CAN is better than Chord and Pastry.

Figure 4 shows the probability of a successful attack as ρ = λ/µ varies along the x-axis for the DDoS scenario. In this experiment N = 200 (N is the total number of overlay nodes) and n_g = 100 (n_g is the total number of edge nodes) are constant, while n_a (the maximum number of edge nodes the attackers can attack simultaneously) is varied.

Figure 4. Probability of successful attack in the DDoS scenario for the overlay with repair (y-axis: probability of successful attack, 0 to 1; x-axis: ρ, log scale; curves for na=50 and na=90, each for Chord, CAN and Pastry)

A first observation of this figure is that CAN is clearly better than Chord against a DDoS attack, and Chord is better than Pastry (the main contribution of this paper). This figure also shows that when an attack is distributed (DDoS), the fraction of time for which the attack is successful can be significant when a large fraction of the edge nodes in the overlay is attacked, even when ρ < 1. From this figure we can understand that although a DDoS attack is harder to tolerate than a DoS attack, for n_a ≤ n_g/2 it can be tolerated. For instance, when n_a = 50 and ρ ≤ 10 the probability of a successful attack is less than 20%. In summary, these experiments confirm both theorems of the analytical model of [14] and also confirm that topologies with a low average vertex degree (CAN relative to Chord and Pastry) are favorable for the location-hiding technique.

5 Conclusion

This paper compares the Chord, CAN, and Pastry overlay networks against DoS attacks for the location-hiding technique via a simulation approach. Simulation results show that CAN, Chord, and Pastry have better topology structures against DoS attacks, in that order. Simulation results also confirm the analytical model of [14] and show that topologies with a low average vertex degree (CAN relative to Chord and Pastry) are favorable for the location-hiding technique. Simulation results show that overlay networks play an important role in location-hiding against DoS attacks.

References

[1] D.G. Andersen. Mayday: distributed filtering for internet services. In Proceedings of the 4th USENIX Symposium on Internet Technologies and Systems, 2003.
[2] F. Chung. Spectral Graph Theory. ACM publications, 1997.
[3] D. Dittrich.
The DoS project's trinoo distributed denial of service attack tool. University of Washington, 1999.
[4] L. Gordon et al. CSI/FBI Computer Crime and Security Survey. Computer Security Institute, http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/fbi2004.pdf, 2004.
[5] A.D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure overlay services. In Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '02), August 2002.
[6] D. Moore, G.M. Voelker, and S. Savage. Inferring internet denial-of-service activity. In Proceedings of the USENIX Security Symposium. USENIX Association, 2001.
[7] S. Ratnasamy, P. Francis, M. Handley, R. Karp, and S. Shenker. A scalable content addressable network. In Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '01), pages 27 3, 2001.
[8] A. Rowstron and P. Druschel. Pastry: scalable, decentralized object location and routing for large-scale peer-to-peer systems. In Proceedings of the 18th IFIP/ACM International Conference on Distributed Systems Platforms (Middleware '01), November 2001.
[9] A. Stavrou et al. WebSOS: An overlay-based system for protecting web servers from denial of service attacks. The International Journal of Computer and Telecommunications Networking, 48(5):781-807, August 2005.
[10] I. Stoica, D. Adkins, S. Zhuang, S. Shenker, and S. Surana. Internet indirection infrastructure. In Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '02), 2002.
[11] I. Stoica, R. Morris, D. Karger, F. Kaashoek, and H. Balakrishnan. Chord: A scalable peer-to-peer lookup service for internet applications. In Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '01), pages 149-160, 2001.
[12] J. Wang and A.A. Chien. Using overlay networks to resist denial-of-service attacks. Technical report, CSE Department, University of California, San Diego, 2003.
[13] J. Wang and A.A. Chien. Understanding when location-hiding using overlay networks is feasible. Elsevier Journal of Computer Networks, special issue on overlay distribution structures and their applications, 2005.
[14] J. Wang, L. Lu, and A. Chien. Tolerating denial-of-service attacks using overlay networks: impact of topology. In Proceedings of the ACM Workshop on Survivable and Self-Regenerative Systems, 2003.