Talk Transcript
Protecting Web Servers from
Content Request Floods
Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪
Matthias Jacob
CSAIL – MIT
The Attack
Diagram: clients send requests such as "GET LargeFile.zip" and "DO LongDBQuery" to www.foo.com.
Want to protect DB and disk bandwidth, socket buffers, processes, ...
Hard to detect or counter because malicious requests look normal!
A Fairness Problem – Filters
Diagram: Humans and Machines -> User Filter -> Server Resources
Problem – Each machine gets an equal share
Solution – Ensure that each human gets an equal share
Establishing Fairness
Use a Reverse Turing Test. The server shows an image of letters with the prompt: "Suspected attack! To access www.foo.com enter the above letters:"
Client: "Give me www.foo.com"
Server: "Under attack. Come back later. BTW, can solve test to access now."
Existing Solutions vs. Our Solution
Our solution has 2 modes: Normal and Under Attack.
Common case: server behavior unchanged.
Solution Overview
Client / Server exchange when under attack:
  Client sends SYN; server replies with a SYN cookie (in the SYNACK).
  Client sends SYNACKACK; server ignores it (no connection state yet).
  Client sends the HTTP request; server verifies the SYN cookie, sends the test, and closes with a TCP RST.
Other characteristics:
  One test per session
  Tests generated offline
  Test expires
  Replay attacks are harmless
  Each answer grants up to 4 TCPs
  Can't attack by duplicating answers
  No connection until test answered
Solution Overview – unmodified server
Client -> N/W stack -> App server:
  SYN; N/W stack enters SYN RECV state and replies SYNACK
  SYNACKACK
  HTTP request; N/W stack establishes the connection and passes the request to the app server
  HTTP response
Vulnerable to SYN floods
Solution Overview – under attack, request without a test answer
Client -> N/W stack -> App server:
  SYN; N/W stack creates a SYN cookie and replies with it
  SYNACKACK; ignored
  HTTP request; N/W stack verifies the cookie, sends out a test from memory, and replies RST
The app server never sees the request.
Common case (no attack): the stack establishes the connection and forwards the HTTP request; the app server returns the HTTP response unchanged.
Solution Overview – under attack, request with a test answer
Client -> N/W stack -> App server:
  SYN; N/W stack creates a SYN cookie and replies with it
  SYNACKACK; ignored
  Test answer (with the HTTP request); N/W stack verifies the cookie & answer, establishes the connection and passes the request to the app server
  HTTP response
Grant access if answer is correct
Tests are generated offline
Common case (no attack): unchanged
Solution Overview – summary
  SYN -> create cookie -> SYN cookie
  SYNACKACK -> ignore
  HTTP request without an answer -> verify cookie -> send test, RST
  Test answer -> verify cookie & answer -> HTTP response
Server behavior unchanged (common case)
Create session after a correct answer
Up to 4 TCP connections per answer
One test per browsing session
Tests generated offline
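The handshake on the preceding slides, written out as a runnable simulation. This is an added example, not the authors' implementation: messages are Python dicts instead of packets, the SYN cookie is an HMAC over the client address and a time slot (an assumed construction), the 300 s test lifetime and 64 s cookie slot are assumed values, and a string stands in for the image of letters. It walks through the normal-mode path, the test-plus-RST path for a request with no answer, the 4-connection cap that makes replayed and redistributed answers harmless, cookie verification, and test expiry.

```python
import hashlib
import hmac
import secrets
import time
from collections import namedtuple

MAX_CONNS_PER_ANSWER = 4   # slide: "each answer grants up to 4 TCPs"
TEST_LIFETIME = 300        # seconds before a test expires (value is an assumption)
COOKIE_SLOT = 64           # seconds per SYN-cookie time slot (assumption)

# challenge stands in for the image of letters the user is asked to type
Test = namedtuple("Test", "test_id challenge answer issued_at")


class Server:
    # Network-stack side. No per-SYN state: the only state is the offline test
    # pool and, per test, how many connections its answer has already bought.
    def __init__(self, clock=time.time):
        self.clock = clock
        self.secret = secrets.token_bytes(32)
        self.under_attack = False
        self.tests = {}        # test_id -> Test, generated offline
        self.uses = {}         # test_id -> connections granted on that answer
        self.established = 0   # connections handed to the app server
        self._next_id = 0

    def generate_tests(self, n):
        # Offline generation: serving a test later is a memory read, not CPU work.
        for _ in range(n):
            letters = secrets.token_hex(3)
            self.tests[self._next_id] = Test(self._next_id, f"<image:{letters}>", letters, self.clock())
            self._next_id += 1

    def _cookie(self, client, slot):
        mac = hmac.new(self.secret, f"{client}|{slot}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")   # 32-bit value, usable as the ISN

    def on_syn(self, client):
        # SYN -> SYNACK carrying a SYN cookie; nothing is stored, so a SYN flood costs nothing.
        return {"type": "SYNACK", "cookie": self._cookie(client, int(self.clock()) // COOKIE_SLOT)}

    def _cookie_ok(self, client, cookie):
        slot = int(self.clock()) // COOKIE_SLOT
        return cookie in (self._cookie(client, slot), self._cookie(client, slot - 1))

    def _answer_ok(self, answer):
        test_id, letters = answer
        test = self.tests.get(test_id)
        if (test is None or self.clock() - test.issued_at > TEST_LIFETIME       # unknown or expired
                or self.uses.get(test_id, 0) >= MAX_CONNS_PER_ANSWER):          # answer already spent
            return False
        return hmac.compare_digest(letters, test.answer)

    def on_request(self, client, cookie, answer=None):
        # First data packet after the handshake (the bare SYNACKACK itself is ignored).
        if not self._cookie_ok(client, cookie):
            return {"type": "DROP"}            # forged or stale handshake
        if not self.under_attack:              # common case: server behaviour unchanged
            self.established += 1
            return {"type": "HTTP 200"}
        if answer is not None and self._answer_ok(answer):
            self.uses[answer[0]] = self.uses.get(answer[0], 0) + 1
            self.established += 1              # session created only after a correct answer
            return {"type": "HTTP 200"}
        fresh = (t for t in self.tests.values() if self.clock() - t.issued_at <= TEST_LIFETIME
                 and self.uses.get(t.test_id, 0) < MAX_CONNS_PER_ANSWER)
        test = next(fresh, None)               # served from memory, then the connection is reset
        return {"type": "TEST+RST", "test_id": test.test_id, "challenge": test.challenge} if test else {"type": "RST"}


def handshake(server, client, answer=None):
    # Client side: SYN, take the cookie from the SYNACK, send the request (with an answer if any).
    return server.on_request(client, server.on_syn(client)["cookie"], answer)


def read_image(reply):
    # Stand-in for the human reading the letters off the image.
    return (reply["test_id"], reply["challenge"].split(":")[1].rstrip(">"))


def run_scenario():
    clock = [1_000_000.0]
    server = Server(clock=lambda: clock[0])
    server.generate_tests(8)
    results = {"normal": handshake(server, "10.0.0.1:40001")["type"]}
    server.under_attack = True
    # a bot that never answers gets a test plus RST and no connection
    before = server.established
    results["bot"] = (handshake(server, "10.0.0.2:40002")["type"], server.established - before)
    # a human answers once and reuses the answer; the 5th connection on it is refused
    answer = read_image(handshake(server, "10.0.0.3:40003"))
    results["human"] = [handshake(server, "10.0.0.3:40003", answer)["type"] for _ in range(5)]
    results["replay"] = handshake(server, "10.0.0.4:40004", answer)["type"]   # worm replaying it
    bad_cookie = server.on_syn("10.0.0.5:40005")["cookie"] ^ 1
    results["forged"] = server.on_request("10.0.0.5:40005", bad_cookie)["type"]
    # a correct answer to a test older than TEST_LIFETIME is refused
    old_answer = read_image(handshake(server, "10.0.0.6:40006"))
    clock[0] += TEST_LIFETIME + 1
    server.generate_tests(8)                   # the offline generator refreshes the pool
    results["expired"] = handshake(server, "10.0.0.6:40006", old_answer)["type"]
    return results
```

Calling run_scenario() returns one result per case. The split between on_syn / on_request and the app server mirrors the slides' N/W Stack / App Server columns: every decision is taken in the network stack before any application resource is spent, and the only per-client state that survives a request is the use counter of an answered test.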
Extra – What If?
User doesn't want to solve the test?
  Client: "Give me www.foo.com"
  Server: "Under attack. Come back later. BTW, solve the test to access now."
Attacker distributes a few answers to all worms?
  Each test allows access to limited resources
Different from Prior Work
Crypto puzzles are easy since computation power is cheap
Yahoo! only protects disk space during account creation (Yahoo uses a reverse Turing test to protect disk space)
We want to receive requests, deliver puzzles, validate answers before establishing a TCP connection

Establishing Fairness (recap)
Use Reverse Turing Test: "Suspected attack! To access www.foo.com enter the above letters:"
Client: "Give me www.foo.com"
Server: "Under attack. Come back later. BTW, solve the test to access now."
Users who solve a test can access the server