DoS attacks are one of the largest threats to information security on the modern Internet. There are dozens of botnets that attackers rent to conduct such attacks.
Scientists from the University of San Diego conducted a study on how the use of proxies helps to reduce the negative effect of DoS attacks. We present the main points of this work.
Introduction: Proxy as a tool to combat DoS
Such experiments are periodically conducted by researchers from different countries, but their common problem is a lack of resources for modeling attacks that are close to reality. Tests on small testbeds cannot answer questions such as how successfully proxies will counteract an attack in complex networks or which parameters play a key role in minimizing damage.
For the experiment, the scientists created a model of a typical web application, for example an e-commerce service. It runs on a cluster of servers; its users are distributed across different geographic locations and access the service over the Internet. In this model, the Internet serves as the means of communication between the service and its users, which is how web services from search engines to online banking tools work.

DoS attacks make normal interaction between the service and its users impossible. There are two types of DoS: attacks at the application level and attacks at the infrastructure level. In the latter case, the attackers target the network itself and the hosts on which the service is running (for example, by flooding all available network bandwidth). In the case of an attack at the application level, the attacker's goal is the user interface: they send a huge number of requests to make the application crash. The described experiment concerned attacks at the infrastructure level.
Proxy networks are one of the tools for minimizing damage from DoS attacks. When a proxy is used, all requests from the user to the service and the responses to them are transmitted not directly but through intermediate servers. The user and the application do not "see" each other directly; only proxy addresses are available to them. As a result, it is impossible to attack the application directly. At the edge of the network are the so-called edge proxies, external proxies with reachable IP addresses; connections go to them first.

To successfully counter a DoS attack, a proxy network must have two key capabilities. First, it must act as a true intermediary, that is, the application can be reached only through it. This eliminates the possibility of a direct attack on the service. Second, the proxy network must allow users to continue interacting with the application even during an attack.
Experimental infrastructure
The study used four key components:
- an implementation of the proxy network;
- the Apache web server;
- the web testing tool Siege;
- the Trinoo attack tool.
The simulation was carried out in the MicroGrid environment - it can be used for simulations of networks with 20,000 routers, which is comparable to the networks of Tier-1 operators.
A typical Trinoo network consists of a set of compromised hosts running a daemon program. There is also monitoring software that controls the network and directs the DoS attacks. After receiving a list of IP addresses, the Trinoo daemon sends UDP packets to the targets at a specified time.
Two clusters were used during the experiment. The MicroGrid simulator ran on a Xeon Linux cluster of 16 nodes (2.4 GHz servers with 1 gigabyte of memory on each machine) connected via a 1 Gbps Ethernet hub. The other software components were located on a cluster of 24 nodes (450 MHz PII Linux servers with 1 GB of memory on each machine) connected by a 100 Mbps Ethernet hub. The two clusters were connected by a 1 Gbps channel.
The proxy network is located in a pool of 1000 hosts. Edge proxies are evenly distributed throughout the resource pool. The proxies that work with the application are placed on hosts closer to its infrastructure. The remaining proxies are evenly distributed between the edge proxies and the application proxies.
[Figure: simulation network]
To study the effectiveness of proxies as a tool for countering a DoS attack, the researchers measured the performance of the application under various external influences. In total, there were 192 proxies in the proxy network (64 of them edge proxies). A network of 100 daemons was created to carry out the attack. Each of the daemons had a 100 Mbps channel. This corresponds to a botnet of 10,000 home routers.
The researchers measured the impact of DoS attacks on the application and on the proxy network. In the experimental configuration, the application had a 250 Mbps Internet channel, and each edge proxy had a 100 Mbps channel.
Experimental results
The analysis showed that a 250 Mbps attack significantly increases the response time of the application (approximately ten times), making it impossible to use. However, when a proxy network is used, the attack does not have a significant impact on speed and does not impair the user experience. This happens because the edge proxies dilute the effect of the attack, and the total amount of proxy network resources is higher than that of the application itself.
According to statistics, if the attack power does not exceed 6.0 Gbps (even though the total bandwidth of the edge proxies is only 6.4 Gbps), then 95% of users do not experience a noticeable decrease in performance. However, in the case of a very powerful attack exceeding 6.4 Gbps, even a proxy network cannot prevent degradation of the service level for end users.

In concentrated attacks, the attack power is focused on a random set of edge proxies. In this case, the attack clogs up part of the proxy network, so a significant portion of users will notice a drop in performance.
Findings
The results of the experiment suggest that proxy networks can improve the performance of TCP applications and provide the usual level of service for users, even in the case of DoS attacks. According to the data obtained, proxy networks prove to be an effective way to minimize the effects of attacks; more than 90% of users during the experiment did not experience a decline in the quality of service. In addition, the researchers found that as the size of the proxy network increases, the scale of DoS attacks that it is able to withstand increases almost linearly. Therefore, the larger the network, the more effectively it will fight DoS.
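The capacity reasoning behind these results, as an added example that is not taken from the study or from the original article: a simplified fluid model in which users are spread evenly over the 64 edge proxies and a proxy counts as degraded once attack plus legitimate traffic exceeds its 100 Mbps uplink. The 5 Mbps of legitimate load per proxy and all function names are assumptions.

```python
"""Fluid capacity model of the edge-proxy layer (added illustration)."""
import random

EDGE_PROXIES = 64    # edge proxies in the article's setup
LINK_MBPS = 100.0    # uplink of each edge proxy in the article's setup
LEGIT_MBPS = 5.0     # ASSUMED legitimate load per edge proxy (not from the article)


def attack_load(total_mbps, targeted, n=EDGE_PROXIES, seed=1):
    """Split attack traffic evenly over `targeted` randomly chosen edge proxies."""
    if not 1 <= targeted <= n:
        raise ValueError("targeted must be between 1 and n")
    load = [0.0] * n
    for i in random.Random(seed).sample(range(n), targeted):
        load[i] = total_mbps / targeted
    return load


def affected_users(load, link=LINK_MBPS, legit=LEGIT_MBPS):
    """Fraction of users (spread evenly over proxies) behind a saturated uplink."""
    saturated = sum(1 for attack in load if attack + legit > link)
    return saturated / len(load)


def absorbable_attack(n=EDGE_PROXIES, link=LINK_MBPS, legit=LEGIT_MBPS):
    """Largest evenly spread attack (Mbps) that saturates no edge proxy."""
    return n * (link - legit)


if __name__ == "__main__":
    # Same total attack power, spread over all proxies vs. concentrated on a subset.
    for total, targeted in [(6000, 64), (6400, 64), (3200, 64), (3200, 16)]:
        share = affected_users(attack_load(total, targeted))
        print(f"{total} Mbps over {targeted} proxies: {share:.0%} of users affected")
    # Headroom grows linearly with the number of edge proxies.
    for n in (64, 128, 256):
        print(f"{n} edge proxies absorb up to {absorbable_attack(n):.0f} Mbps")
```

In this model a 3.2 Gbps attack spread over all 64 edge proxies affects nobody, while the same 3.2 Gbps concentrated on 16 of them saturates a quarter of the edge, which is the effect the concentrated-attack result describes.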