Protecting Web Servers from Content Request Floods
Srikanth Kandula, Shantanu Sinha, Dina Katabi, Matthias Jacob
CSAIL, MIT
The Attack
Figure: many clients send expensive requests (GET LargeFile.zip, DO LongDBQuery) to www.foo.com.
Hard to detect or counter because malicious requests look normal!
Want to protect DB and disk bandwidth, socket buffers, processes, …
A Fairness Problem – Filters
Figure: humans and machines share the server resources through a user filter.
Problem – Each machine gets an equal share
Solution – Ensure that each human gets an equal share
Establishing Fairness – Use a Reverse Turing Test
Figure: the client asks "Give me www.foo.com"; the server replies "Under attack. Come back later. BTW, can solve test to access now." The test page reads "Suspected attack! To access www.foo.com enter the above letters:" (figure labels: Existing Sols, Our Solution).
Solution Overview
Figure (unchanged client, server): SYN; SYN cookie; the client's ACK carrying the HTTP request is checked against the SYN cookie; a bad cookie is ignored; a good cookie gets the test, followed by a TCP RST.
Other characteristics:
One test per session
Tests generated offline
Test expires – replay attacks are harmless
Each answer grants up to 4 TCPs – can't attack by duplicating answers
No connection until test answered
Solution Overview
Figure (Client – Server N/W Stack – App Server): SYN; SYN/ACK, leaving the server in SYN_RECV state; ACK establishes the connection; HTTP request; HTTP response.
Vulnerable to SYN floods.
Solution Overview
Figure (Client – Server N/W Stack – App Server), common case: SYN; the server creates a SYN cookie and returns it in the SYN/ACK; ACK establishes the connection; HTTP request; HTTP response.
Figure, under attack: SYN; SYN cookie; the ACK carrying the HTTP request is checked (verify cookie); a bad cookie is ignored; a good cookie gets a test, sent out from memory, followed by a RST. Then SYN; SYN cookie; the ACK carrying the test answer is checked (verify cookie & answer); a bad cookie is ignored; grant access if the answer is correct, and the HTTP response follows.
Tests are generated offline.
Solution Overview
Server behavior unchanged (common case)
Create session after a correct answer; up to 4 TCP connections per answer
One test per browsing session; tests generated offline
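An added example (not the poster's code) of the admission logic summarised above, in Python: a stateless SYN cookie, a test served from an offline pool and tagged so it expires, and a per-answer counter capped at 4 connections so duplicated answers stop working. The secret, the TTL, the sample test pool and the MAC construction are assumptions.

```python
import hmac
import hashlib
import os
import random

SECRET = os.urandom(32)       # server-side secret for stateless cookies and test tags
MAX_CONNS_PER_ANSWER = 4      # page: each correct answer grants up to 4 TCP connections
TEST_TTL = 60                 # seconds until a test expires (constructed value)
# Tests generated offline and kept in memory: test id -> expected answer (constructed sample).
OFFLINE_TESTS = {"t1": "gx7kq", "t2": "pm2zd"}
# State is created only after a correct answer: test tag -> connections still allowed.
SESSIONS = {}

def _mac(*parts):
    msg = ":".join(str(p) for p in parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def make_syn_cookie(ip, port, now):
    """SYN cookie: a MAC over the client address and a 64 s time slot, no per-SYN state."""
    return _mac("syn", ip, port, int(now) // 64)

def verify_syn_cookie(cookie, ip, port, now):
    # Accept the current or the previous slot so a slow handshake still verifies.
    return any(hmac.compare_digest(cookie, make_syn_cookie(ip, port, now - d)) for d in (0, 64))

def on_http_request(cookie, ip, port, now):
    """ACK carrying an HTTP request. Bad cookie -> None (ignore it). Good cookie -> a test
    to send from memory, after which the server replies with RST instead of connecting."""
    if not verify_syn_cookie(cookie, ip, port, now):
        return None
    test_id = random.choice(sorted(OFFLINE_TESTS))
    issued = int(now)
    return {"test_id": test_id, "issued": issued, "tag": _mac("test", test_id, issued)}

def on_test_answer(cookie, test, answer, ip, port, now):
    """ACK carrying cookie + test answer. True -> establish the TCP connection."""
    if not verify_syn_cookie(cookie, ip, port, now):
        return False                                   # ignore, as for any bad cookie
    if now - test["issued"] > TEST_TTL:
        return False                                   # test expired, so replays die out
    if not hmac.compare_digest(test["tag"], _mac("test", test["test_id"], test["issued"])):
        return False                                   # forged or altered test
    if OFFLINE_TESTS.get(test["test_id"]) != answer:
        return False                                   # wrong answer
    left = SESSIONS.setdefault(test["tag"], MAX_CONNS_PER_ANSWER)
    if left == 0:
        return False                                   # answer duplicated beyond its grant of 4
    SESSIONS[test["tag"]] = left - 1
    return True
```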
Extra – What If?
User doesn't want to solve the test? The server replies "Under attack. Come back later. BTW, solve the test to access now."
Attacker distributes a few answers to all worms? Each test allows access to limited resources.
Users who solve a test can access the server; everyone else is told "Under attack. Come back later."
Different from Prior Work
Crypto puzzles are easy since computation power is cheap.
Yahoo! only protects disk space during account creation (it uses a reverse Turing test to protect disk space).
We want to receive requests, deliver puzzles, validate answers before establishing a TCP connection.