Protecting Web Servers from Content Request Floods

Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob

CSAIL – MIT

The Attack

GET LargeFile.zip

DO LongDBQuery

www.foo.com

Hard to detect or counter because malicious requests look normal!

Want to protect DB and disk bandwidth, socket buffers, processes, …

A Fairness Problem

[Diagram labels: Humans, Machines, Filters, User Filter, Server Resources]

Problem – Each machine gets equal share

Solution – Ensure that each human gets equal share

Establishing Fairness

Use Reverse Turing Test

Give Me www.foo.com

Suspected attack! To access www.foo.com enter the above letters:

Under attack. Come back later.

BTW, can solve test to access now.

Existing Sols

Our Solution

2 Modes

Common case:

Server behavior unchanged

Normal

Under Attack

Solution Overview

[Diagram labels: Unchanged Client, Server; SYN, SYN Cookie, SYNACK ACK, HTTP Request, Verify SYN Cookie, Send Test, TCP RST, Ignore!]

Other Characteristics:

One test per session

Tests generated offline

Test expires

Replay attacks are harmless

Each answer grants up to 4 TCPs

Can’t attack by duplicating answers

No connection until test answered
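
The characteristics listed above, modelled as an added example (not code from the slides or the authors' system): a test that expires, a replayed answer that gains nothing, and duplicated answers that share one budget of 4 connections. The HMAC-bound test blob, the secret, the 240-second lifetime, counting the 4 TCPs as concurrently open connections, and all names are assumptions; the slides place this logic in the server's network stack before a TCP connection exists, which this user-space model does not reproduce.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # assumption: server-side key
TEST_TTL = 240    # assumption: seconds until a served test expires
MAX_CONNS = 4     # from the slide: each answer grants up to 4 TCPs
TESTS = {"t1": "xkqz", "t2": "mfhw"}  # constructed: tests generated offline

def _mac(*parts):
    msg = "|".join(parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def _same(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def issue_test(test_id, now):
    """Serve a test without storing state: the MAC binds id and issue time."""
    return f"{test_id}|{now}|{_mac('test', test_id, str(now))}"

class Gate:
    def __init__(self):
        self.open_conns = {}  # session token -> connections currently open

    def answer(self, blob, text, now):
        """Return a session token for a fresh, correctly answered test."""
        try:
            test_id, issued, mac = blob.split("|")
            age = now - int(issued)
        except ValueError:
            return None
        if not _same(mac, _mac("test", test_id, issued)):
            return None  # forged or altered test
        if age < 0 or age > TEST_TTL:
            return None  # expired test: a replayed answer is useless
        if test_id not in TESTS or not _same(text, TESTS[test_id]):
            return None
        # Deterministic token: duplicates of one answer share one budget.
        token = _mac("session", test_id, issued)
        self.open_conns.setdefault(token, 0)
        return token

    def connect(self, token):
        """Admit a connection only while the answer's budget has room."""
        if self.open_conns.get(token, MAX_CONNS) >= MAX_CONNS:
            return False
        self.open_conns[token] += 1
        return True

    def close(self, token):
        if self.open_conns.get(token, 0) > 0:
            self.open_conns[token] -= 1
```

Because the session token is derived only from the test id and its issue time, a thousand copies of one correct answer map to the same counter and still get 4 connections in total.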

Solution Overview

[Diagram labels: Client, Server (N/W Stack, App Server); SYN, SYNACK, SYN RECV State, SYNACK ACK, Establish Connection, HTTP Request, HTTP Response]

Vulnerable to SYN Floods

Solution Overview

[Diagram labels: Client, Server (N/W Stack, App Server); SYN, Create Cookie, SYN Cookie, SYNACK ACK, Establish Connection, HTTP Request, HTTP Response]

Common Case

[Diagram labels: Client, Server (N/W Stack, App Server); SYN, Create Cookie, SYN Cookie, SYNACK ACK, HTTP Request, Verify Cookie, Send Test, RST, Ignore]

Send out a test from memory

[Diagram labels: Client, Server (N/W Stack, App Server); SYN, Create Cookie, SYN Cookie, SYNACK ACK, Test Answer, Verify Cookie & Answer, HTTP Response, Ignore]

Common Case

Grant access if answer is correct

Tests are generated offline

Solution Overview

Server behavior unchanged (Common case)

Create session after a correct answer

Up to 4 TCP connections per answer

One test per browsing session

Tests generated offline

Extra – What If?

User doesn’t want to solve the test?

Attacker distributes a few answers to all worms?

Each test allows access to limited resources

Give Me www.foo.com

Under attack. Come back later.

BTW, solve the test to access now.

Establishing Fairness

Use Reverse Turing Test

Suspected attack! To access www.foo.com enter the above letters:

Different from Prior Work

Crypto puzzles are easy since computation power is cheap

Yahoo! only protects disk space during account creation

We want to receive requests, deliver puzzles, validate answers before establishing a TCP connection

Establishing Fairness

Use Reverse Turing Test

Give Me www.foo.com

Suspected attack! To access www.foo.com enter the above letters:

Under attack. Come back later. BTW, solve the test to access now.

Users who Solve a Test can access the server

Yahoo uses RTT to protect disk space

We receive requests, serve tests, validate answers before establishing a TCP connection