1、Internet Cache Pollution Attacks and Countermeasures,Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen,Electrical Engineering and Computer Science Department Northwestern University,2,Outline,Motivation Pollution Attacks Evaluation of Pollution Effects Counter-Pollution Techniques & Evaluati
2、on Conclusion,3,Motivation,Caching has been widely applied in the Internet Decrease the amount of requests in server side Reduce the amount of traffic in the network Improve the client-perceived latency Open proxy caches are used for various abuse-related activities Proxy caches themselves become vi
3、ctims Little attention given to such attacks Existing pollution attacks mostly on content pollutions on P2P systems,4,Contributions,Propose a class of pollution attacks targeted against Internet proxy caches Locality-disruption (LD) attacks False-locality (FL) attacks Analyze the resilience of the c
4、urrent cache replacement algorithms to pollution attacks Propose two cache pollution detection mechanisms Detect LD, FL attacks, and their combination Leverage data streaming computation techniques,5,Outline,Motivation Pollution Attacks Evaluation of Pollution Effects Counter-Pollution Techniques &
5、Evaluation Conclusion,6,Pollution Attack Scenarios (I),Attacking a web cache,Attacking an ISP cache,7,Pollution Attack Scenarios (II),Pollution attack against a local DNS server,8,Pollution Attack: Locality Disruption,Cache,Cache,Before attack,After attack,Popular files,New unpopular files,Goal: deg
6、rade cache efficiency by ruining its file locality Activities: continuously generate requests for new unpopular files,9,Pollution Attack: False Locality,Cache,Cache,Before attack,After attack,Popular files,Bogus popular files,Goal: degrade the hit ratio by creating false file locality Activities: re
7、peatedly request the same set of unpopular files,10,Outline,Motivation Pollution Attacks Evaluation of Pollution Effects Counter-Pollution Techniques & Evaluation Conclusion,11,Evaluation Methodology,Discrete-event simulator Multiple DoS behaviors Multiple workload characterizing behaviors Effects o
8、f access and local network capacities Workloads P2P K. Gummadi et al. ACM SOSP 03 Web F. Smith et al. SIGMETRICS 01 NAT effects,12,Cache Replacement Algorithms,Least Recently Used (LRU) algorithm Evict the least recently accessed document first Least Frequently Used (LFU) algorithm Evict the least f
9、requently accessed document first Greedy Dual-Sized Frequency (GDSF) algorithm Consider the frequency of the documents Allow smaller document to be cached first Use dynamic aging policy,13,Baseline Experiments,Locality-disruption attacks,Small percent of malicious requests can significantly degrade
10、the overall hit ratio,Total hit ratio =,Including attackers requests and regular users requests,Stealthy! (4%),14,Baseline Experiments,False-locality attacks,Total hit ratio is not a good indicator for attacks,15,BHR(n)byte hit ratio of regular clients without attacks BHR(a)byte hit ratio of regular
11、 clients with attacks,Byte damage ratio =,16,Replacement Algorithms,Locality-disruption attacks,LRU and LFU are more resilient to attacks, but still can not protect cache from pollution,17,Outline,Motivation Pollution Attacks Evaluation of Pollution Effects Counter-Pollution Techniques & Evaluation
12、Conclusion,18,Detecting Locality Disruption Attacks,Observations: Low total hit ratio Short average life-time of all cached files Design: Detection: compute the average durations for all files in the cache Mitigation: recognize the attackers,19,Detecting False Locality Attacks,Observations: Clients
13、who request a similar set of files residing in the cache The repeated requests from the same IP to cached files Design: Large number of repeated requests Large percent of repeated requestsScalability: Attacker-based detection: Bloom filter Object-based detection: Probabilistic Counting with Stochast
14、ic Averaging (PCSA),20,Evaluation of Pollution Detection,Results for false-locality attacks, more in paper,For attackers file detection: True positive ratio =,21,Realize the counter-pollution mechanismsCode and more detailshttp:/networks.cs.northwestern.edu/AE/,Implementation,22,Conclusions,Propose
15、and evaluate two classes of attacks: locality-disruption and false-locality attacks Show that pollution attacks are stealthy, but powerful, and different replacement algorithms have different resiliency Propose and evaluate a set of scalable and effective counter-pollution mechanisms,23,Thank You !,Questions?,
