Mitigating Distributed Denial of Service Attacks Using a Proportional-Integral-Derivative Controller. Marcus Tylutki.

Presentation transcript:


Outline
– Response to DDoS (Overview)
– Control Theory Background
– PID Control Law
– DDoS response model utilizing PID Control
– Experimental Results
– Comparison to existing DDoS response models

Response to DDoS
DDoS Examples:
– Stacheldraht
– Trinoo
– Tribal Flood Network
Current response utilizes 2 main methods:
– IP Traceback
– Bandwidth pushback

Classic Control Theory (block diagram): the Controller drives the System. Inputs: Desired Value v_d, System Changes s_c, and (Unknown and Known) Disturbances. Output: Observed Value v_o, fed back to the Controller.

PID Control Law
The control signal has 3 components:
– Proportional Mode: c(t) = K_C e(t) + c_b
– Integral Mode (compensates error buildup over time): c(t) = (K_C / τ_I) ∫ e(t) dt + c_b
– Derivative Mode (attempts to match the rate of change): c(t) = K_C τ_D d/dt( e(t) ) + c_b

Using PID Control Law to mitigate DDoS effects
Figure 4.1 (diagram): Networks A, B and C, each behind its own border router (Border Router A, B, C). Packets destined for Network C are dropped at Border Routers A and B.

Necessary Assumptions
– A sensor exists which can determine (probabilistically) whether a packet is part of a DDoS attack or legitimate. Webscreen WS100 claims to do this for web servers.
– The flow of packets through any border router headed towards the protected network can be detected. (iTrace)
– A technique exists for dropping packets heading towards the protected network at the border router. (Traffic shaping)
– The border router that forwarded a particular DDoS attack packet can be identified. (CEF)

Goals of the Approach
– Bound the total amount of traffic passing through to the protected network
– Maximize the percentage of legitimate packets in the flow reaching the protected network
– Minimize the overall impact of overhead produced by this method

Calculation of PID Control Variables
– Percent legitimate traffic: x(t) = 1 – (Attack Flow / Total Flow)
– Error used for future predictions: e(t) = z_ideal(t-1) – z(t-1), i.e. e(t) = ( 1 – (Limit / Flow(t-1)) ) – z(t-1)
– Predicted block percentage: z(t) = c(t) + z(t-1)

Calculation of c(t)
– Proportional Control (P): c(t) = K_C [ e(t) ]
– Proportional Derivative Control (PD): c(t) = K_C [ e(t) + τ_D d/dt( e(t) ) ], with d/dt( e(t) ) ≈ ( e(t-1) – e(t-2) ) / Δt
– Proportional Integral Derivative Control (PID): c(t) = K_C [ e(t) + τ_D d/dt( e(t) ) + (1/τ_I) ∫ e(t) dt ], with ∫ e(t) dt ≈ Δt Σ e(i), i = 1..t
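The two slides above define the whole discrete update, so here it is as a runnable Python example. This is added code, not from the presentation: the class and function names are mine, the 99% cap on z(t) and Δt = 20 s are taken from the later experiment slides as defaults, and two details the slides leave open are my assumptions (z_ideal is taken as 0 when no flow was observed, and z(t) is clamped to [0, cap] because a drop fraction must be a probability). The traffic trace in the driver is constructed.

```python
# Added example: discrete P / PD / PID block-rate controller following the slides'
# equations (not code from the presentation). Names and the simulate() driver are mine.
from dataclasses import dataclass, field


@dataclass
class PidDropController:
    limit: float             # Limit: traffic (packets/s) allowed through to the protected network
    kc: float                # K_C, controller gain
    tau_d: float = 0.0       # tau_D, derivative time; 0 disables the D term
    tau_i: float = 0.0       # tau_I, integral time; 0 disables the I term
    dt: float = 20.0         # delta t, sampling interval in seconds (20 s in the experiment)
    max_block: float = 0.99  # cap on z(t) (99% in the experiment)
    z: float = 0.0           # z(t-1): block fraction currently applied at the border router
    errors: list = field(default_factory=list)  # e(1) .. e(t), used by the I and D terms

    def update(self, flow_prev: float) -> float:
        """Observe Flow(t-1) and return z(t) = c(t) + z(t-1)."""
        # z_ideal(t-1) = 1 - Limit/Flow(t-1): the drop fraction that would pass exactly Limit.
        # Assumption: with no observed flow there is nothing to block, so z_ideal = 0.
        z_ideal = 1.0 - self.limit / flow_prev if flow_prev > 0 else 0.0
        e = z_ideal - self.z                  # e(t) = z_ideal(t-1) - z(t-1)
        self.errors.append(e)
        c = e                                 # P term
        if self.tau_d and len(self.errors) >= 3:
            # D term, backward difference exactly as on the slide: (e(t-1) - e(t-2)) / dt
            de = (self.errors[-2] - self.errors[-3]) / self.dt
            c += self.tau_d * de
        if self.tau_i:
            # I term: the integral is approximated by dt * sum of e(i), i = 1..t
            c += (1.0 / self.tau_i) * self.dt * sum(self.errors)
        c *= self.kc
        # Assumption: z(t) is clamped to [0, max_block]; a drop fraction must be a probability.
        self.z = min(self.max_block, max(0.0, self.z + c))
        return self.z


def legit_fraction(attack: float, total: float) -> float:
    """x(t) = 1 - Attack Flow / Total Flow (percent legitimate traffic)."""
    return 1.0 - attack / total if total > 0 else 1.0


def simulate(ctrl: PidDropController, flows: list[float]) -> list[dict]:
    """Apply the controller over a trace of per-interval inbound flows.

    During interval t the router drops the fraction z computed from Flow(t-1);
    the flow observed in interval t then yields z(t) for the next interval.
    """
    out = []
    for flow in flows:
        applied = ctrl.z
        passed = flow * (1.0 - applied)       # traffic reaching the protected network
        out.append({"flow": flow, "applied_z": applied, "passed": passed,
                    "z": ctrl.update(flow)})
    return out


if __name__ == "__main__":
    # Constructed trace: baseline 150 pkt/s, a flood ramping to 2000 pkt/s, then it stops.
    trace = [150.0] * 3 + [800.0, 1500.0, 2000.0, 2000.0, 2000.0] + [150.0] * 3
    for name, ctrl in [
        ("P   Kc=1.2", PidDropController(limit=200.0, kc=1.2)),
        ("PD  Kc=1.3 Td=.2", PidDropController(limit=200.0, kc=1.3, tau_d=0.2)),
        ("PI  Kc=1.5 Ti=10", PidDropController(limit=200.0, kc=1.5, tau_i=10.0)),
    ]:
        print(name)
        for step in simulate(ctrl, trace):
            print(f"  flow={step['flow']:7.1f}  applied z={step['applied_z']:.3f}  "
                  f"passed={step['passed']:7.1f}  next z={step['z']:.3f}")
```

With P control and K_C = 1 the controller reaches z_ideal in one step; with K_C = 1.2 it overshoots and settles, since each step multiplies the remaining error by (1 − K_C). Because the slides express the I term as an increment added every Δt, the accumulated error during the pre-attack period (when the flow is below Limit and z is clamped at 0) keeps contributing once the flood starts, which the PI row of the printed trace makes visible; a real deployment would need the anti-windup logic the slides do not discuss.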

PID Simulation Results

PID Sim. Results (Cont’d)

Experiment Setup (diagram): comm. server, comm. client, PID controller, attacker and firewall server, spread over the hosts xeno, baruntse and izzy.

Assumptions of the Experiment
– Uniform packet weights (equal impact on protected services)
– One DDoS target
– Firewall servers in place
– Limited types of spoofed packets (cannot spoof across foreign networks)
– All DDoS traffic is over TCP/IP*

Assumptions of the Experiment (cont’d)
– PID control parameters are static
– Attack packets are easily distinguished: all packets are examined, 100% accuracy
– All connections* are authenticated using SSL
– Attacks do not originate from inside the protected network
– Attacks do not bypass the TCP stack

Experiment Configurations
– Border router firewall: dummynet and ipfw, e.g. ipfw pipe 1 config plr .50
– Comm. client, attacker: uses a Poisson probability distribution to calculate delay; transmissions are single characters (SCTs), ‘A’ for an attack packet and ‘B’ for a legitimate packet
– izzy had a majority of attack traffic with some legitimate traffic
– baruntse had a majority of legitimate traffic with some attack traffic

PID Control within the Experiment
– Δt = 20 seconds
– z(t) does not translate directly from packets to transmissions: z(t) = .60 dropped 95% of connections, z(t) = .05 dropped 39% of connections, z(t) = .01 dropped 8% of connections
– Maximum block z(t) set to 99%

Results of the Experiment: P, PI, and PD Control (plot: Results of Proportional, Proportional Integral, and Proportional Derivative Control; x axis Time (sec), y axis Traffic (SCTs / second); series: Limit, Baseline, Pushback, Kc = 1.2, Kc = 1.3 with Td = .2, Kc = 1.5 with Ti = 10)

Results of the Experiment (cont’d)

Benefits of each PID control mode
– Proportional: traffic is truly random, yet stabilizes around an average
– Proportional-Integral: as above, yet includes undetermined errors that can be compensated
– Proportional-Derivative: traffic contains some non-linear patterns that shift from time to time
– Proportional-Integral-Derivative: traffic that contains patterns and undetermined errors

Future Work
– Chaotic maps
– Multidimensional PID control
– Packet weights
– Support for non-border routers
– Commercial PID controllers
– Faster, more accurate PID parameter tuning