1 SENSS Security Service for the Internet Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC)

Presentation transcript:


Motivation and Insights

Growing DDoS Attacks*
– 2/3rd of respondents have experienced at least one DDoS attack
– 400, 602, 750 Gbps attacks
– Frequent and large
*source: Arbor Networks

Growing BGP Prefix Hijacking*
– In 2013, hijacking affected 1,500 prefixes in 150 cities
– Live interception attacks are on for more than 60 days
– Traffic from major companies, governments and ISPs diverted
*source: Renesys

Attack Variants
DDoS: direct flood, reflector, crossfire
BGP prefix hijacking
– Attacker announces the victim's prefix (origin) or a short AS path to the victim (closeness)
– Blackholing (drop traffic) or interception (sniff or modify, then forward to the victim)

Attack Mitigation Today
DDoS
– Local device does traffic analysis, sometimes DPI (low-volume and application attacks; cannot handle high-volume or reflected traffic)
– Cloud-based defense, traffic goes to the cloud for scrubbing (high-volume attacks; takes time to set up, expensive, redirects traffic, special handling for encrypted traffic)
BGP prefix hijacking
– BGP anycast (distributes prefix presence; takes time to set up, expensive, needs content replication too)
Most solutions focus on resource replication to withstand attacks

SENSS Enables the Victim to
… observe own traffic
– Going to the victim's prefixes
– Carrying sources from the victim's prefixes
… observe own routes
– For the victim's prefixes
… control own traffic
– Filter, allow, request bandwidth guarantee
… control own routes
– Demote a route that may contain a hijacker, or correct it
In any willing ISP (even a non-neighbor)!
Aligns control with ownership of traffic/routes
Remote ISP must be able to verify the requestor's authority for a prefix

SENSS

Operation
– ISPs run SENSS servers
– Victim identifies ISPs to interact with using the public SENSS directory
  – Sends each a query
  – ISPs authenticate prefix ownership, process the query, charge the victim and return replies
– Victim decides which control actions to apply and where
  – Sends messages about this to the chosen ISPs
  – ISPs authenticate prefix ownership, charge the victim, implement the requested actions

SENSS APIs at ISPs
Exposed as Web services
– Leverage existing functionalities for robustness (replication), security (HTTPS), charging (e-commerce)
Message authentication: proof of authority for a prefix
– Signed proof that the owner of a given public key is authorized to speak for a set of prefixes in the SENSS messages
– RPKI, extension of SSL certs, …
– … or manually populate a DB of known customers and prefixes
TLS for communication security
Victim can delegate a proxy if it cannot communicate itself

| Type                 | Fields                    | Action/Reply                                                                 |
| Traffic query        | Flow, dir, obs_time       | List of traffic volumes per tag (tag = neighbor's AS number (+ geolocation)) |
| Traffic filter/allow | Flow, dir, tag, duration  | Deploy filter/allow actions                                                  |
| Route query          | Prefix                    | List of best paths to prefix                                                 |
| Route demote         | Prefix, segment, duration | Demote routes with given segment                                             |

Example: Isolated Deployment
Direct flood:
V → A: traffic_query
A → V: 1 (D-A), 0.5 (E-A), 5 (F-A), 0.5 (C-A)
V → A: traffic_filter(tag=F-A, dest=V)
Reflector:
V → A: traffic_allow(dest=VN, sport=53, dport=(1000,2000))
V → A: traffic_filter(dest=V, sport=53)
V NATs all DNS traffic through VN, using the allowed port range
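The API table and the isolated-deployment exchange above, replayed in code. This is an added example, not the SENSS project's code: the message names and fields (traffic_query, traffic_filter, traffic_allow, tag = the neighbor that delivered the traffic) follow the slides, while the proof-of-authority table, the prefixes (documentation range) and the per-tag volumes are constructed stand-ins for RPKI and real traffic observation. It also shows the check the slides require of every ISP: a request is served only if the requester holds authority for the destination prefix it names.

```python
"""Mock SENSS isolated-deployment exchange (added example, not the SENSS project's code).

Message names and fields follow the slides (traffic_query, traffic_filter, traffic_allow;
tag = the ISP's neighbor that delivered the traffic). The proof-of-authority table and
traffic volumes are constructed sample data standing in for RPKI and real observation.
"""
import ipaddress
from dataclasses import dataclass, field


def _covered(prefix, authorized_prefixes):
    """True if `prefix` lies inside one of the requester's authorized prefixes."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in authorized_prefixes)


@dataclass
class SenssServer:
    """One ISP's SENSS server (ISP A in the slide)."""
    authority: dict                      # requester -> prefixes it may speak for (constructed)
    traffic: dict                        # dest prefix -> {tag: Gbps observed} (constructed)
    rules: list = field(default_factory=list)

    def _check(self, requester, dest):
        # Every message is checked against proof of authority for the destination
        # prefix, so a requester can only observe or steer traffic it owns.
        if not _covered(dest, self.authority.get(requester, [])):
            raise PermissionError(f"{requester} holds no authority for {dest}")

    def traffic_query(self, requester, dest):
        self._check(requester, dest)
        return dict(self.traffic.get(dest, {}))      # reply: volume per tag

    def traffic_filter(self, requester, dest, tag=None, sport=None, duration=60):
        self._check(requester, dest)
        rule = {"action": "filter", "dest": dest, "tag": tag, "sport": sport, "duration": duration}
        self.rules.append(rule)
        return rule

    def traffic_allow(self, requester, dest, sport=None, dport=None, duration=60):
        self._check(requester, dest)
        rule = {"action": "allow", "dest": dest, "sport": sport, "dport": dport, "duration": duration}
        self.rules.append(rule)
        return rule


def mitigate_direct_flood(server, requester, dest):
    """Direct flood: ask where the traffic comes from, filter the heaviest ingress tag."""
    reply = server.traffic_query(requester, dest)
    worst_tag = max(reply, key=reply.get)
    server.traffic_filter(requester, dest, tag=worst_tag)
    return worst_tag


def mitigate_reflector(server, requester, dest, nat_dest, dport_range):
    """DNS reflector: allow replies only to the NAT address/port range, drop the rest."""
    server.traffic_allow(requester, nat_dest, sport=53, dport=dport_range)
    server.traffic_filter(requester, dest, sport=53)
    return [r["action"] for r in server.rules]


def demo():
    """Replays the slide's exchange on constructed data; returns what the victim decided."""
    victim_prefix = "203.0.113.0/24"        # V (constructed, documentation range)
    nat_addr = "203.0.113.53/32"            # VN, inside V's prefix (constructed)
    isp_a = SenssServer(
        authority={"victim": [victim_prefix]},
        traffic={victim_prefix: {"D-A": 1.0, "E-A": 0.5, "F-A": 5.0, "C-A": 0.5}},
    )
    filtered_tag = mitigate_direct_flood(isp_a, "victim", victim_prefix)
    actions = mitigate_reflector(isp_a, "victim", victim_prefix, nat_addr, (1000, 2000))
    # A requester without proof of authority for V is refused.
    try:
        isp_a.traffic_filter("stranger", victim_prefix, tag="D-A")
        refused = False
    except PermissionError:
        refused = True
    return {"filtered_tag": filtered_tag, "actions": actions, "stranger_refused": refused}


if __name__ == "__main__":
    print(demo())
```

The allow rule is installed before the port-53 filter on purpose: with first-match semantics at the ISP, the reverse order would drop the victim's own DNS replies along with the reflected ones.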

Example: ISP-Only Deployment
– S periodically collects traffic reports from A, B, C, D, E, F, G, H
– Analyzes traffic
– Detects attack on V
– Identifies E as the ingress router which sends most of the attack to V
– Deploys blackholing at E for destination V

Example: Sparse Deployment
V → A, D, G, J, L: traffic_query
Assemble the traffic tree from the replies
V → L: traffic_filter(tag=S2-L, dest=V)
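How the victim assembles a traffic tree from several traffic_query replies and decides where to filter, as an added example that is not the SENSS project's code. The ISP names, topology and reply volumes are constructed; only the tag form ("S2-L" = traffic ISP L received from neighbor S2) and the outcome (filter at L on tag S2-L) follow the slide. The same max-volume selection, applied to a single ISP's ingress reports, is what the ISP-only example above does when it picks E.

```python
"""Assembling a traffic tree from several SENSS traffic_query replies (sparse deployment).

Added example, not the SENSS project's code. The topology, reply volumes and ISP names
are constructed; tags follow the slide's "neighbor-ISP" form (e.g. "S2-L" = traffic that
ISP L received from neighbor S2).
"""

# Constructed replies to V's traffic_query, as {isp: {tag: Gbps toward V}}.
# Volumes are consistent along each path (what D receives on J-D is what J forwards).
REPLIES = {
    "A": {"D-A": 6.0, "G-A": 1.0},
    "D": {"J-D": 5.5, "X-D": 0.5},
    "G": {"Y-G": 1.0},
    "J": {"L-J": 5.0, "Z-J": 0.5},
    "L": {"S1-L": 0.5, "S2-L": 4.5},
}


def neighbor_of(tag):
    """'S2-L' -> 'S2': the neighbor that handed the traffic to the replying ISP."""
    return tag.rsplit("-", 1)[0]


def build_tree(replies, root):
    """Nested tree from the victim's ISP outward, following tags into SENSS ISPs.

    Each node is {"isp": name, "edges": [(tag, volume, subtree_or_None)]}.
    Neighbors that did not answer (non-SENSS ISPs) end the branch.
    """
    edges = []
    for tag, volume in sorted(replies.get(root, {}).items(), key=lambda kv: -kv[1]):
        nxt = neighbor_of(tag)
        sub = build_tree(replies, nxt) if nxt in replies else None
        edges.append((tag, volume, sub))
    return {"isp": root, "edges": edges}


def leaf_edges(tree):
    """All (isp, tag, volume) edges whose upstream neighbor is not SENSS-enabled."""
    out = []
    for tag, volume, sub in tree["edges"]:
        if sub is None:
            out.append((tree["isp"], tag, volume))
        else:
            out.extend(leaf_edges(sub))
    return out


def choose_filters(replies, root, min_gbps):
    """Pick the furthest-upstream edges carrying at least `min_gbps`, heaviest first.

    Filtering there stops the attack before it crosses the intermediate ISPs;
    filtering at the root would work too but wastes everyone's transit capacity.
    """
    tree = build_tree(replies, root)
    picks = [e for e in leaf_edges(tree) if e[2] >= min_gbps]
    return sorted(picks, key=lambda e: -e[2])


def demo():
    """Returns the chosen filter points and the share of traffic toward V they stop."""
    filters = choose_filters(REPLIES, "A", min_gbps=2.0)
    total = sum(REPLIES["A"].values())
    stopped = sum(v for _, _, v in filters)
    return {"filters": filters, "share_stopped": round(stopped / total, 3)}


if __name__ == "__main__":
    print(demo())
```

The threshold (min_gbps) is the victim's policy knob: lowering it pushes smaller flows' filters upstream too, at the cost of more control messages and more ISPs to pay.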

Deploying SENSS in an ISP

What SENSS Can Do For You?
– Help you defend your customers from DDoS with existing infrastructure
– Automate DDoS handling within your ISP
– Help detect and diagnose attacks (separate module)

Integrating SENSS With Your ISP
SENSS is a Web application, which can be run on any Web server within your ISP:
– Admin account requires 2-factor authentication
– Use RPKI or set up a DB for proof of authority for a prefix
– Supply IP addresses of switches
SENSS needs traffic/route observation and filtering:
– For traffic observation: SDN or SNMP
– For traffic filtering: SDN or Flowspec or ACLs
– For route observation/filtering: interact with router software (Quagga)

Deploying SENSS at a Customer

What SENSS Can Do For You?
– Help you engage your ISP in attack mitigation in an automated fashion
– Help detect and diagnose attacks (separate module)

Integrating SENSS With Your Network
SENSS client is a stand-alone Python program, which can be run on any node within your ISP
– Admin account requires 2-factor authentication
– The node which runs SENSS must have adequate proof of authority for your prefixes
– Supply the IP address of your ISP's SENSS server (in isolated deployment)

Performance

Simulation
On AS topology:
– Legitimate traffic patterns from Edgecast and random attacker distributions
Findings:
– Early adopters can mitigate 100% of direct floods and reflector attacks for their customers
– As adoption grows, protection grows for everyone: a wider range of attacks is mitigated, with higher effectiveness
– Deployment at any tier helps, but deployment at Tier 1 and Tier 2 is especially effective
– Most attacks can be mitigated with deployment at just 1–2% of all ISPs, with under 10 sec delay

Emulation
On Deterlab testbed (www.deterlab.net) with topologies from Topology Zoo
– 186 switches (OpenVSwitch+Quagga)
– 1 SDN controller (RYU)
– 1 SENSS server
– concurrent SENSS clients
Response time (including RPKI validation):
– Up to 4.32 sec for 100 concurrent SENSS queries
– Up to sec for 100 concurrent SENSS control msgs
– Most attacks are handled within 10 seconds

Conclusions

Conclusions
Distributed attacks are not handled well today
– Redundancy to sustain attacks; cost is still high and attack traffic still clogs the Internet
– Smaller businesses can be affected for days
SENSS enables inter-ISP collaboration to detect and mitigate distributed attacks
– Useful in a variety of settings
– Complements other solutions
Test-drive it on Deterlab or in your network

Thanks for coming! Reach out if interested: Jelena Mirkovic, Minlan Yu, Ying Zhang, Sivaram Ramanathan