Preventing Internet Denial-of-Service with Capabilities

Preventing Internet Denial-of-Service with Capabilities
Tom Anderson, David Wetherall (Univ. of Washington); Timothy Roscoe (Intel Research at Berkeley)
Presentation by Anupam Chanda, Khaled Elmeleegy. Comp 629. 11/13/2018

Paper Summary
- An approach to prevent DoS attacks
- Nodes obtain "permission to send" (capabilities) from the destination
- Verification points enforce the capabilities
- Suitable for incremental deployment

Overview
- Motivation
- Related work
- Proposed solution
- Conclusion

Motivation
- DoS: flooding a limited resource (CPU/memory on hosts, routers, firewalls)
- Anomaly detection: automated response, often a shutdown
- New applications are likely to look anomalous
- "Normal" traffic could be an attack (CodeRed virus)

Related Work

Source Address Filtering
- Applied at network ingress and egress points
- Prevents spoofing attacks
- However, addresses with the same network prefix can still be spoofed
- Attacks often consist of legitimate packets, e.g., from hosts under a virus attack

IP Traceback
- Traces the source of the attack
- Detection rather than prevention
- Can do post-mortem traceback
- Based on marking of IP packets

IP Traceback (contd.)
(Figure: topology with nodes A1, A2, A3, R1, R2, R3, R4, R5, R6 and V; presumably attackers, routers and the victim)

Pushback
- A pushback daemon monitors the traffic pattern
- Rules indicate a DoS attack
- The daemon communicates with upstream routers (pushback)
- Upstream routers drop the packets

Anomaly Detection
- Rule-based or statistical techniques classify traffic as friendly/malicious
- On detection of malicious traffic: install network filters, e-mail the network administrators
- Legitimate applications may trigger alerts
- Application-level, end-to-end decision making is required

Overlay Filtering
- Traffic is rerouted through special nodes for sophisticated analysis and filtering
- Traffic passed through the overlay gets a secret added to its packets
- Downstream routers check for the secret
- Similar to capability-based filtering, which adds nonce tokens in the capabilities

Proposed Solution

System's components
- Request To Send (RTS) server: used by sources to get tokens to send (capabilities)
- Verification Points (VP): perform access control by verifying the existence of a token in the packet
- VPs are coupled with RTS servers, both co-located with BGP speakers

Obtaining permission to send
- Autonomous Systems (AS) advertise that they want their inbound traffic filtered
- They augment their BGP advertisement with the address of their RTS server
- Any AS along the way may add its own RTS server to the BGP advertisement
- The source can thus discover a chain of RTS servers through which it sends its request

Token Generation and passing
- The destination generates a hash chain of 64-bit one-way hash values h1, h2, ..., hk
- The destination sends hk back to the source through the RTS servers
- RTS servers and VPs remember the token and associate it with the flow

Sending with capabilities
- A token (capability) allows the source to send n packets in t seconds
- The source includes the token in its packets
- VPs along the path validate the token: if the token is found and is valid, increment the usage count; else drop the packet

Acquiring new capabilities (in band)
- The source could explicitly request a new token, but the performance is bad (overhead)
- Instead, the destination sends hk-1 (the new capability) after receiving nearly n packets
- The source switches to hk-1 for the next n packets
- VPs switch to hk-1 as well; they recognize it because hk = hash(hk-1) (hash chain)
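The token generation, per-flow rate check and in-band hash-chain renewal from the three preceding slides, as an added Python example that is not code from the paper or the presenters. It assumes a truncated SHA-256 as the 64-bit one-way hash (the slides do not name the function); the flow id, n, t, the seed and the packet timings are constructed values.

```python
import hashlib

TOKEN_BYTES = 8  # 64-bit one-way hash values, as on the slides


def h(x: bytes) -> bytes:
    """One-way hash truncated to a 64-bit token (assumed: SHA-256)."""
    return hashlib.sha256(x).digest()[:TOKEN_BYTES]


def make_chain(seed: bytes, k: int) -> list:
    """Destination builds h1..hk with h_{i+1} = h(h_i). It reveals hk first,
    then hk-1, hk-2, ... so a VP can check each new token against the old one."""
    chain = [h(seed)]
    for _ in range(k - 1):
        chain.append(h(chain[-1]))
    return chain  # chain[0] is h1, chain[-1] is hk


class VerificationPoint:
    """Per-flow state: current token, packets used in this window, window start.
    A token authorizes n packets per t seconds."""

    def __init__(self, n: int, t: float):
        self.n, self.t = n, t
        self.flows = {}

    def install(self, flow: str, token: bytes, now: float) -> None:
        # Learned from the RTS reply: remember hk for this flow
        self.flows[flow] = {"token": token, "used": 0, "start": now}

    def check(self, flow: str, token: bytes, now: float) -> bool:
        """True = forward the packet, False = drop it."""
        st = self.flows.get(flow)
        if st is None:
            return False  # no capability for this flow
        if token != st["token"]:
            # In-band renewal: accept hk-1 only if hashing it yields the stored hk
            if h(token) != st["token"]:
                return False  # guessed, forged or already-retired token
            st.update(token=token, used=0, start=now)
        elif now - st["start"] >= self.t:
            st.update(used=0, start=now)  # new rate window for the same token
        if st["used"] >= self.n:
            return False  # n packets already sent in this window
        st["used"] += 1
        return True


def demo():
    """Constructed walk-through: 3 packets allowed per 1 s, then renewal."""
    chain = make_chain(b"destination secret (constructed)", k=3)
    hk, hk_1 = chain[-1], chain[-2]
    vp = VerificationPoint(n=3, t=1.0)
    vp.install("src->dst", hk, now=0.0)
    burst = [vp.check("src->dst", hk, now=0.1 * i) for i in range(4)]
    renewed = vp.check("src->dst", hk_1, now=0.5)   # hk-1 accepted via the chain
    stale = vp.check("src->dst", hk, now=0.6)       # old hk no longer valid
    forged = vp.check("src->dst", b"\x00" * 8, now=0.7)
    return burst, renewed, stale, forged
```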

Security issues
- RTS servers control the rate of RTS packets to destinations
- RTS servers are protected against floods: they are only accessed by nodes in the same AS or by other RTS servers
- Tokens are difficult to guess
- If you can sniff the tokens, you can disrupt the communication anyway

Conclusions
- An explicit authorization scheme to address DoS
- The paper argued that, besides solving the DoS problem, the scheme is feasible and incrementally deployable
- No experiments, so no sense of the added overhead

Questions?