2009-03-16 1 Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.


Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang

Overview Background Problem formulation Architecture Implementation Evaluation

DDoS Attack Distributed Denial of Service An attacker is able to recruit a number of hosts (zombies) throughout the Internet to simultaneously or in a coordinated fashion launch an attack upon the target. Typical DDoS: SYN flood attack, ICMP attack

DDoS Attack-Direct

DDoS Attack-Indirect

Overlay Network Overlay network: A computer network which is built on top of another network. Node: nodes in the overlay can be thought of as being connected by virtual or logical links, each of which corresponds to a path, perhaps through many physical links, in the underlying network

IP network as an overlay network

Overlay network & Benefits Purpose: To implement a network service that is not available in the existing network --Routing, Addressing, Security, Multicast, Mobility Benefits: 1. Do not have to deploy new equipment, or modify existing software/protocols 2. Do not have to deploy at every node

Overview Background Problem formulation Architecture Implementation Evaluation

Traditional ION Traditional indirection-based overlay network (ION) methods (like SOS, MayDay) make two assumptions: An attack on a fixed and bounded set of overlay nodes can only affect a small fraction of users; The attacker cannot eavesdrop on links inside the network

Problem Traditional IONs have weaknesses: Targeted attack: the attacker can follow the client's connection and bring down the nodes the client tries to connect to. Sweep attack: degrade the connection by bringing down a portion of the overlay nodes at a time

Related work SOS (Keromytis et al.) --Suggested using an overlay network to route traffic from legitimate users to a secret node Stateless flow filter (Xuan et al.) --By adding capabilities to packets Ticket mechanism (Gligor) --Clients must obtain tickets before they are allowed to access the protected service

Overview Background Problem formulation Architecture Implementation Evaluation

Spread-spectrum Electromagnetic energy generated in a particular bandwidth is deliberately spread in the frequency domain, resulting in a signal with a wider bandwidth. CDMA is a typical spread-spectrum communication scheme

Intuition To prevent the following attacks: by adopting a spread-spectrum approach, the client spreads its packets randomly across all access points. To verify authenticity: use a token, at the expense of bandwidth

Attack models Sweep attack: Without internal knowledge of the system, blindly sweep all nodes ---TCP SYN flooding, ICMP flooding, etc. ---Like radio jamming on all channels Targeted attack: The attacker knows which overlay node a client is using. More sophisticated ---Like eavesdropping and jamming the target frequency

Traffic spreading issues Spread the packets from clients across all overlay nodes in a pseudo-random manner A random attack will only cause a fraction of the packets to be lost Duplicate the packets or use forward error correction to recover the loss

Traffic Spreading

Key and ticket establishment Protocol Randomly redirect the authentication The client sends a packet to a random overlay node The receiving node forwards the request to another random overlay node The attacker could not determine which nodes to target

Key and ticket establishment Protocol One round-trip: only the first and last connection are used (from A to D) Two round-trips guarantee liveness

Client-Overlay communication protocol

Key and ticket establishment Protocol To avoid reuse of the same ticket by multiple DDoS zombies, the range of valid sequence numbers for the ticket is kept relatively small (e.g., 500 packets) The ticket is bound to the client's IP.

Overview Background Problem formulation Architecture Implementation Evaluation

Implementation Connection Establishment Phase -- As described in the protocol part -- Establish session key and ticket -- Usually two round-trip

Implementation Packet Transmission Phase The client computes the index in the sorted list of IPs as: index = UMAC(Ku XOR sequence number) mod n Ticket Renewal Phase When a valid ticket is about to expire, the overlay node issues a new ticket with the same session key but a larger max sequence number.
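The three implementation phases above (ticket establishment bound to the client IP with a small sequence window, per-packet node selection from the sorted IP list, and ticket renewal with the same session key) are worked through below in an added Python example. This is illustrative code written for this transcript, not the authors' implementation: the ticket layout, the shared overlay secret and the use of HMAC-SHA256 in place of UMAC are assumptions, and the sample IPs and session key are constructed.

```python
import hmac
import hashlib
from dataclasses import dataclass

# From the slides: the range of valid sequence numbers per ticket is kept small (e.g., 500 packets)
TICKET_SEQ_RANGE = 500

# Constructed for this example: a secret shared by all overlay nodes so that any node can
# verify a ticket issued by another node. The real ticket format is not given on the slides.
OVERLAY_SECRET = b"constructed-overlay-secret-for-illustration-only"


@dataclass(frozen=True)
class Ticket:
    client_ip: str      # the ticket is bound to the client's IP
    session_key: bytes  # Ku, shared between client and overlay
    max_seq: int        # sequence numbers 0 .. max_seq-1 are valid under this ticket
    mac: bytes          # overlay authentication tag over the fields above


def _ticket_mac(client_ip: str, session_key: bytes, max_seq: int) -> bytes:
    msg = client_ip.encode() + b"|" + max_seq.to_bytes(8, "big") + b"|" + session_key
    return hmac.new(OVERLAY_SECRET, msg, hashlib.sha256).digest()


def issue_ticket(client_ip: str, session_key: bytes, max_seq: int = TICKET_SEQ_RANGE) -> Ticket:
    """Connection establishment phase: bind session key and a small sequence window to the client IP."""
    return Ticket(client_ip, session_key, max_seq, _ticket_mac(client_ip, session_key, max_seq))


def renew_ticket(old: Ticket, extra: int = TICKET_SEQ_RANGE) -> Ticket:
    """Ticket renewal phase: same session key, larger max sequence number."""
    return issue_ticket(old.client_ip, old.session_key, old.max_seq + extra)


def accept_packet(ticket: Ticket, src_ip: str, seq: int) -> bool:
    """Check an overlay node performs on an incoming data packet carrying a ticket."""
    expected = _ticket_mac(ticket.client_ip, ticket.session_key, ticket.max_seq)
    if not hmac.compare_digest(ticket.mac, expected):
        return False                      # forged or altered ticket
    if src_ip != ticket.client_ip:
        return False                      # ticket presented from another host (e.g. a zombie)
    return 0 <= seq < ticket.max_seq      # outside the small valid window: drop


def choose_node_index(session_key: bytes, seq: int, n: int) -> int:
    """index = MAC(Ku XOR seq) mod n. HMAC-SHA256 stands in for the paper's UMAC (assumption)."""
    mask = (1 << (8 * len(session_key))) - 1
    xored = ((int.from_bytes(session_key, "big") ^ seq) & mask).to_bytes(len(session_key), "big")
    tag = hmac.new(session_key, xored, hashlib.sha256).digest()
    return int.from_bytes(tag, "big") % n


def spread_stream(ticket: Ticket, node_ips: list, n_packets: int) -> list:
    """Packet transmission phase: pick the overlay node for each sequence number from the sorted IP list."""
    nodes = sorted(node_ips)
    return [(seq, nodes[choose_node_index(ticket.session_key, seq, len(nodes))])
            for seq in range(n_packets)]


if __name__ == "__main__":
    key = bytes(range(16))                                   # constructed session key Ku
    ticket = issue_ticket("203.0.113.10", key)               # constructed client IP
    overlay = [f"10.0.0.{i}" for i in range(1, 21)]          # constructed overlay node IPs
    plan = spread_stream(ticket, overlay, 10)
    for seq, ip in plan:
        print(f"seq={seq:3d} -> {ip}  accepted={accept_packet(ticket, '203.0.113.10', seq)}")
    print("replay from other IP accepted:", accept_packet(ticket, "198.51.100.7", 3))
    print("renewed window:", renew_ticket(ticket).max_seq)
```

Because the node index depends on the session key, an attacker without Ku cannot predict which node the next packet will use, while the overlay node's check stays stateless: everything it needs is in the ticket and the packet. Keeping max_seq small limits how much a ticket captured by one zombie is worth before renewal.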

Overview Background Problem formulation Architecture Implementation Evaluation

Evaluation Impact of a sweeping attack: with a modest amount of packet replication and striping at the client, the proposed method can handle even massive DoS attacks against the overlay General ION attack resistance

Performance evaluation Throughput under attack: only 33% in the worst-case scenario As the replication rate increases, the throughput gets closer to that of the direct connection

Performance evaluation As the replication factor is increased, and for larger networks, we get better average latency results. In the worst-case scenario, we get a 2.5 increase in latency.

Performance evaluation The attack happens on a random fraction of the overlay nodes. Packet replication helps us achieve higher network resilience.
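The resilience claim on the evaluation slides (an attack on a random fraction of the overlay nodes, with packet replication raising the delivered fraction) can be reproduced with a small simulation. The following is an added example, not the authors' evaluation code: it reuses the per-packet node choice from the implementation slide (HMAC-SHA256 standing in for UMAC, an assumption), stripes each replica of a packet onto a different pseudo-random node, and counts a packet as delivered if at least one replica reaches a node that is not under attack. The node count, attacked fraction and seed are constructed inputs.

```python
import hashlib
import hmac
import random


def choose_node_index(session_key: bytes, seq: int, n: int) -> int:
    """Pseudo-random node choice per packet: MAC(Ku XOR seq) mod n (HMAC stands in for UMAC)."""
    mask = (1 << (8 * len(session_key))) - 1
    xored = ((int.from_bytes(session_key, "big") ^ seq) & mask).to_bytes(len(session_key), "big")
    return int.from_bytes(hmac.new(session_key, xored, hashlib.sha256).digest(), "big") % n


def simulate_sweep(n_nodes: int, attacked_fraction: float, n_packets: int,
                   replication: int, seed: int = 0) -> float:
    """Fraction of packets reaching the overlay when a random fraction of nodes is down
    and the client sends each packet over `replication` independently spread paths."""
    rng = random.Random(seed)
    session_key = bytes(rng.getrandbits(8) for _ in range(16))      # constructed Ku
    down = set(rng.sample(range(n_nodes), int(attacked_fraction * n_nodes)))
    delivered = 0
    for seq in range(n_packets):
        # Each replica gets its own sub-sequence number, so it is striped onto its own node
        replicas = {choose_node_index(session_key, seq * replication + i, n_nodes)
                    for i in range(replication)}
        if any(node not in down for node in replicas):
            delivered += 1
    return delivered / n_packets


def expected_delivery(attacked_fraction: float, replication: int) -> float:
    """Analytic expectation for independent uniform node choices: 1 - f^r."""
    return 1.0 - attacked_fraction ** replication


def resilience_table(n_nodes: int, attacked_fraction: float, n_packets: int,
                     max_replication: int, seed: int = 0) -> dict:
    """Delivered fraction for replication factors 1..max_replication."""
    return {r: simulate_sweep(n_nodes, attacked_fraction, n_packets, r, seed)
            for r in range(1, max_replication + 1)}


if __name__ == "__main__":
    for f in (0.25, 0.5, 0.75):
        table = resilience_table(n_nodes=64, attacked_fraction=f, n_packets=4000, max_replication=4)
        for r, got in table.items():
            print(f"attacked={f:.2f} replication={r} delivered={got:.3f} "
                  f"expected={expected_delivery(f, r):.3f}")
```

The simulation counts only whether some copy arrives, so it measures resilience rather than throughput or latency; the bandwidth cost of replication (each packet sent r times) is the trade-off the throughput slide refers to, and the analytic 1 - f^r line is a useful check that the pseudo-random spreading is behaving like uniform selection.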

Performance evaluation Latency vs. node failures

Summary Proposed the first non-trivial attack model: both the simple types of flooding attacks, as well as more sophisticated attackers that can eavesdrop on the victim's communication link Proposed the use of a spread-spectrum-like paradigm to create per-packet path diversity.