Using Capability to prevent Internet Denial-of-Service attacks
 Tom Anderson
 Timothy Roscoe
 David Wetherall
 Offense Team
–Khoa To
–Amit Saha

What is a DoS attack?
“An incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as , to be available, or the temporary loss of all network connectivity and services.”

Fundamental Idea of the Proposal
 A destination can grant as much incoming traffic as it wants.
 By being able to control the rate of incoming traffic, DoS at the destination can be prevented.

RTS Servers vulnerable to DoS
(Diagram: attacking nodes A–G sending to a destination over its data channel and over its RTS channel.)
Data channel: BW = W Mbps. DoS requires X compromised hosts to choke bandwidth W.
RTS channel: BW = (z% * W) / k Mbps. DoS requires Y compromised hosts to choke bandwidth (z% * W) / k.
(z% * W) / k << W => X >> Y

Distributed DoS attack
 Even if the number of hosts behind an RTS (nodes in an AS) is too small to choke RTS bandwidth, distributed attacks are possible from other RTS servers.
(Diagram label: Compromised clients)

Effect of DoS attack on RTS servers
 Even though the data channel is free, no new connections are allowed since the RTS channel is choked up.
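The two slides above argue from capacities: the request (RTS) channel is only a (z% / k) slice of the data link W, so far fewer compromised hosts saturate it, and once it is saturated no new flow can obtain a capability even though the data channel is idle. The model below is an added example written for this transcript, not code from the paper or the offense team; it puts the slide's X, Y, W, z and k into functions, adds a fluid drop-tail approximation of how the legitimate request success rate degrades before full saturation, and turns the argument around into the defender's sizing question (how large the request slice must be to ride out a given number of hosts). Every figure in it (1000 Mbps link, 5% reserved, 4 servers, 0.5 Mbps per host) is constructed.

```python
"""Added model of the capacity argument in the deck (not the paper's or the slides' code).
The RTS channel is (z% * W) / k of the W Mbps data link, so it takes far fewer hosts to
saturate it. All numbers used below are constructed for illustration."""
import math


def rts_channel_mbps(link_mbps: float, reserved_percent: float, num_servers: int) -> float:
    """Capacity of one RTS server's request channel: (z% * W) / k from the slide."""
    return link_mbps * reserved_percent / 100.0 / num_servers


def hosts_to_saturate(channel_mbps: float, per_host_mbps: float) -> int:
    """Smallest number of hosts whose aggregate sending rate reaches the channel capacity."""
    if per_host_mbps <= 0:
        raise ValueError("per-host rate must be positive")
    return math.ceil(channel_mbps / per_host_mbps)


def legit_success_fraction(capacity_mbps: float, legit_mbps: float, attack_mbps: float) -> float:
    """Fluid model of an overloaded channel with no source discrimination: it forwards at most
    its capacity and drops the excess offered load proportionally, so a legitimate request
    gets through with probability min(1, C / offered)."""
    offered = legit_mbps + attack_mbps
    return 1.0 if offered <= capacity_mbps else capacity_mbps / offered


def compare_channels(link_mbps: float, reserved_percent: float, num_servers: int,
                     per_host_mbps: float) -> dict:
    """X and Y from the slide for one parameter set, plus their ratio."""
    rts = rts_channel_mbps(link_mbps, reserved_percent, num_servers)
    x = hosts_to_saturate(link_mbps, per_host_mbps)  # X: hosts to choke the data channel
    y = hosts_to_saturate(rts, per_host_mbps)        # Y: hosts to choke the RTS channel
    return {"rts_channel_mbps": rts, "hosts_to_choke_data": x,
            "hosts_to_choke_rts": y, "ratio": x / y}


def reserved_percent_for_resilience(link_mbps: float, num_servers: int,
                                    botnet_hosts: int, per_host_mbps: float) -> float:
    """Defender's sizing: the request slice z% needed so that the given number of hosts
    cannot fully saturate one RTS server's channel (legitimate request load not included).
    Operations are ordered to keep the arithmetic exact for round inputs."""
    return botnet_hosts * per_host_mbps * num_servers * 100.0 / link_mbps


def demo() -> dict:
    """Constructed scenario: 1 Gbps link, 5% reserved for requests, 4 RTS servers,
    0.5 Mbps of request traffic per host."""
    W, z, k, r = 1000.0, 5.0, 4, 0.5
    d = compare_channels(W, z, k, r)
    # 1 Mbps of legitimate requests competing with 49 Mbps of junk requests on a 12.5 Mbps slice
    d["legit_success"] = legit_success_fraction(d["rts_channel_mbps"], 1.0, 49.0)
    # slice needed so 200 such hosts cannot saturate one server's request channel
    d["percent_to_resist_200_hosts"] = reserved_percent_for_resilience(W, k, 200, r)
    return d


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed numbers the request slice is 12.5 Mbps, so 25 hosts choke it where 2000 are needed for the data link (the slide's X >> Y, here a factor of 80), and at four times overload only a quarter of legitimate requests get through. The sizing function shows the cost of the obvious fix: resisting even 200 such hosts would mean reserving 40% of the link for requests.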

RTS-Server attacks only affect new flows?
 Yes, but how long can existing flows last?
–Example: A Web server
Most clients are unknown & untrusted => should only grant limited bandwidth for a short time (i.e. short hash chains), on the order of minutes.
After RTS servers are attacked, existing clients can only be served by the web server for 20 minutes. All new requests are denied.

What data rate should a destination grant each client?
 Is the traffic rate determined per hash chain? Or do all keys of all chains have the same values, only changed by BGP advertisements?
–Not clear from the paper
 If the rate is changed by BGP advertisements
–Too slow to keep up with dynamic traffic loads
 If the rate is determined per hash chain
–The duration of each chain for each client can still make rate adjustment too slow

Other (minor) problems
Not all clocks run at the same rate:
=> The VP might decide that a token expires before the client thinks so.
Even small packets have to carry 64-bit overhead.
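The three preceding slides all turn on how a hash-chain capability behaves over time: a chain of a given length grants a client a fixed number of time slots (the 20-minute figure), the granted rate is tied to the chain, and a verification point (VP) whose clock runs ahead of the client's retires a token earlier than the client expects. The code below is an added example for this transcript, not the paper's or the offense team's code. It is a simplified model of the scheme as the slides describe it: the destination hands the source a chain of tokens, one per slot, and the VP holds only the chain anchor and checks a packet's token by hashing it forward to the anchor. SHA-256 as the hash, the `Source`/`VerificationPoint` classes, the 20 slots of 60 seconds, the 100 kbps grant and the 45-second clock offset are all assumptions made for the example.

```python
"""Added illustration (not the paper's or the slides' code) of a hash-chain capability as the
deck describes it. Token i = H^(n-i)(seed); the VP stores only the anchor H^n(seed) and learns
a token's slot index by counting hashes to the anchor. Chain length, slot length, granted
rate and clock values are constructed for this example."""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional


def H(data: bytes) -> bytes:
    """One chain step. SHA-256 is an assumption; the paper's choice of hash is not given here."""
    return hashlib.sha256(data).digest()


def make_chain(length: int, seed: Optional[bytes] = None) -> List[bytes]:
    """chain[0] is the secret seed, chain[i] = H(chain[i-1]); chain[length] is the anchor."""
    chain = [seed if seed is not None else os.urandom(32)]
    for _ in range(length):
        chain.append(H(chain[-1]))
    return chain


def chain_duration_s(length: int, slot_s: float) -> float:
    """How long a grant lasts before the source must reach the RTS server again."""
    return length * slot_s


def bytes_per_slot(rate_kbps: float, slot_s: float) -> int:
    """Byte budget per slot implied by a rate granted with the chain."""
    return int(rate_kbps * 1000 * slot_s / 8)


@dataclass
class Source:
    chain: List[bytes]
    issued_at: float
    slot_s: float

    def token_for(self, now: float) -> Optional[bytes]:
        """Token for the slot the source's own clock says it is in; None once the chain is used up."""
        n = len(self.chain) - 1
        i = int((now - self.issued_at) // self.slot_s) + 1
        if i < 1 or i > n:
            return None  # chain exhausted: a new grant needs the (possibly choked) RTS channel
        return self.chain[n - i]  # hashing this i times yields the anchor


@dataclass
class VerificationPoint:
    anchor: bytes
    length: int
    issued_at: float
    slot_s: float
    budget: int               # bytes allowed per slot for this chain
    clock_offset_s: float = 0.0  # how far the VP's clock runs ahead of the source's
    current_slot: int = 0
    used_in_slot: int = 0

    def _index_of(self, token: bytes) -> Optional[int]:
        """Slot index of a token, or None if it never reaches the anchor (forged)."""
        h = token
        for i in range(1, self.length + 1):
            h = H(h)
            if h == self.anchor:
                return i
        return None

    def check(self, token: Optional[bytes], now: float, pkt_len: int) -> str:
        """Classify a packet carrying `token` at the source's time `now`."""
        if token is None:
            return "no-token"
        i = self._index_of(token)
        if i is None:
            return "bad-token"
        vp_slot = int((now + self.clock_offset_s - self.issued_at) // self.slot_s) + 1
        if i != vp_slot:
            return "expired" if i < vp_slot else "not-yet-valid"
        if i != self.current_slot:  # new slot: reset the per-slot byte budget
            self.current_slot, self.used_in_slot = i, 0
        if self.used_in_slot + pkt_len > self.budget:
            return "rate-exceeded"
        self.used_in_slot += pkt_len
        return "ok"


def demo() -> dict:
    """Constructed run: 20 slots of 60 s (a 20-minute grant) at 100 kbps."""
    chain = make_chain(20)
    src = Source(chain, issued_at=0.0, slot_s=60.0)
    vp = VerificationPoint(chain[-1], 20, 0.0, 60.0, bytes_per_slot(100, 60.0))
    r = {"forged": vp.check(b"\x00" * 32, 10.0, 1500)}
    r["first"] = vp.check(src.token_for(10.0), 10.0, 1500)        # slot 1
    r["later_slot"] = vp.check(src.token_for(125.0), 125.0, 1500)  # slot 3
    tok = src.token_for(130.0)
    for _ in range(499):                                           # fill slot 3's 750000-byte budget
        vp.check(tok, 130.0, 1500)
    r["over_rate"] = vp.check(tok, 131.0, 1500)
    r["exhausted"] = src.token_for(chain_duration_s(20, 60.0) + 50.0) is None
    skewed = VerificationPoint(chain[-1], 20, 0.0, 60.0, bytes_per_slot(100, 60.0), clock_offset_s=45.0)
    r["skew"] = skewed.check(src.token_for(100.0), 100.0, 1500)    # source: slot 2, VP: slot 3
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the slides state fall straight out of the run: a source that cannot reach the RTS server is cut off at exactly the chain's duration, whatever the state of the data channel, and a 45-second offset on a 60-second slot is enough for the VP to reject a token the source still considers current, so a deployment would have to pad slot boundaries or bound clock skew.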

Unnecessary requirement
 Why does the paper assume that an attacker cannot snoop the values sent to the source?
–If the attacker is not on the same network as the source, then it cannot spoof packets because of ingress/egress filtering.
–If the attacker is on the same network as the source, then it can launch other, more effective DoS attacks against that client.
 If the assumption is valid, then how do you achieve that?
–Encrypt packets? Too expensive, not scalable.

Policy management problem
 Where are the policies maintained?
–RTS servers? Too many server applications (millions) to manage. Problems with updating policies.
–Each application? Applications (client & server) need to be changed.

Backup slides

RTS Servers vulnerable to DoS
(Diagram: nodes in the Internet (100x) versus nodes in an AS (30x), each shown as compromised or uncompromised.)
Attackers need to compromise a smaller percentage of the nodes in the “node pool” to compromise RTS servers.