Random Flow Network Modeling and Simulations for DDoS Attack Mitigation Jiejun Kong, Mansoor Mirza, James Shu, Christian Yoedhana, Mario Gerla, Songwu.

Slides:

Advertisements

Similar presentations

Quiz 1 Posted on DEN 8 multiple-choice questions

Advertisements

 Liang Guo  Ibrahim Matta  Computer Science Department  Boston University  Presented by:  Chris Gianfrancesco and Rick Skowyra.

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.

The War Between Mice and Elephants LIANG GUO, IBRAHIM MATTA Computer Science Department Boston University ICNP (International Conference on Network Protocols)

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

XCP: Congestion Control for High Bandwidth-Delay Product Network Dina Katabi, Mark Handley and Charlie Rohrs Presented by Ao-Jan Su.

Small-world Overlay P2P Network

Distributed Algorithms for Secure Multipath Routing

The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP

You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.

Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.

A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Denial of Service Resilience in Ad Hoc Networks Imad Aad, Jean-Pierre Hubaux, and Edward W. Knightly Designed by Yao Zhao.

Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

Analyzing Cooperative Containment Of Fast Scanning Worms Jayanthkumar Kannan Joint work with Lakshminarayanan Subramanian, Ion Stoica, Randy Katz.

On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.

Enhancing TCP Fairness in Ad Hoc Wireless Networks Using Neighborhood RED Kaixin Xu, Mario Gerla University of California, Los Angeles {xkx,

A DoS Limiting Network Architecture An Overview by - Amit Mondal.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Tradeoffs in CDN Designs for Throughput Oriented Traffic Minlan Yu University of Southern California 1 Joint work with Wenjie Jiang, Haoyuan Li, and Ion.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

Sample Research Defenses Packetscore Pushback Traceback SOS Proof-of-work systems Human behavior modeling SENSS.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Review of IP traceback Ming-Hour Yang The Department of Information & Computer Engineering Chung Yuan Christian University

Pi : A Path Identification Mechanism to Defend against DDos Attacks.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

Integrated Dynamic IP and Wavelength Routing in IP over WDM Networks Murali Kodialam and T. V. Lakshman Bell Laboratories Lucent Technologies IEEE INFOCOM.

1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.

Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004.

Enhancing TCP Fairness in Ad Hoc Wireless Networks using Neighborhood RED Kaixin Xu, Mario Gerla UCLA Computer Science Department

Enhancing TCP Fairness in Ad Hoc Wireless Networks Using Neighborhood RED Kaixin Xu, Mario Gerla University of California, Los Angeles {xkx,

Source-End Defense System against DDoS attacks Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang Distributed System and Network Security.

Higashino Lab. Maximizing User Gain in Multi-flow Multicast Streaming on Overlay Networks Y.Nakamura, H.Yamaguchi and T.Higashino Graduate School of Information.

Sharing Information across Congestion Windows CSE222A Project Presentation March 15, 2005 Apurva Sharma.

SOS: Security Overlay Service Angelos D. Keromytis, Vishal Misra, Daniel Rubenstein- Columbia University ACM SIGCOMM 2002 CONFERENCE, PITTSBURGH PA, AUG.

Mobile Traffic Sensor Network versus Motion-MIX: Tracing and Protecting Mobile Wireless Nodes JieJun Kong Dapeng Wu Xiaoyan Hong and Mario Gerla.

Maximization of Network Survivability against Intelligent and Malicious Attacks (Cont’d) Presented by Erion Lin.

Korea Advanced Institute of Science and Technology Network Systems Lab. 1 Dual-resource TCP/AQM for processing-constrained networks INFOCOM 2006, Barcelona,

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

Large-Scale IP Traceback in High-Speed Internet : Practical Techniques and Theoretical Foundation Jun (Jim) Xu Networking & Telecommunications Group College.

Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks Paper by: Bryan Parno et al. (CMU) Presented by: Ionut Trestian Gergely Biczók.

Data Communications and Networking Chapter 11 Routing in Switched Networks References: Book Chapters 12.1, 12.3 Data and Computer Communications, 8th edition.

Distributed Denial of Service Attacks

Tiered Incentives for Integrity Based Queuing Fariba Khan, Carl A. Gunter University of Illinois at Urbana-Champaign.

Trajectory Sampling for Direct Traffic Oberservation N.G. Duffield and Matthias Grossglauser IEEE/ACM Transactions on Networking, Vol. 9, No. 3 June 2001.

1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.

Packet-Marking Scheme for DDoS Attack Prevention

Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.

1 An Arc-Path Model for OSPF Weight Setting Problem Dr.Jeffery Kennington Anusha Madhavan.

DoS/DDoS attack and defense

An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

Power-Aware Topology Control for Wireless Ad-Hoc Networks Wonseok Baek and C.-C. Jay Kuo Department of Electrical Engineering University of Southern California.

Problem: Internet diagnostics and forensics

Pi: A Path Identification Mechanism to Defend Against DDoS Attacks

A Study of Group-Tree Matching in Large Scale Group Communications

Defending Against DDoS

Defending Against DDoS

Preventing Internet Denial-of-Service with Capabilities

EE 122: Lecture 18 (Differentiated Services)

DDoS Attack and Its Defense

EE 122: Differentiated Services

Presentation transcript:

Random Flow Network Modeling and Simulations for DDoS Attack Mitigation Jiejun Kong, Mansoor Mirza, James Shu, Christian Yoedhana, Mario Gerla, Songwu Lu Computer Science Department University of California, Los Angeles

Outline Problem Current countermeasures Our model Simulation & conclusions

Problem Statement Distributed clients “maliciously” send data packets to a service site, and regular service requests are starved due to congestion –Connection bandwidth is defined as the bottleneck link bandwidth en route. DDoS is effective if this metric approaches zero –“Maliciousness”: junk traffic, source address spoofing

Countermeasure: Source Traceback An indirect counterattack against IP spoofing, a common trick used by DDoS attackers Probabilistic Packet Marking ( PPM, Sigcomm 2000 ) –X: # of marked packets needed d: # of hops p: marking probability –Expected # of packets needed Hash-based traceable logging ( SPIE, Sigcomm 2001 ) –Use collision-resistant hash functions to generate and record checksum of data packets –Path verification upon victim’s call

Countermeasure: Filtering “Malicious” Traffic Effective means to decrease # of those sources using “wrong” source address Ingress filtering ( RFC2267, RFC2867 ) –Effective in access networks only Distributed Packet Filter ( DPF, Sigcomm 2001 ) –Effective in core networks and when topological update is negligible Source Address Validity Enforcement ( SAVE, Infocom 2002 ) –Extends ingress filtering to core networks

Countermeasure: Rate Control Reduce DDoS to a congestion control problem Pushback ( NDSS 2002 ) –Aggregate-based Congestion Control (ACC) –Aggregate: a subset of traffic with an identifiable property –Identify aggregates responsible for congestion, and preferentially drop them at routers Router throttle ( IWQoS 2002 ) –Achieving max-min fairness [L S,U S ] by (de)activating the throttles at upstream routers

Our Observations Lack of general modeling so far –Smart punches and maneuvers exchanged between attackers and network designers No clear boundary between DDoS and service availability –Large amount of clients  service availability –Large amount of “malicious” clients  DDoS –But many aspects of “maliciousness” are subjective notions without clear definition Many countermeasures violate the end-to- end argument, thus cannot be realized in the near future

Modeling: Random Flow Network Supersink Supersource

Modeling: Problem Statement Max-flow min-cut –Maximum flow from S to T determines a min-cut (X,X) Updates in SourceNet and SinkNet incur changes in the min-cut –(X, X)  (X’, X’) The DDCP (DDoS Countermeasure Problem) is to minimize the sum cost of 3 positive functions –Source cost function f(-  S) –Sink cost function g(+  T) –Partition penalty function h(S,T) in particular, h(X, X)-h(X’, X’) X T X ( SinkNet T embedded ) X S X ( SourceNet S embedded )

DDCP is a hard integer programming problem DDCP is a very complex integer programming with large number of variates –Theoretic answer hard to obtain –In practice, all the cost modeled can be obtained “post-mortem” after an attack (but assuming ubiquitous traffic logging) For effective countermeasures, we require the sum C to be at least negative

The Necessity of Simulation Function f and g depend on out-of-band issues not addressable in this work Theoretic answers not available At least we can use simulations to evaluate the partition penalty cost (i.e., the portion with h function)

Simulation Illustration: Internet-like Random Flow Networks A random network generated by Michigan’s INET generator –Server in red –Clients in cyan Conforming to Internet power- law constraints

Simulation Setup NS2 Clients/servers using HTTP Regular clients follows Pareto model in transmission –Pareto model (  =1.4) is empirically observed as the Internet application transmission model Malicious attackers pump traffic without intermittence # of malicious attackers increases from 0 to 40% of all nodes

Simulation Results X-axis: sink size –ie.# of servers Y-axis: source size –# of attackers Z-axis: normalized goodput –100% when # of server is 1 and # of attackers is zero

Simulation Results 2 (Trivia) When source size increases from 0 to 40% of all senders, goodput decreases to  70% When sink size increases from 0 to  10, goodput comes back to  100% for all sink sizes simulated –This means the partition penalty cost is 0  DDoS is neutralized by service availability

Simulation Results 3 (Implications) Both source size decrement and sink size increment are effective countermeasures In a network topology, deploying a limited number of middlewares or proxies is effective against DDoS –Middlewares/proxies are particularly necessary to address single point of failure ( with respect to DDoS ) –When sink size is greater than a threshold, no clear boundary between DDoS and service availability

Sinknet Example: Pushback Router (Ioannidis & Bellovin, NDSS’02) The victim being attacked is the supersink A successful pushback to a pushback router means adding the router into the sinknet Expected to be an effective countermeasure in a power-law network like the Internet

Conclusions Besides SourceNet decrement, SinkNet increment is also critical to resist DDoS attacks –It verifies the effectiveness of pro-sink countermeasures ( e.g., pushback router, content delivery network, network middlewares ) –May not need to differentiate DDoS attack and service availability: e.g., service middlewares solve both problems