A TCAM-based solution for integrated traffic anomaly detection and policy filtering. Authors: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang

Presentation transcript:

1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering. Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang. Publisher: Computer Communications 2009. Presenter: Hsin-Mao Chen. Date: 2009/9/30

2 Outline: Introduction, Background, Architecture, Data Structures, Packet Processing, Performance

3 Introduction. Distributed Denial of Service (DDoS) attacks are the major threats to the Internet. TCP-based DDoS attacks that use spoofed source IP addresses are detected at the edge router through two-dimensional matching.

4 Background. Two-dimensional (2D) matching: a normal TCP flow generated from one end host to another should have a corresponding flow in the reverse direction.

5 Background (figure only)

6 TCP Packet Header (field widths in bits):
- Source Port Number (16), Destination Port Number (16)
- Sequence number (32)
- Header length (4), Unused (6), flag bits URG, ACK, PSH, RST, SYN, FIN, Window Size (16)
- Header followed by Data

7 Background. Three Way Handshake (figure: Client/Server timeline showing FIN, FIN+ACK, ACK)

8 Architecture (figure only)

9 Data Structures. Format of the action code:
- Entry type bit: (0) Policy Filter Rule, (1) Flow Identity
- CPU bit: (0) Not passed to the local CPU, (1) Passed to the local CPU
- Forwarding Action
- Flow index into the flow table located in the local CPU
- Free bits

10 Data Structures. Format of the flow table in the local CPU:
- State: (00) Empty Entry, (01) Unmatched existing flow, (10) Expected flow, (11) Matching existing flow
- FIN and ACK bits: used to terminate a pair of completed flows
- Flow location in the TCAM rule table
- Timers: T_alm, T_idl, T_rmv

11 Packet Processing. Packet in a new flow (figure: TCAM table and flow table)

12 Packet Processing. Packet in an expected flow (figure: TCAM table)

13 Packet Processing. Packet in a matched flow (figure: TCAM table)

14 Packet Processing. Packet with FIN and/or ACK bit set (figure: TCAM table; FIN, FIN+ACK, ACK exchange)
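Added example (not the paper's or the presenter's code): a simplified software emulation of the 2D-matching flow table from slides 10 to 14, so the state codes and the packet-processing cases can be traced on sample traffic. A Python dict stands in for the TCAM rule table; the state transitions, the reading of T_alm as the maximum wait for the reverse flow, and the Packet/Entry classes and addresses are this editor's assumptions, and T_idl and T_rmv are not modelled.

```python
from dataclasses import dataclass

# Flow-state codes from slide 10
EMPTY, UNMATCHED, EXPECTED, MATCHED = "00", "01", "10", "11"

@dataclass
class Packet:            # constructed: only the fields 2D matching needs
    src: str
    sport: int
    dst: str
    dport: int
    t: float             # arrival time in seconds
    fin: bool = False
    ack: bool = False

@dataclass
class Entry:
    state: str
    first_seen: float
    fin_seen: bool = False

class FlowTable:
    """2D-matching flow table; a dict replaces the TCAM rule table (assumption)."""
    def __init__(self, t_alm=3.0):
        self.t_alm = t_alm       # T_alm: seconds a flow may stay unmatched (assumed meaning)
        self.flows = {}          # 4-tuple -> Entry
        self.alarms = []

    def process(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        e = self.flows.get(fwd)
        if e is None:                       # slide 11: packet in a new flow
            self.flows[fwd] = Entry(UNMATCHED, p.t)
            self.flows.setdefault(rev, Entry(EXPECTED, p.t))
        elif e.state == EXPECTED:           # slide 12: the awaited reverse flow arrived
            e.state = MATCHED
            self.flows[rev].state = MATCHED
        e = self.flows[fwd]                 # slide 13: matched flow, forwarded as usual
        if p.fin:                           # slide 14: FIN / FIN+ACK / ACK tear-down
            e.fin_seen = True
        if p.ack and not p.fin and e.fin_seen and self.flows[rev].fin_seen:
            del self.flows[fwd], self.flows[rev]   # pair of completed flows removed
            return EMPTY
        return e.state

    def sweep(self, now):
        """Raise an alarm for flows whose reverse flow never showed up within T_alm."""
        for k, e in list(self.flows.items()):
            if e.state == UNMATCHED and now - e.first_seen >= self.t_alm:
                self.alarms.append(k)
                self.flows.pop((k[2], k[3], k[0], k[1]), None)  # drop its expected entry
                del self.flows[k]
        return list(self.alarms)
```

A flow with a spoofed source address is never answered, so it ages out of the UNMATCHED state into an alarm, while a legitimate connection moves to MATCHED on the first reply and is removed after the FIN, FIN+ACK, ACK exchange.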

15 Performance. False alarm probability: $P_{false} = (1-p)^{n-1}\,p$

16 Performance. Average time for an attack to be monitored (figure: Trace 1, Trace 2)

17 Performance. Number of falsely alarmed flows per second (figure only)