Max-Breadth: Limiting Amplification Attack Damage. Controlling the Impact of a Request on the Network. draft-sparks-sipping-max-breadth-00. Robert Sparks, Estacado Systems.

Max-Breadth
Discussed in depth at SIPit 17.
The concept was first explored in the maxforward-problems work by apportioning the remaining Max-Forwards value among the branches of a fork.
– Feedback: that approach would break existing deployments.
New proposal: a separate mechanism, complementary to Max-Forwards, rather than an overload of it.

Max-Breadth Mechanism
A new Max-Breadth header carries the number of concurrent branches that may be added downstream of the recipient.
The value is apportioned among the branches a proxy forks to.
– As branches finish, their share is reclaimed and can be applied to new branches.
– Small values push forking towards serial (a value of 1 means strictly serial) where that makes sense.
– For applications where restricting the branching this way does not make sense, an element would return a new 4xx "Max-Breadth exceeded" response instead of forking.

Impact of Mechanism
Requests generally traverse the same graph, but only a bounded number of edges are active at any given time (each edge is a SIP transaction).
In existing and currently anticipated deployments the mechanism would not perturb processing at all unless something was going wrong.
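The following is an added example, not code from the draft or from the slides: a small model of a forking proxy that apportions an incoming Max-Breadth value over its branches, reclaims each share when a branch finishes, and refuses with the new 4xx when it cannot fork a parallel-only target widely enough. It also checks the claim on the "Impact of Mechanism" slide that the request still traverses the same graph while the number of simultaneously active transactions is bounded. The registration table, the "ua:" naming for end devices, the status strings, the loop check by visited AOR and the exact 4xx code are all assumptions made for illustration.

```python
"""Simulation of a SIP forking proxy that honours a Max-Breadth value.

Added example, not code from the draft. The registration table, the "ua:"
contact naming, the status strings and the function names are constructed
for illustration; the exact 4xx code is not fixed on the slides.
"""
from typing import Dict, FrozenSet, List, Tuple

# Constructed registration table: each AOR forks to these contacts. A contact
# starting with "ua:" is an end device; anything else is another AOR served by
# a forking proxy. AORs that point at each other model the kind of graph the
# amplification attack relies on.
REGISTRATIONS: Dict[str, List[str]] = {
    "alice": ["bob", "carol", "ua:alice-phone"],
    "bob":   ["alice", "carol", "ua:bob-phone"],
    "carol": ["alice", "bob", "ua:carol-phone"],
}


def apportion(max_breadth: int, n_targets: int) -> List[int]:
    """Split the received Max-Breadth value over branches started in parallel.

    At most max_breadth branches run concurrently and every started branch
    gets at least 1 so it can itself forward the request; leftover units go to
    the earliest branches.
    """
    if max_breadth < 1:
        raise ValueError("Max-Breadth must be positive")
    concurrent = min(max_breadth, n_targets)
    base, extra = divmod(max_breadth, concurrent)
    return [base + (1 if i < extra else 0) for i in range(concurrent)]


def route(target: str, max_breadth: int, max_forwards: int,
          via: Tuple[str, ...] = (),
          parallel_only: FrozenSet[str] = frozenset()) -> Tuple[str, int, int]:
    """Send one request (one SIP transaction) towards `target`.

    Returns (best_status, transactions, peak_concurrent) for the subtree behind
    this edge: `transactions` counts every edge traversed including this one;
    `peak_concurrent` is the worst-case number of those edges active at once.
    """
    if target.startswith("ua:"):
        return "200 OK", 1, 1
    if target in via:                     # loop detection on the path so far
        return "482 Loop Detected", 1, 1
    if max_forwards == 0:                 # Max-Forwards bounds depth, not breadth
        return "483 Too Many Hops", 1, 1
    contacts = REGISTRATIONS.get(target, [])
    if not contacts:
        return "480 Temporarily Unavailable", 1, 1
    if target in parallel_only and len(contacts) > max_breadth:
        # This proxy must fork all contacts in parallel (e.g. a hunt group);
        # serialising would make no sense, so it refuses with the new 4xx.
        return "4xx Max-Breadth Exceeded", 1, 1

    shares = apportion(max_breadth, len(contacts))
    wave = len(shares)
    statuses, total, peak = [], 1, 0
    # Contacts run in waves of `wave` concurrent branches. When a branch ends
    # its share is reclaimed and handed to the next queued contact, so the
    # shares outstanding at any instant never sum to more than max_breadth.
    for start in range(0, len(contacts), wave):
        wave_peak = 0
        for slot, contact in enumerate(contacts[start:start + wave]):
            status, count, branch_peak = route(
                contact, shares[slot], max_forwards - 1, via + (target,),
                parallel_only)
            statuses.append(status)
            total += count
            wave_peak += branch_peak      # assume the branches peak together
        peak = max(peak, wave_peak)
    best = min(statuses, key=lambda s: int(s[0]))   # lowest response class wins
    return best, total, peak


def compare(aor: str, max_breadth: int, max_forwards: int) -> Dict[str, Tuple[int, int]]:
    """(transactions, peak concurrency) with and without a Max-Breadth bound."""
    _, t_free, p_free = route(aor, 10 ** 9, max_forwards)   # effectively unlimited
    _, t_bound, p_bound = route(aor, max_breadth, max_forwards)
    return {"unbounded": (t_free, p_free), "bounded": (t_bound, p_bound)}


if __name__ == "__main__":
    for mb in (1, 2, 4):
        print(f"Max-Breadth {mb}: {compare('alice', mb, 3)}")
```

With the constructed table and Max-Forwards of 3, both runs traverse the same 16 transactions, but the unbounded fork can have 11 of them in flight at once while a Max-Breadth of 2 never has more than 2. The wave model is a simplification: a real proxy would start the next queued contact the moment any branch completes rather than waiting for a whole wave, which only lowers the peak further, and loop detection in a real proxy is based on the Via headers rather than on a visited-AOR list.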

Why is this important?
The loop-detection fix for the known amplification attack helps, but it is not perfect.
– With loop detection, the attack reduces to O(2^M) amplification, where M is the number of AORs involved.
– Minor changes to the attack render O(2^M log M) amplification.
Depletion of Max-Breadth can be monitored, providing early warning and better diagnostics for emerging problems.

Going Forward
List discussion
– Before SIPit is better.
Analyze the mechanism
– Can we identify a concrete application where this approach causes harm?
If not, this should be passed to the SIP working group soon.