MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

Slides:



Advertisements
Similar presentations
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Advertisements

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
1 o Two issues in practice – Scale – Administrative autonomy o Autonomous system (AS) or region o Intra autonomous system routing protocol o Gateway routers.
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
MOBILITY SUPPORT IN IPv6
1 Controlling High Bandwidth Aggregates in the Network.
© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)
1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)
“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.
DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.
© J. Liebeherr, All rights reserved 1 IP Multicasting.
ROUTING ON THE INTERNET COSC Aug-15. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Network Layer Moving datagrams. How do it know? Tom-Tom.
Review of IP traceback Ming-Hour Yang The Department of Information & Computer Engineering Chung Yuan Christian University
ICMP (Internet Control Message Protocol) Computer Networks By: Saeedeh Zahmatkesh spring.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
Cisco – Chapter 11 Routers All You Ever Wanted To Know But Were Afraid to Ask.
Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.
Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004.
1 Internet Protocol. 2 Connectionless Network Layers Destination, source, hop count Maybe other stuff –fragmentation –options (e.g., source routing) –error.
CS4550 Computer Networks II IP : internet protocol, part 2 : packet formats, routing, routing tables, ICMP read feit chapter 6.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.
© J. Liebeherr, All rights reserved 1 Multicast Routing.
Distributed Denial of Service Attacks
Group 8 Distributed Denial of Service. DoS SYN Flood DDoS Proposed Algorithm Group 8 What is Denial of Service? “Attack in which the primary goal is to.
COP 5611 Operating Systems Spring 2010 Dan C. Marinescu Office: HEC 439 B Office hours: M-Wd 2:00-3:00 PM.
4/19/20021 TCPSplitter: A Reconfigurable Hardware Based TCP Flow Monitor David V. Schuehler.
Efficient Cache Structures of IP Routers to Provide Policy-Based Services Graduate School of Engineering Osaka City University
ACCESS CONTROL LIST.
1 IP Multicasting Relates to Lab 10. It covers IP multicasting, including multicast addressing, IGMP, and multicast routing.
Network Layer (OSI and TCP/IP) Lecture 9, May 2, 2003 Data Communications and Networks Mr. Greg Vogl Uganda Martyrs University.
1 12-Jan-16 OSI network layer CCNA Exploration Semester 1 Chapter 5.
Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by Rafail Tsirbas 4/1/20151.
Transport Layer3-1 Network Layer Every man dies. Not every man really lives.
Filtering Spoofed Packets Network Ingress Filtering (BCP 38) What are spoofed or forged packets? Why are they bad? How to keep them out.
Security System for KOREN/APII-Testbed
Multicast Communications
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 OSI network layer CCNA Exploration Semester 1 – Chapter 5.
Network Layer COMPUTER NETWORKS Networking Standards (Network LAYER)
Working at a Small-to-Medium Business or ISP – Chapter 6
Internet Networking recitation #9
Data Streaming in Computer Networking
Pi: A Path Identification Mechanism to Defend Against DDoS Attacks
IP Forwarding Covers the principles of end-to-end datagram delivery in IP networks.
Defending Against DDoS
Filtering Spoofed Packets
IP Forwarding Relates to Lab 3.
Defending Against DDoS
DDoS Attack Detection under SDN Context
IP Forwarding Relates to Lab 3.
Network Core and QoS.
IP Traceback Problem: How do we determine where malicious packet came from ? It’s a problem because attacker can spoof source IP address If we know where.
Internet Networking recitation #10
Memento: Making Sliding Windows Efficient for Heavy Hitters
IIT Indore © Neminath Hubballi
Working at a Small-to-Medium Business or ISP – Chapter 6
IP Forwarding Relates to Lab 3.
Networking and Network Protocols (Part2)
ITIS 6167/8167: Network and Information Security
Network Core and QoS.
Intelligent Network Services through Active Flow Manipulation
Presentation transcript:

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA Massimiliano Poletto Mazu Networks, Inc., Cambridge, MA, USA

Bandwidth attacks Maliciously generated traffic congests links Traffic is typically ICMP, UDP, or TCP IP spoofing: fake IP source addresses Distribution: multiple hosts pounding one victim

MULTOPS heuristic Drop packets from sources sending disproportionate flows Normal: proportional packet rates router Attack: disproportional packet rates router

Feb 2000: ICMP flood +MULTOPS identifies attackers’ addresses +MULTOPS drops packets from those addresses MULTOPS

Implementation challenges Precise identification of malicious addresses Small memory footprint Minimal impact on forwarding performance

Naive data-structure , to-ratefrom-rate 2 32 entries +Identifies individual attackers -Requires too much memory -Most entries are zero or insignificant -Total packet rate per subnet expensive to calculate

Less naive data-structure / / / / ,876309, ,234528, to-ratefrom-rate 256 entries +Requires little memory -May not detect small attacks -Prefixes very short; risky to use for dropping policy -Impossible to collect finer grained data

MULTOPS /8 subnets /16 subnets /24 subnets IP addresses +Provides packet rates on different aggregation levels +Expands and contracts dynamically +Disregards insignificant subnets and addresses +Memory efficient

Algorithm /8... 2,7462, to-ratefrom-rate... from-rate source: destination: source: destination:

Expansion IP address Update rate for /8 Update rate for /16; exceeds threshold: create child node Update rate for /24 in newly created node Nodes dynamically created to track finer grained packet rates

Contraction MULTOPS could run out of memory Attackers may cause this intentionally Impose absolute memory limit Contract stale parts of the tree periodically contract

Scenario +MULTOPS drops packets with malicious address prefix Collateral damage depends on length of address prefix MULTOPS

MULTOPS dropping decision Drop packet based on 2 criteria Packet rate > 100 packets per second, and Ratio > 1:3 Values determined through experimentation Thomer M. Gil: note: some applications that use non-TCP protocols display proportional behavior, e.g., DNS and NFS Thomer M. Gil: note: some applications that use non-TCP protocols display proportional behavior, e.g., DNS and NFS

Randomized source addresses Impossible to identify attackers’ addresses Easy to identify victim’s address Drop packets based on victim’s address 2 MULTOPS to stop both attack types Source-based MULTOPS: non-randomized attacks Destination-based MULTOPS: randomized attacks

Reverse orientation +MULTOPS drops packets going to victim +Victim’s network relieved from malicious traffic -MULTOPS drops benign packets going to victim MULTOPS

Performance MULTOPS implemented in Click, a modular router Forwarding speed inversely related to size of tree Forwards up to 825,000 packets per second Pentium III, 833MHz PC 256MB main memory, 256KB cache Better performance than reported in paper Simpler mechanism to compute packet rates

Cycles per packet for different attacks 16 MB 8 MB 2 MB

Status Enhanced MULTOPS used by Mazu Networks Has detected TCP floods on commercial networks Identified a single 8-bit malicious address prefix

Future work and problems Different ACK policies change ratio for valid traffic Not all Internet traffic is TCP Asymmetric routes MULTOPS must see traffic in both directions Requires distributed data collection

Related work Ingress/egress filtering (RFC2827) IP Traceback (Savage et al.) CenterTrack (Stone) Pushback (Bellovin et al.) RMON, Netflow (Cisco) MULTOPS is complementary

Conclusion MULTOPS identifies attacker/victim addresses Effectiveness depends on MULTOPS location on network Randomized source address MULTOPS successfully detects and stops attacks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.