Michael Walfish, Mythili Vutukuru, Hari Balakrishanan, David Karger, Scott Shankar DDos Defense by Offense.

Slides:

Advertisements

Similar presentations

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Advertisements

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

The Mobile Code Paradigm and Its Security Issues Anthony Chan and Michael Lyu September 27, 1999.

DDOS Defense by Offense OFFENSE Presented by: Anup Goyal Aojan Su.

DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by: Boris Kurktchiev and Kimberly.

5/18/2015 Samarpita Hurkute DDoS Defense By Offense 1 DDoS Defense by Offense Michael Walfish,Mythili Vutukuru,Hari Balakrishnan,David Karger,Scott Shenker.

DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented.

1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, Scott Shenker, SIGCOMM ‘06 Presented by Lianmu Chen DDoS:

Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Sunjun Kim, Donyoung Koo 1DDoS Defense by Offense.

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Introduction to Security Computer Networks Computer Networks Term B10.

EECS Presentation Web Tap: Intelligent Intrusion Detection Kevin Borders.

DDoS Defense by Offense Presented by: Matthew C.H. Ma Damon Chan.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Internet Cache Pollution Attacks and Countermeasures Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen Electrical Engineering and Computer Science.

DDoS: Defense by Offense 1 DDoS Defense by Offense Michael Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker, SIGCOMM ‘06 Presented.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

10/21/20031 Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Kavita Chada & Viji Avali CSCE 790.

Towards a More Functional and Secure Network Infrastructure Dan Adkins, Karthik Lakshminarayanan, Adrian Perrig (CMU), and Ion Stoica.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

1 The Good, The Bad and the Ugly: Network Performance in Malicious Environment Udi Ben-Porat ETH Zurich, Switzerland Anat Bremler-Barr IDC Herzliya, Israel.

By Olalekan Kadri & Aqila Dissanayake Prevention and Detection of DoS/DDoS.

1Federal Network Systems, LLC CIS Network Security Instructor Professor Mort Anvair Notice: Use and Disclosure of Data. Limited Data Rights. This proposal.

B OTNETS T HREATS A ND B OTNETS DETECTION Mona Aldakheel

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Pi : A Path Identification Mechanism to Defend against DDos Attacks.

Michael Sirivianos Xiaowei Yang Stanislaw Jarecki Presented by Vidya Nalan Chakravarthy.

Speaker:Chiang Hong-Ren Botnet Detection by Monitoring Group Activities in DNS Traffic.

DELAYED CHAINING: A PRACTICAL P2P SOLUTION FOR VIDEO-ON-DEMAND Speaker : 童耀民 MA1G Authors: Paris, J.-F.Paris, J.-F. ; Amer, A. Computer.

Denial of Service Bryan Oemler Web Enhanced Information Management March 22 nd, 2011.

Micheal Walfish, Mythili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker Presented by Corey White.

Final Introduction ---- Web Security, DDoS, others

DaaS: DDoS Mitigation-as-a-Service 2011 IEEE/IPSJ International Symposium on Applications and the Internet Author: Soon Hin Khor & Akihiro Nakao Speaker:

A Taxonomy of Computer Worms Nicholas Weaver, Vern Paxson, Stuart Staniford, and Robert Cunningham ACM WORM 2003 Speaker: Chang Huan Wu 2008/8/8.

--Harish Reddy Vemula Distributed Denial of Service.

EC-Council Copyright © by EC-Council All Rights reserved. Reproduction is strictly prohibited Security News Source Courtesy:

SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938.

Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy, Tom Anderson Affiliates Day, 2007.

Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.

Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang DDoS Defense by Offense Michael Walfish,

Adaptive Selective Verification Sanjeev Khanna, Santosh Venkatesh, UPenn Omid Fatemieh, Fariba Khan, Carl A. Gunter, UIUC IEEE INFOCOM 2008.

DDoS Defense by Offence Michael Walfish, Mithili Vutukuru, Hari Balakrishnan, David Karger, and Scott Shenker MIT CSAIL, UCB and ICSI ACM SigComm 2006.

Mehmud Abliz, Taieb Znati, ACSAC (Dec., 2009). Outline Introduction Desired properties Basic scheme Improvements to the basic scheme Analysis Related.

Evaluate the Merits of Using Honeypots to Defend against Distributed Denial- of-Service Attacks on Web Servers By Cheow Lip Goh.

Randomized Failover Intrusion- Tolerant Systems (RFITS) Ranga Ramanujan, Maher Kaddoura, Carla Marceau, Clint Sanders, Doug Harper, David Baca Architecture.

1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.

Denial of Service Datakom Ht08 Jesper Christensen, Patrick Johansson, Robert Kajic A short introduction to DoS.

1 Introduction to Malcode, DoS Attack, Traceback, RFID Security Cliff C. Zou 03/02/06.

Denial of Service Attack 발표자 : 전지훈. What is Denial of Service Attack?  Denial of Service Attack = DoS Attack  Service attacks on a Web server floods.

Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.

SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133.

Module  Introduction Introduction  Techniques and tools used to commit computer crimes Techniques and tools used to commit computer crimes.

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks TCP.

DoS/DDoS attack and defense

Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley.

Lecture 16 Page 1 CS 239, Spring 2007 Designing Performance Experiments: An Example CS 239 Experimental Methodologies for System Software Peter Reiher.

CS 347Notes081 CS 347: Parallel and Distributed Data Management Notes 08: P2P Systems.

Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.

DDoS Defense by Offense1 Walfish, M., Vutukuru, M., Balakrishnan, H., Karger, D., (MIT) and Shenker, S. (UC Berkeley), SIGCOMM ’06 Presented by Ivanka.

Denial of Service Attacks Simulating Strategic Firewall Placement By James Box, J.A. Hamilton Jr., Adam Hathcock, Alan Hunt.

Distributed Denial of Service Yi Zhang April 26, 2016.

Denial of Service A comparison of DoS schemes Kevin LaMantia COSC 316.

© A10 Networks, Inc. Distributed Prevention of DoS Collaboration is key.

Analyzing Security and Energy Tradeoffs in Autonomic Capacity Management Wei Wu.

Lab 2: TCP IP Attacks ( Indirect)

Presentation transcript:

Michael Walfish, Mythili Vutukuru, Hari Balakrishanan, David Karger, Scott Shankar DDos Defense by Offense

Introduction A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. Goal is to defend servers against application level DDos, a noxious attack in which criminals mimic legitimate client behavior by sending proper looking requests via compromised and commandeered hosts. The attacker forces to spend much of its resources on spurious requests. Examples of such attacks include using bots to attack website by : requesting large files,making queries of search engines and issuing computationally expensive requests.

Taxonomy of defenses Over-provision massively Detect and block Charge all clients in currency Speak up is a currency approach with bandwidth as the currency

Applicability of speak up How much aggregate bandwidth does the legitimate clientele need for speak up to be effective? How much aggregate bandwidth does the legitimate clientele need for speak up to leave them unharmed by an attack? Small websites, if defended by speak up, still be harmed? Because bandwidth is in part a communal resource,doesn’t the encouragement to send more traffic damage the network?

Applicability of speak up For the speak up to defend against the threat model, the following two conditions must hold: Adequate link bandwidth Adequate client bandwidth

Design of speak up Motivated by simple observation about bad clients : they send requests to victimized servers at much higher rates than legitimate clients do.

Illustration Imagine a request response server,where each request is cheap for clients to issue, is expensive to serve, and consumes same quantity of server resources. Suppose that every server has the capacity to handle c requests per second and that the aggregate demand from good clients is g requests per second, g<c If the attackers consume all of their aggregate upload band width B and if B + g > c, then the good clients will receive only a fraction g/( g + B) of the server’s resources. Assuming B>>g,the bulk of the server goes to attacking clients.

Illustration

Design goal and required mechanism Design goal : with our view of bandwidth as currency, our principle goal is to allocate resources to competing clients in proportion to their bandwidths. If the good clients make g requests per second in aggregate and have an aggregate band width of G requests per second to the server, and if the bad clients have a bandwidth of B requests per second, then the server should process good requests at a rate of min(g,G/(G+B)c)

Required mechanisms Practical realization of speak up needs three mechanisms. 1. Limit requests to the server c per second. 2. Speak up must perform encouragement. 3. Given the incoming bandwidths, speak up needs a proportional allocation mechanism to admit clients at rates proportional to their delivered band width

Required Mechanisms Encouragement can take several forms 1) Random drops and Aggressive retries 2) Explicit payment channel

Robustness to cheating Theorem : In a system with regular service intervals, any client that continuously transmits an ε fraction of the average band width received by the thinner gets at least an ε /2 fraction of the service,regard less of how the bad clients time or divide up their band width. This claim remains true regard less of the service rate c, which need not be known to carry out the auction.

Revisiting assumptions Speak up’s effect on network : Speak up would not much increase total traffic. 1) Inflating upload traffic to the level of download traffic would cause an inflation factor of at most two. 2) Only a small fraction of Internet servers is attacked at any one time.

Revisiting assumptions Shared links Provisioning the thinner Attacker’s constraint

Heterogeneous requests Generalize the design to handle the more realistic case when requests are unequal. If a client’s request is made of x chunks, the client must win x auctions for its request to be fully served.

Experimental Evaluation Validating the thinner’s allocation:

Experimental Evaluation

Latency and Byte cost

Experimental Evaluation

Heterogeneous network conditions

Experimental Evaluation

Good and bad clients sharing a bottleneck

Impact of speak up on other traffic

Conclusion This study has sought an answer to two high level questions : 1. Which conditions call for speak up’s peculiar brand of protection ? 2. Does speak up admit a practical design ?

Questions