08/02/2001 S. Felix Wu and Dan Massey. iTrace Probability: 1/20,000. For routers closer to the victim, useful iTrace messages will be produced very frequently.

Presentation transcript:

Slide 1: iTrace Probability: 1/20,000 (S. Felix Wu and Dan Massey, 08/02/2001)

For routers closer to the victim, useful iTrace messages will be produced very frequently. But, for routers closer to a slave with a low packet rate, it can take a long time, statistically, for the “right” iTrace messages to be generated.

[Figure: three cases. A high-rate attack flow from the slave; a low-rate attack flow from the slave; aggregation of lower-rate flows at routers near the victims.]

Slide 2: Intention-driven iTrace

Different destination hosts, networks, domains/ASs have different “intention levels” in receiving iTrace packets.
– We propose to add one “iTrace-intention” bit.
– Some of them might not care about iTrace, and some of them might not be under DDoS attacks, for example.

Slide 3: Intention-Driven iTrace architecture (draft-wu-itrace-intention-01.txt)

[Diagram. Labels: packet-forwarding table; intention selection module; iTrace generation module; BGP routing table; copy of iTrace intention bits; 1/20K iTrace selection; intention iTrace trigger?? (P%); copy of iTrace Execution bit; User (firmware); Kernel (hardware).]

Slide 4: Processing Overhead

Processing for each data packet:
1. If the iTrace Execution bit is 1:
   (1) Copy this packet to the iTrace daemon.
   (2) Reset the iTrace Execution bit to 0.

When the 1/20K iTrace message trigger occurs:
1. Select and set one iTrace Intention bit from the BGP table.

Slide 5: Differences from the 00 draft

– P_iit for probabilistically controlling normal versus intention iTrace.
– The difference between iib (iTrace intention bits in the BGP routing table) and ieb (iTrace execution bit in the forwarding table).

Slide 6: Comments Received

The confusion of “statistics”.
– Each packet will have a constant probability to be traced (1/20K).
– Packet flows with higher rate will statistically get iTraced faster.

Maliciously sending “intentions” to grab all the iTrace resources.
– Using P_iit to keep some normal iTrace.

Hard to add one extra bit to the forwarding table.
– Looking for ways to implement intention iTrace without modifying the packet forwarding process.

Slide 7: Relationship with “iTrace”

– Add iib, ieb and the mechanism for processing “iTrace triggers”.
– The proposed architecture will be identical to the original iTrace architecture if P_iit = 0.
– Need to worry about the “probability element (TAG = 0x0A)” when P_iit > 0.
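
The per-packet processing on slide 4 and the role of P_iit on slides 6 and 7 can be tried out with a small simulation of one router. This is an added example, not code from the slides or the draft: the function name, the sample prefixes and traffic mix are constructed, and it assumes that an intention trigger arms the execution bit (ieb) of one prefix whose intention bit (iib) is set.

```python
import random

TRIGGER_P = 1 / 20_000   # per-packet iTrace trigger probability from the slides

def simulate(flows, iib, p_iit, n_packets, seed=1):
    """Count iTrace messages per destination prefix at one router.

    flows : {prefix: relative packet rate} (constructed sample traffic)
    iib   : prefixes whose iTrace intention bit is set in the BGP table
    p_iit : share of triggers handled as intention iTrace (0 = original iTrace)
    """
    rng = random.Random(seed)
    prefixes = list(flows)
    ieb = dict.fromkeys(prefixes, False)   # execution bits in the forwarding table
    traced = dict.fromkeys(prefixes, 0)
    wanted = sorted(iib)
    for dst in rng.choices(prefixes, weights=list(flows.values()), k=n_packets):
        # Per-packet work: if the ieb is 1, copy to the daemon and reset it.
        if ieb[dst]:
            traced[dst] += 1
            ieb[dst] = False
        if rng.random() < TRIGGER_P:            # 1/20K trigger fires
            if wanted and rng.random() < p_iit:
                # Assumption: an intention trigger arms the ieb of one prefix
                # whose iib is set; the next packet to it is traced.
                ieb[rng.choice(wanted)] = True
            else:
                traced[dst] += 1                # normal iTrace of this packet
    return traced

if __name__ == "__main__":
    flows = {"victim": 1, "bulk-a": 60, "bulk-b": 39}   # victim gets 1% of packets
    for p in (0.0, 0.5, 1.0):
        print(p, simulate(flows, {"victim"}, p, 2_000_000))
```

With P_iit = 0 the low-rate victim flow is traced only about as often as its share of the traffic, while P_iit = 1 sends every trigger to the victim and leaves the other prefixes untraced, which is why the slides keep P_iit below 1 to preserve some normal iTrace.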

Slide 8: Status

– Simulation results for draft-00 to appear in ICCCN’2001.
– Simulation and prototype implementation (in Linux) for draft-01 in progress.
– Probability analysis (for the probability element, TAG=0x0A) for intention iTrace just started.