Panel: Current Research on Stopping Unwanted Traffic
Vern Paxson, Stefan Savage, Helen J. Wang
IAB Workshop on Unwanted Traffic, March 10, 2006


Unwanted Traffic

From the end host perspective
  – (D)DoS on a service
  – Exploit traffic attacking end-host vulnerabilities
  – Botnet traffic
  – Undesirable application data, e.g., spam
From the network perspective
  – Unwanted traffic to end systems +
  – Attacks on the network service: flooding a link
  – Attacks on network operations, e.g., BGP prefix spoofing/hijacking, router compromise

The Economy behind Unwanted Traffic

Stefan to fill in
Botnet/software-flaw economy

General Approaches

Stop the known bad
Uncover the new bad
Filtering as close to the attack source as possible
Increase the cost of unwanted
The cost of solution should be less than the cost of DoS [Simon et al 06]

End-Host: DDoS on a Service

Challenge: DDoS and flash crowd hard to distinguish
Detect and eliminate zombie requests
  – CAPTCHA
  – Pi
  – Botz-4-Sale (NSDI 2005)
  – BINDER (Usenix 2005)
Same solution as flash crowd
  – Akamai

End-Host: Exploit Traffic

Network intrusion detection systems
  – Bro, Snort
Fast attack signature generation
  – EarlyBird (OSDI 04), AutoGraph (Usenix Security 04)
Vulnerability-driven filtering
  – Shield (SIGCOMM 04), BrowserShield (06 under submission)
Detecting new vulnerabilities
  – TaintCheck (NDSS 04), Minos, Vigilante (SOSP 05), HoneyMonkey (NDSS 06)
Automatic response to fast-spreading worms
  – TaintCheck, Vigilante
Reduce the attack surface
  – Off by default! (HotNets 05), separate client/server address space (Handley, et al FDNA 04)
Undermining the attacks on end hosts
  – StackGuard, ASLR, ISR, program shepherding (Usenix Security 02), control flow integrity
Attack traffic analysis
  – Backscatter, Internet background radiation, Witty worm analysis
Honeyfarm
  – Roleplayer, Potemkin, vGround

End-Host: Spam

New client
Spam filtering
  – …

End-Host: Outgoing Attack Traffic

BINDER
Vern to fill out

Network: Unwanted Traffic from End Systems

Infer application-unwanted traffic:
  – Packet Symmetry (HotNets 05)
Applications need to be DoS-aware

Network: Bandwidth Attacks

First goal: defeat low cost DDoS attacks where a single compromised machine sends many DoS messages
Deadlock (Greenhalgh, et al SRUTI 05)
  – No source address spoofing because of no filtering mechanism
  – Little deployment of ingress filtering because of no source address spoofing
  – No automated filtering because attacks could source-address spoof to bypass it
Greenhalgh et al SRUTI 05
  – Server-net filtering mechanism using routing/tunneling assuming no source spoofing
Internet Accountability (Simon et al 06 under submission)
  – Ingress filtering among “good” ISPs, others’ traffic marked with “evil” bit with worse treatment during peak traffic
  – Filtering infrastructure
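
An added illustration of the last item on this slide, not code from the panel or from Simon et al: a toy model in which a "good" ISP drops spoofed packets at ingress, all other traffic carries the evil bit, and marked packets only get the bottleneck capacity that unmarked traffic leaves over. The ISP names, packet counts and the strict-priority policy are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_isp: str    # ISP through which the packet entered (constructed names)
    spoofed: bool   # source address is outside that ISP's own prefixes

def ingress(packets, good_isps):
    """Border step: 'good' ISPs drop spoofed packets at ingress; traffic from
    every other ISP is carried but tagged with the evil bit."""
    marked = []
    for p in packets:
        if p.src_isp in good_isps:
            if not p.spoofed:
                marked.append((p, False))   # verified source, unmarked
        else:
            marked.append((p, True))        # unverifiable source, evil bit set
    return marked

def forward(marked, capacity):
    """Bottleneck link: unmarked packets are served first, evil-marked packets
    get only the leftover capacity (assumed strict-priority policy)."""
    clean = [m for m in marked if not m[1]]
    evil = [m for m in marked if m[1]]
    sent_clean = clean[:capacity]
    sent_evil = evil[:capacity - len(sent_clean)]
    return sent_clean, sent_evil

def simulate(capacity):
    """Run one interval of constructed traffic through ingress and the link."""
    good_isps = {"isp-a"}                   # constructed: the only filtering ISP
    traffic = (
        [Packet("isp-a", False)] * 40       # legitimate, from a filtering ISP
        + [Packet("isp-a", True)] * 10      # spoofed, dropped by isp-a itself
        + [Packet("isp-x", False)] * 40     # legitimate, but isp-x does not filter
        + [Packet("isp-x", True)] * 60      # spoofed flood through isp-x
    )
    marked = ingress(traffic, good_isps)
    sent_clean, sent_evil = forward(marked, capacity)
    return {"offered": len(traffic), "after_ingress": len(marked),
            "clean_sent": len(sent_clean), "evil_sent": len(sent_evil)}

if __name__ == "__main__":
    for cap in (200, 60, 30):               # off-peak, peak, severe overload
        print(cap, simulate(cap))
```

Off-peak (capacity 200) the mark costs nothing; at peak only marked traffic is shed, including the legitimate packets that entered through the non-filtering ISP.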

Network: Bandwidth Attacks

IP traceback
IP pushback
New capability infrastructure to the Internet:
  – SIFF (Oakland 04), Yang et al SIGCOMM 05

Network: Attacks on Operations

Securing BGP
  – SPV (Sigcomm 04)

Acknowledgement

This slide deck benefited from discussions with Adam M. Costello, Sharad Agarwal, and Dan Simon.