Mitigating Bandwidth-Exhaustion Attacks using Congestion Puzzles. XiaoFeng Wang, Michael K. Reiter.

Overview: Background; Congestion puzzles mechanism; Implementation and security analysis; Experiments; Conclusions.

Bandwidth Exhaustion Attacks [figure: an attacker directs its zombies to flood the victim]. (Slide footer, repeated on every slide: Background, CP mechanism, Implementation, Experiments, Conclusions.)

Attack model. Attackers can: forge any information in the packets they send; coordinate their zombies perfectly; compromise some routers. Attackers cannot: modify a large fraction of the legitimate packets; eavesdrop on most legitimate flows.

Puzzles [figure: the router hands out puzzles; the good guy and the bad guys each have to spend CPU to solve them].

One type of puzzle: a random hash function h, a client nonce N_c, a server nonce N_s and a puzzle difficulty d. The client's solution X must make the first d bits of h(N_c, N_s, X) match a prescribed pattern (the slide's mm…m); the server verifies with a single hash.

Congestion Puzzles (CP): apply puzzles at the network (IP) level; don't require attack signatures; only a small fraction of routers needs to implement CP; lightweight implementation within routers.

Algorithm overview. When a link becomes congested: 1. Puzzle distribution mechanism (sends the puzzle parameters toward the clients); 2. Puzzle-based rate limiter (couples the bit flow a client is allowed to the computation flow it proves); 3. Distributed puzzle mechanism.

Puzzle distribution [figure: protocol messages carrying the puzzle parameters from the congested router toward the clients; parameters are re-issued on congestion change].

Puzzle based rate limiter [figure]. Control: … Function: …

Distributed puzzle mechanism [figure: the congested router s issues nonce N_s; each upstream router on a path appends its own nonce (N_s|N_1, N_s|N_2), and the client appends its nonce N_c and the solution X, e.g. N_s|N_1|N_3|N_c|X_3, N_s|N_1|N_4|N_c|X_4, N_s|N_2|N_5|N_c|X_5, N_s|N_2|N_6|N_c|X_6]. Upstream routers are asked to help; since a solution is bound to the nonce chain of one path, it cannot be reused on a different path.
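The hash puzzle of the earlier slide and the per-path nonce chain of this one, worked through in code. This is an added example, not code from the paper or the slides: it assumes SHA-256 as h, a solution criterion of d leading zero bits in h(chain, N_c, X), '|'-delimited nonce chains, and the constructed nonces Ns, N1, N3, N4 and Nc.

```python
import hashlib


def h(*parts: bytes) -> bytes:
    """The puzzle hash h: SHA-256 over the '|'-joined inputs (assumption;
    the slide only says 'random hash function')."""
    return hashlib.sha256(b"|".join(parts)).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    as_int = int.from_bytes(digest, "big")
    return len(digest) * 8 - as_int.bit_length()


def puzzle_ok(nonce_chain: bytes, n_c: bytes, x: bytes, d: int) -> bool:
    """Solution test: h(nonce_chain, N_c, X) must start with d zero bits
    (assumed reading of the slide's 'mm...m' condition). Expected client
    work is about 2^d hashes; the verifier spends exactly one hash."""
    return leading_zero_bits(h(nonce_chain, n_c, x)) >= d


def solve(nonce_chain: bytes, n_c: bytes, d: int, max_tries: int = 1 << 24) -> bytes:
    """Client side: brute-force X by counting up from zero."""
    for i in range(max_tries):
        x = i.to_bytes(8, "big")
        if puzzle_ok(nonce_chain, n_c, x, d):
            return x
    raise RuntimeError("no solution within max_tries")


def path_chain(n_s: bytes, upstream_nonces: list) -> bytes:
    """Distributed puzzle mechanism: the congested router issues N_s and every
    upstream router on the path appends its own nonce, so the chain names the
    path the packet will take (e.g. Ns|N1|N3 on the slide)."""
    return b"|".join([n_s, *upstream_nonces])


def make_packet(chain: bytes, n_c: bytes, d: int) -> dict:
    """Client side: given the chain and its own nonce N_c, solve the puzzle and
    attach everything a router needs to verify without per-client state."""
    return {"chain": chain, "n_c": n_c, "x": solve(chain, n_c, d)}


def router_verify(expected_chain: bytes, packet: dict, d: int) -> bool:
    """Router side. The chain must be the one for the path this router sits on;
    that is what blocks reuse of a solution on a different path. Only then is
    the single hash test run."""
    if packet["chain"] != expected_chain:
        return False
    return puzzle_ok(packet["chain"], packet["n_c"], packet["x"], d)


if __name__ == "__main__":
    # Constructed nonces for the two paths of the slide: s<-1<-3 and s<-1<-4.
    D = 12
    chain_3 = path_chain(b"Ns", [b"N1", b"N3"])
    chain_4 = path_chain(b"Ns", [b"N1", b"N4"])
    pkt = make_packet(chain_3, b"Nc", D)
    print("valid on its own path:", router_verify(chain_3, pkt, D))      # True
    print("reused on the other path:", router_verify(chain_4, pkt, D))  # False
```

With d = 12 the client needs roughly 4096 hashes per solution; doubling d doubles the client's cost while the router's cost stays at one hash, which is the asymmetry the rate limiter relies on.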

Implementation. CPU: the router checks only a sample of the solutions; checking about 0.16% of them is enough to mitigate the attack. Memory: the router must know whether a solution sequence has already appeared; a Bloom filter does this in only 1.1 MB.
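The two router-side costs of this slide, as an added example rather than the paper's router code: a Bloom filter that remembers solutions already seen, and an acceptance test that runs the expensive validity check on only a sampled fraction of packets while still rejecting every reused solution. It assumes SHA-256-derived index functions, a stand-in validity predicate (a solution is "valid" if it ends in ":ok", constructed for the demo in place of the hash-puzzle test), and a simple policy of dropping all later packets of a flow once it is caught presenting an invalid solution.

```python
import hashlib
import math
import random


def bits_needed(n_items: int, target_fp: float) -> float:
    """Standard Bloom filter sizing: bits m needed to hold n items at false-positive
    rate p is m = -n ln(p) / (ln 2)^2 (with k = (m/n) ln 2 hash functions)."""
    return -n_items * math.log(target_fp) / (math.log(2) ** 2)


class BloomFilter:
    """Fixed-size Bloom filter: m bits, k index functions. A membership test never
    misses an inserted item; it may report a false positive, at a rate of about
    (1 - e^(-kn/m))^k after n insertions."""

    def __init__(self, m_bits: int, k: int) -> None:
        self.m = m_bits
        self.k = k
        self.bits = bytearray((m_bits + 7) // 8)
        self.n = 0  # items inserted so far

    def _indexes(self, item: bytes):
        # k index functions: SHA-256 of the item under k different one-byte prefixes.
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item: bytes) -> None:
        for idx in self._indexes(item):
            self.bits[idx // 8] |= 1 << (idx % 8)
        self.n += 1

    def __contains__(self, item: bytes) -> bool:
        return all((self.bits[idx // 8] >> (idx % 8)) & 1 for idx in self._indexes(item))

    def false_positive_rate(self) -> float:
        return (1.0 - math.exp(-self.k * self.n / self.m)) ** self.k


class SolutionChecker:
    """Router-side acceptance test for packets that carry a puzzle solution.

    Checking only part of the solutions: the expensive validity check runs on a
    sampled fraction `check_rate` of packets, so a cheating flow is caught with
    probability check_rate per packet. Every packet still goes through the cheap
    reuse test, so replaying an old solution is always rejected.
    """

    def __init__(self, is_valid, m_bits: int, k: int, check_rate: float, rng=None):
        self.is_valid = is_valid          # stand-in for the hash-puzzle test
        self.seen = BloomFilter(m_bits, k)
        self.check_rate = check_rate
        self.rng = rng or random.Random()
        self.cheaters = set()

    def accept(self, flow_id: str, solution: bytes) -> str:
        if flow_id in self.cheaters:
            return "drop: flow previously caught cheating"
        if solution in self.seen:
            return "drop: solution reused"  # Bloom hit; false positives are rare
        if self.rng.random() < self.check_rate and not self.is_valid(solution):
            self.cheaters.add(flow_id)
            return "drop: invalid solution"
        self.seen.add(solution)
        return "accept"


def demo_is_valid(solution: bytes) -> bool:
    """Constructed stand-in validity predicate for the demo (not the CP hash test)."""
    return solution.endswith(b":ok")


if __name__ == "__main__":
    checker = SolutionChecker(demo_is_valid, m_bits=2 ** 20, k=4, check_rate=1.0)
    print(checker.accept("flow-a", b"x1:ok"))   # accept
    print(checker.accept("flow-a", b"x1:ok"))   # drop: solution reused
    print(checker.accept("flow-b", b"x2:bad"))  # drop: invalid solution
    print(checker.accept("flow-b", b"x3:ok"))   # drop: flow previously caught cheating
    print(round(bits_needed(1_000_000, 0.01) / 8 / 2 ** 20, 2), "MiB for 1M items at 1% FP")
```

The trade-off the slide is pointing at: lowering `check_rate` cuts the router's CPU cost proportionally, and an attacker who sends bogus solutions still gets caught after about 1/check_rate packets, after which its whole flow is dropped. The Bloom filter's memory is fixed at construction time, so the only growing cost is its false-positive rate, which `false_positive_rate()` lets an operator monitor.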

Security analysis. Bandwidth allocation: moves from max-min fairness to weighted max-min fairness, with computation as the weight. Malicious routers: can only affect the clients whose traffic passes through them. Authentication: prevents an attacker from tricking clients into solving puzzles for it. Client recruiting: a malicious router can only use solutions that its own clients would have had to compute anyway.

Experiments. NS-2 network simulator; CAIDA's Skitter map of real Internet topologies; 1500 paths: 500 legitimate clients (simulated web surfing) and the remaining paths zombies (300 kbps UDP each); congested link bandwidth 20 Mbps, other links 30 Mbps; the puzzle-solving delay is simulated.

Puzzle difficulty (d) [figure].

Partial deployment (1) [figure].

Partial deployment (2) [figure].

Conclusions. Congestion puzzles are a new countermeasure to bandwidth exhaustion attacks. They may encourage the owners of zombies to change their attacks. Future work: using attack signatures; using memory-bound instead of computation-bound puzzles. CP may also help manage flash crowds.

Thank you! Presented by Amitai Reuvenny

HW assignment
1. What is the assumption on the attack that lets us use lightweight authentication schemes?
2. Describe the difference between weighted averaging and exponential averaging.
3. How will a Bloom filter with 16 bits and 2 hash functions, X mod 13 and (X mod 11) + 5, look after adding the numbers 55 and 32?
4. What is free riding and what can be done to mitigate it?