DoS-resistant Internet - progress Bob Briscoe Jun 2005.

Slides:

Advertisements

Similar presentations

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.

Advertisements

Network Operations Research Nick Feamster

CONEX BoF. Welcome to CONEX! Chairs: –Leslie Daigle –Philip Eardley Scribe Note well MORE INFO: -ECN.

Internet Indirection Infrastructure (i3 ) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002 Presented by:

Internetworking II: MPLS, Security, and Traffic Engineering

1 o Two issues in practice – Scale – Administrative autonomy o Autonomous system (AS) or region o Intra autonomous system routing protocol o Gateway routers.

Spring 2000CS 4611 Quality of Service Outline Realtime Applications Integrated Services Differentiated Services.

ConEx Abstract Protocol What’s the Credit marking for? draft-mathis-conex-abstract-mech-00.txt draft-mathis-conex-abstract-mech-00.txt apologies from Bob.

Network Border Patrol: Preventing Congestion Collapse and Promoting Fairness in the Internet Celio Albuquerque, Brett J. Vickers, Tatsuya Suda 1.

1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday C. Today I³SI³HIPHI³.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1

DoS-resistant Internet Grand Strategy technical and economic measures Bob Briscoe Jun 2006.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

10/31/2007cs6221 Internet Indirection Infrastructure ( i3 ) Paper By Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Sharma Sonesh Sharma.

Criticisms of I3 Jack Lange. General Issues ► Design ► Performance ► Practicality.

CS 268: Lecture 5 (Project Suggestions) Ion Stoica February 6, 2002.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.

A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.

Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.

CS 268: Project Suggestions Ion Stoica February 6, 2003.

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

Internet Indirection Infrastructure Slides thanks to Ion Stoica.

1 Routing as a Service Karthik Lakshminarayanan (with Ion Stoica and Scott Shenker) Sahara/i3 retreat, January 2004.

© 2009 Cisco Systems, Inc. All rights reserved. ROUTE v1.0—6-1 Connecting an Enterprise Network to an ISP Network Considering the Advantages of Using BGP.

Indirection Jennifer Rexford Advanced Computer Networks Tuesdays/Thursdays 1:30pm-2:50pm Slides.

Stealth Probing: Efficient Data- Plane Security for IP Routing Ioannis Avramopoulos Princeton University Joint work with Jennifer Rexford.

A DoS Limiting Network Architecture An Overview by - Amit Mondal.

Internet Indirection Infrastructure (i3) Ion Stoica Daniel Adkins Shelley Zhuang Scott Shenker Sonesh Surana (Published in SIGCOMM 2002) URL:

Internet Indirection Infrastructure (i3) Ion Stoica, Daniel Adkins, Shelley Zhuang, Scott Shenker, Sonesh Surana UC Berkeley SIGCOMM 2002.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

MPlane – Building an Intelligent Measurement Plane for the Internet Maurizio Dusi – NEC Laboratories Europe NSF Workshop on perfSONAR.

“To Filter or to Authorize: Network-Layer DoS Defense Against Multimillion-node Botnets ” Xin Liu, Xiaowei Yang, Yanbin Lu Department of Computer Science,

Steps Towards a DoS-resistant Internet Architecture Mark Handley Adam Greenhalgh CII/University College London.

Using Routing and Tunnelling to Combat DoS Attacks Adam Greenhalgh, Mark Handley, Felipe Huici Dept. of Computer Science University College London

Papers covered ● K. Lakshminarayanan, D. Adkins, A. Perrig, I. Stoica, “Taming IP Packet Flooding Attacks”, HotNets-II. ● M. Handley, A. Greenhalgh, “Steps.

Happy Network Administrators  Happy Packets  Happy Users WIRED Position Statement Aman Shaikh AT&T Labs – Research October 16,

Jennifer Rexford Fall 2014 (TTh 3:00-4:20 in CS 105) COS 561: Advanced Computer Networks BGP.

Computer Networks with Internet Technology William Stallings

DoS-resistant Internet Grand Strategy Bob Briscoe Jan 2006.

A Firewall for Routers: Protecting Against Routing Misbehavior1 June 26, A Firewall for Routers: Protecting Against Routing Misbehavior Jia Wang.

Social & Economic Control of Networks Bob Briscoe Chief Researcher BT Networks Research Centre Jul 2007.

Congestion exposure BoF candidate protocol: re-ECN Bob Briscoe Chief Researcher, BT Nov 2009 This work is partly funded by Trilogy, a research project.

Re-ECN: Adding Accountability for Causing Congestion to TCP/IP Bob Briscoe, BT & UCL Arnaud Jacquet, BT Alessandro Salvatori, BT IETF-65 tsvwg Mar 2006.

Downstream knowledge upstream re-feedback Bob Briscoe Arnaud Jacquet, Carla Di Cairano- Gilfedder, Andrea Soppera & Martin Koyabe BT Research.

Guaranteed QoS Synthesiser (GQS) Bob Briscoe, Peter Hovell BT Research Jan 2005.

Re-ECN: Adding Accountability for Causing Congestion to TCP/IP Bob Briscoe, BT & UCL Arnaud Jacquet, BT Alessandro Salvatori, BT CRN DoS w-g, Apr 2006.

CONEX BoF. Welcome to CONEX! Chairs: –Leslie Daigle –Philip Eardley Scribe Note well.

Evolving Toward a Self-Managing Network Jennifer Rexford Princeton University

Making stuff real re-feedback Bob Briscoe, BT Research Nov 2005 CRN DoS resistant Internet w-g.

Interconnect QoS settlements & impairments Bob Briscoe BT Group CTO.

Evolving Toward a Self-Managing Network Jennifer Rexford Princeton University

4 Byte AS Number Update Geoff Huston August 2008.

1 Transport Layer: Basics Outline Intro to transport UDP Congestion control basics.

Extension of the MLD proxy functionality to support multiple upstream interfaces 1 Luis M. Contreras Telefónica I+D Carlos J. Bernardos Universidad Carlos.

Constructing Inter-Domain Packet Filters to Control IP Spoofing Based on BGP Updates Zhenhai Duan, Xin Yuan Department of Computer Science Florida State.

Internet Indirection Infrastructure (i3) Ion Stoica Daniel Adkins Shelley Zhuang Scott Sheker Sonesh Surana Presented by Kiran Komaravolu.

1 Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Architecture Technology Corporation Odyssey Research Associates DARPA OASIS PI.

Multicasting EECS June Multicast One-to-many, many-to-many communications Applications: – Teleconferencing – Database – Distributed computing.

Secure Single Packet IP Traceback Mechanism to Identify the Source Zeeshan Shafi Khan, Nabila Akram, Khaled Alghathbar, Muhammad She, Rashid Mehmood Center.

Internet Indirection Infrastructure (i3)

Zueyong Zhu† and J. William Atwood‡

Should the IETF do anything about DDoS attacks?

COS 561: Advanced Computer Networks

A DoS-limiting Network Architecture

Preventing Internet Denial-of-Service with Capabilities

Data collection methodology and NM paradigms

Presentation transcript:

DoS-resistant Internet - progress Bob Briscoe Jun 2005

BT activity Research –2020 Communications Architecture project DoS-resistant Internet Architecture task –Network Security project BGP security control plane separation intrusion detection systems Engineering –Network design –Second line support for operations Operations –Deployment and operation of attack mitigation technology

legend D1.1 Taxonomy of attacks D1.2 Taxonomy of defences D2.1 Agenda for arch change D2.2 Roadmapping strategic options D3.x [Place-holder]: New architectural ideas M2.1 Focused literature study M2.2? [Place-holder]: Testing architectural uncertainties D2.1.1? [Placeholder]: System demonstrator M4.1 Industry co-ordination M4.2 BT co-ordination DoS resistant Internet architecture BT 0506 deliverables Registry of defences DoS-resistant architecture Operator co-ord Grand strategy Registry of attacks CRN DoS-resistant Internet w-g task BT DoS-resistant Internet Architecture task

DoS-resistant Internet Architecture approach cherry pick the ideas of others sprinkle in a few ideas of our own stress-test propose a target architecture of complementary solutions describe incremental deployment

architectural component ideas candidate list Symmetric paths, address separation, RPF checks, state set-up bit, nonce exchange, middlewalls M Handley and A Greenhalgh “Steps towards a DoS-resistant Internet architecture” FDNA (2004) Secure Internet Indirection Infrastructure D Adkins et al “Towards a More Functional and Secure Network Infrastructure” UC Berkeley TR-CSD (2003) Re-feedback B Briscoe et al “Policing Congestion Response in an Internetwork using Re- feedback” SIGCOMM (2005) Receiver-driven Capabilities X Yang et al, “DoS-limiting Internet architecture” SIGCOMM (2005) tactical approaches ingress filtering, filter pushback…

symmetric paths powerful approach loss of Internet flexibility acknowledged extended to preserve data in flight during reroutes stress-testing with authors big question: would it significantly reduce worm attacks? NANA NBNB NDND R1R1 S1S1 NCNC

Secure Internet Indirection Infrastructure Secure i 3 rough analogy: receiver-driven multicast receiver creates channel (trigger) in infrastructure senders send to channel unlike IP multicast, overlay infrastructure (Chord) highly redundant essentially, allow more, less efficient routes choice of routes under receiver control if some routes used for attack, drop them efficient route could be norm, then less efficient routes when under attack inherent weakness for servers: must advertise triggers so attackers on dropped triggers just re-start authors offer some mitigation

re-feedback incentive architecture downstream path congest -ion, ρ i i N1N1 N1N1 N2N2 N2N2 N3N3 N3N3 N4N4 N4N4 N5N5 N5N5 R1R1 S1S1 shaper/ policer dropper bulk congestion pricing bulk congestion charging routing traffic eng congestion control 0

receiver-driven capabilities yet to fully analyse (only just published) sent traffic picks up time-bounded tags –tags from each network (router) –and byte permission from destination –collectively termed a capability routers store tags subsequent traffic authorised using capability detail devils bootstrapping bounded router state incremental deployment

Grand Strategy: some questions if upstream network doesn’t filter/throttle –once attackers identified, what do we do? continue to add more and more filters at borders? disconnect their network? throttle their network? sue them (under what law – tort, criminal)? can the network help identify persistent attackers? unenforceable due to numerous weak legal systems? pair-wise network agreements, or source identification? inter-domain charging –congestion-based would it slowly mitigate persistent attacks? –filter-based would it encourage push-back? incremental deployment new, clean Internet? gradually clean up the one we’ve got

in summary multiple answers, defence in depth pair-wise network agreements AND source identification complementary approaches identify attackers (networks) by address routers filter traffic from identified attacks/attackers inter-domain charge to congestion-causing networks police congestion-causing traffic

more info Bob Briscoe