1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

Presentation transcript:


2 DoS is not even close to being solved
- Address validation is insufficient (botnets)
- Traceback is too little, too late (detection only)
- Pushback lacks discrimination (imprecise)
- Secure overlay filtering requires offline authenticators (public servers)

3 Capabilities are a promising approach
- Destination control: the destinations know better.
- Network filtering based on explicit and unforgeable packet state, i.e., capabilities: only the network can shed load before the damage has been done.
- Anderson et al. [Anderson03], Yaar et al. [Yaar04]

4 Sketch of the capability approach
1. Source requests permission to send.
2. Destination authorizes the source for a limited transfer, e.g., 32KB in 10 secs. A capability is the proof of a destination's authorization.
3. Source places capabilities on packets and sends them.
4. Network filters packets based on capabilities.

5 Capabilities alone do not effectively limit DoS
Goal: minimize the damage of the arbitrary behavior of k attacking hosts.
Non-goal: make DoS impossible.
Problems
1. Request or authorized packet floods
2. Added functionality in a router's forwarding path
3. Authorization policies
4. Deployment
TVA addresses all of the above.

6 Challenges
1. Counter a broad range of attacks, including request and authorized packet floods
2. Router processing with bounded state and computation
3. Effective authorization policies
4. Incrementally deployable

7 Request packet floods
Request packets do not carry capabilities.

8 Counter request packet floods (I)
- Rate-limit request packets

9 Counter request packet floods (II)
- Rate-limit request packets
- Routers insert path identifier tags [Yaar03].
- Fair queue requests using the most recent tags (one queue per path identifier).
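The two defenses on slides 8 and 9 (a rate limit on request packets, and fair queuing of the remaining requests by their most recent path-identifier tag) can be shown together in a small simulation. This is an added example, not code from the slides or from the TVA project: the tag construction (a hash of the router's secret and the ingress interface), the 16-bit tag width, the round-robin scheduler and the sample hosts and keys are all assumptions for illustration. The point it shows is that a flood of requests arriving over one upstream link fills one queue and cannot starve requests arriving over other links.

```python
import hashlib
from collections import OrderedDict, deque

TAG_BITS = 16  # assumed tag width; the slides give no size

def stamp_tag(router_key: bytes, ingress_iface: int) -> int:
    """A router marks a request with a tag bound to its own secret and the
    ingress interface, so the tag identifies the path the request took
    rather than the (spoofable) source address. Assumed construction."""
    digest = hashlib.sha256(router_key + ingress_iface.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:2], "big") & ((1 << TAG_BITS) - 1)

class Request:
    """A capability request packet: no capability yet, only the tags collected on the way."""
    def __init__(self, src: str, dst: str):
        self.src, self.dst = src, dst
        self.tags = []  # path identifier: one tag per router traversed

def forward_request(router_keys, ingress_ifaces, req: Request) -> Request:
    """Carry a request through a chain of routers, each appending its tag."""
    for key, iface in zip(router_keys, ingress_ifaces):
        req.tags.append(stamp_tag(key, iface))
    return req

class RequestScheduler:
    """Rate-limited, per-path fair queuing of request packets: one queue per
    most-recent tag, served round-robin under a fixed per-round budget.
    The tag space (2**TAG_BITS) bounds the number of queues."""
    def __init__(self, requests_per_round: int):
        self.budget = requests_per_round   # the request rate limit
        self.queues = OrderedDict()        # tag -> deque of Request

    def enqueue(self, req: Request) -> None:
        key = req.tags[-1]                 # most recent tag = link the request came over
        self.queues.setdefault(key, deque()).append(req)

    def serve_round(self) -> list:
        """Drain up to `budget` requests, one per non-empty path queue per pass."""
        served = []
        while len(served) < self.budget and any(self.queues.values()):
            for q in list(self.queues.values()):
                if q:
                    served.append(q.popleft())
                    if len(served) == self.budget:
                        break
        return served

def demo():
    """Constructed scenario: ten legitimate hosts on ten distinct upstream links
    send one request each; bots behind a single upstream link send 500."""
    key = b"constructed-key-for-router-r1"   # constructed sample key
    sched = RequestScheduler(requests_per_round=20)
    for i in range(10):
        sched.enqueue(forward_request([key], [i], Request(f"user{i}", "server")))
    for j in range(500):
        sched.enqueue(forward_request([key], [42], Request(f"bot{j}", "server")))
    served = sched.serve_round()
    legit = sum(1 for r in served if r.src.startswith("user"))
    return legit, len(served) - legit   # every legitimate request is served

if __name__ == "__main__":
    print(demo())
```

With a budget of 20 requests per round, all ten legitimate requests are served and the bots get the remaining ten slots, however many requests they queue. Without the per-path queues the same budget would be consumed almost entirely by the flood, which is the request-flood problem slide 7 raises.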

10 Authorized packet floods

11 Counter authorized packet floods
- Per-destination queues
- TVA bounds the number of queues.

12 Challenges
1. Counter a broad range of attacks, including request packet floods and authorized packet floods
2. Router processing with bounded state and computation
3. Effective authorization policies

13 TVA's implementation of capabilities
- Routers stamp pre-capabilities on request packets: (timestamp, hash(src, dst, key, timestamp))
- Destinations return fine-grained capabilities: (N, T, timestamp, hash(pre-cap, N, T)), meaning "send N bytes in the next T seconds", e.g. 32KB in 10 seconds

14 Validating fine-grained capabilities
Capability on a data packet: N, T, timestamp, hash(pre-cap, N, T)
1. A router verifies that the hash value is correct.
2. Checks for expiration: timestamp + T ≥ now
3. Checks for byte bound: sent + pkt_len ≤ N

15 Bounded computation
- The main computation overhead is hash validation.
- On a Pentium Xeon 3.2GHz PC: stamping pre-capabilities takes 460ns; validating capabilities takes 1486ns.

16 Bounded state
- Create a slot if a capability sends faster than N/T.
- For a link with a fixed capacity C, at most C/(N/T) flows can send that fast, so the number of slots is bounded by C/(N/T).
- Per-slot check: sent + pkt_len ≤ N

17 Worst case byte bound is 2N in T seconds
- A slot is created when a capability is used and expires when its TTL runs out; if a slot expires, it indicates that the capability sends slower than N/T.
- While a slot lives: average rate ≤ N/T, t ≤ T, bytes ≤ N.
[Figure: timeline from 0 to T showing slot creation and expiry events at t1 ... t5]
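Slides 13 through 17 describe the capability format, the three router checks and the slot-based byte accounting in prose. The following is an added example that puts them into runnable form; it is not code from the slides or from the TVA project. Assumptions beyond the slides: SHA-256/HMAC as the hash, 8-byte truncated hashes, a per-packet slot lifetime of pkt_len * T / N seconds (one reading of "a slot expires when the capability sends slower than N/T"), and the constructed key, addresses and link capacity used in `demo()`. The router needs only its own key to recompute the pre-capability, so a forged or altered (N, T) fails the hash check without any per-flow state.

```python
import hashlib
import hmac
import struct

# Constructed sample key; a real router would hold a periodically rotated secret.
ROUTER_KEY = b"constructed-router-secret"

def _h(*parts: bytes) -> bytes:
    """Truncated hash used for the capability fields (assumed construction)."""
    return hashlib.sha256(b"|".join(parts)).digest()[:8]

def stamp_precap(src: str, dst: str, now: float, key: bytes = ROUTER_KEY):
    """Router side (slide 13): pre-capability = (timestamp, hash(src, dst, key, timestamp))."""
    ts = int(now)
    msg = b"|".join([src.encode(), dst.encode(), struct.pack(">I", ts)])
    return ts, hmac.new(key, msg, hashlib.sha256).digest()[:8]

def issue_capability(precap, n_bytes: int, t_secs: int):
    """Destination side (slide 13): capability = (N, T, timestamp, hash(pre-cap, N, T))."""
    ts, tag = precap
    return n_bytes, t_secs, ts, _h(tag, struct.pack(">II", n_bytes, t_secs))

class CapabilityRouter:
    """Validation (slide 14) with bounded slot state (slides 16 and 17)."""
    def __init__(self, key: bytes, capacity_bps: int, n_bytes: int, t_secs: int):
        self.key = key
        # slide 16: at most C / (N/T) flows can sustain N/T on a link of capacity C
        self.max_slots = (capacity_bps // 8) * t_secs // n_bytes
        self.slots = {}  # capability hash -> {"sent": bytes counted, "expires": slot TTL}

    def validate(self, src: str, dst: str, cap, pkt_len: int, now: float) -> str:
        n, t, ts, mac = cap
        # 1. recompute the hash chain from the router's own key
        _, tag = stamp_precap(src, dst, ts, self.key)
        if not hmac.compare_digest(_h(tag, struct.pack(">II", n, t)), mac):
            return "bad_hash"
        # 2. expiration: the capability is good while timestamp + T >= now
        if now > ts + t:
            return "expired"
        # 3. byte bound, tracked in a slot that lives only while the sender keeps up N/T
        slot = self.slots.get(mac)
        if slot is not None and now > slot["expires"]:
            del self.slots[mac]           # sender fell below N/T: forget it (slide 17)
            slot = None
        if slot is None:
            self._reclaim(now)
            if len(self.slots) >= self.max_slots:
                return "no_slot"
            slot = self.slots[mac] = {"sent": 0, "expires": now}
        if slot["sent"] + pkt_len > n:
            return "over_limit"
        slot["sent"] += pkt_len
        # each byte buys T/N seconds of slot lifetime, so a sender at exactly N/T
        # keeps the slot (and its counter) alive; a faster one exhausts N first
        slot["expires"] = max(slot["expires"], now) + pkt_len * t / n
        return "ok"

    def _reclaim(self, now: float) -> None:
        for k in [k for k, s in self.slots.items() if now > s["expires"]]:
            del self.slots[k]

def demo() -> dict:
    """Constructed walk-through: one capability for 32KB in 10s on a 10Mb/s link."""
    src, dst = "10.0.0.1", "192.0.2.10"   # constructed addresses
    router = CapabilityRouter(ROUTER_KEY, capacity_bps=10_000_000, n_bytes=32768, t_secs=10)
    cap = issue_capability(stamp_precap(src, dst, now=100), 32768, 10)
    out = {"first": router.validate(src, dst, cap, 1500, now=100.0)}
    # altering N without the destination's hash fails check 1
    forged = (65536, cap[1], cap[2], cap[3])
    out["forged"] = router.validate(src, dst, forged, 1500, now=100.0)
    # blast 1500-byte packets back-to-back: 21 fit under 32768 bytes in total
    burst = [router.validate(src, dst, cap, 1500, now=100.0 + 0.001 * i) for i in range(1, 23)]
    out["accepted"] = 1 + burst.count("ok")
    out["last"] = burst[-1]
    out["after_T"] = router.validate(src, dst, cap, 1500, now=111.0)
    out["max_slots"] = router.max_slots
    return out

if __name__ == "__main__":
    print(demo())
```

The worst case on slide 17 follows from the slot rule: a sender can push x < N bytes, let the slot expire (which happens at the capability's start plus x*T/N), and then send a fresh N bytes before timestamp + T, for just under 2N in T seconds. A router that tried to do better would have to keep a counter for every capability ever seen, which is the unbounded state slide 16 avoids.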

18 Bounded number of queues
- The tag space bounds the number of request queues.
- The number of destination queues is bounded by C/R: a router keeps a queue for a destination only if that destination receives faster than a threshold rate R.
[Figure: router queue structure. Request packets are queued on their most recent path-identifier tag; packets carrying a capability are validated and, if valid (Y), go to a per-destination queue for regular packets; legacy packets (N) go to a low-priority queue.]

19 Challenges
1. Counter a broad range of attacks, including request packet floods and authorized packet floods
2. Router processing with bounded state and computation
3. Effective authorization policies

20 Simple policies can be effective
- Fine-grained capabilities tolerate authorization mistakes.
- Client policy: authorize requests that match outgoing ones.
- Public server policy: authorize all initial requests; stop misbehaving senders.
- A server has control over its incoming traffic when overload occurs.

21 Evaluation

22 Overview of different schemes
- SIFF [Yaar04]: request and legacy traffic have the same priority; authorized traffic has a higher priority; time-limited capabilities
- Pushback [Mahajan01, Ioannidis02]: network-controlled filtering
- Legacy Internet: best-effort

23 Ns-2 Simulation Setup
- Scale down the topology to speed up simulations
- Two metrics: the transfer time of a fixed-length file (20KB); the fraction of completed transfers
[Figure: topology with 10 legitimate users and a set of attackers sharing a 10Mb bottleneck link to the destination; a colluder sits behind a 1Mb link]

24 TVA is able to limit legacy packet floods
[Figure: results for Internet, SIFF, pushback and TVA]

25 TVA is able to limit request packet floods
[Figure: results for TVA]

26 TVA is able to limit authorized packet floods
[Figure: results for SIFF and TVA]

27 Simple policies can be effective

28 Conclusion
- Key contribution: a comprehensive and practical capability system, for the first time.
- We made TVA practical in three aspects: countering a broad range of attacks; bounded state and computation; simple and effective authorization policies.
- Coming next: testbed implementation (request rate limit, queuing scheme); robust service differentiation (traffic with different priority)

29 Types of queues inside a TVA router
TVA bounds the number of queues.
[Figure: router queue structure. Request packets are queued on their most recent path-identifier tag; packets carrying a capability are validated and, if valid (Y), go to a per-destination queue for regular packets; legacy packets (N) go to a low-priority queue.]

30 TVA's implementation of capabilities
- Routers stamp pre-capabilities on request packets: (timestamp, hash(src, dst, key, timestamp))
- Destinations return fine-grained capabilities: (N, T, timestamp, hash(pre-cap, N, T)), meaning "send N bytes in the next T seconds", e.g. 32KB in 10 seconds
[Figure: request packets carry pre-capabilities (pre 1, pre 2) from each router on the path; data packets carry the returned capabilities (cap 1, cap 2)]