Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu.

Presentation transcript:

Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks
Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu
Offense: Kiaie, A., Teng, X.

Outline
Relevance
Deployment
Scalability

Relevance?
Portcullis is not a solution to DoS; it is a solution to a solution to DoS, since it assumes a capability system is already in place.
Weaknesses (from Monday):
– Questionable scalability
– Does not address the adaptive-bandwidth issue
– Questionable deployment plan

Relevance? Is TVA broken?
– The Portcullis authors argue that TVA's capability setup is broken because its fair queuing does not work
– However, the TVA paper (Section 5.4, Figure 11) shows that a mechanism other than fair queuing, expiring capabilities, limits the effectiveness of a DoS attack to 5 seconds
– Not good enough?
Conclusion: does Portcullis solve a nonexistent problem?

Deployment?
Portcullis requires modification of both hosts and routers.
Section 6.1, Figure 3 has a nice graph evaluating full deployment:
– All hosts and all routers modified
Section 6.4, Figure 5 has a nice graph evaluating 'partial' deployment:
– Only ISPs upgrade their routers
– All hosts still need to be modified!
Conclusion: Portcullis has no partial deployment, only partial partial deployment.

Scalability?
Theorem 4.1. Under the Portcullis router scheduling policy … legitimate sender utilizing the Portcullis sending policy … successfully transmits a request packet in O(n_m) amount of time in expectation, regardless of the strategy employed by the adversary.

Scalability?
Attacker's goal: conquer and use n_m hosts such that O(n_m) > t, where t is the time after which the user gives up => effective DDoS.
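To see why the bound in Theorem 4.1 is linear in n_m, here is an added toy model (not the presenters' or the Portcullis authors' code) of the paper's puzzle scheme: routers forward the highest puzzle level first, a level-l puzzle costs 2^l work, and a legitimate sender retries at level 0, 1, 2, ... until it gets through. The parameters router_rate and host_rate are constructed, the adversary is assumed to spend its budget saturating one level, and network latency is ignored.

```python
# Toy model of Portcullis puzzle scheduling (constructed assumptions, not the
# paper's parameters): every host, attacker or legitimate, computes host_rate
# units of puzzle work per second; a level-l puzzle costs 2**l units; the router
# forwards router_rate request packets per second, highest level first.

def highest_saturated_level(n_m, router_rate, host_rate):
    """Highest puzzle level at which n_m attacking hosts can keep the router full.

    Shutting out level l means supplying router_rate packets/s at level l or
    above, costing router_rate * 2**l work per second. With a total budget of
    n_m * host_rate the adversary holds the largest l with
    router_rate * 2**l <= n_m * host_rate (-1 if it cannot even hold level 0).
    """
    budget = n_m * host_rate
    level = -1
    while router_rate * 2 ** (level + 1) <= budget:
        level += 1
    return level


def legit_setup_time(n_m, router_rate, host_rate):
    """Seconds until a legitimate sender gets one request packet forwarded.

    Sending policy: level 0, then 1, 2, ... after each failed attempt. The
    packet is forwarded at the first level the adversary cannot saturate, so
    the sender pays for every puzzle up to and including that level. Because
    2**level tracks n_m * host_rate / router_rate, the result is O(n_m).
    """
    first_open = highest_saturated_level(n_m, router_rate, host_rate) + 1
    total_work = sum(2 ** level for level in range(first_open + 1))
    return total_work / host_rate


def attackers_to_exceed(t_giveup, router_rate, host_rate):
    """Smallest n_m that pushes legit_setup_time past the user's patience
    t_giveup (the slide's 'attacker's goal'). legit_setup_time is a
    non-decreasing step function of n_m, so double, then binary search."""
    hi = 1
    while legit_setup_time(hi, router_rate, host_rate) <= t_giveup:
        hi *= 2
    lo = hi // 2  # within patience (or 0, which is never queried)
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if legit_setup_time(mid, router_rate, host_rate) <= t_giveup:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    for n_m in (1, 2048, 20000, 45000):
        print(n_m, "attackers ->", legit_setup_time(n_m, 1000, 1000), "s")
    print("attackers needed to exceed 8 s:", attackers_to_exceed(8.0, 1000, 1000))
```

With the constructed rates the setup time roughly doubles when the botnet doubles, which is the linear growth the slide extrapolates from Figure 3.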

Scalability?
Figure 3 shows a graph (looks more than linear) that says with attackers, t = 8 s.
Median botnet size = (source (Thursday, February 16, 2006; 3:12 PM): dyn/content/article/2006/02/16/AR ht ml)
Assume linear: t(45000) = 45000 * 8 / 20000 = 18 s.
Would you give up and go elsewhere if the page has not loaded after 18 s?
Conclusion: does Portcullis have a scalability problem?
The median botnet size is likely to be larger than that now, in 2008.

Scalability?
"Our second result states that for any scheduling policy and any sending algorithm, a legitimate sender cannot perform better than the guarantee provided by Theorem 4.1:"

Scalability?
Interpretation 1: We are on the way to destruction. We have no chance to survive make our time.

Scalability?
Interpretation 2: the big contribution of this paper is to show that we should not rely on a scheduling policy and a sending algorithm to solve the DoS/DoC problem?

Summary
Portcullis:
– Questionable relevance
– Questionable deployment plan given the huge cost-benefit ratio (the benefit is small)
– Questionable scalability