Towards a More Functional and Secure Network Infrastructure Dan Adkins, Karthik Lakshminarayanan, Adrian Perrig (CMU), and Ion Stoica.


Motivation
The Internet is vulnerable to Denial of Service (DoS) attacks (packet floods).
The Internet only does point-to-point communication well.
–Other applications are difficult to deploy.
In general, there is a tradeoff between adding functionality and achieving security.

DoS Assumptions
Attacker power
–Can flood using multiple clients
–Can’t take out network
–Can’t compromise I3 nodes
DoS is “solved” when…
–The victim’s link is no longer saturated

Traditional Solutions
IP-level filtering
–Must identify a pattern
–Need help from your ISP
–Slow response time
–… but effective
SYN rate limiting
–Limits legitimate connections

The Woes of IP
You only have one address
Subnets are small enough to scan
Any security can be subverted by denial of service on an IP address/subnet
IP addresses can be spoofed

Functionality vs. Security
Claim: More functionality = less security
–Complexity leads to bugs and holes
–More flexibility gives attackers more options
Not necessarily!
–More options = more defenses
–No need to trade functionality for security

Three Principles
Hide IP addresses
–Must use overlay
End-hosts have ability to defend against attacks (in the network)
Don’t create additional vulnerabilities

I3 Solves This Problem
Hide IP addresses by using I3 IDs instead
–All or nothing
End-hosts can defend against DoS attacks
I3 creates additional vulnerabilities
–We can fix them.

DoS Solution?
Can’t prevent, but can dilute
Drop a fraction of incoming traffic in the network
Random dropping reduces load…
But also drops legitimate requests
Real clients will retry

Diluting a DoS Attack
[diagram] Attacker (A) floods Victim (V) via the victim’s four public triggers (x1, V), (x2, V), (x3, V), (x4, V). Victim dilutes the attack by dropping two of its four public triggers, leaving (x3, V) and (x4, V).
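The two slides above give the dilution idea only in words and in a picture. The following Python is an added example, not code from the talk, that models the trade-off deterministically: the victim owns N public triggers, the flood is assumed to be spread round-robin over all N of them (the attacker learned them before the victim reacted), the victim drops some, and a legitimate client that hits a dropped trigger retries on the next one. Trigger counts, packet counts and client counts are constructed inputs; the function name `simulate_dilution` is this example’s own.

```python
def simulate_dilution(num_triggers, dropped, attack_packets, clients, max_attempts):
    """Model of the "dilute, don't prevent" slide (added example, not the talk's code).

    num_triggers:   N public triggers (x1..xN, V) the victim announced.
    dropped:        indices of the triggers the victim removed from the overlay.
    attack_packets: flood packets, assumed spread round-robin over all N triggers.
    clients:        legitimate clients; client c first tries trigger c % N.
    max_attempts:   how many distinct triggers a client tries before giving up.
    Returns the fraction of the flood still reaching the victim, the number of
    clients served, and the total number of client send attempts.
    """
    alive = set(range(num_triggers)) - set(dropped)
    if not alive:
        raise ValueError("dropping every trigger is self-inflicted denial of service")

    # A packet addressed to a dropped trigger is discarded inside the overlay,
    # so it never consumes the victim's access link.
    attack_delivered = sum(1 for i in range(attack_packets)
                           if i % num_triggers in alive)

    served = 0
    attempts = 0
    for c in range(clients):
        for a in range(max_attempts):
            attempts += 1
            if (c + a) % num_triggers in alive:   # a retry walks to the next trigger
                served += 1
                break

    return {
        "attack_fraction_delivered": attack_delivered / attack_packets,
        "clients_served": served,
        "client_attempts": attempts,
    }


if __name__ == "__main__":
    # The slide's scenario: four public triggers, two of them dropped.
    for tries in (1, 3):
        print(tries, simulate_dilution(4, {0, 1}, 1000, 8, tries))
```

With the slide’s numbers (four triggers, two dropped) half of the flood is shed in the overlay. Clients that try only once lose the same half, which is the “also drops legitimate requests” cost; clients allowed to retry across the remaining triggers all get through at the price of a few extra attempts, which is the “real clients will retry” argument made quantitative.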

Slowing Down a DoS Attack
[diagram, labels only: Server (S), Client (C), DoS-Filter (A), trigger t_S, id x, id_C, and message steps 1, 2, 3; the client’s traffic for S is routed through the DoS filter A]

Multicast Access Control
IP multicast address known to all receivers
Mischievous subscribers can send to entire group
I3 has efficient non-cryptographic solution

Multicast Access Control (2)
[diagram, labels only: Senders S1 and S2 with ids id_s1, id_s2; group id id_G; intermediate id id_1; receiver ids id_R1, id_R2, id_R3 leading to receivers R1, R2, R3]

Security Problems in I3
[four diagrams, labels only]
Eavesdropping: Sender, Receiver (R) with id_R, Attacker (A) with id_E; send(id, data), send(R, data).
Dead-end: Attacker, Victim (V), ids id_1, id_2, id_3, id_4.
Confluence: Attacker, Victim (V), ids id_1, id_2, id_3; send(id, data).
Loop: ids id_1, id_2, id_3, id_4 chained back onto each other.

Secure-I3 Overview
Constrained triggers
–Only allow trigger (x,y) if y.key = H(x) or x.key = H(y)
–Solves eavesdropping, loop, confluence
Pushback
–Crucial to DoS solution
Trigger challenges
–Cannot insert triggers pointing to other end-hosts

Conclusion
There is hope for security
–Our solution gives servers more defenses than they would have under IP
–IP-level filtering is still useful, but slower
More functionality and more security

Open Questions
Formal model of DoS
–Beats intuition and assumptions
What if I3 servers are compromised?

The End

Trigger Constraints
[diagram: each id is laid out as prefix | key | suffix, with arrows marking which parts must match between the two sides of a trigger (x, y)]
(a) (x, y) with y.key = h_r(x)
(b) (x, y) with x.key = h_l(y)
(c) (x, y) with x.key = h_l(y.key)
(d) (x, y) where y is an end-host address
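The Secure-I3 Overview slide states the constrained-trigger rule and this slide lists its four cases, but neither shows how an i3 server would apply it or why it stops eavesdropping and loops. The Python below is an added example, not the secure-i3 code from the talk: it implements the admission check for (a)–(d) and then exercises it from the defender’s side. The 8/16/8-byte id layout, SHA-256 with distinct tag strings standing in for h_l and h_r, the function names, and the sample addresses are all assumptions of this example.

```python
import hashlib
import os
from dataclasses import dataclass
from typing import Union

# Assumed id layout: the slide shows prefix | key | suffix but gives no sizes.
PREFIX_LEN, KEY_LEN, SUFFIX_LEN = 8, 16, 8   # bytes


@dataclass(frozen=True)
class I3Id:
    prefix: bytes   # selects the i3 server that stores triggers for this id
    key: bytes      # the bits the hash constraints bind
    suffix: bytes   # free bits

    def __post_init__(self):
        if (len(self.prefix), len(self.key), len(self.suffix)) != (PREFIX_LEN, KEY_LEN, SUFFIX_LEN):
            raise ValueError("bad id layout")

    def to_bytes(self) -> bytes:
        return self.prefix + self.key + self.suffix


Target = Union[I3Id, bytes]   # right side of a trigger: another id, or an end-host address


def h_l(data: bytes) -> bytes:
    """Stand-in for h_l on the slide: constrains the key of the LEFT id from the right side."""
    return hashlib.sha256(b"h_l|" + data).digest()[:KEY_LEN]


def h_r(data: bytes) -> bytes:
    """Stand-in for h_r on the slide: constrains the key of the RIGHT id from the left id."""
    return hashlib.sha256(b"h_r|" + data).digest()[:KEY_LEN]


def trigger_allowed(x: I3Id, y: Target) -> bool:
    """Server-side admission check: accept (x, y) only under one of constraints (a)-(d)."""
    if isinstance(y, bytes):                        # (d) y is an end-host address
        return x.key == h_l(y)
    return (y.key == h_r(x.to_bytes())              # (a) right-constrained
            or x.key == h_l(y.to_bytes())           # (b) left-constrained
            or x.key == h_l(y.key))                 # (c) constrained on y's key alone


def left_constrained_id(target: Target, prefix: bytes) -> I3Id:
    """Mint an id x such that (x, target) satisfies (b) or (d); the suffix stays free."""
    data = target if isinstance(target, bytes) else target.to_bytes()
    return I3Id(prefix, h_l(data), os.urandom(SUFFIX_LEN))


def random_id(prefix: bytes) -> I3Id:
    return I3Id(prefix, os.urandom(KEY_LEN), os.urandom(SUFFIX_LEN))


def eavesdropping_check(receiver_addr: bytes, attacker_addr: bytes, prefix: bytes):
    """Receiver R installs (x, R). Can another host install (x, A) to receive copies?
    (x, A) needs x.key == h_l(A), but x.key was fixed to h_l(R), so the server refuses."""
    x = left_constrained_id(receiver_addr, prefix)
    return trigger_allowed(x, receiver_addr), trigger_allowed(x, attacker_addr)


def chain_allowed(triggers) -> bool:
    return all(trigger_allowed(x, y) for x, y in triggers)


def loop_check(prefix: bytes):
    """A forward chain x1 -> x2 -> x3 is admitted; closing it back to x1 is not,
    because the back edge (x3, x1) would need a hash preimage relation that no party chose."""
    x3 = random_id(prefix)
    x2 = left_constrained_id(x3, prefix)
    x1 = left_constrained_id(x2, prefix)
    forward = chain_allowed([(x1, x2), (x2, x3)])
    closed = chain_allowed([(x1, x2), (x2, x3), (x3, x1)])
    return forward, closed


if __name__ == "__main__":
    p = bytes(PREFIX_LEN)                                   # constructed prefix
    r_addr, a_addr = b"\x0a\x00\x00\x07", b"\x0a\x00\x00\x63"   # constructed IPv4 addresses
    print(eavesdropping_check(r_addr, a_addr, p))           # (True, False)
    print(loop_check(p))                                    # (True, False)
```

One caveat the example makes visible: cases (c) and (d) both hash a bare byte string, and an IPv6 address is the same length as the assumed 16-byte key, so a deployment would tag the two inputs differently before hashing; the tag strings here separate h_l from h_r only.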

If you really want security…
If you have determined (and well-funded) enemies…
–Learn to make friends!
If you have a critical server…
–Don’t place it on a public, open network!
If you must be online…
–Pay for excess capacity!