1.1 Operating System Concepts Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles David K.Y. Yau, John C.S. Lui CS Dept, Purdue.

Presentation transcript:

1.1 Defending Against DDoS Attacks Using Max-min Fair Server Centric Router Throttles. David K.Y. Yau (CS Dept, Purdue University), John C.S. Lui (CS&E Dept, CUHK)

1.2 Motivations
- The Internet is an open and democratic environment
  - increasingly used for mission-critical work and commercial applications
- Many security threats are present or appearing
  - easy to launch, even for naive users
  - need effective and flexible defenses to detect/trace/counter attacks
  - goals: protect innocent users; prosecute criminals (ambitious goals)

1.3 Network Denial-of-service Attacks
- Some attacks are quite subtle
  - securing protocols and intrusion detection (e.g., BGP, TCP SYN attack)
  - at the routing infrastructure: malicious dropping of packets, etc. (low-rate TCP)
- Others work by brute force: flooding (e.g., UDP, valid Web requests)
- Cripples the victim: precludes any sophisticated defense at the victim site
  - philosophical question: what is an "attacker"?
  - viewed here as a resource management problem

1.4 Flooding Attack [figure; label: Server]

1.5 Server-centric Router Throttle
- Installed by the server when under stress, at a set of deployment routers
  - can be sent by multicast
- Specifies the leaky bucket rate at which a router may forward traffic to the server
  - aggressive traffic for the server is dropped before it reaches the server
  - the rate is determined by a feedback control algorithm
- Issues: (1) Which set of routers? (2) What is the "proper" dropping rate?

1.6 [figure: deployment router C holding a throttle for S and a throttle for S', securely installed by S; an aggressive flow to S and ordinary traffic to S' pass through C]
Each victim has a leaky bucket for rate limiting. Small memory and computation overhead!
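As an added illustration (not code from the slides or from the authors' router implementation), a deployment router keeping one leaky bucket per victim: S has installed a throttle for itself, S' has not and is forwarded untouched. The server names, the 1,000 B/s rate and burst, and the packet trace are all constructed here.

```python
class LeakyBucket:
    """Token-bucket form of the per-victim leaky bucket: at most `rate` bytes/s
    may be forwarded toward the server, with up to `burst` bytes of credit."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst      # bytes/s, bytes
        self.tokens, self.last_ms = burst, 0     # start full; timestamps in ms

    def admit(self, now_ms, size):
        # Refill credit for the elapsed time, capped at the bucket depth.
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate / 1000)
        self.last_ms = now_ms
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False        # over the installed rate: drop before the packet reaches S


class DeploymentRouter:
    """A router in R(k): one throttle per server that asked for one, nothing else changes."""

    def __init__(self):
        self.throttles = {}

    def install_throttle(self, server, rate, burst):
        self.throttles[server] = LeakyBucket(rate, burst)

    def remove_throttle(self, server):
        self.throttles.pop(server, None)       # server relaxed out of the throttle

    def forward(self, now_ms, dst, size):
        bucket = self.throttles.get(dst)
        if bucket is None:
            return True     # destination never installed a throttle: plain forwarding
        return bucket.admit(now_ms, size)


def run_trace(router, packets):
    """Replay (time_ms, destination, size) packets; count forwarded/dropped per destination."""
    stats = {}
    for now_ms, dst, size in sorted(packets, key=lambda p: p[0]):
        counters = stats.setdefault(dst, {"forwarded": 0, "dropped": 0})
        counters["forwarded" if router.forward(now_ms, dst, size) else "dropped"] += 1
    return stats


# Constructed trace: 5,000 B/s toward S (ten 500-byte packets per second) while S has
# throttled itself to 1,000 B/s; S' has no throttle and sends 2,500 B/s.
TRACE = [(t, "S", 500) for t in range(0, 1000, 100)] + \
        [(t, "S_prime", 500) for t in range(0, 1000, 200)]


def demo():
    router = DeploymentRouter()
    router.install_throttle("S", rate=1000, burst=1000)   # rate chosen by S's feedback loop
    return run_trace(router, TRACE)


if __name__ == "__main__":
    print(demo())   # {'S': {'forwarded': 3, 'dropped': 7}, 'S_prime': {'forwarded': 5, 'dropped': 0}}
```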

1.7 Key Design Problems
- Resource allocation: who is entitled to what?
  - need to keep the server operating within its load limits
  - a notion of fairness, and how to achieve it?
    - need global, rather than router-local, fairness
- How to respond to network and user dynamics (e.g., fluctuation of traffic)?
  - a feedback control strategy is needed

1.8 What is being fair?
- The baseline approach of dropping a fraction f, say 1/2, of the traffic of each flow won't work well
  - a flow can cause more damage to other flows simply by being more aggressive!
- Rather, no flow should get a higher rate than another flow that has unmet demand
  - this way we penalize only "aggressive" flows and protect the well-behaving ones

1.9 Fairness Notion
- Since we "proactively" drop packets ahead of the congestion point, we need a global fairness notion
  - max-min fairness among the level-k routing points R(k), i.e., routers about k hops away from the destination
[figure: deployment points; label: "standard knowledge we learn"]

1.10 Level-k Deployment Points
- Deployment points are parameterized by an integer k
- R(k): the set of routers that are either k hops away from server S, or fewer than k hops away from S but directly connected to a host
- Fairness is defined across the global routing points R(k)

1.11 Level-3 Deployment [figure; label: Server]

1.12 Feedback Control Strategy
- Hysteresis control
  - high and low water marks for server load, used to strengthen or relax the router throttle
- Additive increase/multiplicative decrease rate adjustment
  - throttling increases when server load exceeds U_S, and decreases when server load falls below L_S
  - the throttle is removed when a relaxed rate does not result in a significant server load increase

1.13 Fairness Definition
- A resource control algorithm achieves level-k max-min fairness among the routers R(k) if the allowed forwarding rate of traffic for S at each router is the router's max-min fair share of some rate r satisfying L_S ≤ r ≤ U_S

1.14 Fair Throttle Algorithm [figure]

1.15 Example Max-min Rates (L=18, H=22) [figure; label: Server]
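As an added example (not the authors' code and not the algorithm figure of slide 1.14), the additive-increase/multiplicative-decrease throttle-rate search of slide 1.12 run over constructed per-router demands with the water marks L=18 and U=22 of slide 1.15; the slide 1.8 baseline of dropping the same fraction at every router is included for contrast. The demands, the starting rate r0 and the step delta are constructed here.

```python
def router_forwarding(demands, r):
    """Rate each router in R(k) forwards toward S under throttle r:
    its leaky bucket lets through min(offered demand, r)."""
    return [min(d, r) for d in demands]


def fair_throttle(demands, low, high, r0, delta, max_rounds=100):
    """AIMD search for a throttle rate r whose aggregate at S lies in [L_S, U_S].
    Returns (r, per-router forwarded rates, aggregate load at S)."""
    r = r0
    for _ in range(max_rounds):
        load = sum(router_forwarding(demands, r))
        if load > high:          # server overloaded: tighten (multiplicative decrease)
            r /= 2
        elif load < low:         # server underloaded: relax (additive increase)
            r += delta
        else:                    # within the water marks: hold this rate
            return r, router_forwarding(demands, r), load
    raise RuntimeError("throttle did not converge within max_rounds")


def proportional_drop(demands, fraction):
    """Slide 1.8 baseline: every router drops the same fraction of its traffic."""
    return [d * (1 - fraction) for d in demands]


def is_max_min_fair(demands, rates):
    """Slide 1.8 criterion: no router gets a higher rate than one with unmet demand."""
    unmet = [rate for d, rate in zip(demands, rates) if rate < d]
    return all(rate <= min(unmet) for rate in rates) if unmet else True


# Constructed example: four level-k routers; the two large offered loads stand for
# paths carrying attack traffic.  Water marks L_S = 18, U_S = 22 as on slide 1.15.
DEMANDS = [2, 3, 10, 15]
L_S, U_S = 18, 22


def demo():
    r, rates, load = fair_throttle(DEMANDS, L_S, U_S, r0=20, delta=1)
    baseline = proportional_drop(DEMANDS, 0.5)
    return {"throttle": r, "rates": rates, "load": load,
            "fair": is_max_min_fair(DEMANDS, rates),
            "baseline_rates": baseline,
            "baseline_fair": is_max_min_fair(DEMANDS, baseline)}


if __name__ == "__main__":
    # Search path: r=20 (load 30) -> 10 (25) -> 5 (15) -> 6 (17) -> 7 (19, accepted).
    print(demo())
```

The small flows keep their full 2 and 3 while the two aggressive routers are cut to 7 each; the 50% baseline instead leaves the aggressive router with 7.5 while cutting the 2-unit flow to 1.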

1.16 Interesting Questions
- Can we preferentially drop attacker traffic over good user traffic?
- Can we keep the server operating within its design limits, so that the good user traffic that gets through receives acceptable service?
- How stable is such a control algorithm? How does it converge?

1.17 Algorithm Evaluation
- Control-theoretic analysis (fluid analysis)
  - algorithm stability and convergence under different system parameters
- Packet network simulations (packet-level analysis)
  - tested under UDP and TCP traffic; also tested with Web traces
- System implementation (the real thing, baby!!!)
  - deployment costs

1.18 Control-theoretic Model [figure; labels: adjusted traffic from source i, throttle signal from victim, step size]
When the throttle signal is high, the server is underloaded. When the throttle signal is low, the server is overloaded. ANALOGY!!!

1.19 Feedback Control Model (Us=1750; Ls=1650) [figure; constant sources of 20, 30, 25, 4000 and 2800]

1.20 Output for good traffic (total from source 1) [figure]

1.21 Output for attack traffic (total from source 5) [figure]

1.22 Output for attack traffic (total from source 6) [figure]

1.23 Total traffic to server (Us=1750; Ls=1650) [figure]

1.24 Case 2: variable attack traffic (Us=1750, Ls=1650) [figure; square pulse]

1.25 Output of attack traffic 1 [figure]

1.26 Output of attack traffic 2 [figure]

1.27 Total traffic to server (Us=1750; Ls=1650) [figure]

1.28 Feedback Control Model (sources and server) [figure]

1.29 Feedback Control Model (server throttle signal) [figure]

1.30 Feedback Control Model (sources process throttle) [figure]

1.31 Throttle Rate (L=900; U=1100) [figure]

1.32 Server Load (L=900; U=1100) [figure]

1.33 Throttle Rate (U=1100) [figure]

1.34 Server Load (U=1100) [figure]

1.35 Throttle Rate (L=1050; U=1100) [figure]

1.36 Server Load (L=1050; U=1100) [figure]

1.37 NS2: UDP Simulation Experiments
- Global network topology reconstructed from real traceroute data
  - AT&T Internet mapping project: 709,310 traceroute paths, from a single source to 103,402 other destinations
  - randomly select 5,000 paths, with 135,821 nodes of which 3,879 are hosts
- Randomly select x% of hosts to be attackers
  - good users send at a rate in [0, r], attackers at a rate in [0, R]

1.38 20% Evenly Distributed Aggressive (10:1) Attackers [figure]

1.39 40% Evenly Distributed Aggressive (5:1) Attackers [figure]

1.40 Evenly Distributed "meek" Attackers [figure]

1.41 Deployment Extent [figure]

1.42 NS2: TCP Simulation Experiment
- Clients access the web server via HTTP 1.0 over TCP Reno
- Simulated network is a subset of the AT&T traceroute topology
  - 85 hosts, 20% attackers
- Web clients make requests probabilistically, with empirical document size and inter-request time distributions

1.43 Web Server Protection [figure]

1.44 Web Server Traffic Control [figure]

1.45 System Implementation
- On a Linux router
  - loadable kernel module
  - CPU resource reservation
- Deployment platform
  - Pentium 4 / 2 GHz PC
  - multiple 10/100 Mb/s Ethernet interfaces

1.46 System Implementation (cont.)
- OPERA: An Open-Source Extensible Router Architecture
- A Linux-based package for implementing a software-programmable router architecture, with the aim of facilitating networking experiments for the research community. Using this architecture, one can dynamically load new extensions and services into the programmable router. Some interesting extensions include QoS support and traceback of DDoS attacks.
- Dynamic module loading
- Resource reservation
- General extension framework
- Secured communication

1.47 Network Architecture [figure; labels: client, router: processing + forwarding, Web server, code server, denial-of-service defense, intelligent congestion control, ISP]

1.48 Future Work
- Offered-load-aware control algorithm for computing the throttle rate
  - impact on convergence and stability
- Policy-based notion of fairness
  - heterogeneous network regions, by size, susceptibility to attacks, tariff payment
- Selective deployment issues
- Impact on real user applications
- Defense for other forms of DDoS, such as the reflector attack, BGP cascading failure, etc.

1.49 Conclusions
- Extensible routers can help improve network health
- Presented a server-centric router throttle mechanism for DDoS flooding attacks
  - can better protect good user traffic from aggressive attacker traffic
  - can keep the server operational under an ongoing attack
  - has an efficient implementation

1.50 Existing Networks [figure; labels: client, router: simple forwarding, ISP, server]

1.51 Level-3 Deployment [figure; label: Server]

1.52 Router's Forwarding Paths [figure; labels: resource allocation manager, function dispatcher, cut-through, subscribe/dispatch, active packet send, per-flow processing, output network queues, input queues, packet classifier]

1.53 Level-3 Deployment [figure]

1.54 Example Level-k Max-min Fair Rates (L=18, H=22) [figure]

1.55 Routing Infrastructure
- Router software is critical to network health
  - patches for security bugs
  - new defenses against new attacks
- Scalable distribution of router software to many routing points
  - minimal disruption to existing services
  - little human intervention
- Exploit software-programmable router technology