Extensible Security Services on the CROSS/Linux Programmable Router David K. Y. Yau Department of Computer Sciences Purdue University

Motivations
- The Internet is an open and democratic environment
  - increasingly used for mission-critical work
- Many security threats are present or emerging
  - need effective and flexible defenses to detect, trace and counter attacks
  - protect innocent users, prosecute criminals

Routing Infrastructure
- Router software is critical to network health
  - patches for security bugs
  - new defenses against new attacks
- Scalable distribution of router software to many routing points
  - minimal disruption to existing services
  - little human intervention
- Exploit software-programmable router technology (the CROSS platform)

Existing Networks (figure: client, ISP, router doing simple forwarding, server)

CROSS Network Architecture (figure: client, ISP, router doing processing + forwarding, web server, code server; services shown: denial-of-service defense, intelligent congestion control)

CROSS Forwarding Paths (figure: packet classifier, input queues, cut-through path, per-flow processing, function dispatcher with subscribe/dispatch, resource allocation manager, active packet send, output network queues)

Example Security Problem: Network Denial-of-service Attacks
- Some attacks are quite subtle
  - at the routing infrastructure: malicious dropping of packets, etc.
  - addressed by securing protocols and intrusion detection
- Others work by brute force: flooding attacks
  - cripples the victim; precludes any sophisticated defense at the point under attack
  - viewed as a resource management problem

Flooding Attack (figure: server)

Server-centric Router Throttle
- Installed by the server when under stress, at a set of deployment routers
  - can be sent by multicast
- Specifies a leaky-bucket rate at which the router can forward traffic to the server
  - aggressive traffic for the server is dropped before reaching the server
  - rate determined by a control algorithm

Router Throttle (figure: a deployment router holding a throttle for S, securely installed by S, and a throttle for S'; an aggressive flow to S is rate-limited by the throttle for S; traffic to S' passes its own throttle)

Key Design Problems
- Resource allocation: who is entitled to what?
  - need to keep the server operating within its load limits
  - what notion of fairness, and how to achieve it? Need global, rather than router-local, fairness
- How to respond to network and user dynamics?
  - a feedback control strategy is needed

What is being fair?
- The baseline approach of dropping a fraction f of traffic for each flow won't work well
  - a flow can cause more damage to other flows simply by being more aggressive!
- Rather, no flow should get a higher rate than another flow that has unmet demand
  - this way, we penalize aggressive flows only, and protect the well-behaved ones

Fairness Notion
- Since we proactively drop packets ahead of the congestion point, we need a global fairness notion
  - router-local max-min at the destination, with push-back to upper levels (Mahajan et al.)
  - max-min fairness among the level-k routing points R(k), i.e., routers about k hops away from the destination

Level-k Deployment Points
- Deployment points are parameterized by an integer k
- R(k): the set of routers that are either k hops away from server S, or less than k hops away from S but directly connected to a host
- Fairness across the global routing points R(k)
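To make the R(k) definition concrete, here is an added example (not code from the CROSS project or the paper) that computes R(k) over a small constructed topology with a breadth-first search from S. It also checks the property that the "directly connected to a host" clause buys: every host's path to S must cross some deployment router, otherwise that host's traffic reaches S unthrottled. The node names, adjacency lists and the router/host naming convention are assumptions of the example.

```python
from collections import deque

# Constructed example topology (not taken from the slides): undirected
# adjacency lists. "S" is the protected server, names starting with "r" are
# routers and names starting with "h" are end hosts.
TOPOLOGY = {
    "S":  ["r1"],
    "r1": ["S", "r2", "r3"],
    "r2": ["r1", "r4", "h1"],   # 2 hops from S, and has host h1 attached
    "r3": ["r1", "r5"],
    "r4": ["r2", "h2", "h3"],
    "r5": ["r3", "r6"],
    "r6": ["r5", "h4"],
    "h1": ["r2"], "h2": ["r4"], "h3": ["r4"], "h4": ["r6"],
}


def is_router(node):
    return node.startswith("r")


def is_host(node):
    return node.startswith("h")


def bfs_from(topology, server):
    """Breadth-first search from S. Returns (hops, parent): the hop count of
    every node and its next hop toward S along the shortest path found."""
    hops = {server: 0}
    parent = {server: None}
    queue = deque([server])
    while queue:
        u = queue.popleft()
        for v in topology[u]:
            if v not in hops:
                hops[v] = hops[u] + 1
                parent[v] = u
                queue.append(v)
    return hops, parent


def level_k_routers(topology, server, k):
    """R(k) as defined on the slide: routers exactly k hops from S, plus
    routers fewer than k hops from S that are directly connected to a host."""
    hops, _ = bfs_from(topology, server)
    chosen = set()
    for node, d in hops.items():
        if not is_router(node):
            continue
        if d == k or (d < k and any(is_host(n) for n in topology[node])):
            chosen.add(node)
    return sorted(chosen)


def uncovered_hosts(topology, server, deployment):
    """Hosts whose shortest path to S crosses none of the deployment routers;
    traffic from these hosts would reach S without passing a throttle."""
    hops, parent = bfs_from(topology, server)
    missed = []
    for node in sorted(hops):
        if not is_host(node):
            continue
        hop = parent[node]
        while hop is not None and hop not in deployment:
            hop = parent[hop]
        if hop is None:
            missed.append(node)
    return missed


if __name__ == "__main__":
    for k in (1, 2, 3, 4):
        r_k = level_k_routers(TOPOLOGY, "S", k)
        print(f"R({k}) = {r_k}, uncovered hosts = {uncovered_hosts(TOPOLOGY, 'S', set(r_k))}")
    # Dropping the host clause (routers at exactly 3 hops only) leaves h1 uncovered.
    print("exact-3-hop only:", uncovered_hosts(TOPOLOGY, "S", {"r4", "r5"}))
```

In this topology R(3) is {r2, r4, r5}: r4 and r5 sit exactly three hops out, and r2 is only two hops out but is pulled in because host h1 hangs off it. Using only the routers exactly three hops away would leave h1's traffic uncovered, which is why the definition carries the second clause.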

Level-3 Deployment (figure: server)

Feedback Control Strategy
- Hysteresis control
  - high and low water marks for server load, used to strengthen or relax the router throttle
- Additive-increase/multiplicative-decrease rate adjustment
  - throttling increases when server load exceeds U_S, and decreases when server load falls below L_S
  - the throttle is removed when a relaxed rate does not result in a significant server load increase

Fairness Definition
- A resource control algorithm achieves level-k max-min fairness among the routers R(k) if the allowed forwarding rate of traffic for S at each router is the router's max-min fair share of some rate r satisfying L_S ≤ r ≤ U_S

Fair Throttle Algorithm
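The fairness argument ("What is being fair?"), the hysteresis/AIMD control strategy and the level-k max-min definition above fit together in the following added example, which is not the paper's or the CROSS project's code. It implements max-min water-filling of a rate r among the routers in R(k), the proportional-drop baseline for contrast, and a control loop that cuts r multiplicatively when server load exceeds U_S, raises it additively when load falls below L_S, and removes the throttle when relaxing r no longer raises load noticeably. The slide's "increase/decrease" is read here as the direction of throttling, consistent with its hysteresis bullet. The router names, offered demands, water marks and the step constants alpha and beta are constructed for illustration.

```python
# Added example (not the CROSS project's or the paper's code): a toy model of
# the server-centric router throttle. Each deployment router in R(k) offers a
# demand toward S; the throttle rate r is split among them max-min fairly and
# the server load is whatever gets through.


def max_min_fair_shares(demands, total):
    """Water-filling max-min allocation of `total` among routers with the given
    offered demands: no router gets more than another router that still has
    unmet demand. Returns {router: allowed forwarding rate}."""
    shares = {}
    remaining = dict(demands)
    budget = float(total)
    while remaining:
        equal_share = budget / len(remaining)
        # Routers whose demand fits under the equal share are fully served;
        # the budget they leave over is redistributed among the rest.
        satisfied = {rt: d for rt, d in remaining.items() if d <= equal_share}
        if not satisfied:
            for rt in remaining:
                shares[rt] = equal_share
            break
        for rt, d in satisfied.items():
            shares[rt] = float(d)
            budget -= d
            del remaining[rt]
    return shares


def proportional_shares(demands, total):
    """The baseline the slides argue against: every router keeps the same
    fraction f of its traffic, so an aggressive router still takes the most."""
    offered = sum(demands.values())
    keep = min(1.0, total / offered)
    return {rt: d * keep for rt, d in demands.items()}


def server_load(demands, rate):
    """Load reaching S when the throttle rate is split max-min fairly."""
    return sum(max_min_fair_shares(demands, rate).values())


def simulate_throttle(demands, L, U, r0, alpha=2.0, beta=0.5, max_steps=50, eps=0.01):
    """Hysteresis AIMD loop on the throttle rate r.
    Returns (final rate, history of (r, load)); the rate is None if the
    throttle was removed because relaxing it no longer raised server load."""
    r = r0
    history = []
    for _ in range(max_steps):
        load = server_load(demands, r)
        history.append((round(r, 3), round(load, 3)))
        if load > U:
            r = r * beta                  # multiplicative decrease: tighten
        elif load < L:
            relaxed = r + alpha           # additive increase: relax
            if server_load(demands, relaxed) - load <= eps:
                return None, history      # relaxing changes nothing: remove throttle
            r = relaxed
        else:
            return r, history             # load within [L_S, U_S]: stable
    return r, history


if __name__ == "__main__":
    # Constructed demands (packets/s) at three deployment routers; r4 is the
    # aggressive one.  Water marks L_S = 18, U_S = 22, as in the slide example.
    attack = {"r2": 5, "r4": 30, "r5": 10}
    print("proportional drop:", proportional_shares(attack, 22))   # r2 starves
    print("max-min fair:     ", max_min_fair_shares(attack, 22))   # r2 fully served
    print("under attack:     ", simulate_throttle(attack, 18, 22, 40))
    # Once the attack subsides the offered load sits below L_S and the
    # throttle is withdrawn.
    calm = {"r2": 5, "r4": 2, "r5": 8}
    print("after attack:     ", simulate_throttle(calm, 18, 22, 20))
```

With r = 22 the proportional baseline leaves r2 with about 2.4 of its 5 units while the aggressive r4 keeps about 14.7; the max-min split serves r2 in full and caps r4 and r5 at 8.5 each, which is the "penalize aggressive flows only" property from the fairness slide. Starting from r = 40 under attack the loop halves r once and settles at 20, inside [18, 22]; once demand drops below L_S, relaxing r by alpha changes nothing and the throttle is removed.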

Example Max-min Rates (L = 18, H = 22) (figure: server)

Interesting Questions
- Can we preferentially drop attacker traffic over good user traffic?
- Can we keep the server operating within its design limits, so that the good user traffic that gets through receives acceptable service?
  - How stable is such a control algorithm? How does it converge?

Algorithm Evaluation
- Control-theoretic analysis
  - algorithm stability and convergence under different system parameters
- Packet network simulations
  - good user protection under both UDP and TCP traffic
- System implementation
  - deployment costs

Control-theoretic Model

Throttle Rate (L=900; U=1100)

Server Load (L = 900; U = 1100)

Throttle Rate (U = 1100)

Server Load (U = 1100)

Throttle Rate (L=1050;U=1100)

Server Load (L=1050; U=1100)

UDP Simulation Experiments
- Global network topology reconstructed from real traceroute data
  - AT&T Internet mapping project: 709,310 traceroute paths, from a single source to 103,402 other destinations
  - randomly selected 5,000 paths, with 135,821 nodes of which 3,879 are hosts
- Randomly select x% of hosts to be attackers
  - good users send at a rate in [0, r], attackers at a rate in [0, R]

20% Evenly Distributed Aggressive (10:1) Attackers

40% Evenly Distributed Aggressive (5:1) Attackers

Evenly Distributed “meek” Attackers

Deployment Extent

TCP Simulation Experiment
- Clients access a web server via HTTP 1.0 over TCP Reno
- Simulated network is a subset of the AT&T traceroute topology
  - 85 hosts, 20% attackers
- Web clients make requests probabilistically, with empirical document size and inter-request time distributions

Web Server Protection

Web Server Traffic Control

System Implementation
- On the CROSS/Linux router
  - as a Click element kernel service (loadable kernel module)
  - code can be remotely downloaded through the anetd daemon
- Deployment platform
  - Pentium III/864 MHz PC
  - multiple 10/100 Mb/s Ethernet interfaces

Module Load Overhead

Memory and Delay Results
- Memory overhead
  - 7.5 bytes of memory per throttle
- Delay through the throttle element is about 200 ns
  - independent of the number of throttles installed

Throughput Result

Future Work
- Offered-load-aware control algorithm for computing the throttle rate
  - impact on convergence and stability
- Policy-based notion of fairness
  - heterogeneous network regions, by size, susceptibility to attacks, tariff payment
- Selective deployment issues
- Impact on real user applications

Conclusions
- Extensible routers can help improve network health
- Presented a server-centric router throttle mechanism for DDoS flooding attacks
  - can better protect good user traffic from aggressive attacker traffic
  - can keep the server operational under an ongoing attack
  - has an efficient implementation

Acknowledgements
- CROSS implementation
  - Prem Gopalan, Seung Chul Han, Xuxian Jiang, Puneet Zaroo
- Funding has been provided by
  - NSF, CERIAS, Purdue Research Foundation