Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.

DoS & DDoS
  DoS: "an attack with the purpose of preventing legitimate users from using a victim computing system or network resource" [3]
  DDoS: "A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets." [4]
  You may have paid for the hardware, but do you really own your network?

Typical Attack Techniques
  SYN flooding
  IP spoofing
  Bandwidth attack
  Filling the victim's hard disk space
  ...

What can DoS lead to?
  Website
  DNS
  Mail server
  Emergency services
  Many tools are available for DoS attacks, and teenagers are bound to try them. [2]

Case Study
  "DDoS attack hits clickbank and spamcop.net", by Mirko Zorz, June 25, 2003
  "Super Bowl fuels gambling sites' extortion fears", by Paul Roberts, IDG News Service, January 28, 2004

Defense
  Two general areas:
    Defense against IP spoofing (turn to Lingxuan)
    Defense against bandwidth flooding attacks

Against Bandwidth Flooding Attacks
  Goal: stop attacks on their way to the victims
  Scheme: SIFF [1]

SIFF: Assumptions
  Marking space in the IP header.
  Routers mark every packet.
  Short-term route stability.

Idea
  Divide all traffic into:
    Privileged: always gets forwarded
    Unprivileged: forwarded only if it does not affect privileged packets
  Unprivileged -> Privileged: through a handshake (to get the privilege token)

Idea (cont.)
  Routers:
    mark packets during handshakes
    match the privilege token while forwarding packets
  The recipient refuses an attack flow by:
    not providing the privilege token, or
    providing a false one

Packet Identifier Design
  Flags field (3 bits):
    SF: packet is non-legacy
    PT: EXP or DTA
    CU: capability reply present or not
  Capability: marks modified by routers
  C-R (Capability Reply): lets the recipient signal a capability to the sender

Handshake (routers sit between Client and Server and mark the packets)
  Client -> Server: EXP(0), which arrives as EXP(α) after the routers mark it
  Server -> Client: EXP(0){α}, which arrives as EXP(β){α}
  Client -> Server: DTA(!α){β}
  Legend: Packet-Type(Capability){Capability Reply}

Router Marking Calculation
  Inputs:
    IP of the interface at which the packet arrived
    IP of the last-hop router's outgoing interface
    Source IP and destination IP of the packet
  Keyed hash function over these inputs
  The last z bits of the hash are the marking

Marking Scheme for EXP
  Packets with a capability field of all zeros get marked with an additional 1 bit.
  Routers push their markings into the least significant bits of the capability field.

Authentication Scheme for DTA
  Routers check the marking in the least significant bits of the capability field and, if it equals what the marking would be for an EXPLORER packet, rotate it into the most significant bits.

Key Switch
  Why? If the hash function does not change periodically, an attacker can simply obtain a capability through a seemingly legitimate request and then use it to flood the server with privileged traffic.
  Solution: windowed authentication and marking

Windowed Authentication and Marking for DTA
  Routers check that the marking equals one of the valid markings in their window, and always rotate the newest marking in the window into the capability field.

Do Guesses Work?
  x: number of markings each router maintains in its window
  z: number of bits per router marking
  P(x, z): probability that a randomly guessed capability will pass a particular router
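To make the marking, authentication and key-switch slides concrete, here is an added simulation of a short SIFF-style path (example code written for this page, not the SIFF authors' implementation). It models the keyed marking over the arrival interface, last-hop interface, source and destination; the EXP push into the least significant bits; the DTA check-and-rotate against a window of x keys; and the guess probability for a z-bit marking. Field widths, interface names, addresses and the assumption that the recipient reverses the z-bit chunks before handing back the capability are constructed for the example.

```python
import hashlib, hmac
from collections import deque

Z, X, HOPS = 4, 2, 3            # bits per marking, window size, routers on the path
CAP_BITS, LOW = Z * HOPS, (1 << Z) - 1

class Router:
    # Constructed model of one SIFF router (not the paper's code).
    def __init__(self, name, in_if, out_if):
        self.name, self.in_if, self.out_if, self.epoch = name, in_if, out_if, 0
        self.keys = deque([self._key()], maxlen=X)   # newest key at index 0

    def _key(self):   # deterministic per-router secret for the current epoch
        return hashlib.sha256(f"{self.name}:{self.epoch}".encode()).digest()

    def switch_key(self):   # periodic key switch; the oldest key leaves the window
        self.epoch += 1
        self.keys.appendleft(self._key())

    def marking(self, key, pkt):
        # last z bits of a keyed hash over arrival interface, last-hop interface, src, dst
        msg = f"{self.in_if}|{pkt['last_hop']}|{pkt['src']}|{pkt['dst']}".encode()
        return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big") & LOW

    def forward(self, pkt):   # mark an EXP packet or authenticate a DTA packet
        newest = self.marking(self.keys[0], pkt)
        if pkt["type"] == "EXP":   # push the marking into the least significant bits
            pkt["cap"] = ((pkt["cap"] << Z) | newest) & ((1 << CAP_BITS) - 1)
        else:   # DTA: the LSBs must equal a marking under any key still in the window
            if pkt["cap"] & LOW not in {self.marking(k, pkt) for k in self.keys}:
                return None   # dropped: the capability is stale or guessed
            # rotate: drop the checked bits and put the newest marking into the MSBs
            pkt["cap"] = (pkt["cap"] >> Z) | (newest << (CAP_BITS - Z))
        pkt["last_hop"] = self.out_if
        return pkt

def send(path, ptype, cap, src="192.0.2.10", dst="198.51.100.5"):
    # Forward one packet hop by hop; return its final capability field, or None if dropped.
    pkt = {"type": ptype, "cap": cap, "src": src, "dst": dst, "last_hop": "host"}
    for router in path:
        pkt = router.forward(pkt)
        if pkt is None:
            return None
    return pkt["cap"]

def issue_capability(exp_cap):
    # Assumption: the recipient reverses the z-bit chunks so that the first router's
    # marking sits in the LSBs, which is where DTA authentication checks it.
    chunks = [(exp_cap >> (Z * i)) & LOW for i in range(HOPS)]
    return sum(c << (Z * (HOPS - 1 - i)) for i, c in enumerate(chunks))

def guess_pass_probability(x, z):
    # chance a uniformly random z-bit guess equals one of x distinct valid markings
    return x / 2 ** z
```

After a DTA packet crosses the whole path, the field again holds the newest markings in check order, so the recipient can hand it back as a refreshed capability; that is what lets legitimate flows survive a key switch while a capability older than the window is dropped.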

Can a Privileged Channel Be Established Under Unprivileged Packet Flooding?
  i: number of hops in the network
  ε_i: probability of getting dropped at any one of those routers

Limitations
  Depends on a mechanism to detect the attack
  Networks in which some routers do not implement SIFF
  Colluding attackers
  Host granularity, not application granularity

References
  [1] Avi Yaar, Adrian Perrig and Dawn Song. "SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks." 2004 IEEE Symposium on Security and Privacy.
  [2] Tools:
  [3] David Karig and Ruby Lee. "Remote Denial of Service Attacks and Countermeasures." Princeton University Department of Electrical Engineering Technical Report CE- L , October.
  [4] Lincoln Stein and John N. Stuart. "The World Wide Web Security FAQ", Version 3.1.2, February 4, (8 April 2003).