Source Router Approach to DDoS Defense Jelena Mirković and Peter Reiher UCLA USENIX Work-In Progress Session Washington DC, 08/17/2001 {sunshine,



Approach Overview
• Goal: Prevent our site from participating in DDoS attacks
• Monitor incoming and outgoing traffic looking for signs that some destination is in trouble
• Reduce traffic to that destination
• Separate attacking from normal flows
• Shut down attacking machines

Approach Overview [animated network diagram, five slides: routers and hosts labelled A through J; no further text recoverable]

Approach Overview
• For every destination address the router keeps lightweight statistics (number of packets/bytes, timing).
• The statistics are used along with built-in models to characterize "normal" traffic.

Approach Overview
• Router periodically matches the model with current packet statistics: Discrepancy > threshold → router throttles all traffic to that destination and extends monitoring to separate good from bad flows.

Approach Overview
• Attacking flows should stand out from legitimate flows by the number and frequency of packets in them.
• Once attacking flows are identified, measures can be taken to track and shut down the attacking machines.
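The per-destination monitoring, throttling and flow separation sketched in the slides above, as an added Python example (not the authors' implementation): the "packet ratio" is packets forwarded to a destination divided by packets received back from it, the quantity the later plots show. The threshold, throttle fraction, addresses and packet counts are all assumed sample values.

```python
from collections import defaultdict

# Constructed "normal traffic" model (assumed values, not from the slides): a
# destination's packet ratio (packets sent to it / packets received from it)
# above RATIO_THRESHOLD within one observation window counts as a discrepancy.
RATIO_THRESHOLD = 3.0
THROTTLE_FRACTION = 0.1  # assumed: a throttled destination keeps 10% of its rate

class SourceRouterMonitor:
    def __init__(self):
        self.to_dst = defaultdict(int)    # dst -> packets forwarded to dst
        self.from_dst = defaultdict(int)  # dst -> packets received from dst
        self.flow_out = defaultdict(int)  # (local src, dst) -> outgoing packets
        self.flow_in = defaultdict(int)   # (local src, dst) -> packets back to src

    def outbound(self, src, dst, count=1):
        self.to_dst[dst] += count
        self.flow_out[(src, dst)] += count

    def inbound(self, dst, src, count=1):  # external dst replies to local src
        self.from_dst[dst] += count
        self.flow_in[(src, dst)] += count

    def packet_ratio(self, dst):
        return self.to_dst[dst] / max(1, self.from_dst[dst])

    def suspicious_destinations(self):  # ratio deviates from the normal model
        return sorted(d for d in self.to_dst if self.packet_ratio(d) > RATIO_THRESHOLD)

    def throttle_budget(self, dst):  # outgoing packets still allowed per window
        return int(self.to_dst[dst] * THROTTLE_FRACTION)

    def classify_flows(self, dst, min_packets=20):
        """Split flows to dst: high-volume flows that get no replies are attacking."""
        attacking, legit = [], []
        for (src, d), out in self.flow_out.items():
            if d == dst:
                unanswered = out / max(1, self.flow_in[(src, d)]) > RATIO_THRESHOLD
                (attacking if out >= min_packets and unanswered else legit).append(src)
        return sorted(attacking), sorted(legit)

def build_sample_monitor():
    """Constructed traffic window: one normal destination, one under a one-way flood."""
    m = SourceRouterMonitor()
    m.outbound("10.0.0.5", "203.0.113.9", 40); m.inbound("203.0.113.9", "10.0.0.5", 38)
    m.outbound("10.0.0.5", "198.51.100.7", 30); m.inbound("198.51.100.7", "10.0.0.5", 28)
    m.outbound("10.0.0.20", "198.51.100.7", 200)  # flood sources get no replies back
    m.outbound("10.0.0.21", "198.51.100.7", 250)
    return m
```

In the sample window the flooded destination shows a ratio of about 17 while the normal one stays near 1, so only the former is throttled, and the per-flow check keeps the legitimate host's flow while singling out the two unanswered high-volume sources.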

Related Work - MULTOPS
• Yes, it is similar to MULTOPS, but:
• It is located on the source side only
• Traffic models do not rely only on packet ratio
• Discovery of attacking machines
• Can be pushed further in the network

[Plots of packet ratio against time, six slides:
Stable Packet Ratio in Mixed Traffic
Stable Packet Ratio in TCP Traffic
Stable Packet Ratio in UDP Traffic (two slides)
Variable Packet Ratio in Mixed Traffic
Variable Packet Ratio in Attack Traffic (curves labelled FTP, DDoS and DDoS + FTP)]

Challenges
• Router performance.
• Why would an ISP implement this?
• False positives.
• Multicast traffic is usually unidirectional.
• Asymmetric routes.
• Throttling and the TCP congestion control mechanism.
• Traffic patterns in the Internet change drastically over time.

For More Info...