Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds. Srikanth Kandula, Dina Katabi, Matthias Jacob, and Arthur Berger. Awarded Best Student Paper (NSDI 2005).


Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds Srikanth Kandula, Dina Katabi, Matthias Jacob, and Arthur Berger Awarded Best Student Paper! (NSDI-2005) Defense by Manan Sanghi

Flash Crowd

DDOS

Botz-4-Sale request

Botz-4-Sale Reverse Turing test

Botz-4-Sale Solution

Botz-4-Sale Welcome! HTTP cookie: allows at most 8 simultaneous connections; valid for 30 minutes

Botz-4-Sale request

Botz-4-Sale Reverse Turing test

Botz-4-Sale request

Botz-4-Sale System is busy: either solve the puzzle or try later

Botz-4-Sale request

Botz-4-Sale Reverse Turing test

Botz-4-Sale request

Botz-4-Sale System is busy: either solve the puzzle or try later

Botz-4-Sale Request …

Botz-4-Sale

Kill-Bots Overview: graphical puzzles served during Stage 1

Example: normal load 40%, K1 = 70%, K2 = 50%, timeout of 5 minutes for unauthenticated users

Two stages in Suspected Attack Mode
Stage 1: CAPTCHA-based authentication
- No state maintenance before authentication
- HTTP cookie
- Cryptographic support
Stage 2: Authenticating users who do not answer the CAPTCHA
- No more reverse Turing tests
- Bloom filters to filter out over-zealous zombies

Resource Allocation and Admission Control
Tradeoff:
- Authenticate new clients
- Serve already authenticated clients

Adaptive Admission Control: a cute queuing-theory-style analysis

Security Analysis
- Socially-engineered attacks
- Copy attacks: including the IP address in the one-way hash; this does not deal well with proxies and mobile users
- Replay attacks: time information in the cookie hash
- DoS attacks on the authentication mechanism: no connection state for unauthenticated clients
- In-kernel HTTP header processing: HTTP headers are not parsed; pattern match on the arguments of the GET and Cookie fields; cost less than 8 µs
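As an added example (not code from the paper or its authors), here is a stateless authentication cookie of the kind the Welcome and Security Analysis slides describe: the client IP address and issue time are bound into a keyed one-way hash, the cookie is valid for 30 minutes, and an authenticated client gets at most 8 simultaneous connections. The secret key and IP addresses are constructed values; the MAC construction (HMAC-SHA256) is an assumption, not the paper's exact cryptographic choice.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-server-secret"  # constructed; a deployment would use a random key
VALIDITY_SECONDS = 30 * 60             # cookie valid for 30 minutes
MAX_CONCURRENT = 8                     # at most 8 simultaneous connections per cookie
TAG_LEN = 16

def issue_cookie(client_ip: str, now: int) -> str:
    """Issued once the client answers the CAPTCHA; the server stores nothing.
    Binding the IP and issue time into the MAC defeats copying the cookie to
    another host and replaying it after it expires (at the cost of breaking
    clients behind proxies or changing address, as the slide notes)."""
    payload = f"{client_ip}|{now}".encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(payload + tag).decode()

def verify_cookie(cookie: str, client_ip: str, now: int) -> bool:
    """Stateless check: recompute the MAC, then enforce IP binding and expiry."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        ip, ts = payload.decode().split("|")
        issued = int(ts)
    except (ValueError, UnicodeDecodeError):
        return False                                   # malformed cookie
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return False                                   # forged or tampered
    if ip != client_ip:
        return False                                   # copy attack from another address
    return 0 <= now - issued <= VALIDITY_SECONDS       # replay after expiry

class ConnectionLimiter:
    """Per-cookie cap on simultaneous connections; state exists only for
    clients that already hold a valid cookie."""
    def __init__(self):
        self.active = {}
    def admit(self, cookie: str) -> bool:
        n = self.active.get(cookie, 0)
        if n >= MAX_CONCURRENT:
            return False
        self.active[cookie] = n + 1
        return True
    def release(self, cookie: str) -> None:
        if self.active.get(cookie, 0) > 0:
            self.active[cookie] -= 1
```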

System Architecture

Evaluation – Experimental Setup

Evaluation

Evaluation - Microbenchmarks

Evaluation- CyberSlam attacks

Evaluation – Flash Crowds

On Admission Control: authentication is not sufficient; good performance requires admission control

Threat Model
- Bandwidth floods, DNS entries, and routing entries are not considered
- Attacker cannot sniff legitimate users' packets
- Attacker cannot access the server's local network
- Zombies are not as smart as humans
- Attacker does not have a large number of humans aiding his evil plans