Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.

Most approaches to DoS prevention involve the middle. Is a pure E2E approach possible, partially or exclusively? A packet recipient can tell a packet sender to stop sending or slow down.

Yes, with some caveats: it requires that the majority of end hosts don't opt out, and it only applies to botnet-based attacks. We call it the Shutup Protocol.

This is not just an interesting academic exercise: a small number of OS vendors could achieve broad deployment quickly, unlike ISPs (although we don't see a good business model for them).

We're not the first. Marianne Shaw suggested the basic idea of pure E2E DoS prevention on the basis of cooperative hosts (SRUTI 2006). Katerina Argyraki and Cheriton suggest a trust-but-verify approach, where the middle can punish the end host (USENIX 2005). Dave Andersen et al. propose AIP: E2E DoS control, but clean slate, and requiring address spoofing enforcement in the network.

This works as long as all these messages are received, and third parties don't insert additional messages.

Spoofed source addresses: if the initiator spoofs its source address, the shutup request goes somewhere else.

The solution exploits the notion of return reachability. It's hard to authenticate the address assignment process, since a host can always assign its own address. Instead, the SM interprets the existence of a received packet as evidence that the address is legitimate. This needs protection against a collaborator on the same LAN sending packets with a bogus destination address.

Packets are rate-limited until the source address is validated. An address is validated by one received packet, but only for the MAC address of that packet's sender, which is normally the MAC of the router. The SM prevents MAC address spoofing.

A local colluder with a disabled SM allows spoofed source addresses by spoofing the MAC of the router. Our assumption is that such colluding opportunities are rare: it's hard to build a big botnet this way.
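The return-reachability check from the last three slides, written out as an added example (not the authors' code): a source address stays rate-limited until a packet for it arrives, and the validation is recorded per (address, sender MAC) so that a LAN colluder's packets only validate an address toward the colluder, not toward the router. The token-bucket rate limit, the packet rates and the MAC/IP values are constructed assumptions; "SM" is taken to be the sender-side shutup module.

```python
import time

UNVALIDATED_PPS = 5   # packets/s allowed from a not-yet-validated source address (constructed)
BURST = 5             # token-bucket depth for unvalidated addresses (constructed)

class AddressValidator:
    """Sender-side SM logic: rate-limit packets carrying a source address until return
    reachability is shown, i.e. until a packet for that address has arrived from the
    next-hop MAC the outgoing packets will use (normally the router's MAC)."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.validated = set()   # (ip, mac): ip has been seen as the destination of a packet from mac
        self.buckets = {}        # ip -> (tokens, last_refill_time)

    def inbound(self, src_mac, dst_ip):
        """A packet for dst_ip arrived from src_mac: evidence that dst_ip is legit, but only
        for traffic exchanged with that MAC, so a LAN colluder can only validate toward itself."""
        self.validated.add((dst_ip, src_mac))

    def outbound(self, src_ip, next_hop_mac):
        """Return True if a packet with source src_ip may be sent to next_hop_mac now."""
        if (src_ip, next_hop_mac) in self.validated:
            return True
        # Unvalidated: one token per packet, refilled at UNVALIDATED_PPS up to BURST.
        now = self.clock()
        tokens, last = self.buckets.get(src_ip, (BURST, now))
        tokens = min(BURST, tokens + (now - last) * UNVALIDATED_PPS)
        if tokens < 1:
            self.buckets[src_ip] = (tokens, now)
            return False
        self.buckets[src_ip] = (tokens - 1, now)
        return True
```

A spoofed source address never sees a return packet, so it never leaves the rate-limited state.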

Shutup request blocked by firewall: we initially thought we'd have to transmit the shutup request inline with the 5-tuple flow, but using ICMP with the associated 5-tuple in the payload works well. The firewall interprets it as a legitimate ICMP message (which it is!).

Third party inserts a bogus shutup: the initiator's SM only accepts a Shutup message for a recently sent flow packet. If the third party is not on the path, it is hard to guess the response Nonce_I; an eavesdropping third party can disrupt the flow anyway (TCP RST, etc.).

Heavy forward volume prevents the challenge from getting through: initially the SM allows a heavy flow, but later (5 to 10 seconds) slows the flow down if the recipient doesn't explicitly authorize the higher rate. Authorization is via a throttle request handshake; this is effectively a capability.

Actually, we allow full rate for a while as long as any packet is received from the recipient. What about legacy recipients? They cannot send an explicit throttle, but we use random-ish port numbers, TCP sequence numbers, etc. to try to authenticate received packets. Yeah, this is a bit lame; recipients that want protection should deploy shutup.
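The sender-side checks from the bogus-shutup and heavy-forward-volume slides, as one added example (not the authors' code): a shutup carried in ICMP (5-tuple plus Nonce_I in the payload) is honoured only for a recently sent flow whose nonce matches, and a flow runs at full rate for a fixed window, after which it is slowed unless the recipient's throttle handshake authorized the rate. The module name, the 30 s recency window, the packet rates and the clock injection are constructed assumptions; the legacy-recipient relaxation ("any packet received") is not modelled.

```python
import secrets, time

THROTTLE_AFTER = 10.0   # seconds a heavy flow runs before the SM slows it (slides: 5 to 10 s)
RECENT_WINDOW = 30.0    # assumption: how long after the last sent packet a shutup is still honoured
FULL_RATE, SLOW_RATE = 1000, 10   # packets/s, constructed values

class ShutupModule:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.flows = {}   # 5-tuple (src, sport, dst, dport, proto) -> per-flow state

    def send(self, five_tuple):
        """Per outgoing packet: returns the allowed rate, or None if the flow was shut up."""
        now = self.clock()
        flow = self.flows.setdefault(five_tuple, {
            "nonce": secrets.token_bytes(8),   # Nonce_I, carried in the flow's packets
            "first": now, "authorized": False, "shutup": False})
        flow["last"] = now
        if flow["shutup"]:
            return None
        # Heavy sending is allowed at first; after THROTTLE_AFTER the flow is slowed
        # unless the recipient explicitly authorized the rate (capability-like).
        if flow["authorized"] or now - flow["first"] < THROTTLE_AFTER:
            return FULL_RATE
        return SLOW_RATE

    def _recent_flow(self, five_tuple, nonce):
        flow = self.flows.get(five_tuple)
        if flow is None or self.clock() - flow["last"] > RECENT_WINDOW:
            return None   # no recently sent packet for this 5-tuple: ignore the message
        if not secrets.compare_digest(nonce, flow["nonce"]):
            return None   # an off-path third party cannot guess Nonce_I
        return flow

    def recv_shutup(self, five_tuple, nonce):
        """ICMP-carried shutup: 5-tuple and Nonce_I come from its payload. True if honoured."""
        flow = self._recent_flow(five_tuple, nonce)
        if flow is None:
            return False
        flow["shutup"] = True
        return True

    def recv_throttle_ok(self, five_tuple, nonce):
        """Recipient's reply in the throttle request handshake, authorizing the full rate."""
        flow = self._recent_flow(five_tuple, nonce)
        if flow is None:
            return False
        flow["authorized"] = True
        return True
```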

ns2 simulated attack: attack BW = 240x the bottleneck, 2500 attackers, throttle time = 10 s, throttle aggregate BW > bottleneck. Attack starts: most challenges are dropped. Attackers start to self-throttle: the bottleneck is still saturated, but more challenges get through. Number of shutup'd attackers drops quickly.

What about other unwanted traffic? We experimented with having the SM try to detect scanning attacks, characterized as a large proportion of shutups from many recipients. The tricky part is applications that expect a number of failures, as well as black-holed spam error messages. Some promising results, but....

The Case for Network Witnesses, Feng and Schluessler.