1 Enterprise Networks under Stress. 2 = 60% growth/year Vern Paxson, ICIR, “Measuring Adversaries”

Slides:



Advertisements
Similar presentations
New Directions in Enterprise Network Management Aditya Akella University of Wisconsin, Madison MSR Networking Summit June 2006.
Advertisements

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 © 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID Next Generation Network Architectures Summary John.
Logically Centralized Control Class 2. Types of Networks ISP Networks – Entity only owns the switches – Throughput: 100GB-10TB – Heterogeneous devices:
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: EIGRP Advanced Configurations and Troubleshooting Scaling.
Traffic Shaping Why traffic shaping? Isochronous shaping
Innosoft international inc. Ó 1999 Innosoft International, Inc. Using LDAPv3 for Directory-Enabled Applications & Networking Greg Lavender Director of.
G. Alonso, D. Kossmann Systems Group
Multi-Layer Switching Layers 1, 2, and 3. Cisco Hierarchical Model Access Layer –Workgroup –Access layer aggregation and L3/L4 services Distribution Layer.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
1 Quality of Service vs. Any Service at All 10th IEEE/IFIP Conference on Network Operations and Management Systems (NOMS 2006) Vancouver, BC, Canada April.
An Annotation Layer for Network Management George Porter, Arne Baste, David Chu, Dilip Joseph Randy H. Katz NetRads Retreat - June 2005.
High speed links, distributed services, can’t modify routers  Lack of visibility But, need for more visibility and control  Increased number and complexity.
Blue Coat Systems Securing and accelerating the Remote office Matt Bennett.
1 Improving the Performance of Distributed Applications Using Active Networks Mohamed M. Hefeeda 4/28/1999.
SANE: A Protection Architecture for Enterprise Networks Offense by: Amit Mondal Bert Gonzalez.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Web Caching Schemes1 A Survey of Web Caching Schemes for the Internet Jia Wang.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
1 NSF DRAFT PROPOSAL Protecting Networks with COPS: Making Networks More Robust by Checking, Observing, and Protecting Services Randy H. Katz, Scott Shenker,
1 Action Breakout Session Anil, AP, Nina Bhatti, Charles Berdnall, Joe Hellerstein, Wei Hu, Anthony Joseph, Randy Katz, Li, Machi Mukund Kimmo Raatikanen,
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
1 Protecting Networks with COPS: Making Networks More Robust by Checking, Observing, and Protecting Services Randy H. Katz, Scott Shenker, Ion Stoica Computer.
NetFlow Analyzer Drilldown to the root-QoS Product Overview.
1 Quality of Service vs. Any Service at All IWQoS 2005 Passau Germany Randy H. Katz Computer Science Division Electrical Engineering and Computer Science.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Lecture 15 Denial of Service Attacks
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
OpenFlow Switch Limitations. Background: Current Applications Traffic Engineering application (performance) – Fine grained rules and short time scales.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Presentation Title Subtitle Author Copyright © 2002 OPNET Technologies, Inc. TM Introduction to IP and Routing.
CISCO NETWORKING ACADEMY Chabot College ELEC IP Routing Protocol Highlights.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
1 Controlling IP Spoofing via Inter-Domain Packet Filters Zhenhai Duan Department of Computer Science Florida State University.
ESubnet Enterprises Inc. Richard Danielli, eSubnet Higher sales volumes through high network availability INTIX 2010.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Identifying Application Impacts on Network Design Designing and Supporting Computer.
Denial-of-Service Attacks Justin Steele Definition “A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate.
1 CHAPTER 3 CLASSES OF ATTACK. 2 Denial of Service (DoS) Takes place when availability to resource is intentionally blocked or degraded Takes place when.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies
Interdomain Routing Security. How Secure are BGP Security Protocols? Some strange assumptions? – Focused on attracting traffic from as many Ases as possible.
© 2004 AARNet Pty Ltd Measurement in aarnet3 4 July 2004.
Group 8 Distributed Denial of Service. DoS SYN Flood DDoS Proposed Algorithm Group 8 What is Denial of Service? “Attack in which the primary goal is to.
CINBAD CERN/HP ProCurve Joint Project on Networking 26 May 2009 Ryszard Erazm Jurga - CERN Milosz Marian Hulboj - CERN.
Networking Fundamentals. Basics Network – collection of nodes and links that cooperate for communication Nodes – computer systems –Internal (routers,
Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.
1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.
Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.
McLean HIGHER COMPUTER NETWORKING Lesson 13 Denial of Service Attacks Description of the denial of service attack: effect: disruption or denial of.
Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.
Denial of Service DoS attacks try to deny legimate users access to services, networks, systems or to other resources. There are DoS tools available, thus.
Operations and Maintenance Next Generation Requirements draft-amante-oam-ng-requirements-01 Shane Amante Alia Atlas Andrew Lange Danny McPherson March.
Firewalls. Intro to Firewalls Basically a firewall is a barrier to keep destructive forces away from your computer network.
Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley.
ITU ccTLD Workshop March 3, 2003 A Survey of ccTLD DNS Vulnerabilities.
Large Scale Sharing Marco F. Duarte COMP 520: Distributed Systems September 19, 2004.
Denial of Convenience Attack to Smartphones Using a Fake Wi-Fi Access Point Erich Dondyk, Cliff C. Zou University of Central Florida.
Denial-of-Service Attacks
Distributed Network Monitoring in the Wisconsin Advanced Internet Lab Paul Barford Computer Science Department University of Wisconsin – Madison Spring,
Central Management of 300 Firewalls and Access-Lists Fabian Mauchle TNC 2012 Reykjavík, 21-May-2012.
Action Breakout Session
ETHANE: TAKING CONTROL OF THE ENTERPRISE
Instructor Materials Chapter 10: OSPF Tuning and Troubleshooting
Presentation transcript:

1 Enterprise Networks under Stress

2 = 60% growth/year Vern Paxson, ICIR, “Measuring Adversaries”

3 = 596% growth/year Vern Paxson, ICIR, “Measuring Adversaries” “Background” Radiation -- Dominates traffic in many of today’s networks

4 Some Observations Internet reasonably robust to point problems like link and router failures (“fail stop”) Successfully operates under a wide range of loading conditions and over diverse technologies During 9/11/01, Internet worked well, under heavy traffic conditions and with some major facilities failures in Lower Manhattan

5 The Problem Networks awash in illegitimate traffic: port scans, propagating worms, p2p file swapping –Legitimate traffic starved for bandwidth –Essential network services (e.g., DNS, NFS) compromised Needed: better network management of services/applications to achieve good performance and resilience even in the face of network stress –Self-aware network environment –Observing and responding to traffic changes –While sustaining the ability to control the network

6 From the Frontlines Berkeley Campus Network –Unanticipated traffic surges render the network unmanageable (and may cause routers to fail) –Denial of service attacks, latest worm, or the newest file sharing protocol largely indistinguishable –In-band control channel is starved, making it difficult to manage and recover the network Berkeley EECS Department Network (12/04) –Suspected denial-of-service attack against DNS –Poorly implemented/configured spam appliance adds to DNS overload –Traffic surges render it impossible to access Web or mount file systems Network problems contribute to brittleness of distributed systems

7 Why and How Networks Fail Complex phenomenology of failure Traffic surges break enterprise networks “Unexpected” traffic as deadly as high net utilization –Cisco Express Forwarding: random IP addresses --> flood route cache --> force traffic thru slow path --> high CPU utilization --> dropped router table updates –Route Summarization: powerful misconfigured peer overwhelms weaker peer with too many router table entries –SNMP DoS attack: overwhelm SNMP ports on routers –DNS attack: response-response loops in DNS queries generate traffic overload

8 Technology Trends Integration of servers, storage, switching, and routing –Blade Servers, Stateful Routers, Inspection-and-Action Boxes (iBoxes) Packet flow manipulations at L4-L7 –Inspection/segregation/accounting of traffic –Packet marking/annotating Building blocks for network protection –Pervasive observation and statistics collection –Analysis, model extraction, statistical correlation and causality testing –Actions for load balancing and traffic shaping Load Balancing Traffic Shaping

9 R R Distribution Tier E E E S S I R IAIA E Internet Edge Access Edge Server Edge Spam Appliance Primary & Secondary DNS Servers ISIS S Mail Server S Scenario: Traffic Surge Inhibiting Network Services DNS Server swamped by excessive request traffic –Observe: DNS time outs, Web access traffic slowed, but also higher than normal mail delivery latency implying busy server edge (correlation between Mail Server and DNS Server utilization?) –Root Cause: High DNS request rates generated by Spam Appliance triggered by mail surge

10 Scenario Continued How Diagnosed? –I-S detects high link utilization but abnormally high DNS traffic –Stats from I-I: high mail traffic, low outgoing web traffic, in traffic high but link utilization not high –Stats from I-A: lower web traffic, no unusual mail origination –Problem localized to Server edge, but visibility limited R R Distribution Tier E E E S S I R IAIA E Internet Edge Access Edge Server Edge Spam Appliance Primary & Secondary DNS Servers ISIS S Mail Server S

11 Scenario Continued Possible Action Responses –Experiment: Redirect local DNS requests to Secondary DNS server: if these complete, can infer the server is the problem, not the network –Throttle: Due to MS-DNS correlation, block/slow traffic at Server Edge: should expect reduced DNS server utilization R R Distribution Tier E E E S S I R IAIA E Internet Edge Access Edge Server Edge Spam Appliance Primary & Secondary DNS Servers ISIS S Mail Server S

12 Internet Edge PC Access Edge MS FS Spam Filter DNS Server Edge Scenario Distribution Tier

13 Observed Operational Problems User visible services: –NFS mount operations time out –Web access also fails intermittently due to time outs Failure causes: –Independent or correlated failures? –Problem in access, server, or Internet edge? –File server failure? –Internet denial of service attack?

14 Network Dashboard b/w consumed time Gentle rise in ingress b/w FS CPU utilization time No unusual pattern MS CPU utilization time Mail traffic growing DNS CPU utilization time Unusual step jump/ DNS xact rates Access Edge b/w consumed time Decline in access edge b/w In Web Out Web

15 Network Dashboard b/w consumed time FS CPU utilization time MS CPU utilization time DNS CPU utilization time Access Edge b/w consumed time Gentle rise in ingress b/w No unusual pattern Mail traffic growing Unusual step jump/ DNS xact rates Decline in access edge b/w In Web Out Web CERT Advisory! DNS Attack!

16 Observed Correlations Mail traffic up MS CPU utilization up –Service time up, service load up, service queue longer, latency longer DNS CPU utilization up –Service time up, request rate up, latency up Access edge b/w down Causality no surprise! How does mail traffic cause DNS load?

17 Run Experiment Shape Mail Traffic MS CPU utilization time Mail traffic limited DNS CPU utilization time DNS down Access Edge b/w consumed time Access edge b/w returns Root cause:  Spam appliance --> DNS lookups to verify sender domains;  Spam attack hammers internal DNS, degrading other services: NFS, Web In Web Out Web

18 Policies and Actions Restore the Network Shape mail traffic –Mail delay acceptable to users? –Can’t do this forever unless mail is filtered at the Internet edge Load balance DNS services –Increase resources faster than incoming mail rate –Actually done: dedicated DNS server for Spam appliance Other actions? Traffic priority, QoS knobs

19 Analysis Root causes difficult to diagnose –Transitive and hidden causes Key is pervasive observation –iBoxes provide the needed infrastructure –Observations to identify correlations –Perform active experiments to “suggest” causality

20 Many Challenges Policy specification: how to express? Service Level Objectives? Experimental plan –Distributed vs. centralized development –Controlling the experiments … when the network is stressed –Sequencing matters, to reveal “hidden” causes Active experiments –Making things worse before they get better –Stability, convergence issues Actions –Beyond shaping of classified flows, load balancing, server scaling?

21 Implications for Network Operations and Management Processing-in-the-Network is real Enables pervasive monitoring and actions Statistical models to discover correlations and to detect anomalies Automated experiments to reveal causality Policies drive actions to reduce network stress

22 Datacenter Networks

23 Networks Under Stress

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.