Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004.

Presentation transcript:

Why DDoS is hard to prevent
Internet
– Limited resources
– Security highly interdependent

ISP?
"The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them?"
by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004

Defenses
IP spoofing
– Egress filtering
– Keep routing state for each packet
– New type of control message (ICMP)
– Embed traceback information into IP header
Bandwidth flooding
– Use Overlay Networks to debug input
– Push back to preserve bandwidth
– Equip your host with gobs of bandwidth and the appliances can mitigate the effect

Problem Statement
Use IP traceback to defend against IP spoofing
– Packets that share a routing path with the attacker's packets will be dropped
Challenges
– The average Internet routing path length is around 15, so reconstructing the path will take 60 bytes
– Where to put the traceback information?

Pi Overview
Model the Internet as a binary tree rooted at the victim node
Each router marks 0 or 1 in the IP Identification field based on past path information

IP Header
Identification field (16 bits)
– IP Identification is only used for fragmentation, which constitutes less than 0.25% of the packets in the Internet

Pi Marking - Basic Marking Scheme
Marking Scheme
– Each router marks n bits into the IP Identification field
Marking Location
– TTL (mod 16/n) indexes the location in the field to mark
Marking Function
– Last n bits of a hash (e.g. MD5) of the router IP address
The following slides are adapted from Abraham Yaar's Oakland 2003 slides

Pi Marking - Example

Pi Marking Scheme - TTL Attack
[Figure labels: Final TTL Pointer]
Problem
– Attacker shifts markings by modifying the initial TTL
Note - marking bits and order haven't changed, just the location in the marking field
Solution
– Victim uses the final TTL to justify packet contents using bit rotation

Pi Marking - IP Fragmentation
Problem
– Marking values in the IP Identification field breaks fragmentation
Solution
– Don't mark packets that may ever get fragmented, or are fragments themselves
– During a DDoS attack, drop packets not satisfying this predicate

Pi Filtering – Basic Scheme
Basic Scheme
– Drop all packets with Pi marks matching that of any attack packets
Assumption
– Victim can identify attack packets
Implementation Overhead
– Memory: bit vector of length 2^16 (8 kB)
    if (BitVec[PiMark] == 0) then accept() else drop();
– Computation: O(1) per packet
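The marking, TTL rotation and basic filter from the slides above, simulated end to end. This is an added example, not code from the presentation or from the Pi authors. It assumes n = 2, that each router marks before decrementing the TTL, and a constructed nine-router path; the function and class names are hypothetical.

```python
import hashlib

N_BITS = 2                    # n, bits written per router (assumed value)
SLOTS = 16 // N_BITS          # 16/n sections in the IP Identification field
MASK = (1 << N_BITS) - 1

def router_mark(router_ip):
    """Last n bits of the MD5 hash of the router's IP address."""
    return hashlib.md5(router_ip.encode()).digest()[-1] & MASK

def traverse(path, ttl, ident):
    """Each router writes its mark at slot TTL mod (16/n), then decrements TTL."""
    for ip in path:
        shift = (ttl % SLOTS) * N_BITS
        ident = (ident & ~(MASK << shift) & 0xFFFF) | (router_mark(ip) << shift)
        ttl -= 1
    return ident, ttl

def normalize(ident, final_ttl):
    """Victim side: rotate so the last router's mark always lands in slot 0."""
    k = ((final_ttl + 1) % SLOTS) * N_BITS
    return ((ident >> k) | (ident << (16 - k))) & 0xFFFF

class PiFilter:
    """Bit vector of 2^16 entries (8 kB): a set bit means 'seen on an attack packet'."""
    def __init__(self):
        self.bits = bytearray((1 << 16) // 8)
    def flag(self, mark):
        self.bits[mark >> 3] |= 1 << (mark & 7)
    def accept(self, mark):
        return not (self.bits[mark >> 3] >> (mark & 7)) & 1

# Constructed path of 9 routers (documentation address range), sender -> victim.
ATTACK_PATH = [f"192.0.2.{i}" for i in range(1, 10)]

def demo():
    pi = PiFilter()
    # Victim flags one identified attack packet (initial TTL 64, ID field 0).
    pi.flag(normalize(*traverse(ATTACK_PATH, 64, 0x0000)))
    # Same path, but the sender shifts the initial TTL and pre-fills the ID field.
    raw, ttl = traverse(ATTACK_PATH, 61, 0xBEEF)
    return pi.accept(normalize(raw, ttl)), len(pi.bits)

if __name__ == "__main__":
    print(demo())
```

In this model the normalized mark is independent of the sender's initial TTL and ID value only when the path contains at least 16/n marking routers, which is why the constructed path has nine hops.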

Pi Filtering - Thresholds
Problem
– Single attacker causes multiple users' rejections
Solution
– Assume, for a particular Pi mark, i:
    a_i = number of attack packets
    u_i = number of legitimate users' packets
– Victim chooses threshold, t, such that if: then all packets with Pi mark i are dropped

Experiment Results – Basic Filter
DDoS protection
– Accepted: 60% of user traffic, 17% attacker traffic
Downward slope due to "marking saturation"
– All markings flagged as attacker

Experiment Results – Threshold Filter
Thresholds Work!
– Victim increases false positives to decrease false negatives
Greater attack traffic requires greater threshold values

Comments
Review of the goal
– The same routing path yields the same marking
– Different routing paths have little probability of overlapping
Question
– Why bother using rotated marking instead of a simple hash function?

DDoS Attacks
IP spoofing
Bandwidth flooding
Back to Zhanxiang