Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT.

Presentation transcript:

Protecting Web Servers from Content Request Floods Srikanth Kandula ▪ Shantanu Sinha ▪ Dina Katabi ▪ Matthias Jacob CSAIL –MIT

The Attack
GET LargeFile.zip
DO LongDBQuery
Hard to detect or counter because malicious requests look normal!
Want to protect DB and disk bandwidth, socket buffers, processes, ...

A Fairness Problem
[Diagram: humans and machines pass through a user filter to reach the server resources]
Problem – Each machine gets an equal share of server resources
Solution – Ensure that each human gets an equal share

Establishing Fairness
Use a Reverse Turing Test
[Mock-up: "Suspected attack! To access enter the above letters:"]

Establishing Fairness
Use a Reverse Turing Test
[Mock-up: "Suspected attack! To access enter the above letters:" with a "Give Me" button]
Existing solutions: "Under attack. Come back later."
Our solution: "Under attack. Come back later. BTW, you can solve the test to access now."

2 Modes
Normal and Under Attack
Common case: server behavior unchanged

Solution Overview
Message flow between client and server:
- Client: SYN
- Server: SYNACK carrying a SYN cookie; the SYN is otherwise ignored (no state kept)
- Client: ACK, then the HTTP request
- Server: verify the SYN cookie; if the client has not answered a test, send the test and a TCP RST
- No connection until the test is answered; the server software itself is unchanged
Other characteristics:
- One test per session
- Tests generated offline
- Test expires
- Replay attacks are harmless
- Each answer grants up to 4 TCP connections
- Can't attack by duplicating answers

Solution Overview – today's server (vulnerable to SYN floods)
[Diagram columns: Client, Server N/W Stack, App Server]
- Client: SYN
- N/W Stack: enters SYN RECV state, replies SYNACK
- Client: ACK; connection established
- Client: HTTP Request, passed to the App Server
- App Server: HTTP Response

Solution Overview – common case (with SYN cookie)
[Diagram columns: Client, Server N/W Stack, App Server]
- Client: SYN
- N/W Stack: create cookie, reply SYNACK, otherwise ignore the SYN
- Client: ACK, then HTTP Request
- N/W Stack: verify cookie, establish connection, pass request to the App Server
- App Server: HTTP Response

Solution Overview – under attack, client has no answer
- Client: SYN
- N/W Stack: create cookie, reply SYNACK, otherwise ignore the SYN
- Client: ACK, then HTTP Request
- N/W Stack: verify cookie, send out a test from memory, then RST

Solution Overview – under attack, client sends a test answer
[Diagram columns: Client, Server N/W Stack, App Server]
- Client: SYN
- N/W Stack: create cookie, reply SYNACK, otherwise ignore the SYN
- Client: ACK, then the test answer
- N/W Stack: verify cookie & answer; grant access if the answer is correct
- App Server: HTTP Response
Tests are generated offline

Solution Overview
Server behavior unchanged (common case)
- Create session after a correct answer
- Up to 4 TCP connections per answer
- One test per browsing session
- Tests generated offline
[Diagrams: under attack, a request without an answer gets the test and a RST; a request carrying an answer has cookie & answer verified and then receives the HTTP Response]
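The handshake in the Solution Overview slides, as an added Python model that is not the authors' code: a stateless SYN-cookie check followed, in attack mode, by the test-or-answer decision with the expiry and the 4-connection budget the slides list. The cookie layout, the answer token format and the Cookie-header parse are assumptions; the real system does this in the kernel, before any connection exists.

```python
import hashlib, hmac

SECRET = b"constructed-server-secret"   # constructed sample key (assumption)
MAX_TCP_PER_ANSWER = 4                  # slide: each answer grants up to 4 TCPs
TEST_LIFETIME = 120                     # seconds until a test expires (assumed)

def _mac(*parts):
    msg = b"|".join(str(p).encode() for p in parts)
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def syn_cookie(ip, port, t):
    return _mac("syn", ip, port, t // 60)   # SYNACK seq no; nothing stored per SYN

def verify_cookie(ip, port, t, cookie):     # current and previous 60 s window
    return any(hmac.compare_digest(cookie, syn_cookie(ip, port, t - d)) for d in (0, 60))

def answer_cookie(request):                 # minimal "Cookie: answer=<token>" parse
    for line in request.split("\r\n"):
        if line.lower().startswith("cookie:") and "answer=" in line:
            return line.split("answer=", 1)[1].split(";")[0].strip()
    return None

class Server:
    def __init__(self, tests, under_attack=False):
        self.tests = dict(tests)            # test_id -> answer, generated offline
        self.under_attack = under_attack
        self.budget = {}                    # test_id -> TCP connections still allowed

    def issue_test(self, test_id, t):       # token sent with the image; signed issue time
        return f"{test_id}.{t}.{_mac('test', test_id, t)}"

    def on_ack(self, ip, port, t, cookie, request):
        if not verify_cookie(ip, port, t, cookie):
            return "ignore"                 # forged or stale ACK: drop it
        if not self.under_attack:
            return "connect"                # common case: server unchanged
        token = answer_cookie(request)
        if token and self._answer_ok(token, t):
            return "connect"                # correct answer: create session
        return "send-test+rst"              # serve a test from memory, then RST

    def _answer_ok(self, token, t):
        parts = token.split(".", 3)
        if len(parts) != 4 or not parts[1].isdigit():
            return False
        test_id, issued, mac, answer = parts[0], int(parts[1]), parts[2], parts[3]
        if not hmac.compare_digest(mac, _mac("test", test_id, issued)):
            return False                    # tampered token
        if t - issued > TEST_LIFETIME or self.tests.get(test_id) != answer:
            return False                    # expired, or wrong answer
        left = self.budget.setdefault(test_id, MAX_TCP_PER_ANSWER)
        if left == 0:
            return False                    # duplicated answer: budget spent
        self.budget[test_id] = left - 1
        return True
```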

Extra – What If?
- User doesn't want to solve the test? "Under attack. Come back later." becomes "Under attack. Come back later. BTW, solve the test to access now."
- Attacker distributes a few answers to all worms? Each test allows access to limited resources

Extra – System Overhead
- None when there is no attack
- Under attack, per new-client overhead:
  - Two hashes
  - In-kernel HTTP header parse
  - Fetch two data packets from memory and transmit

Extra – Requirements
- Time constraints
- Harder resource constraints: even a TCP connection cannot be established before the test is answered
- Other: preserve TCP / HTTP semantics; maintain HTTP sessions; support caches and web farms
Yahoo/Hotmail method is not sufficient!

Extra – Fairness
- Problem – A single human attacker uses more server resources than a human user (DB query, large file)
- Insight – Each machine gets an equal share
- Solution – Each human user gets a fair share

Extra – Our Approach
- Reverse Turing Test to distinguish humans from machines
- Limits an attack to the number of human attackers
[Screenshot of the Yahoo image test, used by Yahoo to prevent hard disk space utilization]

Extra – The Attack
- Attacker spreads a worm
- Worm floods the server with requests for large files or database queries, consuming worker processes/threads, socket buffers, database and disk bandwidth
Hard to detect or counter because malicious requests look normal!

Extra – Better than
- Cryptographic client puzzles: computation power is cheap in DDoS attacks
- IP source filtering: AOL clients use the same IP address pool

Extra – Our Objective
- Build a practical system to mitigate these attacks
  - Unmodified clients
  - Unmodified server software
  - Deployable today

Establishing Fairness
Use a Reverse Turing Test
[Mock-up: "Suspected attack! To access enter the above letters:"]
Different from prior work:
- Crypto puzzles are easy since computation power is cheap
- Yahoo! only protects disk space during account creation
- We want to receive requests, deliver puzzles, validate answers before establishing a TCP connection

Establishing Fairness
Use a Reverse Turing Test
[Mock-up: "Suspected attack! To access enter the above letters:" with a "Give Me" button]
"Under attack. Come back later." versus "Under attack. Come back later. BTW, solve the test to access now."
Users who solve a test can access the server
Yahoo uses RTT to protect disk space
We receive requests, serve tests, validate answers before establishing a TCP connection