Slide 1/24 Denial of Service Elusion (DoSE): Keeping Clients Connected for Less Paul Wood, Christopher Gutierrez, Saurabh Bagchi School of Electrical and.

Slides:



Advertisements
Similar presentations
October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.
Advertisements

Slides mostly by Sherif Khattab 1 Denial-of-Service [Gligor, 84] ``A group of otherwise-authorized users of a specific service is said to deny service.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
Secure Lync mobile Authentication
Secure SharePoint mobile connectivity
The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.
Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Ao-Jan Su and Aleksandar Kuzmanovic Department of EECS Northwestern University Thinning Akamai USENIX/ACM SIGCOMM IMC ’08.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Chapter 11 Firewalls.
MIDDLEWARE SYSTEMS RESEARCH GROUP A Taxonomy for Denial of Service Attacks in Content-based Publish/Subscribe Systems Alex Wun, Alex Cheung, Hans-Arno.
Firewalls and Intrusion Detection Systems
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World
Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.
PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.
Communications in ISTORE Dan Hettena. Communication Goals Goals: Fault tolerance through redundancy Tolerate any single hardware failure High bandwidth.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Secure Overlay Services Adam Hathcock Information Assurance Lab Auburn University.
Jak zwiększyć bezpieczeństwo i wysoką dostępność aplikacji wg
Survey of Distributed Denial of Service Attacks and Popular Countermeasures Andrew Knotts, Kent State University Referenced from: Charalampos Patrikakis,Michalis.
3/30/2005 Auburn University Information Assurance Lab 1 Simulating Secure Overlay Services.
Authors: Thomas Ristenpart, et at.
N. GSU Slide 1 Chapter 04 Cloud Computing Systems N. Xiong Georgia State University.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Norman SecureSurf Protect your users when surfing the Internet.
VAP What is a Virtual Application ? A virtual application is an application that has been optimized to run on virtual infrastructure. The application software.
On the Design of Autonomic, Decentralized VPNs David Wolinsky, Kyungyong Lee, Oscar Boykin, and Renato Figueiredo ACIS P2P Group University of Florida.
1. SOS: Secure Overlay Service (+Mayday) A. D. Keromytis, V. Misra, D. Runbenstein Columbia University Presented by Yingfei Dong.
Networking Virtualization Using FPGAs Russell Tessier, Deepak Unnikrishnan, Dong Yin, and Lixin Gao Reconfigurable Computing Group Department of Electrical.
Achieving Better Reliability With Software Reliability Engineering Russel D’Souza Russel D’Souza.
Firewalls Paper By: Vandana Bhardwaj. What this paper covers? Why you need a firewall? What is firewall? How does a network firewall interact with OSI.
Passwords Breaches, Storage, Attacks OWASP AppSec USA 2013.
Enhancing the Security of Corporate Wi-Fi Networks using DAIR PRESENTED BY SRAVANI KAMBAM 1.
VoIP Security in Service Provider Environment Bogdan Materna Chief Technology Officer Yariba Systems.
Akamai Technologies - Overview RSA ® Conference 2013.
Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien Department of Computer Science and Engineering, University.
SOS: Security Overlay Service Angelos D. Keromytis, Vishal Misra, Daniel Rubenstein- Columbia University ACM SIGCOMM 2002 CONFERENCE, PITTSBURGH PA, AUG.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
SOS: Secure Overlay Services A.Keromytis, V. Misra, and D. Rubenstein Presented by Tsirbas Rafail.
Firewall Security.
SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938.
Denial of Service Sharmistha Roy Adversarial challenges in Web Based Services.
1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.
Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.
SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133.
Security in Cloud Computing Zac Douglass Chris Kahn.
Cloud Computing is a Nebulous Subject Or how I learned to love VDF on Amazon.
Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley.
Kona Security Solutions - Overview
Slammer Worm By : Varsha Gupta.P 08QR1A1216.
SOS: An Architecture For Mitigating DDoS Attacks Authors: Angelos D. Keromytis, Vishal Misra, Dan Rubenstein. Published: ACM SIGCOMM 2002 Presenter: Jerome.
Slide 1/20 Defending Against Strategic Adversaries in Dynamic Pricing Markets for Smart Grids Paul Wood, Saurabh Bagchi Purdue University
Cloud computing: IaaS. IaaS is the simplest cloud offerings. IaaS is the simplest cloud offerings. It is an evolution of virtual private server offerings.
#SummitNow Alfresco Deployments on AWS Cost-Effective, Scalable & Secure Michael Waldrop Director, Solutions Engineering .
Internet security for the home Paul Norton MEng(Hons) MIEE Electronic engineer working for Pascall Electronics Ltd. on the Isle of Wight A talk on Internet.
KEYNOTE OF THE FUTURE 3: DAVID BECKETT CSIT PhD Student QUEEN’S UNIVERSITY BELFAST.
Server Consolidation in Clouds through Gossiping Moreno MarzollaOzalp Babaoglu Fabio Panzieri Università di Bologna, Dip. di Scienze dell'Informazione.
Canaries in the Network
CIS 700-5: The Design and Implementation of Cloud Networks
Lab A: Planning an Installation
Network Security Analysis Name : Waleed Al-Rumaih ID :
AKAMAI INTELLIGENT PLATFORM™
Home Internet Vulnerabilities
IS 4506 Server Configuration (HTTP Server)
Presentation transcript:

Slide 1/24 Denial of Service Elusion (DoSE): Keeping Clients Connected for Less Paul Wood, Christopher Gutierrez, Saurabh Bagchi School of Electrical and Computer Engineering Department of Computer Science Purdue University Presentation available at: engineering.purdue.edu/dcsl

Slide 2/24 Outline Problem Motivation Prior Work DoSE Overview Experimental Results Conclusions

Slide 3/24 Denial of Service: The Lingering Threat Attacks almost impossible to stop at end users

Slide 4/24 Ease of Attack IP + Click

Slide 5/24 Attack and Defense Costs $2.99 for an attack Source: liquidweb.com/services/ddos.html $1800 for defense

Slide 6/24 Commercial Proxy Service Limitations HTTP/HTTPS Only (No TCP/UDP apps) Server IP leakage: During large attacks DMCA Complaints

Slide 7/24 Prior Work for DoS Protection: Overlay Networks Source: Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein SOS: secure overlay services. SIGCOMM Comput. Commun. Rev. 32, 4 (August 2002), Protection via Proxy/Relay Lacks entry point (SOAP) management, beacon management DoSE: Cloud-Based Relay Management

Slide 8/24 Prior Work: MOTAG Q. Jia, H. Wang, D. Fleck, F. Li, A. Stavrou, and W. Powell, “Catch me if you can: A cloud-enabled ddos defense,” in Dependable Systems and Networks (DSN), 2014 Subject to DDoS 1000 Replicas DoSE: Cost-Effective Replica Management

Slide 9/24 DoSE Goals Cost-Conscious Defense –Repel DDoS-as-a-Service Self-owned cloud resources –No DMCA leak Commodity Service Usage –No load-balancer customization –Off-the-shelf cloud components

Slide 10/24 DoSE Overview Clients access Protected Services via Relays Relays are assigned via CDN Interface Attacks are filtered in remote datacenters

Slide 11/24 DoSE Overview Assumptions: CDN DoS-Proof Independent Relay Faults Protected Service IP hidden

Slide 12/24 Attacker Model

Slide 13/24 Relays EC2 Instances Goals: Hide protected service IP (Relay) Shield service from attacks (Firewall)

Slide 14/24 Client Assignment Service Goal: Resilient Client-Relay Assignments Puzzles rate-limit assignments (repeat attacks)

Slide 15/24 Attack Mitigation: Risk Assignment Risk: Likelihood client is malicious Risk-Proportional Relay Assignment One unit of risk evenly divided Attacker eventually singled Problem: Growth in the number of relays for ON-OFF attacks Solution: Consolidate number of relays using a parameter

Slide 16/24 Cost Reduction via Consolidation Consolidation

Slide 17/24 Controlling # Relays versus Speed of Attacker Identification Cumulative Risk per Attack (CRPA) Risk per Relay (RPR) CRPA=1 RPR=0.5 CRPA/RPR=2 CRPA=1 RPR=0.25 CRPA/RPR=4

Slide 18/24 Experimental Results: Defending Against Single Attacker Agent-Based MATLAB solution (Open Source release on github) Relay Start Time: 40s CPRA/RPR= Clients Single Attack Source UDP Stream 1.Attacker identified in 300 seconds 2.Majority of clients kept online during attack

Slide 19/24 Defending Against Single Attacker: Cost Attacker found in 3 rounds 1000 clients CRPA/RPR=30 21 Relays Consumed $0.07 EC2 Spot (Micro) Higher CPRA Faster isolation Lower CRPA Economic sustainability Attacker identified faster with larger CRPA/RPR

Slide 20/24 Repeated Attacks Clients:Attackers = 100:1 New clients every 1.6 s Connected for 400 s New attacks every 160 s Fresh insiders Risk-history minimizes disruptions for connected clients

Slide 21/24 Success with Larger Attacks 300 Attackers = $0.47 DoSE is cost effective and efficient for most sizes of attacks

Slide 22/24 Comparison w/ MOTAG DoSE is less costly and more effective than MOTAG for small attacks

Slide 23/24 Costs Assignment and Relays –$2-9/Relay per Month (x3) –$0.008 per 5000 assigns Attack Mitigation –$0.07-$0.47 per Attack Commercial –$1800+ for UDP/TCP MOTAG –$2000+ for 1000 Relays –Additional $ for IP release Retransmission Bandwidth Costs –$0.09/GB –$0.02/GB if Service in Cloud

Slide 24/24 Conclusion Low Cost –$0.07-$0.47 Defense/Attack –$2.99+ to launch attack Off-the-Shelf –Unmodified CDN –Simple Linux relays

Slide 25/24 Stopping Large Attacks Attack Absorbed by Full Relay Exposure

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.