A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University.

Presentation transcript:

A Dynamic Packet Stamping Methodology for DDoS Defense
Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal
CISC 859, University of Delaware

05/11/2004 CISC
Outline
– Objectives
– Problem Description
– Related Work
– Proposed Solution
– Implementation Details
– Results
– Future Work
– Conclusion

Objectives of the Project
– Propose a new, simple and effective way to stamp IP packets so that they can be authenticated easily, in order to counter DDoS attacks.
– Implement the solution and run experiments on the Emulab testbed to verify its effectiveness.

Problem Description
– DDoS is an enormous threat to the Internet.
– Many public websites do not verify the authenticity of their users.
– Victims are overwhelmed with requests, and legitimate users are denied service.

Why is DDoS difficult to solve?
– No authentication is required to use services
– Little chance of the attacker being caught
– Difficult to differentiate attack traffic from legitimate traffic
– Huge number of vulnerable machines available
– Problem of finite resources

Related Work
– IP Easy-pass: Edge Resource Access Control by H. Wang, A. Bose, M. El-Gendy, K. G. Shin
– Practical Network Support for IP Traceback by S. Savage, D. Wetherall, A. Karlin, T. Anderson
– StackPi by A. Perrig, D. Song, A. Yaar

IP Easy-pass: Edge Resource Access Control by H. Wang, A. Bose, M. El-Gendy, K. G. Shin
What we liked about this paper:
– Per-packet filtering based on the IP Easy-pass
– Dynamic passes
What we didn't like about this paper:
– Space overhead
– Encryption and decryption overhead

Practical Network Support for IP Traceback by S. Savage, D. Wetherall, A. Karlin, T. Anderson
What we liked about this paper:
– The use of the IP identification field for storing marks in the packets
What we didn't like about this paper:
– Reactive in nature

StackPi by A. Perrig, D. Song, A. Yaar
What we liked about this paper:
– Per-packet filtering
– Proactive approach
What we didn't like about this paper:
– Stale pass
– Complicated

Desired Properties of the Proposed Solution
– Simple to implement
– Limited overheads
– Limited increase in end-to-end delay
– Per-packet filtering
– Easily deployable
– Robust

Proposed Solution
– Create a mechanism that distinguishes legitimate IP packets from attack packets.
– Drop all packets that fail the filtering test.

How to differentiate attack packets from legitimate packets?
– Generate a unique ID (key) for each packet.
– Store this key in the IP header's identification field to avoid space overhead.
– Routers check the packet's ID field to decide whether the packet is genuine before forwarding it to the destination (victim).

Issues with Key Generation
– Complex generation at the client, so that spoofing a key is difficult
– Simple verification at the router, so that router overhead remains small
– Keep changing the keys, so that attackers do not have time to predict them

How does our solution work?
– Keys are generated at the client
– An initial exchange between the client and the core router establishes the initial key
– The client generates legitimate (stamped) packets
– Packets are verified at the core routers
– The router drops or accepts each packet based on its key value

Other Issues
– We use a sliding window to handle packet loss and reordering.
– Because we use a dynamic pass rather than a stale pass, replay attacks are also avoided.
– Our solution can be used with any transport or application protocol, since we only change the IP ID field.

Implementation Details by Maitreya Natu


[Figure: key queue f_1 ... f_100, f_101]
Client uses SHA to generate a queue of 101 keys

[Figure: key queue f_1 ... f_100, f_101]
Client sends the 101st key (f_101) to the router before sending the data packets

[Figure: f_101 stored at the router; client queue f_1 ... f_100]
Router receives the key and stores it in a client table
Router maintains a window to keep track of arriving packets

[Figure: f_101 at the router; client queue f_1 ... f_99]
Client inserts a new key (here f_100) in the IP ID field of each outgoing packet
We use the dos code to insert the key in the ID field


[Figure: f(f_100) = f_101; window covers f_101 ... f_94]
Router captures each packet and extracts the key from the IP ID field
We use the capture code to capture incoming packets
It identifies the source IP address and accepts packets only from valid IP addresses
For each packet with a valid IP address, it applies SHA to the ID key to detect whether the key falls within the window range

[Figure: f(f_100) = f_101; animation continues with packets carrying f_99, f_98, f_97, f_96]
Router sets the corresponding bit in the window and forwards the packet

[Figure: client key at the router becomes f_97]
When the first four bits of the window are set, the window is advanced by 4 bits by setting the client key to the 4th key received (here f_97)

[Figure: f_97 at the router; client queue f_1 ... f_95]
The window is advanced by 4 bits by left-shifting it 4 bits to process further packets

[Figure: second scenario, window restarted at f_101; packets with keys down to f_92 arrive while some are lost]
If the first 4 bits are not set due to packet loss, the window is shifted when the 8th packet is received, changing the client key to the 8th key received (here f_93)

[Figure: f_93 at the router; client queue f_1 ... f_91]
The window is advanced by 8 bits by left-shifting it 8 bits to process further packets
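The key chain, the per-client anchor and the two window rules from the implementation slides, worked through as an added example (this is not the project's code, and the names next_key, make_chain and Router are mine). It assumes SHA-1 output truncated to 16 bits so that a key fits the IP identification field, which the slides do not spell out.

```python
import hashlib

WINDOW = 8      # window slots, as in the slides (f_101 down to f_94)
KEY_BYTES = 2   # assumption: keys are truncated to the 16-bit IP identification field


def next_key(key: int) -> int:
    """One chain step: f_{i+1} = SHA-1(f_i), truncated to KEY_BYTES (assumed truncation)."""
    digest = hashlib.sha1(key.to_bytes(KEY_BYTES, "big")).digest()
    return int.from_bytes(digest[:KEY_BYTES], "big")


def make_chain(seed: int, length: int = 101) -> list:
    """Client side: chain[0] is f_1, chain[length - 1] is f_101 (the key sent to the router)."""
    chain = [seed & 0xFFFF]
    for _ in range(length - 1):
        chain.append(next_key(chain[-1]))
    return chain


class Router:
    """Per-client state: the anchor key registered up front plus an 8-slot window."""
    def __init__(self, anchor: int):
        self.anchor = anchor
        self.slots = [None] * WINDOW   # slot d-1 holds the key accepted at distance d

    def check(self, key: int) -> bool:
        """Accept iff SHA^d(key) == anchor for some 1 <= d <= WINDOW and slot d is
        still free; a second packet with the same key (replay) is dropped."""
        h = key
        for d in range(1, WINDOW + 1):
            h = next_key(h)
            if h == self.anchor:
                if self.slots[d - 1] is not None:
                    return False           # replay of an already used pass
                self.slots[d - 1] = key
                self._advance()
                return True
        return False                       # not derivable from the anchor: attack packet

    def _advance(self) -> None:
        # Slide rule 1: first four bits set -> anchor becomes the 4th key, shift left by 4.
        while all(s is not None for s in self.slots[:4]):
            self.anchor = self.slots[3]
            self.slots = self.slots[4:] + [None] * 4
        # Slide rule 2: gaps from loss but the 8th key arrived -> anchor becomes the 8th key.
        if self.slots[WINDOW - 1] is not None:
            self.anchor = self.slots[WINDOW - 1]
            self.slots = [None] * WINDOW
```

Out-of-order keys inside the window are accepted and a repeated key is refused, which is the dynamic-pass property the "Other Issues" slide claims; note that a 16-bit key space is small, so the scheme leans on keys changing every packet rather than on any one key staying secret for long.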

Results By Namratha Hundigopal

Topology
[Topology figure: labels V, LAN, 5Mb, 250 kb, 1Mb]

Results
[Plot] Client: 20 pkts/sec for 10 sec. Attacker: 5 to 130 pkts/sec for 15 sec.

[Plot] Client: 20 pkts/sec for 10 sec. Attacker: 5 to 70 pkts/sec for 15 sec.


Future Work
– Implementation of the initial handshake between legitimate clients and the router
– Extension of the scheme to achieve a secure end-to-end path
– Testing with smart attacks
– Testing with real-time applications

Conclusion
– Proposed a stamping technique to identify legitimate packets
– Implemented the algorithm on the Emulab testbed
– It effectively prevents loss of legitimate packets at all the flooding rates we considered, with a negligible increase in end-to-end delay

Questions or Comments?
Thank you