Lecture 20 Page 1, Advanced Network Security: Basic Approaches to DDoS Defense. Peter Reiher, August 2014.


Page 2: Outline
Basic DDoS defense approaches
Some example DDoS defenses

Page 3: Basic Approaches to DDoS Defense
Don’t let it happen at all
Add resources to stay ahead of it
Track attack streams to their source
 –And, presumably, stop them
Filter attacks to remove attack traffic

Page 4: Prevention
It would be nice if attackers could not perpetrate DDoS attacks at all
How to prevent them?
 –Hygiene approaches
 –Resource limitations
 –Hide from the attackers

Page 5: Hygiene Approaches
1. Make protocols less susceptible to DDoS
2. Make computers harder to enlist as zombies
3. Close holes at potential targets that can be used for DDoS
All these are good and worthy approaches
None of them are enough in isolation
Hygiene alone hasn’t solved any other computer security problem, and won’t solve this one, either

Page 6: Resource Limitations
Don’t allow an individual attack machine to use many of a target’s resources
Requires:
 –Authentication, or
 –Making the sender do special work (puzzles)
Authentication schemes are often expensive for the receiver
Existing legitimate senders are largely not set up to handle doing special work
Can still be overcome with a large enough army of zombies

Page 7: Hiding From the Attacker
Make it hard for anyone but legitimate clients to deliver messages at all
E.g., keep your machine’s identity obscure
A possible solution for some potential targets
 –But not for others, like public web servers
To the extent that the approach relies on secrecy, it’s fragile
 –Some approaches don’t require secrecy

Page 8: Resource Multiplication
As the attacker demands more resources, supply them
Not always possible and usually expensive
Not clear that the defender can keep ahead of the attacker
But still a good step against limited attacks
 –Has sometimes worked in practice
 –And sometimes not
More advanced versions use Akamai-like techniques

Page 9: Trace and Stop Attacks
Figure out which machines attacks come from
Go to those machines (or near them) and stop the attacks
Tracing is trivial if IP source addresses aren’t spoofed
 –Tracing may be possible even if they are spoofed
May not have the ability/authority to do anything once you’ve found the attack machines
Not too helpful if the attacker has a vast supply of machines

Page 10: Filtering Attack Streams
The basis for most defensive approaches
Addresses the core of the problem by limiting the amount of work presented to the target
Key question is:
 –What do you drop?
Good solutions drop all (and only) attack traffic
Less good solutions drop some (or all) of everything

Page 11: Filtering Versus Rate Limiting
Filtering drops packets with particular characteristics
 –If you get the characteristics right, you do little collateral damage
 –But no guarantee you have dropped enough
Rate limiting drops packets on the basis of the amount of traffic
 –Can thus assure the target is not overwhelmed
 –But may drop some good traffic
Not really a hard-and-fast distinction
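The trade-off on this slide, as an added example that is not part of the lecture: a constructed stream of 100 attack packets and 20 legitimate ones is run through a characteristic-based filter (here the assumed characteristic is a TTL value shared by most, but not all, attack packets) and through a content-blind rate limiter, and each is scored on whether the target stays within capacity and how much good traffic is lost.

```python
# Added example, not from the lecture: comparing a characteristic-based
# filter with a rate limiter on a constructed packet stream.
from collections import namedtuple

Packet = namedtuple("Packet", "src legit ttl")

# Constructed stream: 100 attack packets and 20 legitimate ones.
# 70 attack packets carry the TTL the defender has fingerprinted (64);
# 30 attack packets do not match that fingerprint.
STREAM = ([Packet(f"10.0.0.{i}", False, 64) for i in range(70)]
          + [Packet(f"10.0.1.{i}", False, 57) for i in range(30)]
          + [Packet(f"192.0.2.{i}", True, 40 + i % 10) for i in range(20)])
CAPACITY = 40  # packets per interval the target can actually serve


def filter_by_characteristic(stream, attack_ttl=64):
    """Filtering: drop packets that match a characteristic of the attack.
    Precise when the characteristic is right, but it drops nothing else."""
    return [p for p in stream if p.ttl != attack_ttl]


def rate_limit(stream, capacity):
    """Rate limiting: forward a fixed share of packets (capacity out of
    len(stream)), chosen blind to content, and drop the rest."""
    passed, credit = [], 0
    for p in stream:
        credit += capacity            # integer arithmetic, so it is exact
        if credit >= len(stream):
            credit -= len(stream)
            passed.append(p)
    return passed


def evaluate(passed, stream, capacity):
    """Did the target stay within capacity, and how much good traffic died?"""
    legit_total = sum(p.legit for p in stream)
    legit_passed = sum(p.legit for p in passed)
    return {"passed": len(passed),
            "overloaded": len(passed) > capacity,
            "collateral": legit_total - legit_passed}


if __name__ == "__main__":
    print("filter:    ", evaluate(filter_by_characteristic(STREAM), STREAM, CAPACITY))
    print("rate limit:", evaluate(rate_limit(STREAM, CAPACITY), STREAM, CAPACITY))
```

The filter loses no legitimate packets but still lets 50 through against a capacity of 40, while the rate limiter holds the load at 40 and pays for it with 13 dropped legitimate packets.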

Page 12: Where Do You Filter?
Near the target?
Near the source?
In the network core?
In multiple places?

Page 13: Implications of Filtering Location Choices
Near target
Near source
In core

Page 14: Implications of Filtering Location Choices
Near target
 –Easier to detect attack
 –Sees everything
 –May be hard to prevent collateral damage
 –May be hard to handle attack volume
 –Good deployment incentive
Near source
In core

Page 15: Implications of Filtering Location Choices
Near target
Near source
 –May be hard to detect attack
 –Doesn’t see everything
 –Easier to prevent collateral damage
 –Easier to handle attack volume
 –Poor deployment incentive
In core

Page 16: Implications of Filtering Location Choices
Near target
Near source
In core
 –Easier to handle attack volume
 –Sees everything (with sufficient deployment)
 –May be hard to prevent collateral damage
 –May be hard to detect attack
 –Poor deployment incentive

Page 17: Example Defenses
Pushback
DWard
Netbouncer
SOS
Defcom

Page 18: Pushback
Goal: Preferentially drop attack traffic to relieve congestion
Enable core routers to respond to congestion locally by:
 –Profiling traffic dropped by RED
 –Identifying high-bandwidth aggregates
 –Preferentially dropping aggregate traffic to enforce the desired bandwidth limit
Pushback: A router identifies the upstream neighbors that forward the aggregate traffic to it, and requests that they deploy a rate limit

Pages 19–24: Pushback Example (diagram, six animation steps; the figure itself is not in the transcript)

Page 25: Can it work?
Even a few core routers are able to control high-volume attacks
Separation of traffic aggregates improves the current situation
 –Only traffic for the victim is dropped
 –Drops affect the part of the traffic that contains the attack traffic
Likely to successfully control the attack, relieving congestion in the Internet
Will inflict collateral damage on legitimate traffic

Page 26: Advantages and Limitations
+Routers can handle high traffic volumes
+Deployment at a few core routers can affect many traffic flows, due to core topology
+Simple operation, no overhead for routers
+Pushback minimizes collateral damage by placing the response close to the sources
–Pushback only works in contiguous deployment
–Collateral damage is inflicted whenever attack traffic is not clearly separate from legitimate traffic
–Deployment requires modification of existing core routers and likely purchase of new hardware
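The Pushback mechanism from Page 18 and its collateral-damage claims from Pages 25 and 26, as an added toy model that is not the lecture's or the Pushback project's code: one congested router profiles its offered load by destination prefix, finds the aggregate responsible for the overload, and then either rate-limits it locally (uniform drops inside the aggregate) or pushes the limit to its upstream neighbors. The traffic figures, the single output link, and the max-min fair split of the limit among contributing neighbors are all assumptions of this example.

```python
# Added example, not from the lecture or the Pushback project: a toy model
# of aggregate-based congestion control at one congested router.
from collections import defaultdict

# Constructed offered load (packets/s) into one output link, keyed by
# (upstream neighbor, destination prefix). Neighbor A carries the attack.
FLOWS = {("A", "victim"): 70, ("A", "other"): 10,
         ("B", "victim"): 10, ("B", "other"): 10,
         ("C", "victim"): 5, ("C", "other"): 5}
CAPACITY = 100  # packets/s the output link can carry

def identify_aggregate(flows, capacity):
    """Profile traffic by destination prefix; return the prefix whose volume
    alone accounts for the overload, or None if there is no congestion."""
    total = sum(flows.values())
    if total <= capacity:
        return None
    by_prefix = defaultdict(int)
    for (_, prefix), rate in flows.items():
        by_prefix[prefix] += rate
    prefix, rate = max(by_prefix.items(), key=lambda kv: kv[1])
    return prefix if rate >= total - capacity else None

def local_rate_limit(flows, capacity, prefix):
    """Local response only: drop uniformly inside the aggregate here, so
    every upstream's traffic to the victim suffers the same drop rate."""
    agg = sum(r for (_, p), r in flows.items() if p == prefix)
    limit = capacity - (sum(flows.values()) - agg)
    keep = limit / agg
    return {k: (r * keep if k[1] == prefix else r) for k, r in flows.items()}

def pushback(flows, capacity, prefix):
    """Pushback: hand the aggregate limit to upstream neighbors, split
    max-min fairly, so neighbors contributing little are not limited and
    the drops land close to the source of the bulk of the aggregate."""
    agg = {k: r for k, r in flows.items() if k[1] == prefix}
    remaining = capacity - (sum(flows.values()) - sum(agg.values()))
    limits = {}
    for k, r in sorted(agg.items(), key=lambda kv: kv[1]):
        share = remaining / (len(agg) - len(limits))  # fair share of what is left
        limits[k] = min(r, share)
        remaining -= limits[k]
    return {k: limits.get(k, r) for k, r in flows.items()}

def collateral(after, flows, clean_upstreams=("B", "C")):
    """Traffic lost by upstreams that carried no attack traffic at all."""
    return sum(flows[k] - after[k] for k in flows if k[0] in clean_upstreams)
```

With these figures both responses bring the link back to 100 packets/s, but the local response taxes B's and C's legitimate traffic to the victim while pushback limits only neighbor A; mixing attack and legitimate traffic behind A would make A's own good traffic the collateral damage the slide warns about.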