SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133.

Presentation transcript:

SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133

Outline
- Introduction
- SOS Architecture
- Defense Against Attacks
- Performance
- Strength
- Weaknesses
- Future Work

DOS ATTACK

Introduction
- SOS – Secure Overlay Services
- Proactively secure communications between known entities against Denial of Service (DoS) attacks
- Assumes a pre-determined set of approved clients communicating with a target
- Packets are validated at entry points of the overlay and, once inside, are tunneled securely to secretly designated nodes

SOS Architecture Diagram

SOS Architecture
Target:
- Selects some subset of nodes to act as Secret Servlets
- Accepts traffic only from Secret Servlet IPs
Secret Servlets:
- Verify authenticity of request to act as Secret Servlet
- Identify Beacon Nodes

SOS Architecture
Beacon Nodes:
- Notified by either Secret Servlets or Target of their role (“Hey, you’re a Beacon!”)
- Verify validity of information received
- Forward traffic received to the particular Secret Servlet associated with Target

SOS Architecture
Secure Overlay Access Point (SOAP) Nodes:
- Authenticate and authorize request from client to communicate with Target
- Securely route all traffic to Target via Beacon nodes
- Verification of packets is done by IPsec or TLS

Protection Against DoS
- If a SOAP node is attacked, the source point can enter through an alternate SOAP node
- If a node within the overlay is attacked, the node “exits” and the overlay provides new paths to Beacons
- No node is more important or sensitive than any other
- If a Secret Servlet is compromised, a new subset of Secret Servlets can be chosen

Secured Overlay Service

Defending Against Attack
Security Analysis Assumptions:
- An attacker knows and can attack overlay nodes
- Attacker does not know functionality of any given node, and cannot determine it
- Bandwidth available to launch an attack is limited
- Different users access overlay via different SOAPs
- A node can simultaneously act as a SOAP, Beacon and/or Secret Servlet

Example

Defending Against Static Attacks
- ~40% of nodes must be attacked simultaneously for attack to succeed once out of 10,000 attempts

Defending Against Static Attacks
- Increasing number of Beacons and Secret Servlets quickly drops probability of successful attack
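
The two static-attack claims above can be checked with a small combinatorial model. This is an added example, not taken from the paper or the slides. It assumes the attacker hits `n_attacked` of `n_overlay` nodes chosen uniformly at random (roles are unknown to the attacker), that the roles sit on disjoint nodes, and that the attack succeeds when every node of at least one role is hit; the overlay size and role sizes are constructed values.

```python
from itertools import combinations
from math import comb


def p_role_wiped(n_overlay, n_attacked, role_size):
    """P(every node of one role lies inside the randomly chosen attacked set)."""
    if role_size > n_attacked:
        return 0.0
    # C(a, k) / C(N, k): hypergeometric chance that all k role nodes are hit.
    return comb(n_attacked, role_size) / comb(n_overlay, role_size)


def p_attack_succeeds(n_overlay, n_attacked, role_sizes):
    """P(at least one role is completely attacked), by inclusion-exclusion.

    role_sizes: node count per role, e.g. (SOAPs, Beacons, Secret Servlets).
    Assumption: roles occupy disjoint nodes, so wiping several roles at once
    is the same as wiping one combined set of sum(sizes) nodes.
    """
    if sum(role_sizes) > n_overlay:
        raise ValueError("disjoint roles cannot exceed the overlay size")
    total = 0.0
    for r in range(1, len(role_sizes) + 1):
        sign = 1 if r % 2 else -1
        for group in combinations(role_sizes, r):
            total += sign * p_role_wiped(n_overlay, n_attacked, sum(group))
    return total


def min_attacked_for(n_overlay, role_sizes, target_p):
    """Smallest number of attacked nodes giving success probability >= target_p."""
    for n_attacked in range(n_overlay + 1):
        if p_attack_succeeds(n_overlay, n_attacked, role_sizes) >= target_p:
            return n_attacked
    return None


if __name__ == "__main__":
    N = 1000  # constructed overlay size
    for k in (5, 10, 20):  # constructed per-role node counts
        roles = (k, k, k)
        need = min_attacked_for(N, roles, 1e-4)
        p40 = p_attack_succeeds(N, 400, roles)
        print(f"{k:2d} nodes/role: P(success | 40% attacked) = {p40:.2e}, "
              f"nodes needed for 1-in-10,000 = {need} ({need / N:.0%})")
```

Under this model, one role of 10 nodes in a 1000-node overlay needs roughly 40% of the overlay attacked to reach a 1-in-10,000 success chance, and raising the per-role count pushes that fraction up sharply.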

Performance
- Measurement of time-to-completion of HTTPS requests
- Depending upon the number of nodes in the overlay, the time-to-completion increases by a factor of 2-10

Strengths
- Proactive approach to fighting Denial of Service (DoS) attacks
- Overlay can self-heal when a participant node is attacked
- Scalable access control

Weaknesses
- Assumes, for security analysis, that no attack can come from inside the overlay
- Assumes that an attacker cannot mask illegitimate traffic to appear legitimate
- To improve scalability, the number of SOAPs, Beacons, and Secret Servlets is limited – which lessens protection from DoS attacks
- Shortcut implementation does not protect secret information

Future Work
- More details about how repair and attack processes will function
- Evaluation of damage and attack that can come from inside the overlay
- Consideration of attack traffic that may be able to pass through overlay
- Exploration of overlays shared by multiple organizations in a secure manner
- Investigation of possible shortcuts through the overlay that do not compromise security

Thank You !!!!