NC STATE UNIVERSITY / MCNC Protecting Network Quality of Service Against Denial of Service Attacks Douglas S. Reeves  S. Felix Wu  Fengmin Gong DARPA.

Slide 1: Protecting Network Quality of Service Against Denial of Service Attacks
Douglas S. Reeves, S. Felix Wu, Fengmin Gong (NC State University / MCNC)
DARPA IA&S Meeting, July 20, 2000

Slide 2: New Capabilities...
– Different classes of service for users:
    – how much bandwidth
    – what quality level (delay, loss rates)
– Based on trust, need, importance, urgency, ...: policies!

Slide 3: ...Provided By
– Service provider provisions the resources for the expected demand
– User makes a request
– Network allocates a bandwidth amount and quality level, sends a response
– Network enforces the amount / quality

Slide 4: ...Create New Vulnerabilities!
– Each step can be attacked

Slide 5: Attack 1: Excessive User Demands
– Everyone asks for...
    – the maximum resource amount
    – premium service
– Why not? Without a disincentive, over-asking costs the user nothing

Slide 6: Our Solution: Resource Pricing
– An example: the telephone network

Slide 7: Resource Prices Based on Demand
– Predicted-load (static) pricing: e.g., provisioning, time-of-day pricing
– Auction-based (semi-static) pricing: e.g., bandwidth exchanges, time-slot assignment
– Congestion-based (dynamic) pricing: e.g., congestion control
– Combined approaches

Slide 8: Policy Specification / Enforcement
– What determines the price?
– How much can each user pay?

Slide 9: Provable Fairness
– Fairness is the consequence of a policy
– Achievable:
    – Pareto optimal
    – Weighted max-min fair
    – Proportional fair
    – Equal QoS
    – Maximal aggregate utility
    – Maximum revenue

Slide 10: Properties
– Simple, distributed computation
– Fast convergence
– Low overhead

Slide 11: Comparison With Other Approaches
– First-come, first-served: "grab resources early and often"
– Fixed (absolute) priority: starvation problems
– Non-weighted fairness (TCP): everyone is equal?
– Other resource pricing work: static / centralized, restricted fairness
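The pricing idea of slides 5 through 11, as an added example that is not the project's pricing simulator: one congested link adjusts its price from its own load, each user buys what a policy-assigned budget affords, and the result is contrasted with the first-come-first-served baseline. The user model (a budget `w_i` fixed by policy, a request `r_i`, purchase `min(r_i, w_i / p)` at price `p`), the multiplicative price update, the link capacity and all budgets are assumptions of this example.

```python
"""Added example, not the project's pricing simulator: congestion-based pricing
with per-user budgets next to the first-come-first-served baseline of slide 11.

Model (an assumption of this example, in the spirit of slides 5-11): user i has a
budget w_i fixed by policy and asks for rate r_i; at price p the user buys
min(r_i, w_i / p). One link of capacity C raises its price while aggregate demand
exceeds C and lowers it otherwise. The update needs only the link's own load, so
every link can run it independently. At the fixed point each uncapped user gets
w_i / p, i.e. allocations are proportional to budgets, so asking for more buys
nothing, which removes the incentive behind Attack 1.
"""
from dataclasses import dataclass


@dataclass
class User:
    name: str
    budget: float    # willingness to pay per unit time; set by policy, not by the user
    request: float   # rate the user asks for (an attacker asks for the maximum)


def demand(user: User, price: float) -> float:
    """Rate the user buys at `price`: what it can afford, capped at what it asked for."""
    return min(user.request, user.budget / price)


def fcfs_allocation(users, capacity):
    """Slide 11's baseline: grant requests in arrival order until the link is full."""
    left, alloc = capacity, {}
    for u in users:
        alloc[u.name] = min(u.request, left)
        left -= alloc[u.name]
    return alloc


def priced_allocation(users, capacity, price=1.0, step=0.5, tol=1e-6, max_iter=1000):
    """Price adjustment p <- p * (1 + step * (demand - C) / C) until demand meets C.

    Returns (price, allocation, iterations). The factor never drops below
    1 - step, so the price stays positive. If all requests fit, the price is zero.
    """
    if sum(u.request for u in users) <= capacity:
        return 0.0, {u.name: u.request for u in users}, 0
    for it in range(max_iter):
        total = sum(demand(u, price) for u in users)
        excess = total - capacity
        if abs(excess) < tol:
            return price, {u.name: demand(u, price) for u in users}, it
        price *= 1.0 + step * excess / capacity
    raise RuntimeError("price iteration did not converge")


if __name__ == "__main__":
    link = 10.0  # constructed: one 10 Mbit/s link
    users = [User("A", budget=2.0, request=100.0),   # everyone asks for far more than exists
             User("B", budget=1.0, request=100.0),
             User("C", budget=1.0, request=100.0)]
    print("FCFS:  ", fcfs_allocation(users, link))   # A takes everything
    print("priced:", priced_allocation(users, link))  # 5 / 2.5 / 2.5 at price 0.4
```

With three users all asking for ten times the link, FCFS hands the whole link to whoever asked first; the priced allocation converges to 5 / 2.5 / 2.5 (price 0.4) and does not move when one user raises its request to 1000, because budgets, not requests, decide the split. A user whose request is smaller than its share is capped at the request and the remainder is re-priced among the others, which is the weighted proportional-fair outcome of slide 9 for this single-link case.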

Slide 12: Future Work: Implementation
– Fall 2000 (management tools: Summer 2001)

Slide 13: Future Work: 3rd-Party Authorization
– Fall 2000

Slide 14: Future Work: Service Class Provisioning
– Given predicted demand for each service class...
    – how much of each service class should the network owner provision?
    – what price should be charged for each class?
– Goals: maximum profit, maximum utility, ...?
– Spring 2001

Slide 15: Future Work: Protecting the Pricing Mechanism
– Vulnerability to attack
– Protecting:
    – RSVP
    – COPS
    – SIP
    – Policy server and databases
    – Authorization server, user database, billing database
– Spring 2002

Slide 16: Impact of This Work
– Disincentives for "bad" user behavior
– Ability to flexibly specify and enforce policies
– Efficient (optimal) allocation
– Economic incentives for deployment of new services

Slide 17: Attack 2: Modify Resource Request / Response Signals
– RSVP is the control mechanism for QoS: the signaling protocol that carries reservation requests and responses
– Routers can "legally" modify these signals: some fields are meant to be updated hop by hop
– How to detect illegal modification?

Slides 18–20: RSVP Attack Examples (diagrams only; not reproduced in the transcript)

Slide 21: Our Solution: Selective Signing + Auditing
1. Sign, at the end-points, the message contents that cannot be changed
2. Each router audits the fields that can be changed:
    – remember the values transmitted downstream
    – compare with the values propagated upstream
– Has been implemented and tested

Slide 22: Comparison With Other Approaches
– End-to-end signing of complete message contents: won't work with changeable contents
– Hop-by-hop signing of message contents:
    – excessive overhead
    – does not detect attacks by corrupted routers (a corrupt router simply signs whatever it forwards)
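The selective signing and auditing scheme of slides 21 and 22, as an added example that is not the project's implementation. The message layout (immutable `session`, `sender`, `tspec`; hop-mutable `hop_count` and `path_delay_ms` standing in for the ADSPEC data RSVP routers update at each hop), the use of HMAC-SHA256 under a shared key in place of an end-point signature, the per-hop delay bound `MAX_HOP_DELAY_MS`, the router names and the attack `shave_delay_and_inflate` are all assumptions of this example.

```python
"""Added example, not the project's implementation: selective signing plus
per-hop auditing on a simplified RSVP-like PATH message (slides 21-22).

Assumptions: a message is a dict whose IMMUTABLE fields (session, sender, tspec)
only the end-points may set and whose MUTABLE fields (hop_count, path_delay_ms,
standing in for the ADSPEC data RSVP routers update at each hop) every router
updates within policy; HMAC-SHA256 under a key shared by the two end-points stands
in for the end-point signature; an auditor later collects each router's log of
(mutable values received, mutable values forwarded). The audit assumes at most
one corrupt router on the path: it cannot both obey the per-hop rules in its own
log and stay consistent with what its neighbours logged.
"""
import hashlib
import hmac
import json

IMMUTABLE = ("session", "sender", "tspec")   # covered by the end-point signature
MUTABLE = ("hop_count", "path_delay_ms")     # updated per hop, so audited instead
MAX_HOP_DELAY_MS = 50                        # policy bound on what one hop may add
KEY = b"constructed-shared-key"              # assumption: provisioned at both end-points


def sign(msg, key):
    body = json.dumps({k: msg[k] for k in IMMUTABLE}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(msg, key):
    """Receiver-side check that no router touched the immutable fields."""
    return hmac.compare_digest(sign(msg, key), msg["sig"])


class Router:
    def __init__(self, name, delay_ms, tamper=None):
        self.name, self.delay_ms, self.tamper = name, delay_ms, tamper
        self.log = []   # audit trail: (mutable fields received, mutable fields forwarded)

    def forward(self, msg):
        received = {k: msg[k] for k in MUTABLE}
        out = dict(msg)
        out["hop_count"] += 1                   # the legal per-hop updates
        out["path_delay_ms"] += self.delay_ms
        self.log.append((received, {k: out[k] for k in MUTABLE}))
        if self.tamper:                         # corrupt router: its log looks clean,
            self.tamper(out)                    # but the wire copy is altered
        return out


def send_path(msg, routers):
    for r in routers:
        msg = r.forward(msg)
    return msg


def audit(routers):
    """Cross-check the logs: per-hop updates obey policy and neighbours agree."""
    findings = []
    for i, r in enumerate(routers):
        for rcv, snt in r.log:
            if snt["hop_count"] != rcv["hop_count"] + 1:
                findings.append((r.name, "illegal hop_count update"))
            if not 0 <= snt["path_delay_ms"] - rcv["path_delay_ms"] <= MAX_HOP_DELAY_MS:
                findings.append((r.name, "illegal path_delay update"))
        if i + 1 < len(routers):
            nxt = routers[i + 1]
            for (_, snt), (rcv, _) in zip(r.log, nxt.log):
                if snt != rcv:
                    findings.append((f"{r.name}->{nxt.name}", "sent/received mismatch"))
    return findings


def new_path_message():
    msg = {"session": "10.0.0.9/5004", "sender": "10.0.0.2",          # constructed values
           "tspec": {"rate_kbps": 512}, "hop_count": 0, "path_delay_ms": 0}
    msg["sig"] = sign(msg, KEY)
    return msg


def shave_delay_and_inflate(out):
    """Attack by a corrupt core router: hide its latency, enlarge the reservation."""
    out["path_delay_ms"] = 1
    out["tspec"] = {"rate_kbps": 10_000}


def demo(corrupt_second_hop=False):
    """Run a 3-hop path; returns (signature ok, audit findings, message as received)."""
    routers = [Router("R1", 5),
               Router("R2", 10, shave_delay_and_inflate if corrupt_second_hop else None),
               Router("R3", 5)]
    final = send_path(new_path_message(), routers)
    return verify(final, KEY), audit(routers), final


if __name__ == "__main__":
    print(demo())       # (True, [], ...) : hop_count 3, path_delay_ms 20
    print(demo(True))   # (False, [('R2->R3', 'sent/received mismatch')], ...)
```

The two checks catch the two halves of the attack separately: the receiver's signature check fails because `tspec` was rewritten, and the audit reports R2->R3 because what R2 logged as sent differs from what R3 logged as received. A hop-by-hop signature would not help here, since R2 would sign its tampered copy; the cross-check between neighbours' records is what exposes it.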

Slide 23: Future Work
– Other attacks: message dropping, message insertion, resource "hoarding" (Summer 2001)
– Auditing: integration with intrusion detection (Fall 2001)

Slide 24: Impact of This Work
– Practical, more effective detection of DoS attacks on the control (signaling) flow

Slide 25: Attack 3: TCP Packet Dropping
– Congestion causes "normal" packet dropping
– Can malicious packet dropping (not due to normal congestion) be detected?
    – due to corrupted routers
    – due to "unfriendly" users

Slide 26: Our Solution
– Build a profile of normal dropping behavior
– Compare with observed dropping behavior:
    – statistical techniques
    – neural-net techniques
– Experiments: 5 sites in 4 countries over several weeks

Slide 27: Effectiveness
– Created several types of dropping attacks:
    – random
    – periodic
    – retransmissions only
– Measured losses and latency
– High detection rate (> 80%), low (1%–5%) false-positive rate
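The profile-and-compare approach of slides 25 through 27, as an added example that is not the project's dropping-attack analyzer: a loss profile is built from a normal trace, and three statistics pick out the three attack types of slide 27. The traces are constructed from seeded generators (`normal_trace`, `periodic_attack`, `rexmit_attack`), the profile is just the normal loss rate, and the thresholds in `detect` are assumptions, not the project's.

```python
"""Added example, not the project's analyzer: profile "normal" TCP loss and flag
the three dropping attacks of slide 27 (random, periodic, retransmissions only).

Everything is constructed: a packet is a (is_retransmission, lost) pair from a
seeded generator standing in for the project's traces, the profile is the loss
rate of a normal trace, and the thresholds are assumptions for the example.
"""
import math
import random


def normal_trace(n, p_loss=0.02, p_rexmit=0.05, seed=1):
    """Congestion-like loss: independent of position and of retransmission status."""
    rng = random.Random(seed)
    return [(rng.random() < p_rexmit, rng.random() < p_loss) for _ in range(n)]


def periodic_attack(n, period=20, p_loss=0.02, p_rexmit=0.05, seed=2):
    """A corrupt router drops every `period`-th packet on top of normal loss."""
    rng = random.Random(seed)
    return [(rng.random() < p_rexmit, i % period == 0 or rng.random() < p_loss)
            for i in range(n)]


def rexmit_attack(n, p_drop_rexmit=0.5, p_loss=0.02, p_rexmit=0.05, seed=3):
    """Drops aimed at retransmissions only, which stalls TCP loss recovery."""
    rng = random.Random(seed)
    trace = []
    for _ in range(n):
        rx = rng.random() < p_rexmit
        lost = rng.random() < p_loss or (rx and rng.random() < p_drop_rexmit)
        trace.append((rx, lost))
    return trace


def build_profile(trace):
    """The profile of normal behaviour: here just its loss rate."""
    return {"loss_rate": sum(lost for _, lost in trace) / len(trace)}


def loss_stats(trace, max_lag=64):
    n = len(trace)
    losses = [i for i, (_, lost) in enumerate(trace) if lost]
    rate = len(losses) / n
    # P(loss at i+lag | loss at i): about `rate` for independent loss,
    # near 1 at the attack period. Lag 1 is skipped: back-to-back loss is normal.
    lag_cond = {}
    for lag in range(2, max_lag + 1):
        starts = [i for i in losses if i + lag < n]
        if starts:
            lag_cond[lag] = sum(trace[i + lag][1] for i in starts) / len(starts)
    rx = [lost for is_rx, lost in trace if is_rx]
    fx = [lost for is_rx, lost in trace if not is_rx]
    rx_rate = sum(rx) / len(rx) if rx else 0.0
    fx_rate = sum(fx) / len(fx) if fx else 0.0
    return rate, lag_cond, rx_rate, fx_rate


def detect(trace, profile, z_thresh=4.0, cond_thresh=0.5, bias_thresh=3.0):
    """Compare an observed trace with the profile; returns which attack signs fired."""
    rate, lag_cond, rx_rate, fx_rate = loss_stats(trace)
    p0, n = profile["loss_rate"], len(trace)
    z = (rate - p0) / math.sqrt(p0 * (1 - p0) / n)   # binomial z-score of the loss rate
    lag, cond = max(lag_cond.items(), key=lambda kv: kv[1]) if lag_cond else (None, 0.0)
    if fx_rate > 0:
        bias = rx_rate / fx_rate
    else:
        bias = math.inf if rx_rate > 0 else 0.0
    return {
        "excess_loss": z > z_thresh,            # random dropping raises the rate only
        "periodic": cond > cond_thresh,         # loss predicts loss `lag` packets later
        "period": lag if cond > cond_thresh else None,
        "rexmit_targeted": bias > bias_thresh,  # retransmissions lost far more often
    }


if __name__ == "__main__":
    profile = build_profile(normal_trace(5000))
    for name, trace in [("normal", normal_trace(5000, seed=9)),
                        ("random", normal_trace(5000, p_loss=0.08, seed=4)),
                        ("periodic", periodic_attack(5000)),
                        ("rexmit-only", rexmit_attack(5000))]:
        print(name, detect(trace, profile))
```

Random dropping only moves the overall rate; periodic dropping also makes a loss at packet i predict a loss at i + period; retransmission-only dropping leaves the conditional-loss curve flat but makes retransmissions several times likelier to be lost than first transmissions. The last case is the one slide 28 warns about: its overall rate may barely move, so a rate-only monitor would report a mildly degraded path rather than an attack.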

Slide 28: Impact
– Attacks will become less obvious: degraded service, not disrupted service
– First work on monitoring this type of attack

Slide 29: Attack 4: Compromised DiffServ Routers

Slide 30: Attack Types
– Dropping one data flow to benefit others
– Injecting (spoofing, flooding, ...) packets into a high-priority flow
– Remarking packets in a data flow
– Delaying packets in a data flow
– Compromised ingress, core, or egress routers

Slide 31: Approach
– Monitor router behavior externally
– Monitoring agents externally controlled by an intrusion detection system (IDS):
    – selectively enabled when needed
– IDS performs analysis of the measurements

Slide 32: Monitoring
– Granularity is the Per-Hop Behavior (PHB, i.e., a traffic aggregate or macroflow, not an individual flow)
– Metrics: ingress rate, egress rate, drop rate, delay
– Passive (packet counting)
– Active (packet probing)
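Passive per-PHB monitoring of a core router against the four attack types of slide 30, as an added example that is not the project's monitoring agent. It assumes an agent that captures packets on both sides of the router and can match them by a packet id, a core router that must not remark, and per-PHB policy bounds (`POLICY`) and packet records (`constructed_ingress`, `honest_egress`, `compromised_egress`) constructed for the example; the DSCP values are the standard ones.

```python
"""Added example, not the project's monitoring agent: passive per-PHB checks on a
DiffServ core router from packet records captured on both sides of it
(slides 30-32).

Assumptions: the agent sees every packet at the router's ingress and egress and can
match the two observations by a packet id; a record is (pkt_id, dscp, time_ms);
the router is a core router, so it must not remark; the per-PHB policy bounds and
all packet records are constructed for the example. DSCP values are the standard
ones: EF = 46 (RFC 3246), AF41 = 34 (RFC 2597), best effort = 0 (RFC 2474).
"""
EF, AF41, BE = 46, 34, 0

# assumed policy per PHB: (max fraction dropped, max delay through this router in ms)
POLICY = {EF: (0.001, 2.0), AF41: (0.05, 10.0), BE: (0.20, 50.0)}


def analyze(ingress, egress, window_s=1.0):
    """Per-PHB metrics of slide 32 plus findings for the attack types of slide 30."""
    in_by_id = {pid: (dscp, t) for pid, dscp, t in ingress}
    out_by_id = {pid: (dscp, t) for pid, dscp, t in egress}
    phbs = {d for _, d, _ in ingress} | {d for _, d, _ in egress}
    metrics = {p: {"ingress": 0, "egress": 0, "dropped": 0, "injected": 0,
                   "remarked": 0, "max_delay_ms": 0.0} for p in phbs}
    for pid, (dscp, t_in) in in_by_id.items():
        m = metrics[dscp]
        m["ingress"] += 1
        if pid not in out_by_id:
            m["dropped"] += 1            # entered, never left
            continue
        dscp_out, t_out = out_by_id[pid]
        if dscp_out != dscp:
            m["remarked"] += 1           # left with a different code point
        m["max_delay_ms"] = max(m["max_delay_ms"], t_out - t_in)
    for pid, (dscp, _) in out_by_id.items():
        metrics[dscp]["egress"] += 1
        if pid not in in_by_id:
            metrics[dscp]["injected"] += 1   # left without ever entering
    findings = []
    for dscp, m in metrics.items():
        m["ingress_rate_pps"] = m["ingress"] / window_s
        m["egress_rate_pps"] = m["egress"] / window_s
        max_drop, max_delay = POLICY.get(dscp, (1.0, float("inf")))
        if m["ingress"] and m["dropped"] / m["ingress"] > max_drop:
            findings.append((dscp, "drop rate above policy"))
        if m["max_delay_ms"] > max_delay:
            findings.append((dscp, "delay above policy"))
        if m["remarked"]:
            findings.append((dscp, "remarked by core router"))
        if m["injected"]:
            findings.append((dscp, "packets injected"))
    return metrics, findings


def constructed_ingress():
    """Ten packets per PHB, one per millisecond (constructed)."""
    return ([(i, EF, float(i)) for i in range(10)]
            + [(i, AF41, float(i)) for i in range(10, 20)]
            + [(i, BE, float(i)) for i in range(20, 30)])


def honest_egress(ingress):
    """Well-behaved router: class-dependent delay, one best-effort drop under load."""
    delay = {EF: 1.0, AF41: 3.0, BE: 20.0}
    return [(pid, dscp, t + delay[dscp]) for pid, dscp, t in ingress if pid != 23]


def compromised_egress(ingress):
    """Compromised router: drops EF, remarks AF41 to EF, delays EF, injects into EF."""
    egress = []
    for pid, dscp, t in honest_egress(ingress):
        if pid in (3, 4):
            continue                     # drop two EF packets
        if pid == 12:
            dscp = EF                    # remark an AF41 packet up to EF
        if pid == 7:
            t += 30.0                    # hold one EF packet
        egress.append((pid, dscp, t))
    egress.append((99, EF, 5.5))         # inject a packet that never entered
    return egress


if __name__ == "__main__":
    ing = constructed_ingress()
    print(analyze(ing, honest_egress(ing))[1])        # []
    metrics, findings = analyze(ing, compromised_egress(ing))
    print(metrics[EF]["ingress"], metrics[EF]["egress"], findings)
```

The compromised case is chosen so that the EF aggregate shows ten packets in and ten out: two drops, one remark into EF and one injection cancel in the counters. Ingress and egress rates alone, the cheapest passive metrics, therefore look clean for EF; it is the per-packet matching (drops, injections, remarks) and the delay measurement that surface the attack, which is the reason slide 32 lists drop rate and delay alongside the two rates.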

Slide 33: Status
– Attack analysis
– Architecture
– Testbed, measurements
– Future work:
    – implement passive monitoring (Fall 2000)
    – implement active monitoring (Spring 2001)
    – implement analysis (Summer 2001)
    – integrate with existing intrusion-detection engine (Year 3)

Slide 34: Impact
– First work on detecting and preventing attacks on DiffServ

Slide 35: Technology Transfer
– Code release (pricing simulator, TCP dropping attack analyzer)
– Patent application on pricing with NEC
– Collaboration with Nortel on resource authorization
– Discussions with Enron, NEC, IETF DiffServ WG

Slide 36: General Hicks' "Hot List" of Needs
– Prevent denial-of-service attacks
– Automate network bandwidth allocation:
    – reallocate to other, changing priorities