Presentation is loading. Please wait.

Presentation is loading. Please wait.

ANCP Network Anti-Attack Updates draft-fan-ancp-network-anti-attack-01 IETF 78 th, July. 25-30, 2010 Bo Wu Liang Fan.

Published byAgatha Scott Modified over 9 years ago

Similar presentations

Presentation on theme: "ANCP Network Anti-Attack Updates draft-fan-ancp-network-anti-attack-01 IETF 78 th, July. 25-30, 2010 Bo Wu Liang Fan."— Presentation transcript:

1 ANCP Network Anti-Attack Updates draft-fan-ancp-network-anti-attack-01 IETF 78 th, July. 25-30, 2010 Bo Wu (wu.bo@zte.com.cn )wu.bo@zte.com.cn Liang Fan ( fan.liang2@zte.com.cn )fan.liang2@zte.com.cn Bo Yuan ( yuan.bo3@zte.com.cn)yuan.bo3@zte.com.cn ZTE Corporation

2 Current Status 01-version updates –Add 2 use cases based on comments from last meeting

3 Attacker Problem statement Traditionally, network attacks from subscribers are detected at NAS site Detection could be done by NAS or additional device, such as Firewall/DPI box. Centralized attacking detection & policy enforcement

4 Case 1: Control Message Attack PPPoE/DHCP Control Message Attack –PPPoE PADI, DHCP discover, etc. –Could be a fake one or just replicated from the original one –Massive amount of packets per second Influence to the NAS –All control message will be sent to the control plane –Though trigger the traffic managing policy on control plane, but will Loss of the legal control message of the same type –NAS will enforce ACL to rate-limit control packets from dedicated subscriber Attacker

5 Example: PADI Packet Attack Attacker 1.The attacker sends a large number of PADI Packets 2.The NAS receives these packets and sends the packets to its control plane 3.The PPP control plane on the NAS will be aware of the abnormal rate of control messages from a dedicated subscriber 4.The NAS sends the anti-attack policy to the AN.

6 Case 2: DOS Attack DOS attack –SYN flood, fraggle, smurf, etc. –Towards the NAS & the network behind the NAS –Usually happened on a large number of hosts (synchronously) Original Solution –Detected on the NAS site, by an internal or external DPI function module –Policies implemented on the NAS site Attacker

7 Example: SYN Flood Attack 1.The attacker sends a large number of SYN packets 2.The NAS will be aware of the SYN flood attack from the dedicated subscriber with or without an external box. 3.The NAS sends the anti-attack policy to the AN. Attacker

8 Conclusion Use ANCP to dynamically trigger current available function on the AN. MAC Black/White List –Send MAC black list of the attacking message, or MAC white list of the registered MAC addresses to the AN –MAC white list not applicable to enterprise user MAC Table Size Limitation –Enable MAC learning limitation on the AN MAC Rate Limitation –Limit upstream rate of a dedicated MAC on the AN –No influence to other hosts on the same access loop

9 Next steps Need comments from work group Thank you

Download ppt "ANCP Network Anti-Attack Updates draft-fan-ancp-network-anti-attack-01 IETF 78 th, July. 25-30, 2010 Bo Wu Liang Fan."

Similar presentations

Using HIP to solve MULTI-HOMING IN IPv6 networks YUAN Zhangyi Beijing University of Posts and Telecommunications.

Using HIP to solve MULTI-HOMING IN IPv6 networks YUAN Zhangyi Beijing University of Posts and Telecommunications.
The subnet 192.168.32.16/28 has been selected to be further subnetted to support point-to-point serial links. What is the maximum number of serial links.

The subnet /28 has been selected to be further subnetted to support point-to-point serial links. What is the maximum number of serial links.
,< 資 管 Lee 附錄 A0 IGMP vs Multicast Listener Discovery.

,< 資 管 Lee 附錄 A0 IGMP vs Multicast Listener Discovery.
IP over ETH over IEEE802.16 draft-riegel-16ng-ip-over-eth-over-80216-01 Max Riegel

IP over ETH over IEEE draft-riegel-16ng-ip-over-eth-over Max Riegel
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.

Security Threats and Security Requirements for the Access Node Control Protocol (ANCP) IETF 67 - ANCP WG November 5-10, 2006 draft-moustafa-ancp-security-threats-00.txt.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.

© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Protecting Against Spoofing Attacks.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.
Networking Components

Networking Components
IETF72 ANCP WG1 ANCP Applicability to PON draft-bitar-wadhwa-ancp-pon-00.txt Nabil Bitar, Verizon Sanjay Wadhwa, Juniper Networks.

IETF72 ANCP WG1 ANCP Applicability to PON draft-bitar-wadhwa-ancp-pon-00.txt Nabil Bitar, Verizon Sanjay Wadhwa, Juniper Networks.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
What’s New in Fireware XTM v11.8.1 WatchGuard Training.

What’s New in Fireware XTM v WatchGuard Training.
Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.

Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.

S New Security Developments in DICOM Lawrence Tarbox, Ph.D Chair, DICOM WG 14 (Security) Siemens Corporate Research.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 70 – Vancouver draft-ietf-ancp-framework-04.txt.

Framework & Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks ANCP WG IETF 70 – Vancouver draft-ietf-ancp-framework-04.txt.

Similar presentations

Ads by Google