Presentation is loading. Please wait.

Presentation is loading. Please wait.

DDoS Defense for a Community of Peers

Published byBrendan Anderson Modified over 6 years ago

Similar presentations

Presentation on theme: "DDoS Defense for a Community of Peers"— Presentation transcript:

1 DDoS Defense for a Community of Peers
Jem Berkes (Project PI) and Adam Wick (Transition Lead)

2 About DDoS

3 A DDoS Attack

4 Source data: Arbor Networks Worldwide Infrastructure Security Report, and recent media reports

5 When DDoS Becomes a Problem ...
Network Capacities (Gbps) Med. Organization ISP Internet Exchange Internet Backbone DDoS Attack Critical bottleneck The Internet has bottlenecks: internet exchanges, regional routing. The aggregate or world-wide capacity is NOT the issue! 250 500 750 1000

6 Current Attacks Now Exceed Bottlenecks
Mirai / IoT botnets Enormous increase from 500 Gbps to 1,200+ Gbps Can’t stop this alone Tier 1 ISPs Cloud providers – not immune Aggregate, world-wide capacity is not the issue

7 Networks Must Collaborate
Effective defense requires collaboration between networks Must stop traffic closer to sources Automate response/coordination under attack stress We’re creating a tool to do this – 3DCoP

8 Handling DDoS with 3DCoP

9 Flow representation of traffic
IP IP IP SRCIP SPORT DSTIP DPORT PROTO COUNT Big Packet bodies Compact summary NetFlow, IPFIX

10 Our approach Decentralized collaboration between networks
Share flow information (clues) from distributed sensors via P2P Use clues to compute Sources of attacks Spoofed traffic Optimal blocking

11 Decentralized P2P Network
Out-of-band P2P Can operate using cell phone tethering – during attack IPFS: Kademlia-based DHT swarm Every node has public key

12 What is shared? Subset of flow data, classified as Anomalies
Undesirable traffic (attacks) Assertions: present or not present Each node pushes data Decide what you want to share

13 Who is it shared with? Strict/private mode
Flow data only shared with owner of flow endpoint Enforced with public key cryptography Global announcements For very anomalous traffic, or attacks Groups/associations Each site always controls what they share, and with whom

14 Data Processing Traffic Router NetFlow SiLK Analysis Pipeline
3DCoP Engine

15 3DCoP Engine SiLK flow data P2P Network Site policy and configuration

16 3DCoP Engine I see anomalies SiLK flow data P2P Network
Site policy and configuration

17 You’re sending an attack
3DCoP Engine I see anomalies You’re sending an attack SiLK flow data P2P Network Site policy and configuration

18 Engine State tables Local anomalies, peer-reported anomalies, etc.
Rules-based algorithm State iterations with real-time updates Automatic traffic analysis leading to actions

19 Rules in the Engine if I see anomalous outbound flows
and others report anomalies from me then increase oddness score for flows foreach anomalous flow if oddness score > THRESHOLD and network utilization is high and many src_ip are sending to few dst_ip then promote anomaly to attack

20 More Rules… foreach peer-reported anomaly
if local anomaly matches port number then // might be related attack if port is a known amplifier service increase oddness score // we might all be part of // the same DDoS attack

21 Example

22 Demo scenario A 30 Mbps 700 Mbps Spoofing as C C B 30 Mbps 700 Mbps

23 Demo scenario A C B Spoofing as C Seeing attacks from A 30 Mbps

24 Seeing heavy traffic from C
Demo scenario Seeing heavy traffic from C A 30 Mbps 700 Mbps Spoofing as C C B 30 Mbps 700 Mbps

25 Seeing heavy traffic from C
Demo scenario Seeing heavy traffic from C We didn’t send that We didn’t send that traffic A 30 Mbps 700 Mbps Spoofing as C C B 30 Mbps 700 Mbps

26 Aha! That’s spoofed traffic
Demo scenario Aha! That’s spoofed traffic A 30 Mbps 700 Mbps Spoofing as C C B 30 Mbps 700 Mbps

27 Demo scenario Block inbound A Spoofing as C C B

28 Optimal mitigation Demo scenario A Spoofing as C C B

29 Demo scenario A Spoofing as C C B

30 State Iterations Network containing A (amplifier)
Network containing C (victim)

31 State Iterations Network containing A (amplifier) Inbound Anomalies
C --> A Outbound Anomalies A --> C Network containing C (victim) Inbound Attacks A --> C

32 State Iterations Network containing A (amplifier) Inbound Anomalies
C --> A Outbound Anomalies A --> C Network containing C (victim) Inbound Attacks A --> C

33 State Iterations Network containing A (amplifier) Inbound Anomalies
C --> A Outbound Attacks, Must Stop A --> C Network containing C (victim) Inbound Attacks A --> C

34 State Iterations Network containing A (amplifier) Inbound Anomalies
C --> A Outbound Attacks, Must Stop A --> C Network containing C (victim) Inbound Attacks A --> C Check flow repository…

35 State Iterations Network containing A (amplifier) Inbound Anomalies
C --> A Outbound Attacks, Must Stop A --> C Assertions that Peers Did Not Send Network containing C (victim) Inbound Attacks A --> C Someone is spoofing my IP C --> A

36 State Iterations Network containing A (amplifier)
Inbound Spoofed Attacks C --> A Outbound Attacks, Must Stop A --> C Assertions that Peers Did Not Send Network containing C (victim) Inbound Attacks A --> C Someone is spoofing my IP C --> A

37 We’ve learned a lot! Network containing A (amplifier)
Inbound Spoofed Attacks C --> A Outbound Attacks, Must Stop A --> C Assertions that Peers Did Not Send Network containing C (victim) Inbound Attacks A --> C Someone is spoofing my IP C --> A

38 Vital information learned through collaboration
We’ve learned a lot! Network containing A (amplifier) Inbound Spoofed Attacks C --> A Outbound Attacks, Must Stop A --> C Assertions that Peers Did Not Send Vital information learned through collaboration

39 What About Mischief and Lies?
We have considered this Peers make statements about their own traffic “I don’t want this traffic” Public key crypto ties ownership/responsibility

40 Status

41 Status Have an early prototype
We are seeking pilot and evaluation partners. Correctly computes results with a simple attack Identifies attack sources Identifies spoofed traffic Next steps Construct larger, more complex attack scenarios Develop the engine further Accuracy Better reasoning

42 Contact Us! Jem Berkes: Galois 3DCoP Team: We are actively seeking evaluation partners for 3DCoP. Please contact us if you’d be interested in trying 3DCoP out in your organization. All trademarks, service marks, trade names, trade dress, product names, and logos appearing in these slides are the property of their respective owners, including in some instances Galois, Inc. This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security, or the U.S. Government.

Download ppt "DDoS Defense for a Community of Peers"

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Nanxi Kang Princeton University

Nanxi Kang Princeton University
1 SUNGARD AVAILABILITY SERVICES Messaging and Collaboration - E-mail Availability Service - Notification Service.

1 SUNGARD AVAILABILITY SERVICES Messaging and Collaboration - Availability Service - Notification Service.
Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,

Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Arbor Multi-Layer Cloud DDoS Protection

Arbor Multi-Layer Cloud DDoS Protection
Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.

Licentiate Seminar: On Measurement and Analysis of Internet Backbone Traffic Wolfgang John Department of Computer Science and Engineering Chalmers University.
PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.

PacNOG 6: Nadi, Fiji Dealing with DDoS Attacks Hervey Allen Network Startup Resource Center.
Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.

Lecture 22 Page 1 Advanced Network Security Other Types of DDoS Attacks Advanced Network Security Peter Reiher August, 2014.
Tomo-gravity Yin ZhangMatthew Roughan Nick DuffieldAlbert Greenberg “A Northern NJ Research Lab” ACM.

Tomo-gravity Yin ZhangMatthew Roughan Nick DuffieldAlbert Greenberg “A Northern NJ Research Lab” ACM.
NOC Lessons Learned TEIN2 and CERNET Xing Li 2007-01-22.

NOC Lessons Learned TEIN2 and CERNET Xing Li
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.
Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.

Differences between In- and Outbound Internet Backbone Traffic Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering Chalmers University.
TCOM 515 Lecture 6.

TCOM 515 Lecture 6.
VeriFlow: Verifying Network-Wide Invariants in Real Time

VeriFlow: Verifying Network-Wide Invariants in Real Time
Access Control List ACL. Access Control List ACL.

Access Control List ACL. Access Control List ACL.
DISTRIBUTED tcpdump CAPABILITY FOR LINUX Research Paper EJAZ AHMED SYED Dr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson.

DISTRIBUTED tcpdump CAPABILITY FOR LINUX Research Paper EJAZ AHMED SYED Dr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson.
1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.

1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.

Similar presentations

Ads by Google