Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preventing Internet Denial-of-Service with Capabilities

Similar presentations


Presentation on theme: "Preventing Internet Denial-of-Service with Capabilities"— Presentation transcript:

1 Preventing Internet Denial-of-Service with Capabilities
Tom Anderson, David Wetherall Univ. of Washington Timothy Roscoe Intel Research at Berkeley 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

2 Anupam Chanda, Khaled Elmeleegy. Comp 629
Paper Summary An approach to prevent DoS attacks Nodes obtain “permission to send” from destination Capabilities Verification points enforce capabilities Suitable for incremental deployment 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

3 Anupam Chanda, Khaled Elmeleegy. Comp 629
Overview Motivation Related work Proposed solution Conclusion 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

4 Anupam Chanda, Khaled Elmeleegy. Comp 629
Motivation DoS – flooding limited resource CPU/Memory on hosts, routers, firewalls Anomaly detection Automated response – often shutdown New applications likely to be anomalous “Normal” traffic could be an attack CodeRed virus 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

5 Anupam Chanda, Khaled Elmeleegy. Comp 629
Related Work 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

6 Source Address Filtering
At network ingress and egress points Prevents spoofing attacks However… Addresses with same n/w prefix can be spoofed Attacks often consist of legitimate packets – hosts under a virus attack 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

7 Anupam Chanda, Khaled Elmeleegy. Comp 629
IP Traceback Traces the source of the attack Detection rather than prevention Can do post-mortem traceback Marking of IP packets 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

8 Anupam Chanda, Khaled Elmeleegy. Comp 629
IP Traceback (contd.) A1 A2 A3 R4 R5 R6 R2 R3 R1 V 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

9 Anupam Chanda, Khaled Elmeleegy. Comp 629
Pushback Pushback daemon Monitors traffic pattern Rules to indicate DoS attack Communicates with upstream routers (pushback) Upstream routers drop packets 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

10 Anupam Chanda, Khaled Elmeleegy. Comp 629
Anomaly Detection Rule-based or statistical techniques Classify traffic as friendly/malicious Malicious traffic detection Install network filters s to network administrators Legitimate applications may trigger alerts Application level end-to-end decision making is required 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

11 Anupam Chanda, Khaled Elmeleegy. Comp 629
Overlay Filtering Traffic rerouted through special nodes Sophisticated analysis and filtering Traffic passed through overlay Adds a secret to the packets Downstream routers check for the secret Similar to capability-based filtering which adds nonce tokens in the capabilities 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

12 Anupam Chanda, Khaled Elmeleegy. Comp 629
Proposed Solution 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

13 Anupam Chanda, Khaled Elmeleegy. Comp 629
System’s components Request To Send (RTS) server Used by sources to get tokens to send (capabilities) Verification Points (VP) Perform access control by verifying the existence of a token in the packet VPs are coupled with RTS servers, both co-located with BGP speakers 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

14 Obtaining permission to send
Autonomous Systems (AS) advertise they want their inbound traffic filtered Augment BGP advertisement Give the address of their RTS server Any AS along the way may add its RTS to the BGP advertisement Source can discover a chain of RTS servers through which it can send its request 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

15 Token Generation and passing
Destination generates a hash chain 64-bit one way hash values h1,h2…hk Destination sends hk back to the source through RTS servers RTS servers and VPs remember the token and associates it with the flow 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

16 Sending with capabilities
Token (capability) allows source to send n packets in t seconds Source includes token in packets VPs along the path validates the token If token found and is valid, increment usage count Else drop packet 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

17 Acquiring new capabilities (in band)
Could explicitly request new token Bad performance (overhead) Destination sends hk-1 ( new capability) after receiving nearly n packets Source switches to use hk-1 for the next n packets VPs switch to hk-1. They figure hk-1 as hk = hash(hk-1) (hash chain) 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

18 Anupam Chanda, Khaled Elmeleegy. Comp 629
Security issues RTS servers control RTS pkt rates to destinations RTS servers are protected against flood Only accessed by nodes on the same AS or another RTS servers Tokens are difficult to guess If you can sniff then you can disrupt the communication anyway 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

19 Anupam Chanda, Khaled Elmeleegy. Comp 629
Conclusions Explicit authorization scheme to address DoS Paper argued that the scheme other than it solves the DoS problem, it is: Feasible Incrementally deployable No experiments, so no sense of added overhead 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

20 Anupam Chanda, Khaled Elmeleegy. Comp 629
Questions ? 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629


Download ppt "Preventing Internet Denial-of-Service with Capabilities"

Similar presentations


Ads by Google