Presentation is loading. Please wait.

Presentation is loading. Please wait.

DFence: Transparent Network- based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang University of Texas.

Published byJulianna Cowles Modified over 9 years ago

Similar presentations

Presentation on theme: "DFence: Transparent Network- based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang University of Texas."— Presentation transcript:

1 dFence: Transparent Network- based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang University of Texas at Austin mahimkar@cs.utexas.edu

2 The Problem Denial of Service (DoS) attacks –A significant threat to Internet reliability & availability –Many forms – SYN flood, Data flood, NAPTHA, HTTP request flood, Botnet Lots of research and commercial products –Speak-up, SIFF, Kill-botz, TVA, Pushback, Cisco Guard, Arbor, … Yet, lots of attacks still out there –Feb 6. 2007 DDoS attack on 6 of 13 root DNS servers –Domain registrar GoDaddy.com was DDoSed (March 2007)

3 dFence Principles Transparency –No software modifications to end-hosts or routers In-Network defense –Filter attack traffic before it gets close to server Shared on-demand infrastructure –Multiplex defense resources to protect multiple customers –No performance penalty during peace time Stateful mitigation –Necessary for effective defenses against a broad range of DoS attacks

4 dFence Overview Customer Network under protection Internet Service Provider Other Customer Networks Attack Detected Distributed Set of Middleboxes Only Good traffic Apply stateful filtering

5 Challenges Bidirectional Traffic Interception Attack Mitigation Functionality Dynamic State Management Robustness to route changes, failures and DoS attacks on middleboxes

6 Outline Bidirectional Traffic Interception Attack Mitigation FunctionalityAttack Mitigation Functionality Dynamic State ManagementDynamic State Management

7 Inbound Traffic Interception

8 Internet Service Provider Other Customer Networks 12.0.0.0/24 10.0.0.0/24 Customer Network (D) under protection iBGP advertisements to attract only traffic going to the customer network under protection PBR rule 10.0.0.0/24 D (on internal) 12.0.0.0/24 R 1 10.0.0.0/24 R 2 12.0.0.0/24 R 1 10.0.0.0/24 M R1R1 R2R2 M Routing table Inbound Traffic Interception

9 Outbound Traffic Interception

10 Customer Network (D) under protection Other Customer Networks 10.0.0.0/24 12.0.0.0/24 R1R1 R2R2 M PBR rule Src = 10.0.0.0/24 M (on external) Internet Service Provider Outbound Traffic Interception

11 Outline Bidirectional Traffic InterceptionBidirectional Traffic Interception Attack Mitigation Functionality Dynamic State ManagementDynamic State Management

12 Attack Mitigation at Middlebox Stateful policies are a good match for TCP-based attacks Careful creation of minimal state for connections Attack Classification Attack ExamplesState Requirement SpoofedSpoofed SYN Spoofed TCP data Reflector attacks Zero Un-spoofed mis-behaving NAPTHA Un-spoofed data flood Temporary Un-spoofed well-behaving Normal trafficLife-time of connection

13 An Example Policy Mitigating Spoofed Attacks –SYN flood: exhaust server resources by flooding it with bogus SYN requests –Network-based SYN cookie generation –Advantages over server-side Transparency Multiplexing

14 SYN Cookie [D. Bernstein] Client Server SYN C ACK S (Cookie+1) SYN S, ACK C (Seq# = Cookie) No state maintained Establish connection if cookie is correct Cookie is an unforgeable token

15 Network-based SYN Cookie Challenges –How to handle mismatch in sequence number generated by middlebox and server –How does middlebox handle data received from clients before its handshake with server is complete

16 What does not work Full TCP splicing with address / port / sequence / acknowledgement number translations –Increases state requirement at middlebox –Adds more processing burden Buffer data packets till handshake with server is complete –Opens door to another DoS attack Drop data packets till handshake with server is complete –Client enters TCP time-out and suffers 3 second delay

17 Client Server Middlebox SYN C SYN S, ACK C (Seq# = Cookie) Window = 0 ACK S (Cookie+1) SYN C SYN S, ACK C (Seq# = Value S ) SYN S, ACK C (Seq# = Cookie) Re-open window ACK S (Cookie+1) ACK S (Value S +1) Choke client Sequence # translation Acknowledgement # translation Un-choke client No State Maintained Verify cookie & establish state

18 Outline Bidirectional Traffic InterceptionBidirectional Traffic Interception Attack Mitigation FunctionalityAttack Mitigation Functionality Dynamic State Management

19 Middlebox introduction –How to capture state for ongoing connections ? –Naïve solution: terminate all ongoing connections and let clients start anew (not transparent!!) –Our solution Add grace period to transparently bootstrap state for ongoing connection –During bootstrap SYN cookies for new connection request Data packets (good or bad) are forwarded to the server State established for data packets for which ACK is seen

20 Dynamic State Management Middlebox removal –What about active connections established via middlebox ? –Naïve solution: terminate all and remove middlebox from the data path (not transparent!!) –Our solution Add grace period during which the connections established via middlebox undergo sequence and acknowledgement numbers translation New connection requests are forwarded to the server (no SYN cookies) No state established for new connections during the removal phase

21 Experimental Setup IXIA Packet Generator IXP End-hosts Cisco Switch XORP for Traffic Interception Intel IXP Network Processor for attack mitigation policies IXIA for attack workload, iperf/httperf for legitimate traffic

22 End-to-end Throughput Middlebox bootstrapped Attack started Throughput drops Middlebox removed Attack stopped Middlebox introduced Removal Phase Attack Mitigation PhaseBootstrap Phase: Spoofed SYN dropped, spoofed data forwarded

23 Conclusion dFence DoS mitigation system –Transparent solution –In-network defense –Shared on-demand infrastructure –Stateful mitigation Can be viewed as providing group insurance service General platform to deploy other network security services such as malware filtering

24 Thank You !

25 Backup Slides

26 Flow Pinning Why Pinning ? –Ensure both directions of flow go through the same middlebox –Ensure that the same middlebox handles the flow even when there are route changes / failures Pin the flow to a home middlebox –Home middlebox = hash 1 (src IP, src port) EXOR hash 2 (dest IP, dest port) –Symmetric

27 Bootstrap Interval T b Too high Severe damage during bootstrap phase Too low Ongoing connections may get terminated Trace analysis shows that majority of connections has packet IATs of the order a few seconds

28 XORP BGP Policy policy-statement next-hop-selection { term 1 { to { network4: 10.0.0.0/24 } then { localpref: 300 } } … protocols { bgp { … import “next-hop-selection” export “next-hop-selection” }

29 Middlebox Attacks & Defenses Exhausting the connection state –Defense: Limit number of connections from any single host Middlebox only maintains state for un-spoofed well-behaved sources Adaptive traffic variation attack –ON/OFF attack pattern –Defense: Avoid rapid introduction & removal of middleboxes Randomize the removal phase time interval Werewolf attack –Behave legitimate at first, get established in middlebox state and then bombard with attack traffic –Defense: Periodic measurement of traffic sending rates & source prefix white-listing

30 End-to-end latency

Download ppt "DFence: Transparent Network- based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang University of Texas."

Similar presentations

IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:

1 A TCAM-based solution for integrated traffic anomaly detection and policy filtering Author: Zhijun Wang, Hao Che, Jiannong Cao, Jingshan Wang Publisher:
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Security - Systems Design Considerations. Layer 2 Design L2 Control protocols - 802.1q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.

Security - Systems Design Considerations. Layer 2 Design L2 Control protocols q, STP and ARP 802.1q for Ethernet switches to exchange VLAN info.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.

Slide 1 Attacks on TCP/IP. slide 2 Security Issues in TCP/IP uNetwork packets pass by untrusted hosts Eavesdropping (packet sniffing) uIP addresses are.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
1 Web Proxies Dr. Rocky K. C. Chang 6 November 2005.

1 Web Proxies Dr. Rocky K. C. Chang 6 November 2005.

Similar presentations

Ads by Google