Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.

Published byMadilyn Jestice Modified over 9 years ago

Similar presentations

Presentation on theme: "Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha."— Presentation transcript:

1 Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha

2 What is a DoS attack? “An incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Typically, the loss of service is the inability of a particular network service, such as e-mail, to be available or the temporary loss of all network connectivity and services”

3 Fundamental Idea of the Proposal  A destination can grant as much incoming traffic as it wants.  By being able to control the rate of incoming traffics, DoS at the destination can be prevented.

4 RTS Servers vulnerable to DoS E B C A D DoS requires: X compromised hosts to choke bandwidth W BW = W Mbps BW = (z% * W)/k Mbps DoS requires: Y compromised hosts to choke bandwidth (z% * W) / k << W => X >> Y FG A B C GF

5 Distributed DoS attack  Even if the number of hosts behind an RTS (nodes in an AS) is too small to choke RTS bandwidth, distributed attacks are possible from other RTS servers. Compromise d clients

6 Effect of DoS attack on RTS servers  Even though the data channel is free no new connections are allowed since the RTS channel is choked up.

7 RTS-Server attacks only affect new flows?  Yes, but how long can existing flows last? –Example: A Web server Most clients are unknown & untrusted => Should only grant limited bandwidth for a short time (i.e. short hash chains), on the order of minutes After RTS servers are attacked, existing clients can only serve the web for 20 minutes. All new requests are denied.

8 What data rate should a destination grant each client?  Is traffic rate determined per hash chain? Or each key of all chains have the same values, only changed by BGP advertisements? –Not clear from the paper  If rate is changed by BGP advertisements –Too slow to keep up with dynamic traffic loads  If rate is determined per hash chain –Duration of each chain for each client can still make rate adjustment too slow

9 Other (minor) problems Not all clocks run at the same rate: => VP might decides that a token expires before the client thinks so. Even small packets have to carry 64-bit overhead

10 Unnecessary requirement  Why does the paper assume that an attacker cannot snoop the values sent to the source? –If the attacker is not on the same network with the source, then it cannot spoof packets because of ingress/egress filtering. –If the attacker is on the same network as the source, then it can launch other more effective DoS against that client.  If the assumption is valid, then how do you achieve that? –Encrypt packets? – Too expensive, not scalable

11 Policy management problem  Where are the policies maintained? –RTS servers? Too many server applications (millions) to manage. Problems with updating policies –Each application? Applications (client & server) need to be changed.

12 Backup slides

13 RTS Servers vulnerable to DoS Nodes in the Internet Nodes in an AS 30x 100x Attackers need to compromise lesser percent of nodes in the “node pool” to compromise RTS servers Compromised Uncompromised

Download ppt "Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha."

Similar presentations

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Congestion Control Algorithms

Congestion Control Algorithms
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.

Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.
Doc.: IEEE 802.11-14/0604r1 Submission May 2014 Slide 1 Modeling and Evaluating Variable Bit rate Video Steaming for 802.11ax Date: 2014-05-12 Authors:

Doc.: IEEE /0604r1 Submission May 2014 Slide 1 Modeling and Evaluating Variable Bit rate Video Steaming for ax Date: Authors:
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.

FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.

A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Similar presentations

Ads by Google