Download presentation
Presentation is loading. Please wait.
Published byRaina Poucher Modified over 9 years ago
1
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1 Goal: detect attacks, reduce the attack traffic, recognize and favor the legitimate traffic Source-end, inline defense system Gathers statistics on flows and connections, compares them with protocol-based models: Mismatching flow statistics indicate attack Matching connection statistics indicate legitimate traffic Dynamic and selective rate-limit algorithm: Fast decrease to relieve the victim Fast increase when the attack stops and on false alarms Detects and forwards legitimate connection packets 1 “Attacking DDoS at the source,” Mirkovic, Prier, Reiher, ICNP 2002
2
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 2 Flows And Connections
3
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 3 D-WARD Overview
4
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 4 D-WARD Overview
5
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 5 D-WARD Overview
6
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 6 Can It Work? Extensive experiments indicate: Fast detection of a wide range of attacks Effective control of the attack traffic Extremely low collateral damage Fast removal of rate limit when attack stops Small processing and memory overhead Effectively stops attacks from deploying networks Only effective in actually stopping attacks if deployed at most/all potential attacking networks May provide synergistic benefits with other defenses
7
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 7 Advantages And Limitations +Fast detection and control of wide range of attacks +Extremely low collateral damage +Low number of false positives +Stops attacks as soon as possible –Attackers can perform successful attacks from unprotected networks –Deployment motivation is low
8
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 8 Netbouncer 1 Goal: detect legitimate clients and only serve their packets Victim-end, inline defense system deployed in front of the choke point Keeps a list of legitimate clients: Only packets from these clients are served Unknown clients receive a challenge to prove their legitimacy, several levels of legitimacy tests Various QoS techniques are applied to assure fair sharing of resources by legitimate client traffic Legitimacy of a client expires after a certain interval 1 “NetBouncer: Client-legitimacy-based High-performance DDoS Filtering, ” Thomas, Mark, Johnson. Croall, DISCEX 2003
9
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 9 Netbouncer Overview N Legitimacy list
10
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 10 Netbouncer Overview N Legitimacy list
11
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 11 Netbouncer Overview N Legitimacy list
12
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 12 Netbouncer Overview N Legitimacy list
13
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 13 Can It Work? Successfully defeats spoofed attacks Ensures fair sharing of resources among clients that have proved to be legitimate All legitimacy tests are stateless – defense system cannot be target of state-consumption attacks Some legitimate clients do not support certain legitimacy tests (i.e. ping test) Legitimate client identity can be misused for attacks Large number of agents can still degrade service to legitimate clients, creating “flash crowd” effect
14
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 14 Advantages And Limitations +Ensures good service to legitimate clients in the majority of cases +Does not require modifications of clients or servers +Stateless legitimacy tests ensure resiliency to DoS attacks on Netbouncer +Realistic deployment model: Autonomous solution, close to the victim –Attackers can perform successful attacks by: –Misusing identities of legitimate clients –Recruiting a large number of agents –Some legitimate clients will not be validated –Challenge generation may exhaust defense
15
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 15 SOS 1 Goal: route only “verified user” traffic to the server, drop everything else Clients use overlay network to reach the server Clients are authenticated at the overlay entrance, their packets are routed to proxies Small set of proxies are “approved” to reach the server, all other traffic is heavily filtered out 1 “ SOS: Secure Overlay Services, ” Keromytis, Misra, Rubensteain, ACM SIGCOMM 2002
16
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 16 SOS User first contacts nodes that can check its legitimacy and let him access the overlay – access points An overlay node uses Chord overlay routing protocol to send user’s packets to a beacon Beacon sends packets to a secret servlet Secret servlets tunnel packets to the firewall Firewall only lets through packets with an IP of a secret servlet Secret servlet’s identity has to be hidden, because their source address is a passport for the realm beyond the firewall Beacons are nodes that know the identity of secret servlets If a node fails, other nodes can take its role
17
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 17 SOS Overview SS F B B AP Access Point Beacon Secure Servlet Firewall
18
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 18 SOS Overview SS F B B AP Access Point Beacon Secure Servlet Firewall
19
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 19 SOS Overview SS F B B AP Access Point Beacon Secure Servlet Firewall
20
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 20 SOS Overview SS F B B AP Access Point Beacon Secure Servlet Firewall
21
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 21 Can It Work? SOS successfully protects communication with a private server: Access points can distinguish legitimate from attack communications Overlay protects traffic flow Firewall drops attack packets Redundancy in the overlay and secrecy of the path to the target provide security against DoS attacks on SOS
22
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 22 Advantages And Limitations +Ensures communication of “verified user” with the victim +Resilient to overlay node failure +Resilient to DoS on the defense system –Does not work for public service –Clients must be aware of overlay and use it to access the victim –Traffic routed through the overlay travels on suboptimal path –Still allows brute force attack on links leading to the firewall –If the attacker can find it
23
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 23 Client Puzzles 1 Goal: defend against connection depletion attacks When under attack: Server distributes small cryptographic puzzles to clients requesting service Clients spend resources to solve the puzzles Correct solution, submitted on time, leads to state allocation and connection establishment Non-validated connection packets are dropped Puzzle generation is stateless Client cannot reuse puzzle solutions Attacker cannot make use of intercepted packets 1 “Client puzzles: A cryptographic countermeasure against connection depletion attacks, ” Juels, Brainard, NDSS 1999
24
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 24 Client Puzzles Overview
25
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 25 Client Puzzles Overview
26
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 26 Client Puzzles Overview
27
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 27 Can It Work? Client puzzles guarantee that each client has spent a certain amount of resources Server determines the difficulty of the puzzle according to its resource consumption Effectively server controls its resource consumption Protocol is safe against replay or interception attacks Other flooding attacks will still work
28
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 28 Advantages And Limitations +Forces the attacker to spend resources, protects server resources from depletion +Attacker can only generate a certain number of successful connections from one agent machine +Low overhead on server –Requires client modification –Will not work against highly distributed attacks –Will not work against bandwidth consumption attacks –Puzzle verification consumes server resources
29
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 29 COSSACK 1 Goal: detect the attack, place response near the sources COSSACK watchdogs are located at edge networks and organized into a multicast tree Client watchdog detects the attack, notifies all involved sources via multicast tree Sources join victim-specific group and exchange information Involved sources perform smart filtering to control attack traffic 1 “COSSACK: Coordinated Suppression of Simultaneous Attacks, ” Papadopoulos, Lindell, Mehringer, Hussain, Govindan, DISCEX 2003
30
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 30 COSSACK Overview W W W W W W
31
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 31 COSSACK Overview W W W W W W
32
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 32 COSSACK Overview W W W W W W
33
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 33 COSSACK Overview W W W W W W
34
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 34 Can It Work? Victim-end detection is very accurate Source-end response effectively stops attack, minimizes collateral damage COSSACK should successfully detect and stop flooding attacks from protected networks May inflict collateral damage if attack is similar to legitimate traffic
35
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 35 Advantages And Limitations +Accurate detection at the victim, effective response at the source +No changes are required at client machines –Multicast communication is not scalable –Attacks from unprotected networks cannot be stopped –Collateral damage will be inflicted if attack is similar to legitimate traffic
36
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 36 DefCOM 1 Goal: detect the attack, rate-limit the attack traffic, forward legitimate traffic DefCOM nodes build an overlay network Three types of nodes: Alert generator – detect the attack, inform other nodes Classifier – separate legitimate from suspicious traffic, forward legitimate packets marked with legitimate mark, rate-limit suspicious packets, mark them with monitored mark Rate-limiter – rate limit all traffic to the victim, give the highest priority to legitimate, then to marked traffic Alert generators and classifiers deployed at the edge, rate-limiters deployed at the core 1 “Forming alliance for DDoS defense, ” Mirkovic, Robinson, Reiher, Kuenning, NSPW 2003
37
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 37 DefCOM Overview AG C C RL Alert Generator Rate-Limiter Classifier Overlay
38
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 38 DefCOM Overview AG C C RL Alert Generator Rate-Limiter Classifier Overlay
39
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 39 DefCOM Overview AG C C RL Alert Generator Rate-Limiter Classifier Overlay
40
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 40 DefCOM Overview AG C C RL Alert Generator Rate-Limiter Classifier Overlay
41
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 41 DefCOM Overview AG C C RL Alert Generator Rate-Limiter Classifier Overlay
42
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 42 DefCOM Overview AG C C RL Alert Generator Rate-Limiter Classifier Overlay
43
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 43 Can It Work? Victim-end detection is very accurate Source-end response effectively stops attacks Rate-limiters in the core handle attacks from networks that do not have classifier nodes Classifiers minimize collateral damage DefCOM should successfully stop flooding attacks, while guaranteeing good service to legitimate traffic
44
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 44 Advantages And Limitations +All actions are performed where they are most successful: +Accurate detection at the victim +Rate-limiting in the core +Traffic differentiation at the source +Selective response provides low collateral damage +Core nodes handle attacks from legacy networks +Overlay architecture provides scalability +Only a few deployment points are needed –Only effective with some core router deployment –Compromised overlay nodes can damage operation
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.