Presentation is loading. Please wait.

Presentation is loading. Please wait.

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

Published byBrent Hunt Modified over 9 years ago

Similar presentations

Presentation on theme: "MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA"— Presentation transcript:

1 MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA thomer@lcs.mit.edu Massimiliano Poletto Mazu Networks, Inc., Cambridge, MA, USA maxp@mazunetworks.com

2 Bandwidth attacks Maliciously generated traffic congests links Traffic is typically ICMP, UDP, or TCP IP spoofing: fake IP source addresses Distribution: multiple hosts pounding one victim

3 MULTOPS heuristic Drop packets from sources sending disproportionate flows Normal: proportional packet rates router Attack: disproportional packet rates router

4 Feb 2000: ICMP flood +MULTOPS identifies attackers’ addresses +MULTOPS drops packets from those addresses MULTOPS

5 Implementation challenges Precise identification of malicious addresses Small memory footprint Minimal impact on forwarding performance

6 Naive data-structure 0.0.0.0 18.26.4.9 18.26.4.10 255.255.255.255 00... 1892,450 474460... 02 to-ratefrom-rate 2 32 entries +Identifies individual attackers -Requires too much memory -Most entries are zero or insignificant -Total packet rate per subnet expensive to calculate

7 Less naive data-structure 0.0.0.0/8 18.0.0.0/8 19.0.0.0/8 255.0.0.0/8 00... 20,876309,988 518,234528,238... 0204 to-ratefrom-rate 256 entries +Requires little memory -May not detect small attacks -Prefixes very short; risky to use for dropping policy -Impossible to collect finer grained data

8 MULTOPS /8 subnets /16 subnets /24 subnets IP addresses +Provides packet rates on different aggregation levels +Expands and contracts dynamically +Disregards insignificant subnets and addresses +Memory efficient

9 Algorithm 18.0.0.0/8... 2,7462,986... to-ratefrom-rate... from-rate source: 130.37.24.4 destination: 18.26.4.9 source: 18.26.4.9 destination: 130.37.24.4

10 Expansion 642867150 IP address Update rate for 64.0.0.0/8 Update rate for 64.28.0.0/16; exceeds threshold: create child node Update rate for 64.28.67.0/24 in newly created node Nodes dynamically created to track finer grained packet rates

11 Contraction MULTOPS could run out of memory Attackers may cause this intentionally Impose absolute memory limit Contract stale parts of the tree periodically contract

12 Scenario +MULTOPS drops packets with malicious address prefix Collateral damage depends on length of address prefix MULTOPS

13 MULTOPS dropping decision Drop packet based on 2 criteria Packet rate > 100 packets per second, and Ratio > 1:3 Values determined through experimentation Thomer M. Gil: note: some applications that use non-TCP protocols display proportional behavior, e.g., DNS and NFS Thomer M. Gil: note: some applications that use non-TCP protocols display proportional behavior, e.g., DNS and NFS

14 Randomized source addresses Impossible to identify attackers’ addresses Easy to identify victim’s address Drop packets based on victim’s address 2 MULTOPS to stop both attack types Source-based MULTOPS: non-randomized attacks Destination-based MULTOPS: randomized attacks

15 Reverse orientation +MULTOPS drops packets going to victim +Victim’s network relieved from malicious traffic -MULTOPS drops benign packets going to victim MULTOPS

16 Performance MULTOPS implemented in Click, a modular router Forwarding speed inversely related to size of tree Forwards up to 825,000 packets per second Pentium III, 833MHz PC 256MB main memory, 256KB cache Better performance than reported in paper Simpler mechanism to compute packet rates

17 Cycles per packet for different attacks 16 MB 8 MB 2 MB

18 Status Enhanced MULTOPS used by Mazu Networks Has detected TCP floods on commercial networks Identified a single 8-bit malicious address prefix

19 Future work and problems Different ACK policies change ratio for valid traffic Not all Internet traffic is TCP Asymmetric routes MULTOPS must see traffic in both directions Requires distributed data collection

20 Related work Ingress/egress filtering (RFC2827) IP Traceback (Savage et al.) CenterTrack (Stone) Pushback (Bellovin et al.) RMON, Netflow (Cisco) MULTOPS is complementary

21 Conclusion MULTOPS identifies attacker/victim addresses Effectiveness depends on MULTOPS location on network Randomized source address MULTOPS successfully detects and stops attacks

Download ppt "MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA"

Similar presentations

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
1 o Two issues in practice – Scale – Administrative autonomy o Autonomous system (AS) or region o Intra autonomous system routing protocol o Gateway routers.

1 o Two issues in practice – Scale – Administrative autonomy o Autonomous system (AS) or region o Intra autonomous system routing protocol o Gateway routers.
Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,

Improving TCP Performance over Mobile Ad Hoc Networks by Exploiting Cross- Layer Information Awareness Xin Yu Department Of Computer Science New York University,
UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.

UNIT-IV Computer Network Network Layer. Network Layer Prepared by - ROHIT KOSHTA In the seven-layer OSI model of computer networking, the network layer.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
MOBILITY SUPPORT IN IPv6

MOBILITY SUPPORT IN IPv6
1 Controlling High Bandwidth Aggregates in the Network.

1 Controlling High Bandwidth Aggregates in the Network.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.

Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)
1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)
“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.

“On Scalable Attack Detection in the Network” Ramana Rao Kompella, Sumeet Singh, and George Varghese Presented by Nadine Sundquist.
DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.

DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.
© J. Liebeherr, All rights reserved 1 IP Multicasting.

© J. Liebeherr, All rights reserved 1 IP Multicasting.
ROUTING ON THE INTERNET COSC 6590 1 14-Aug-15. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.

ROUTING ON THE INTERNET COSC Aug-15. Routing Protocols  routers receive and forward packets  make decisions based on knowledge of topology.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Network Layer Moving datagrams. How do it know? Tom-Tom.

Network Layer Moving datagrams. How do it know? Tom-Tom.

Similar presentations

Ads by Google