Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

2 Outline: Background; Cluster-Based Mitigation Framework; Properties; Conclusion and Future Work

3 Outline: Background; Cluster-Based Mitigation Framework; Properties; Conclusion and Future Work

4 DDoS Attacks: Flooding packets to the victim to deplete key resources (bandwidth).

5 Solutions in the literature: IP Traceback [SIGCOMM 2000]; Secure Overlay [SIGCOMM 2002]; Network Capability [SIGCOMM 2005]

6 Targets of the network DDoS are not only end hosts, but also the core network. Who has the responsibility and the knowledge to control the traffic? "We have capabilities"

7 Centralized Control vs. Distributed Control: unique unbounded power entity vs. every node gets involved in the control. Two sides of the trade-off: either impractical or serious drawbacks.

8 Human analogy: Exit and Entry Control. A citizen of one country needs a passport and a visa to go to another country.

9 Exit and Entry Control: can also define different levels of granularity.

10 Outline: Background; Cluster-Based Mitigation Framework; Properties; Conclusion and Future Work

11 CluB: A Cluster Based Framework for Mitigating DDoS Attacks. Deals with the DDoS problem by filtering malicious traffic in a distributed manner; adjusts the granularity of control (e.g. Autonomous System level). Each cluster can adopt its own security policy. Packets need valid tokens to exit, enter, or pass by different clusters. Challenges: How are the permissions issued? How is the permission control carried out? How is the permission implemented?

12 Architecture of CluB: Coordinator; Checking routers; Egress checking; Ingress checking; Backbone routers. Clusters have secret codes to generate valid tokens for the packets. Token generation is designed to resist replay attacks.

13 Architecture of CluB

14 Architecture of CluB

15 Architecture of CluB

16 Architecture of CluB: The secret code of each cluster changes periodically. To avoid making checking routers targets of DDoS attacks, the checking routers also change periodically.

17 Properties. Effectiveness: analytically show the limit for probability that malicious packets reach the victim. With 32-bit authentication codes, < 10^-18. (Figure labels: C1, C2, C3, C4.) Robustness: we analytically bound the impact of directed flooding attacks to checking routers.
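
The token check described on slides 12 and 16, with the 32-bit code length from slide 17, as an added Python example that is not code from the presentation or the CluB authors. The slides do not say how tokens are built, so the truncated HMAC-SHA256 construction, the per-packet nonce, the epoch counter and the names `make_token`, `ClusterChecker` and `blind_guess_probability` are all assumptions.

```python
import hashlib
import hmac

TOKEN_BITS = 32  # code length taken from the Properties slide

def make_token(secret: bytes, epoch: int, src: str, dst: str, nonce: bytes) -> bytes:
    """Assumed construction: HMAC-SHA256 over epoch, flow and nonce, truncated."""
    msg = b"|".join([epoch.to_bytes(8, "big"), src.encode(), dst.encode(), nonce])
    return hmac.new(secret, msg, hashlib.sha256).digest()[: TOKEN_BITS // 8]

class ClusterChecker:
    """Hypothetical checking router holding its cluster's current secret code."""
    def __init__(self, secret: bytes):
        self.secret, self.epoch, self.seen = secret, 0, set()

    def rotate(self, new_secret: bytes) -> None:
        """Periodic secret change: old tokens stop verifying, replay cache resets."""
        self.secret, self.epoch, self.seen = new_secret, self.epoch + 1, set()

    def issue(self, src: str, dst: str, nonce: bytes) -> dict:
        token = make_token(self.secret, self.epoch, src, dst, nonce)
        return {"src": src, "dst": dst, "epoch": self.epoch, "nonce": nonce, "token": token}

    def check(self, pkt: dict) -> str:
        if pkt["epoch"] != self.epoch:
            return "drop: stale epoch"
        good = make_token(self.secret, pkt["epoch"], pkt["src"], pkt["dst"], pkt["nonce"])
        if not hmac.compare_digest(good, pkt["token"]):  # constant-time comparison
            return "drop: bad token"
        if pkt["nonce"] in self.seen:  # only authenticated nonces enter the cache
            return "drop: replay"
        self.seen.add(pkt["nonce"])
        return "forward"

def blind_guess_probability(checks: int) -> float:
    """Assumption: each check is an independent uniform guess; not the paper's analysis."""
    return 2.0 ** (-TOKEN_BITS * checks)

def demo() -> list:
    # Constructed sample traffic; addresses come from documentation ranges.
    egress = ClusterChecker(b"constructed-secret-epoch0")
    pkt = egress.issue("192.0.2.10", "198.51.100.7", b"\x00\x01")
    forged = dict(pkt, token=bytes([pkt["token"][0] ^ 1]) + pkt["token"][1:])
    results = [egress.check(pkt), egress.check(pkt), egress.check(forged)]
    egress.rotate(b"constructed-secret-epoch1")
    results.append(egress.check(pkt))
    return results

if __name__ == "__main__":
    print(demo(), blind_guess_probability(2))
```

Under the stated independence assumption, a random token passing two 32-bit checks (for example egress and ingress) has probability 2^-64, about 5.4 x 10^-20, which is below the figure quoted on the slide.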

18 Controlling the Granularity of Clusters: Security; Processing load; Traffic Stretch; Path Diversity

19 Security and Processing Load: High processing load needs more checking routers. More checking routers raise security risk.

20 Traffic Stretch: Fewer checking routers will bring higher traffic stretch. (Figure label: the tour for checking.)

21 Path Diversity: Bigger cluster size will reduce the path diversity; however, it may raise the security risk. (Figure labels: probability of path changing; security risk.) Assumption: bigger cluster size implies more physical links between neighbor clusters.

22 Conclusion and Future Work: Integrated solutions may be needed to achieve better filtering against malicious traffic: accurate identification; efficient filtering. Trade-offs between efficiency/overhead and security level.

23 Conclusion and Future Work: Holistic study of the parameters. Partial deployment investigation. Change and adjust the structures and sizes of the clusters dynamically.

24 The End. Thank You.
