Presentation is loading. Please wait.

Presentation is loading. Please wait.

John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878."— Presentation transcript:

1 John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff jtk@depaul.edu +01 312 362-5878

2 John Kristoff DePaul Security Forum 2003 1 DoS attack prevention is difficult Applications, hosts and networks are often significantly oversubscribed. Internet (data) traffic is naturally bursty on all time scales, thus discerning bad traffic from good can be hard. There is no one, easy thing to fix that will make the problem go away. Its been proposed that re-architecting the Internet is a solution, but no one wants to go through that pain.

3 John Kristoff DePaul Security Forum 2003 1 Visualizing DoS Attack Data

4 John Kristoff DePaul Security Forum 2003 1 Visualizing Bottlenecks

5 John Kristoff DePaul Security Forum 2003 1 What are the popular defenses? Block bogon, invalid and attack packets. Monitor traffic thresholds, patterns and trends. Rate limit traffic to help prevent oversubscription. Prevent end hosts from becoming DoS agents. Black hole victim hosts/networks. Maintain good incident response and support staff. As you might guess, no one defense solves it all.*

6 John Kristoff DePaul Security Forum 2003 1 In depth look at packet blocking Blocking invalid/bogon packets from reaching the net is generally considered a best practice. However, it may severely impact forwarding performance and be difficult to manage. Blocking on general attack characteristics may also block and break legitimate applications. Many ISPs mitigated the recent Slammer/Sapphire worm by temporarily blocking UDP port 1434 traffic.

7 John Kristoff DePaul Security Forum 2003 1 Traceback Enabled routers generate or encode trace information to the traced destination. Victims can use trace information to discover the real path back to the original source. Authentication, deployment and practical issues exist.

8 John Kristoff DePaul Security Forum 2003 1 Source path isolation engine Routers keep a hash of all packets passing through and send to a collector. To trace a packet, query the collector based on packet characteristics. SPIE can potentially trace a single packet. Significant scaling and deployment issues.

9 John Kristoff DePaul Security Forum 2003 1 Pushback A mechanism to signal downstream routers to aggressively drop/limit attack traffic. Routers must detect attack traffic. A similar problem shared by signature based filters. If attack traffic is widely distributed, pushback may be ineffective. IMHO, pushback and related techniques are the most interesting and elegant network-based solutions.

10 John Kristoff DePaul Security Forum 2003 1 Slammer/Sapphire the DoS attack

11 John Kristoff DePaul Security Forum 2003 1 Other defenses Legal action. Costly (in more ways than one) and problematic when crossing legislative borders. Mirror and distribute victims. Costly and management intensive. User education? Security Forum 2003! Thanks! Stop by for a visit at http://ntg.depaul.edu/rd/

Download ppt "John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Controlling High Bandwidth Aggregates in the Network.

1 Controlling High Bandwidth Aggregates in the Network.
Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff DePaul University Chicago, IL
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 7: Denial-of-Service Attacks.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Similar presentations

Ads by Google