Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks. Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu.

1 Portcullis: Protecting Connection Setup from Denial-of-Capability Attacks
Bryan Parno, Dan Wendlandt, Elaine Shi, Adrian Perrig, Bruce Maggs, Yih-Chun Hu
Offense: Kiaie, A., Teng, X.

2 Outline
- Relevance
- Deployment
- Scalability

3 Relevance?
- Portcullis is not a solution to DoS
- Portcullis is a solution to a solution to DoS
- Assumes capability systems
- Weaknesses (from Monday):
  - Questionable scalability
  - Does not address the adaptive bandwidth issue
  - Questionable deployment plan

4 Relevance?
- Is TVA broken?
  - Portcullis authors argue TVA's capability setup is broken due to (non-working) fair queuing
  - However, the TVA paper, Section 5.4, Figure 11, demonstrates that a mechanism other than fair queuing, expiring capabilities, limits DoS attack effectiveness to 5 seconds
  - Not good enough?
- Conclusion: Portcullis solves a nonexistent problem?

5 Deployment?
- Portcullis requires modification of hosts and routers
- Section 6.1, Figure 3 has a nice graph evaluating full deployment
  - Modification of all hosts and routers
- Section 6.4, Figure 5 has a nice graph evaluating 'partial' deployment
  - Only ISPs upgrade routers
  - All hosts still need to be modified!
- Conclusion: Portcullis has no partial deployment, only partial partial deployment

6 Scalability?
Theorem 4.1. Under the Portcullis router scheduling policy … legitimate sender utilizing the Portcullis sending policy … successfully transmits a request packet in O(n_m) amount of time in expectation, regardless of the strategy employed by the adversary.
(n_m: the number of hosts the attacker controls)

8 Scalability?
- Attacker's goal: conquer and use n_m hosts such that O(n_m) > t, where t is the time after which the user gives up => effective DDoS

9-10 Scalability?
- Figure 3 shows a graph (looks more than linear) that says with 20000 attackers, t = 8s
- Median botnet size = 45000 (source, Thursday, February 16, 2006, 3:12 PM: http://www.washingtonpost.com/wp-dyn/content/article/2006/02/16/AR2006021601388.html)
- Assume linear: t(45000) = 45000*8/20000 = 18s
- Would you give up and go elsewhere if after 18s the page has not loaded?
- Conclusion: Portcullis has a scalability problem? The median is likely to be > 45000 now in 2008
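The O(n_m) guarantee on slide 6, the attacker's goal on slide 8 and the linear extrapolation above all rest on the same quantity: how the legitimate sender's wait grows with the number of attacking hosts. The block below is an added toy model written for this critique; it is not code from the Portcullis paper or from the presenters. It assumes a simplified version of the paper's setting (one bottleneck router that forwards `capacity` request packets per time slot, highest puzzle level first; a level-L puzzle costing 2**L units of work; every host computing one unit per slot; the legitimate sender raising its level by one after each failed attempt). All function names and parameters are this example's own.

```python
import math

# Simplified model (an assumption for this example, not the paper's exact
# setting): a single bottleneck router forwards `capacity` request packets
# per time slot and takes the packets with the highest puzzle level first.
# A level-L puzzle costs 2**L units of work; every host, honest or
# malicious, computes one unit per slot.


def attacker_sustainable_level(n_m: int, capacity: int) -> int:
    """Highest puzzle level at which n_m attacking hosts can fill all
    `capacity` forwarding slots in every time slot.  Returns -1 when they
    cannot even fill the link with level-0 (free) puzzles."""
    if n_m < capacity:
        return -1
    # need capacity * 2**L <= n_m  =>  L <= log2(n_m / capacity)
    return int(math.floor(math.log2(n_m / capacity)))


def legit_time_to_success(n_m: int, capacity: int) -> int:
    """Time slots until a legitimate sender gets one request through,
    starting at level 0 and raising the level by one after each failure
    (the sending policy assumed in this model)."""
    blocked_up_to = attacker_sustainable_level(n_m, capacity)
    elapsed, level = 0, 0
    while True:
        elapsed += 2 ** level          # work to solve a level-`level` puzzle
        if level > blocked_up_to:      # attacker cannot crowd this level out
            return elapsed
        level += 1


def attackers_needed(patience: int, capacity: int) -> int:
    """Smallest n_m for which the legitimate wait exceeds `patience` slots:
    slide 8's attacker goal, read from the defender's side as the botnet
    size a deployment must be able to absorb."""
    n_m = 1
    while legit_time_to_success(n_m, capacity) <= patience:
        n_m += 1
    return n_m


def linear_bound_holds(capacity: int, max_hosts: int) -> bool:
    """Checks the O(n_m) claim inside this model: the wait never exceeds
    4 * n_m / capacity + 1 slots for any botnet size up to max_hosts."""
    return all(
        legit_time_to_success(n, capacity) <= 4 * n / capacity + 1
        for n in range(1, max_hosts + 1)
    )


if __name__ == "__main__":
    # The deck's two botnet sizes, with a constructed router capacity of
    # 1000 request packets per slot.
    for hosts in (20000, 45000):
        print(hosts, "attackers ->", legit_time_to_success(hosts, 1000), "slots")
    print("hosts needed to exceed 18 slots at capacity 1:", attackers_needed(18, 1))
```

In this model 20000 attackers cost the legitimate sender 63 slots and 45000 cost 127, a ratio of about 2 for a 2.25x larger botnet, which is the linear growth Theorem 4.1 promises and the assumption behind the deck's 18 s figure; whether the real Figure 3 curve is linear or steeper, as the slide suspects, is exactly what the critique asks the reader to check.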

11 Scalability?
"Our second result states that for any scheduling policy and any sending algorithm, a legitimate sender cannot perform better than the guarantee provided by Theorem 4.1."

12 Scalability?
- Interpretation 1: We are on the way to destruction. We have no chance to survive, make our time.

13 Scalability?
- Interpretation 2: The big contribution of this paper is to show that we should not rely on a scheduling policy and a sending algorithm to solve the DoS/DoC problem?

14 Summary
Portcullis:
- Questionable relevance
- Questionable deployment plan given the huge cost-benefit ratio (benefit is small)
- Questionable scalability
