Presentation is loading. Please wait.

Presentation is loading. Please wait.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Published byLeona Mitchell Modified over 9 years ago

Similar presentations

Presentation on theme: "Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS."— Presentation transcript:

1 Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS

2 What is a Denial of Service Attack? Goal: make a service unusable. How: overload a server, router, network link. Focus: bandwidth attacks (“trinoo”, “tfn”).

3 Logical View of Attack Net Attacker Master Victim Slave Control Traffic Attack Traffic

4 Attack Targets App O/S Other Customers Other ISPs Customer’s LAN Customer’s Router ISP Router Link Host

5 Attacks use IP Packets IP Header: Source Address Destination Address User Data Routers forward each packet independently. Routers don’t know about connections. Complexity is in end hosts; routers are simple.

6 Outline Case study: Yahoo. –What happened. –Analysis. Our framework for defense: RON.

7 Case Study: Yahoo Attack Early February 2000. Took Yahoo off the net for hours.

8 Yahoo’s Point of View ISP Router Yahoo’s Router 1 Gbit/second of Ping Response packets. www.yahoo.com

9 Yahoo Attack Overview Yahoo’s ISP Yahoo Other ISPs Co-location Centers

10 Attack Packet Generation Co-location Center MS1S2…Sn Internet Ping, DST=bcast, SRC=Yahoo Ping Responses, DST=Yahoo Leader Slaves

11 What did the attack depend on? Pervasive insecure hosts. Fake IP source addresses. Use of hosts as amplifiers. Weak router software. Difficulty of diagnosis.

12 Pervasive Insecure Hosts Required for disguise and to generate enough traffic. How do they break in? –Buffer overruns. –Typically Solaris and Linux. –Highly automated. Defenses? –Better programming practices. –Disable services by default. –Firewalls, intrusion detection. –Motivation for deployment is not strong.

13 Fake IP Source Addresses Two uses: –Hide the source of attack. –Part of weapon. Example: SYN flooding. Defense: –Ingress/egress filtering. –But motivation for deployment is not strong.

14 Ingress Filtering ISP 1 ISP 3 ISP 2 Site 1 Victim Site 2 Attacker SRC=Site2

15 Use of Hosts as Amplifiers Attackers need this: –To avoid using their own machines. –To generate lots of traffic. –To avoid detection via load monitoring. Two approaches: –Break into 1000s of machines. –Trick legitimate machines into generating traffic.

16 Weak Router Software Routers themselves are often victims. Why? –Forwarding and management compete for CPU. –Control and data traffic compete for net b/w. Solutions? –Simplify and partition.

17 Difficulty of Diagnosis Very little automatic support for traffic analysis and correlation. –Is the high load legitimate? –What does the attack consist of? –Where does the attack come from? –How ask upstream routers to discard attack packets? Defense: distributed analysis system.

18 Why are these attacks easy? Internet built around end-to-end principle: –Most functions done by end hosts. –Examples: reliable delivery. Advantages: –Simplifies network core. Example: IP packet forwarding. Example: it’s easy to start an ISP. –Anyone can introduce new services. Result: lots of innovation.

19 Why is defense hard? End-to-end principle conflicts with: –Centralized control. –Centralized monitoring. –Separation of data from control traffic. –Mandatory authentication. –Mandatory accounting.

20 RON Project End-to-end framework for: –Cooperative statistics collection. –Cooperative reaction to attacks. –Fault-tolerant control and data routing. How: resilient overlay network (RON). Funded by DARPA/IA/FTN.

21 What is an Overlay Network? ISP1 ISP2 N1 N4 N3 N5 N2 Better routing functions built in end hosts. Can be used to build distributed defenses.

22 Why Distributed Defenses? Presence of attack obvious near victim. –Not obvious near sources of attack. –But control is easier near sources. Identifying attackers requires cooperation. –Asymmetric routing. –Fake source addresses.

23 Why Distribution is Hard RON itself is a target. Authorized communication between RON nodes. Bandwidth attacks on RON nodes. Application-level DoS attacks. Political / deployment problems. –Needs cooperation? Or single-organization?

24 Monitoring Scenario Backbone B1 Backbone B2 N1 N4 N3 N5 N2 Attacker Victim 1. Measure 2. Communicate 3. Control

25 Fault-Tolerant Routing Use Internet to connect multiple sites. Inter-ISP routing: –Ignores link quality. –Ignores many available paths due to policy. –Chooses only one path. –Reacts slowly. RON allows end-system control of routing.

26 Fault-tolerant Routing (2) Backbone B1 Backbone B2 Peering Point Q N1 N4 N3 N5 Peering Point P N2 Attacker

27 Peer-to-Peer Networking Multi-organization overlays. Early work: Gnutella and FreeNet. –Data replicated at many sites. –Queries traverse reliable overlay. –Explicit protection of virtual infrastructure.

28 Summary Raise the bar: –Improve host security. –Make it hard to fake IP addresses. Experiment with RON-like and peer-to-peer architectures.

Download ppt "Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS."

Similar presentations

L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

L. Alchaal & al. Page Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.

Net security - budi rahardjo Overview of Network Security Budi Rahardjo CISCO seminar 13 March 2002.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 6 Overlay Networks CPE 401/601 Computer Network Systems slides are modified from Jennifer Rexford.

Lecture 6 Overlay Networks CPE 401/601 Computer Network Systems slides are modified from Jennifer Rexford.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Security Firewall Firewall design principle. Firewall Characteristics.

Security Firewall Firewall design principle. Firewall Characteristics.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey

Firewalls1 Firewalls Mert Özarar Bilkent University, Turkey
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
The End of Internet Architecture Author: Timothy Roscoe Presented by Gross, Zhaosheng Zhu.

The End of Internet Architecture Author: Timothy Roscoe Presented by Gross, Zhaosheng Zhu.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
1CS 6401 Peer-to-Peer Networks Outline Overview Gnutella Structured Overlays BitTorrent.

1CS 6401 Peer-to-Peer Networks Outline Overview Gnutella Structured Overlays BitTorrent.
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

Similar presentations

Ads by Google