Presentation is loading. Please wait.

Presentation is loading. Please wait.

Using Routing and Tunnelling to Combat DoS Attacks Adam Greenhalgh, Mark Handley, Felipe Huici Dept. of Computer Science University College London

Published byDonald Hamilton Modified over 9 years ago

Similar presentations

Presentation on theme: "Using Routing and Tunnelling to Combat DoS Attacks Adam Greenhalgh, Mark Handley, Felipe Huici Dept. of Computer Science University College London"— Presentation transcript:

1 Using Routing and Tunnelling to Combat DoS Attacks Adam Greenhalgh, Mark Handley, Felipe Huici Dept. of Computer Science University College London http://nrg.cs.ucl.ac.uk/mjh/servernets.pdf

2 Background: Using Addressing to Combat DoS Attacks In previous work, we suggested that many of unwanted modes of operation of the Internet could be prevented by simple changes to the addressing architecture. http://www.cs.ucl.ac.uk/staff/M.Handley/papers/dos-arch.pdf Unfortunately these changes would be hard to deploy in practice.  Needs IPv6, HIP, large-scale agreement on the solution.

3 Towards deployable solutions. To be deployable in the near term, a solution needs to satisfy the following criteria:  Feasible with IPv4.  Use off-the-shelf hardware.  No changes to most Internet hosts.  No changes to most Internet routers.  Use existing routing protocols.

4 Towards evolvable solutions It is important that in providing short-term solutions we don’t sacrifice the future evolution of the Internet. Anything that goes in the middle of the network should be:  Application independent.  Impose minimal dependencies on transport protocols.

5 Goals Defend servers against DoS attacks.  Opt-in. Servers have to choose to be defended. Shut down unwanted traffic in the network as close to the source of that traffic as possible.  Server decides certain traffic is unwanted.  Requests traffic is shut down.  Network filters traffic. Only network filtering can defend against link-flooding attacks.

6 Very Simple Architectural Overview Place control points in the network that are capable of performing IP-level filtering.  Cause unwanted traffic to our servers to traverse these control points.  Provide a signalling mechanism to allow the servers to request certain traffic is filtered. Problem 1: How to determine which control point can shut down certain traffic? Problem 2: How to ensure that only the recipient of unwanted traffic can request its filtering.

7 Revised Architectural Overview Place control points in the network. Cause all traffic to server subnets to traverse at least one control point.  Control points mark the traffic with their identity. Receivers can see which control points are on the path from sender.  Can request correct control point to install filter.

8 Constraints To provide a protocol-independent solution, we must primarily work at the IP layer. The main IP-layer tools available to us are:  Addressing  Routing  Encapsulaton

9 Using these tools... Addressing  To identify server subnets. Routing  To limit and control the paths to the server subnets.  To direct traffic through control points near to the source of the traffic. Encapsulation  To record information about the control points traversed on the path from client to server.

10 Incremental Deployment First we’ll sketch out how servernets might be deployed in a single ISP.  Can only push back as far as ISP border.  Useful for large ISPs with many peering points, as attack has not yet fully converged. Next we’ll explain how cooperating ISPs can deploy multi-ISP servernets.  Greater benefits as pushback can be much closer to attack source.

11 S 12 Border Router Local Router Server ISP Network Normal ISP Routing E-BGP I-BGP + OSPF 3 Traffic Source

12 S 12 Server ISP Network Encapsulation E-BGP: Advertise S E-BGP Advertise S I-BGP 3 Traffic Source Monitor Request Filter

13 S 12 Server ISP Network Routing I-BGP Net S Nexthop D, “servernet” “no export” I-BGP Net S Nexthop D, “servernet” “no export” 3 D E1 E2 S not advertised E-BGP Net S Nexthop E1 E-BGP Net S Nexthop E1 E-BGP Net S Nexthop E2 E-BGP Net S Nexthop E2 Key Points: Only route from outside to S is via an encapsulator. Net D is not externally advertised at all. Key Points: Only route from outside to S is via an encapsulator. Net D is not externally advertised at all.

14 S 1 Server Routing for Internal Clients I-BGP Net S Nexthop D, “servernet” “no export” I-BGP Net S Nexthop D, “servernet” “no export” 3 D E1 E2 C Client Local DoS attack? OSPF: Net S via E1 OSPF: Net S via E1 OSPF: Net S via E2 OSPF: Net S via E2

15 S Server D1 R1 I-BGP Net S Nexthop D, “servernet” “no export” I-BGP Net S Nexthop D, “servernet” “no export” R2 I-BGP Net S Nexthop R1, “servernet” “servernet-transit” “no export” I-BGP Net S Nexthop R1, “servernet” “servernet-transit” “no export” Multi-ISP Servernets I-BGP Net S Nexthop R1, “servernet” “servernet-transit” “no export” I-BGP Net S Nexthop R1, “servernet” “servernet-transit” “no export” To rest of world (external clients) E-BGP Net S, R1 “servernet” “no export” E-BGP Net S, R1 “servernet” “no export”

16 S Server D1 R1 R2 Multi-ISP Servernets I-BGP Net S Nexthop R1, “servernet” “servernet-transit” “no export” I-BGP Net S Nexthop R1, “servernet” “servernet-transit” “no export” Client

17 Protection Provide defense against non-spoofed traffic for servers that opt-in.  Automatic mechanism reduces costs for ISP.  Lower collateral damage for ISP. Assumes a detection mechanism exists that can identify bad traffic sources. What about spoofed traffic?

18 Attack landscape Currently most DoS attacks are not spoofed.  No need to! Servernets change the landscape. Attackers will then need to:  Spoof source addresses.  Disguise their attack traffic to fly below the detection threshold.

19 Spoofing The existence of servernets would provide stronger motivation for deployment of ingress filtering.  Currently there’s limited gain from doing so. Servernet encapsulators are a natural place to perform source address validation.  Only current ways to do this are hacks, but future extensions to protocol stack could provide simple address authentication.  Eg. ICMP nonce-exchange.  This is a longer-term solution.

20 Implement and test the scheme in the lab.  Software implementation on fast PC hardware.  Goal is to encap/decap and firewall at 1Gb/s.  Already in progress (3 to 6 months). Deploy the scheme in the wild.  Industrial collaborators are most welcome. Future work

Download ppt "Using Routing and Tunnelling to Combat DoS Attacks Adam Greenhalgh, Mark Handley, Felipe Huici Dept. of Computer Science University College London"

Similar presentations

IPSec.

IPSec.
Secure Mobile IP Communication

Secure Mobile IP Communication
Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Firewall Configuration Strategies

Firewall Configuration Strategies
1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.

1 IP Security Outline of the session –IP Security Overview –IP Security Architecture –Key Management Based on slides by Dr. Lawrie Brown of the Australian.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.

Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University

A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Department Of Computer Engineering

Department Of Computer Engineering
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.
Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.

Edge Protection 111. The Old World: Network Edge Core routers individually secured Every router accessible from outside “outside” Core telnet snmp.

Similar presentations

Ads by Google