Presentation is loading. Please wait.

Presentation is loading. Please wait.

Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego.

Published byBenjamin Cochran Modified over 11 years ago

Similar presentations

Presentation on theme: "Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego."— Presentation transcript:

1 Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego

2 State of the practice Spoofing mitigation –End host SYN cookies –RPF (sparse and loose) –TTL fingerprint filtering Filtering –/32 blackhole –Src address filtering –Dst-based offramp, scrub, re-inject (common features)

3 Framing the research problem Fundamentally two kinds of approaches –Filtering: filter out evil packets Ideally upstream from victim How to discern evil/good status –CAPTHAs, history, authentication »What if you dont receive pkts? How to attach to packets/requests –Identifiers, capabilities, ad hoc features –Diffusion: spread attack across surface Destination hiding + overlays Replication (e.g., Akamai)

4 The problem of federation How do you convince someone else (e.g., an ISP) to filter packets destined to you? –DoS threat from control channel Authenticity of request (secure routing helps here) Overload filtering mechanism (1M /32s) –What do I get out of doing this work for you?

5 Identifiers Basic idea –Characterize bad packets and record their identifiers –Filter based on those identifiers Almost all operational anti-DDoS is this –Dst filtering, src filtering, ttl filtering, cookie filtering, ttl filtering, etc. Life easier if we had a: –Reliable identifier –Naturally tied to source of attack

Download ppt "Network support for DoS Protection Stefan Savage Dept of Computer Science and Engineering UC San Diego."

Similar presentations

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June 28 2007.

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June
Architectural issues for network-layer identifiers Stefan Savage Dept of Computer Science & Engineering UC San Diego.

Architectural issues for network-layer identifiers Stefan Savage Dept of Computer Science & Engineering UC San Diego.
06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.

06-Sep-2006Copyright (C) 2006 Internet Initiative Japan Inc.1 Prevent DoS using IP source address spoofing MATSUZAKI ‘maz’ Yoshinobu.
 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,

 Dynamic policies o Change as system security state/load changes o GAA architecture  Extended access control lists  Pre-, mid- and post-conditions,
Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.

Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic.
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
Hacker’s tricks for online users to reveal their sensitive information such as credit card, bank account, and social security. Phishing emails are designed.

Hacker’s tricks for online users to reveal their sensitive information such as credit card, bank account, and social security. Phishing s are designed.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.

2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.

Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering.
Network Threats and Mitigation Networking Essentials Chapter 14 Spring, 2013.

Network Threats and Mitigation Networking Essentials Chapter 14 Spring, 2013.
Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.

Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.
Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.

Network Attacks. Network Trust Issues – TCP Congestion control – IP Src Spoofing – Wireless transmission Denial of Service Attacks – TCP-SYN – Name Servers.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Lesson 1: Understanding Browsers. This unit is a set of investigations into how to protect against digital threats, and how to detect digital crimes.

Lesson 1: Understanding Browsers. This unit is a set of investigations into how to protect against digital threats, and how to detect digital crimes.

Similar presentations

Ads by Google