Published by Dominic Blevins. Modified over 10 years ago.
Slide 1: The Role of Indirection and Diffusion in DDoS Defense
Angelos D. Keromytis, Network Security Lab, Computer Science Department, Columbia University
Slide 2: Capacity and Path Diversity
[Figure: link capacity scale (POTS/ISDN, T1, 10M Ethernet, OC3, OC192, OC12); axes: increasing traffic aggregation, increasing SW service deployment times, increasing preference for SW, restriction to control plane, more nodes, decreasing cycles/bps]
- DDoS seems to be largely a last-3-hops problem
- Informal survey of ISPs shows 20-40 Gbps per POP
- Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future Internet
  - Unless we abandon the statistical mux model and adopt single-authority/ISP (think phone network)
- FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
- Intelligence inside the network is hard to come by
Slide 3: Indirection and Diffusion
- Send the traffic to the intelligence
- Put the intelligence where you can (technology, cost/benefit, deployment limitations)
- Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation...
- Intelligence must not be a point of vulnerability
  - Scalable, distributed, restricted interface (attack surface)
  - But: an easier proposition than doing the same at line speeds inside the network
  - Diffusion helps to eliminate single points of failure
  - Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient
  - Performance, reliability, low cost (shared & on-demand?)
- Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms
  - Routing, limited filtering abilities, deflections, ???
- Use what you can, where it makes sense (to paraphrase e2e)
Slide 4: Simple Filtering
Slide 5: SOS/WebSOS [SIGCOMM2002, CCS2003]
Slide 6: Human-centric Authentication [CCS2003]
Slide 7: Diffusion [CCS2005]
Slide 8: Local Perimeter Establishment [IAMCOM2007]
- Limited-scope PushBack (inside home ISP only)
- Much simpler trust issues, pay-per-use possibility [ACNS2004]
- RSVP might do the trick, too...
Slide 9: Backup Slides
Slide 10: MOVE [NDSS2005]
Slide 11: MOVE [NDSS2005] Attack
Slide 12: MOVE [NDSS2005] Attack
Slide 13: Old-fashioned DoS Attack
Slide 14: New Attack: Stalker Attack
Slide 15: New Attack: Stalker Attack
Slide 16: New Attack: Stalker Attack
Slide 17: New Attack: Stalker Attack
Slide 18: New Attack: Sweeping Attack
Slide 19: New Attack: Sweeping Attack
Slide 20: New Attack: Sweeping Attack
Slide 21: Latency with Diffusion
[Figure: End-to-End Latency with Client Packet Replication; series: Overlay / Direct]
Slide 22: Resilience & Latency
[Figure: End-to-End Latency vs Node Failure; series: No Repl., 1.5x, 2x, 3x]
Slide 23: Resilience & Throughput
[Figure: Throughput (KB/sec) vs % Node Failure]