
1 The Role of Indirection and Diffusion in DDoS Defense Angelos D. Keromytis Network Security Lab Computer Science Department, Columbia University

2 NSL Capacity and Path Diversity
[Figure: link capacity from POTS/ISDN, T1, 10M Ethernet, OC3, OC12 up to OC192; arrows mark increasing traffic aggregation, increasing SW service deployment times, increasing preference for SW restriction to the control plane, more nodes, and decreasing cycles/bps]
- DDoS seems to be largely a last-3-hops problem
- Informal survey of ISPs shows 20-40 Gbps per POP
- Many redundant paths (some are better than the route-converged path!)
- Similar characteristics likely to hold for any future Internet
  - Unless we abandon the statistical mux model and adopt a single-authority/ISP model (think phone network)
- FiOS or similar network upgrades unlikely to significantly change the situation (wireless may make things worse!)
- Must be intelligent about traffic monitoring/admission/handling
- Intelligence inside the network is hard to come by

3 Indirection and Diffusion
- Send the traffic to the intelligence
  - Put the intelligence where you can (technology, cost/benefit, deployment limitations)
  - Intelligence can be pretty invasive, e.g., full-blown authentication, payment, CAPTCHA, attestation...
- Intelligence must not be a point of vulnerability
  - Scalable, distributed, restricted interface (attack surface)
  - But: still an easier proposition than doing the same at line speed inside the network
  - Diffusion helps to eliminate single points of failure
  - Challenges: interference, sensing, knowledge, guarantees?
- Intelligence must be efficient
  - Performance, reliability, low cost (shared & on-demand?)
  - Transparent vs. explicit intelligence/indirection
- Complement intelligence with simple in-network mechanisms
  - Routing, limited filtering abilities, deflections, ???
  - Use what you can, where it makes sense (to paraphrase e2e)

4 Simple Filtering

5 SOS/WebSOS [SIGCOMM2002, CCS2003]

6 Human-centric Authentication [CCS2003]

7 Diffusion [CCS2005]

8 Local Perimeter Establishment [IAMCOM2007]
- Limited-scope PushBack (inside home ISP only)
- Much simpler trust issues, pay-per-use possibility [ACNS2004]
- RSVP might do the trick, too...

9 Backup Slides

10 MOVE [NDSS2005]

11 MOVE [NDSS2005] Attack

12 MOVE [NDSS2005] Attack

13 Old fashioned DoS Attack

14 New Attack: Stalker Attack

15 New Attack: Stalker Attack

16 New Attack: Stalker Attack

17 New Attack: Stalker Attack

18 New Attack: Sweeping Attack

19 New Attack: Sweeping Attack

20 New Attack: Sweeping Attack

21 Latency with Diffusion
[Figure: end-to-end latency with client packet replication, overlay vs. direct]

22 Resilience & Latency
[Figure: end-to-end latency vs. node failure, for no replication, 1.5x, 2x and 3x client packet replication]

23 Resilience & Throughput
[Figure: throughput (KB/sec) vs. % node failure]
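The resilience plots on slides 21-23 measure what slide 3 argues qualitatively: replicating a client's packets across several overlay nodes removes single points of failure, at the cost of extra traffic. The following toy model is an added illustration, not code from the talk or from the SOS/WebSOS/MOVE systems it cites, and it rests on two assumptions that are mine rather than the slides': overlay nodes fail independently with probability p, and a replicated packet counts as delivered if any copy traverses a live node, with the receiver keeping the first copy to arrive. The path latencies and failure rates below are constructed inputs; fractional replication factors such as the 1.5x in slide 22 are not modelled.

```python
"""Toy model of client packet replication over an overlay (added example, not the
talk's code).  Assumptions that are mine, not the slides': overlay nodes fail
independently with probability p; a packet is delivered if at least one replica
reaches a live node; the receiver keeps the first copy to arrive and drops the rest."""
from fractions import Fraction
from typing import List, Sequence, Tuple


def delivery_probability(replicas: int, node_failure) -> Fraction:
    """P(at least one of `replicas` independently failing overlay nodes is alive).

    With no replication this is 1 - p, so the single node is a single point of
    failure; with r replicas the packet is lost only if all r nodes fail: 1 - p**r.
    """
    if replicas < 1:
        raise ValueError("need at least one replica")
    p = Fraction(node_failure)
    if not 0 <= p <= 1:
        raise ValueError("node_failure must be a probability")
    return 1 - p ** replicas


def expected_latency(path_latencies: Sequence[int], node_failure) -> Fraction:
    """Expected end-to-end latency of a *delivered* packet when the client sends one
    copy down each path in `path_latencies` (one overlay node per path) and uses the
    first copy that arrives.  The fastest surviving path wins, so replication also
    lowers latency as nodes die, which is the effect slide 22 plots."""
    p = Fraction(node_failure)
    r = len(path_latencies)
    delivered = 1 - p ** r
    if delivered == 0:
        raise ValueError("every path is dead; nothing is ever delivered")
    total = Fraction(0)
    for i, lat in enumerate(sorted(path_latencies)):
        # The i-th fastest copy arrives first exactly when the i faster paths'
        # nodes all failed (p**i) and this path's own node is alive (1 - p).
        total += Fraction(lat) * p ** i * (1 - p)
    return total / delivered  # condition on the packet being delivered at all


def sweep(path_latencies: Sequence[int],
          failure_pcts: Sequence[int]) -> List[Tuple[int, Fraction, Fraction]]:
    """Rows of (node failure %, delivery probability, expected latency) for one
    fixed set of replicated paths, i.e. one curve of the slide-22 style plot."""
    rows = []
    for pct in failure_pcts:
        p = Fraction(pct, 100)
        rows.append((pct, delivery_probability(len(path_latencies), p),
                     expected_latency(path_latencies, p)))
    return rows


if __name__ == "__main__":
    # Constructed inputs: made-up per-path latencies in ms, one overlay node per path.
    curves = (("no repl.", [35]), ("2x", [35, 40]), ("3x", [35, 40, 55]))
    failure_pcts = [0, 10, 25, 50]
    for label, paths in curves:
        for pct, deliv, lat in sweep(paths, failure_pcts):
            print(f"{label:>8} fail={pct:2d}%  delivered={float(deliv):.3f}"
                  f"  latency={float(lat):6.2f} ms")
```

Running the script prints one curve per replication factor. The no-replication curve loses packets linearly with node failure and never gets faster; the 2x and 3x curves keep delivering at 50% node failure and their conditional latency rises only slowly, because the receiver still usually gets a copy over the fastest surviving path. Real overlays add correlated failures and attacker-driven node selection (the stalker and sweeping attacks on the backup slides), which this independent-failure model deliberately ignores.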

