Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004.

Published byKathleen Rogers Modified over 9 years ago

Similar presentations

Presentation on theme: "Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004."— Presentation transcript:

1 Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004

2 Why DDoS is hard to prevent Internet –Limited resources –Security highly interdependent

3 ISP? The problem with DDOS security is this: if you implement DDOS security, it does not protect your network, it merely prevents your network from harming others. Why would an ISP spend extra time and effort implementing a security protocol that was good for everyone else... but not for them? by simul, Kuro5hin.org (targeted by DDoS attacks), February 4, 2004

4 Defenses IP spoofing –Egress filtering –Keep routing state for each packet –New type of control message (ICMP) –Embed traceback information into IP header Bandwidth flooding –Use Overlay Networks to debug input –Push back to preserve bandwidth –Equip your host with gobs of bandwidth and the appliances can mitigate the effect

5 Problem Statement Use IP traceback to defend IP spoofing –Packets having the same routing path with the attacker packets will be dropped Challenges –The average Internet routing path length is around 15, so reconstruct the path will take 60 bytes –Where to put the traceback information?

6 PI Overview Model the Internet as a binary tree rooted at the victim node The router mark 0 or 1 in IP identification field based on past path information

7 IP Header Identification field (16 bits) –IP identification is only used for fragmentation, which constitutes less than 0.25% of the packets in Internet

8 Pi Marking - Basic Marking Scheme Marking Scheme –Each router marks n bits into IP Identification field Marking Location –TTL (mod 16/n) indexes location in field to mark Marking Function –Last n bits of hash (eg. MD5) of router IP address The following slides are adapted from Abraham Yaar’s Oakland 2003 slides

9 Pi Marking - Example

10 Pi Marking Scheme - TTL Attack Final TTL Pointer Final TTL Pointer Problem –Attacker shifts markings by modifying initial TTL Note - marking bits and order haven’t changed, just location in the marking field Solution –Victim uses final TTL to justify packet contents using bit rotation

11 Pi Marking - IP Fragmentation Problem –Mark values in IP Identification field breaks fragmentation Solution –Don’t mark packets that may ever get fragmented, or are fragments themselves –During DDoS attack, drop packets not satisfying this predicate

12 Pi Filtering – Basic Scheme Basic Scheme –Drop all packets with Pi marks matching that of any attack packets Assumption –Victim can identify attack packets Implementation Overhead –Memory: Bit vector of length 2 16 (8kB) if (BitVec[PiMark] == 0) then accept() else drop(); –Computation: O(1) per packet

13 Pi Filtering - Thresholds Problem –Single attacker causes multiple users’ rejections Solution –Assume, for a particular Pi mark, i: a i = number of attack packets u i = number of legitimate users’ packets –Victim chooses threshold, t, such that if: then all packets with Pi mark i are dropped

14 Experiment Results – Basic Filter DDoS protection –Accepted: 60% of user traffic 17% attacker traffic Downward slope due to “marking saturation” –All markings flagged as attacker

15 Experiment Results – Threshold Filter Thresholds Work! –Victim increases false positives to decrease false negatives Greater attack traffic requires greater threshold values

16 Comments Review of the goal –The same routing path yields the same marking –Different routing path has little probability to overlap Question –Why bother using rotated marking instead of a simple hash function?

17 DDoS Attacks IP spoofing Bandwidth flooding Back to Zhanxiang

Download ppt "Distributed Denial of Service CRyptography Applications Bistro Presented by Lingxuan Hu April 15, 2004."

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.

Stefan Savage, David Wetherall, Anna Karlin and Tom Anderson University of Washington- Seattle, WA Presented by Mohammad Hajjat- Purdue University Slides.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.

Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
15-441: Computer Networking Lecture 26: Networking Future.

15-441: Computer Networking Lecture 26: Networking Future.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
Examining IP Header Fields

Examining IP Header Fields
Path identification by hagay avraham the third Composers : Abraham Yaar,Adrian Perrig and Dawn Song.

Path identification by hagay avraham the third Composers : Abraham Yaar,Adrian Perrig and Dawn Song.
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

Similar presentations

Ads by Google