DaaS: DDoS Mitigation-as-a-Service. 2011 IEEE/IPSJ International Symposium on Applications and the Internet. Authors: Soon Hin Khor & Akihiro Nakao. Speaker: 101065511 沈祈恩

Outline: INTRODUCTION, DESIGN, ARCHITECTURE, EVALUATION, CONCLUSION

INTRODUCTION
DaaS is a service that protects a server against all three types of Distributed Denial-of-Service (DDoS) attack:
– Arbitrary-packet attacks (network layer)
– Legit-user-mimicking attacks (application layer)
– Economic attacks (EDDoS)

INTRODUCTION
Most research concurs that having widely distributed Internet-edge or core intermediaries, which possess more resources than DDoS bots, receive traffic on behalf of a server is an effective technique against all three attack types.

INTRODUCTION
For defense against application-layer DDoS, a Proof-of-Work (PoW) mechanism lets legit clients (legits, for short) attain differentiated service based on the difficulty of the PoW "puzzles" they solve.
DESIGN
On-Demand Idle Resource Pool:
– DaaS's framework can recruit any existing or future system/service as an intermediary.
– Examples: IRC, Amazon's S3, forums.

DESIGN
Ephemeral Initial Channels:
– Channel: a named entity on an intermediary, e.g. a channel name on IRC or a storage bucket in S3.
– I-channel: an ephemeral initial channel.
– C-channel: a communication channel.

DESIGN
Prioritize traffic:
– Prioritize existing-connection traffic over initial-connection-request traffic.
– Prioritize among the initial connection requests using sPoW (self-proof-of-work), i.e. by puzzle difficulty.
ARCHITECTURE
DaaS consists of a framework and sPoW. It is implemented as DaaS name servers plus client-side and server-side components.
ARCHITECTURE (architecture diagram on the original slide; the following slides walk through the connection flow)
1. DaaS utilizes highly scalable Cloud #1 as a metered intermediary to protect a metered server in Cloud #2.
2. A client that wants to contact the server performs a DNS resolution to obtain the location of the client-side component on the CDN.
3. The client proceeds to download it, together with the server-side component's public key embedded in its SSL certificate.
4. The client-side component then performs a DaaS name resolution, specifying the server host name and the puzzle difficulty k, to obtain a crypto-puzzle for the server.
5. The DaaS name server forwards the puzzle request to the server-side puzzle generator.
6. The server-side component randomly creates an ephemeral i-channel.
7. The server encrypts the channel details and sends back both the encrypted details and the encryption key with k bits undisclosed as the crypto-puzzle.
8. The client-side component brute-forces the k bits, recovers the i-channel details, and submits an initial connection request through the i-channel; the request includes a randomly generated secret key, encrypted with the server-side component's public key.
9. If the initial connection request is not handled within a timeout period, the client can request a more difficult crypto-puzzle and re-submit the connection request through the resulting higher-priority i-channel.
10. The server-side component receives the initial connection request.
11. The server creates a c-channel.
12. The server encrypts the c-channel details using the client-generated secret key and sends them back to the client-side component.
13. The server also informs the name server to invalidate the cached puzzle associated with that consumed i-channel.
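The crypto-puzzle of steps 7 and 8 (encrypted i-channel details plus the key with k bits undisclosed), as an added example that is not code from the paper or the DaaS project. The SHA-256 keystream, the 128-bit key length and the short MAC that lets the client recognise the right key are assumptions; the deck does not specify the cipher or how a candidate key is verified.

```python
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, n: int) -> bytes:
    # Counter-mode keystream derived from SHA-256; stands in for a real stream cipher.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def make_puzzle(channel_details: dict, k: int) -> dict:
    """Server side: encrypt the i-channel details under a fresh 128-bit key and
    publish the ciphertext plus the key with its low k bits undisclosed."""
    key = os.urandom(16)
    ct = _xor(json.dumps(channel_details).encode(), key)
    # Assumption: a short MAC lets the solver recognise the correct key
    # (the deck does not say how the client verifies a candidate).
    tag = hmac.new(key, ct, hashlib.sha256).digest()[:8]
    partial = (int.from_bytes(key, "big") >> k) << k  # zero the k secret bits
    return {"k": k, "ct": ct, "tag": tag, "partial_key": partial.to_bytes(16, "big")}


def solve_puzzle(puzzle: dict) -> tuple:
    """Client side: brute-force the k undisclosed bits; returns (details, trials).
    Expected work doubles with each increment of k, which is what makes a
    higher-k i-channel worth a higher service priority."""
    k, base = puzzle["k"], int.from_bytes(puzzle["partial_key"], "big")
    for guess in range(1 << k):
        key = (base | guess).to_bytes(16, "big")
        cand = hmac.new(key, puzzle["ct"], hashlib.sha256).digest()[:8]
        if hmac.compare_digest(cand, puzzle["tag"]):
            return json.loads(_xor(puzzle["ct"], key)), guess + 1
    raise ValueError("no key matched: puzzle is corrupt")


if __name__ == "__main__":
    # Constructed i-channel details: an IRC channel name used as the rendezvous.
    details = {"intermediary": "irc", "channel": "#daas-7f3a9c"}
    puzzle = make_puzzle(details, k=12)
    recovered, trials = solve_puzzle(puzzle)
    print(recovered, "recovered after", trials, "key trials")
```

Because the server chooses the key and strips bits rather than making the client search for a hash prefix, puzzle generation costs the server one encryption per i-channel; the threat slides that follow discuss what happens when bots request puzzles they never solve.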
ARCHITECTURE
Hide DaaS server details:
– Achieved by using intermediaries and the multipath stack of the client/server-side components.

ARCHITECTURE
Enable any system/service to be used as an intermediary:
– Achieved by using a different intermediary plug-in for each system to carry communication between client and server.
ARCHITECTURE
sPoW Threats:
– Puzzle Generation Resource Exhaustion: bots request many puzzles without solving them, leading to 1. processing-power exhaustion and 2. network-connectivity exhaustion.
– Solution: channel sharing.

ARCHITECTURE
sPoW Threats:
– PoW Violation with Channel Sharing: clients can obtain high-priority service by reusing high-priority channels discovered by others.
– Solution: only the quickest puzzle solver succeeds in submitting a connection request.

ARCHITECTURE
sPoW Threats:
– Puzzle Level Inflation: attackers can inflate the puzzle difficulty by repeatedly requesting the most difficult puzzles, which leaves legit clients having to solve unnecessarily high-level puzzles to submit a connection request.
– Solution: the algorithm must track the puzzle-resolution capacity of the user base (legits and bots) within a designated period.
ARCHITECTURE
Puzzle Level Inflation:
– Detection algorithm: if the sum of the capacity required to solve all open puzzles in the current period exceeds the user-base puzzle-resolution capability estimated in the last period, that is a possible attack indicator.

Notation:
C: server capacity for i-channel handling.
r_t: capacity required to solve all unique puzzles for open i-channels in the current period.
s_{t-1}: estimated user-base capacity in the previous period.
k_lowest: the lowest protection level of the channel.
Attack indicator: r_t > s_{t-1}.
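The r_t > s_{t-1} indicator run over a constructed request stream, as an added example that is not the paper's own algorithm. Two assumptions are labelled in the code: a puzzle of difficulty k is costed at 2**k key trials, and s_{t-1} is estimated from the puzzles actually solved in the previous period; C and k_lowest from the slide are not used here because the deck does not say how they enter the decision.

```python
class InflationDetector:
    """Per-period bookkeeping behind the r_t > s_{t-1} indicator.
    Assumption: a puzzle of difficulty k costs 2**k key trials, so capacity is
    measured in key trials; s_{t-1} is estimated from the puzzles actually
    solved in the previous period (the deck does not fix either choice)."""

    def __init__(self):
        self.open_puzzles = {}   # puzzle_id -> k, unique puzzles for open i-channels
        self.solved_work = 0     # trials represented by puzzles solved this period
        self.s_prev = None       # s_{t-1}; unknown until one period has elapsed

    def issue(self, puzzle_id: str, k: int) -> None:
        # A cached/shared puzzle is keyed by id, so repeat requests count once.
        self.open_puzzles[puzzle_id] = k

    def solved(self, puzzle_id: str) -> None:
        # The i-channel is consumed and its cached puzzle invalidated.
        k = self.open_puzzles.pop(puzzle_id, None)
        if k is not None:
            self.solved_work += 2 ** k

    def required_capacity(self) -> int:
        # r_t: work needed to solve every unique open puzzle this period.
        return sum(2 ** k for k in self.open_puzzles.values())

    def inflation_suspected(self) -> bool:
        # r_t > s_{t-1}: open puzzles demand more than the user base managed last period.
        return self.s_prev is not None and self.required_capacity() > self.s_prev

    def end_period(self) -> None:
        self.s_prev, self.solved_work = self.solved_work, 0


def run_demo() -> tuple:
    """Constructed scenario: a quiet period, then bots requesting k=20 puzzles
    they never solve. Returns (indicator before bots, indicator after bots)."""
    d = InflationDetector()
    for i in range(10):                # period 1: ten legits each solve a k=12 puzzle
        d.issue(f"p{i}", 12)
        d.solved(f"p{i}")
    d.end_period()                     # s_{t-1} = 10 * 2**12 trials
    for i in range(10):                # period 2: same legit load
        d.issue(f"q{i}", 12)
        d.solved(f"q{i}")
    before = d.inflation_suspected()   # False: nothing left open
    for i in range(50):                # bots park 50 unsolved k=20 puzzles
        d.issue(f"bot{i}", 20)
    return before, d.inflation_suspected()
```

A single open puzzle whose 2**k exceeds the previous period's total solved work also trips the indicator, so the estimate needs several representative periods of warm-up before it is trusted.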
EVALUATION
(figure) Average transmission time of various file sizes through different intermediary types.

EVALUATION
(figure) Average transmission time of various file sizes through I3 and IRC when different percentages of multipaths fail due to congestion.
CONCLUSION
Contribution: employs sPoW, a unique scheme that enables legits to compete and reduces indistinguishable DDoS.
Advantages:
1. Shields the location of the server.
2. sPoW frees the server from the traffic-verification burden.
Disadvantages:
1. Does not give a clear explanation of how to utilize systems as intermediaries.
2. Many kinds of intermediary plug-ins have to be implemented.
3. Clients have to install many intermediary plug-ins.
4. Cost burden on other systems/services.

Thank you. Q&A