Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1/24 Denial of Service Elusion (DoSE): Keeping Clients Connected for Less Paul Wood, Christopher Gutierrez, Saurabh Bagchi School of Electrical and.

Published byLoraine Stevenson Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1/24 Denial of Service Elusion (DoSE): Keeping Clients Connected for Less Paul Wood, Christopher Gutierrez, Saurabh Bagchi School of Electrical and."— Presentation transcript:

1 Slide 1/24 Denial of Service Elusion (DoSE): Keeping Clients Connected for Less Paul Wood, Christopher Gutierrez, Saurabh Bagchi School of Electrical and Computer Engineering Department of Computer Science Purdue University Presentation available at: engineering.purdue.edu/dcsl

2 Slide 2/24 Outline Problem Motivation Prior Work DoSE Overview Experimental Results Conclusions

3 Slide 3/24 Denial of Service: The Lingering Threat Attacks almost impossible to stop at end users

4 Slide 4/24 Ease of Attack IP + Click

5 Slide 5/24 Attack and Defense Costs $2.99 for an attack Source: liquidweb.com/services/ddos.html $1800 for defense

6 Slide 6/24 Commercial Proxy Service Limitations HTTP/HTTPS Only (No TCP/UDP apps) Server IP leakage: During large attacks DMCA Complaints

7 Slide 7/24 Prior Work for DoS Protection: Overlay Networks Source: Angelos D. Keromytis, Vishal Misra, and Dan Rubenstein. 2002. SOS: secure overlay services. SIGCOMM Comput. Commun. Rev. 32, 4 (August 2002), 61-72. Protection via Proxy/Relay Lacks entry point (SOAP) management, beacon management DoSE: Cloud-Based Relay Management

8 Slide 8/24 Prior Work: MOTAG Q. Jia, H. Wang, D. Fleck, F. Li, A. Stavrou, and W. Powell, “Catch me if you can: A cloud-enabled ddos defense,” in Dependable Systems and Networks (DSN), 2014 Subject to DDoS 1000 Replicas DoSE: Cost-Effective Replica Management

9 Slide 9/24 DoSE Goals Cost-Conscious Defense –Repel DDoS-as-a-Service Self-owned cloud resources –No DMCA leak Commodity Service Usage –No load-balancer customization –Off-the-shelf cloud components

10 Slide 10/24 DoSE Overview Clients access Protected Services via Relays Relays are assigned via CDN Interface Attacks are filtered in remote datacenters

11 Slide 11/24 DoSE Overview Assumptions: CDN DoS-Proof Independent Relay Faults Protected Service IP hidden

12 Slide 12/24 Attacker Model

13 Slide 13/24 Relays EC2 Instances Goals: Hide protected service IP (Relay) Shield service from attacks (Firewall)

14 Slide 14/24 Client Assignment Service Goal: Resilient Client-Relay Assignments Puzzles rate-limit assignments (repeat attacks)

15 Slide 15/24 Attack Mitigation: Risk Assignment Risk: Likelihood client is malicious Risk-Proportional Relay Assignment One unit of risk evenly divided Attacker eventually singled Problem: Growth in the number of relays for ON-OFF attacks Solution: Consolidate number of relays using a parameter

16 Slide 16/24 Cost Reduction via Consolidation Consolidation

17 Slide 17/24 Controlling # Relays versus Speed of Attacker Identification Cumulative Risk per Attack (CRPA) Risk per Relay (RPR) CRPA=1 RPR=0.5 CRPA/RPR=2 CRPA=1 RPR=0.25 CRPA/RPR=4

18 Slide 18/24 Experimental Results: Defending Against Single Attacker Agent-Based MATLAB solution (Open Source release on github) Relay Start Time: 40s CPRA/RPR=3 1000 Clients Single Attack Source UDP Stream 1.Attacker identified in 300 seconds 2.Majority of clients kept online during attack

19 Slide 19/24 Defending Against Single Attacker: Cost Attacker found in 3 rounds 1000 clients CRPA/RPR=30 21 Relays Consumed $0.07 EC2 Spot (Micro) Higher CPRA Faster isolation Lower CRPA Economic sustainability Attacker identified faster with larger CRPA/RPR

20 Slide 20/24 Repeated Attacks Clients:Attackers = 100:1 New clients every 1.6 s Connected for 400 s New attacks every 160 s Fresh insiders Risk-history minimizes disruptions for connected clients

21 Slide 21/24 Success with Larger Attacks 300 Attackers = $0.47 DoSE is cost effective and efficient for most sizes of attacks

22 Slide 22/24 Comparison w/ MOTAG DoSE is less costly and more effective than MOTAG for small attacks

23 Slide 23/24 Costs Assignment and Relays –$2-9/Relay per Month (x3) –$0.008 per 5000 assigns Attack Mitigation –$0.07-$0.47 per Attack Commercial –$1800+ for UDP/TCP MOTAG –$2000+ for 1000 Relays –Additional $ for IP release Retransmission Bandwidth Costs –$0.09/GB –$0.02/GB if Service in Cloud

24 Slide 24/24 Conclusion Low Cost –$0.07-$0.47 Defense/Attack –$2.99+ to launch attack Off-the-Shelf –Unmodified CDN –Simple Linux relays

25 Slide 25/24 Stopping Large Attacks Attack Absorbed by Full Relay Exposure

Download ppt "Slide 1/24 Denial of Service Elusion (DoSE): Keeping Clients Connected for Less Paul Wood, Christopher Gutierrez, Saurabh Bagchi School of Electrical and."

Similar presentations

October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.

October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.
Slides mostly by Sherif Khattab 1 Denial-of-Service [Gligor, 84] ``A group of otherwise-authorized users of a specific service is said to deny service.

Slides mostly by Sherif Khattab 1 Denial-of-Service [Gligor, 84] ``A group of otherwise-authorized users of a specific service is said to deny service.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
Secure Lync mobile Authentication

Secure Lync mobile Authentication
Secure SharePoint mobile connectivity

Secure SharePoint mobile connectivity
The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.

How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Ao-Jan Su and Aleksandar Kuzmanovic Department of EECS Northwestern University Thinning Akamai USENIX/ACM SIGCOMM IMC ’08.

Ao-Jan Su and Aleksandar Kuzmanovic Department of EECS Northwestern University Thinning Akamai USENIX/ACM SIGCOMM IMC ’08.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Chapter 11 Firewalls.

Chapter 11 Firewalls.
MIDDLEWARE SYSTEMS RESEARCH GROUP A Taxonomy for Denial of Service Attacks in Content-based Publish/Subscribe Systems Alex Wun, Alex Cheung, Hans-Arno.

MIDDLEWARE SYSTEMS RESEARCH GROUP A Taxonomy for Denial of Service Attacks in Content-based Publish/Subscribe Systems Alex Wun, Alex Cheung, Hans-Arno.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.

J. Wang. Computer Network Security Theory and Practice. Springer 2008 Chapter 7 Network Perimeter Security.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.

Paul Solomine Security of P2P Systems. P2P Systems Used to download copyrighted files illegally. The RIAA is watching you… Spyware! General users become.
PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

Similar presentations

Ads by Google