
CenterTrack An IP Overlay Network for Tracking Denial-of-Service Floods Robert Stone Internet Security Engineer UUNET Technologies NANOG17 October 5, 1999.


1 CenterTrack: An IP Overlay Network for Tracking Denial-of-Service Floods. Robert Stone, Internet Security Engineer, UUNET Technologies. NANOG 17, October 5, 1999.

2 Copyright 1999, UUNET Technologies. Problem
- Malicious individuals frequently launch Denial-of-Service flood attacks using bogus (spoofed) source addresses, so the source address in the packets says nothing about where they entered the network.
- Ingress filtering is extremely difficult in large networks.
- Tracking DoS attacks is difficult on large networks with high-speed, cutting-edge, very busy routers.

3 Definitions
- Input debugging is any feature that allows one to determine on which interface packets matching a particular pattern were received as input to a router.
- A tracking hop is an individual use of input debugging on a router.

4 Possible Solutions: Hop-by-hop tracking
- Requires input debugging on every router.
- At most requires d tracking hops, where d is the maximum hop diameter of the backbone.
- Used by DoSTrack.
(Diagram: the attack path from attacker a to victim v, traced one router at a time.)

5 Possible Solutions: Per-interface traffic flow monitoring
- Requires a traffic flow monitoring feature at the edge.
- For large networks, requires many data collectors in the field.
- LOTS of data!
- No "hops", but the collectors must be queried.
(Diagram: attacker a, victim v, and flow collectors c at the edge.)

6 Possible Solutions: Hop-by-hop using an overlay network
- Requires input debugging and IP tunnel support on edge routers and on special "CenterTrack" routers.
- Traffic for the victim is rerouted through the overlay network.
- Never requires more than d_t + 1 tracking hops, where d_t is the hop diameter of the overlay network.
(Diagram: IP tunnels from the edge routers to the CenterTrack routers; attacker a, victim v.)

7 Why CenterTrack?
- The required features and resources exist today in commercially available router hardware and software.
- Requires a relatively small amount of extra hardware.
- Also allows for packet capture at a smaller number of locations.

8 Network Map
(Diagram: two hubs. Transit routers TR1.HUB1 and TR1.HUB2, core routers XR1.HUB1 and XR1.HUB2, edge routers GW1.HUB1, GW2.HUB1, GW1.HUB2 and GW2.HUB2 in the backbone AS; CenterTrack routers CT1.HUB1 and CT1.HUB2 in a separate AS. The two ASes are labelled AS 65445 and AS 65444. Tunnels between the CT routers and the edge routers are drawn over the Layer 2 links.)

9 Inter-CT Tunnels
(Diagram: CT1.HUB1 and CT1.HUB2 connected by a tunnel over the Layer 2 network; AS 65445 and AS 65444 labelled as on the network map.)
- P-Loopback: Primary Loopback, used for tunnel termination.
- OL-Loopback: Overlay Loopback, used instead of the tunnel interface address.

10 Inter-CT Tunnel Routing
(Diagram: CT1.HUB1 and CT1.HUB2 over the inter-CT tunnel, each with a P-Loopback and an OL-Loopback. The tunnel carries IS-IS between the CT routers and an IBGP session between their overlay loopbacks.)

11 CT-to-Edge Tunnels
(Diagram: a tunnel between CT1.HUB1 and edge router GW1.HUB1 over the Layer 2 network, AS 65445 and AS 65444 as on the network map. Each end has a P-Loopback and an OL-Loopback.)
- The Overlay Loopback is statically routed through the tunnel.

12 CT-to-Edge Tunnel Routing
(Diagram: an EBGP session between CT1.HUB1 and GW1.HUB1 across the tunnel, between their overlay loopbacks.)
- CT side: deny all announcements from the GW. Announce all local routes except the Primary Loopbacks.
- GW side: accept all routes from the CT and set local preference high. Don't announce anything.

13 Using CenterTrack
(Diagram: edge routers GW1.HUB1, GW2.HUB1, GW1.HUB2, GW2.HUB2 and CenterTrack routers CT1.HUB1, CT1.HUB2 with their tunnels over the Layer 2 network, AS 65445 and AS 65444 as on the network map. Static routes for the victim are added.)

14 Using CenterTrack
(Diagram: same topology, with the attacker and the victim shown. Once the victim's static routes are in place, the attack traffic takes a new path through CenterTrack: from the edge router where it enters, through the tunnel to a CT router, across the overlay, and out to the victim.)

15 CenterTrack Design Points
- IP tunnels
  - Unaffected by Layer 2 changes.
  - Dynamic routing is more difficult.
  - Lack of IP tunnel support on some routers.
- BGP
  - Better administrative control than an IGP.
  - Less dangerous.

16 Scalability Issues
(Chart: CT router adjacencies required, y-axis 0 to 220, against the number of edge routers, x-axis 200 to 2000, with one line per number of CT routers: 10, 15, 20, 30 and 100, all in a single full mesh.)

17 Scalability Issues
(Chart: limit on the number of edge routers, y-axis 0 to 40000, against CT router capacity in adjacencies, x-axis 40 to 200, for a single full mesh versus a two-level hierarchy with a single top-level router.)
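The two scalability charts on slides 16 and 17 give curves but no formula. The following added example, which is not part of the original presentation, puts one natural adjacency model behind them so the shapes can be reproduced and the two designs compared for a given router. Everything in it is an assumption: that each edge router is tunnelled to exactly one CT router, that edge routers are spread evenly over the CT routers, and that a CT router's "adjacencies" are its tunnel/BGP peers (the other CT routers it meshes with plus the edge routers it serves). In a two-level hierarchy the single top-level router peers only with second-level CT routers, each of which spends one adjacency on its uplink and the rest on edge routers.

```python
"""Adjacency model for the CenterTrack scalability slides.

Added example, not from the presentation. Assumed model:
  - every edge router has one tunnel, to one CT router;
  - edge routers are spread evenly across CT routers;
  - a CT router's adjacency count = peer CT routers + edge routers served.
"""
import math


def full_mesh_adjacencies(edge_routers: int, ct_routers: int) -> int:
    """Adjacencies one CT router needs when all CT routers form a full mesh.

    (ct_routers - 1) inter-CT adjacencies plus its even share of the edge
    routers, rounded up so no edge router is left unserved.
    """
    if ct_routers < 1:
        raise ValueError("need at least one CT router")
    if edge_routers < 0:
        raise ValueError("edge router count cannot be negative")
    return (ct_routers - 1) + math.ceil(edge_routers / ct_routers)


def full_mesh_edge_limit(capacity: int) -> int:
    """Largest edge-router population a single full mesh can serve.

    With C CT routers each of capacity K, a CT router keeps K - (C - 1)
    adjacencies for edge routers, so the mesh serves E(C) = C * (K - C + 1).
    Pick the C that maximises E(C); adding CT routers beyond that point
    costs more mesh adjacencies than it gains in edge capacity.
    """
    if capacity < 1:
        raise ValueError("capacity must be positive")
    best = 0
    for c in range(1, capacity + 2):
        per_ct = capacity - (c - 1)
        if per_ct <= 0:
            break  # the mesh alone has exhausted the router's capacity
        best = max(best, c * per_ct)
    return best


def two_level_edge_limit(capacity: int) -> int:
    """Largest edge-router population for a two-level hierarchy with a
    single top-level CT router.

    The top router peers with `capacity` second-level CT routers; each of
    those uses one adjacency for its uplink and capacity - 1 for edges.
    """
    if capacity < 1:
        raise ValueError("capacity must be positive")
    return capacity * (capacity - 1)


def edge_limit_table(capacities) -> list:
    """Rows of (capacity, full-mesh limit, two-level limit) for plotting
    or eyeballing, in the style of slide 17."""
    return [
        (k, full_mesh_edge_limit(k), two_level_edge_limit(k))
        for k in capacities
    ]


if __name__ == "__main__":
    # Slide 16 style: adjacencies per CT router vs. edge-router count.
    for ct in (10, 15, 20, 30, 100):
        row = [full_mesh_adjacencies(e, ct) for e in range(200, 2001, 600)]
        print(f"{ct:>3} CT routers: {row}")
    # Slide 17 style: edge-router limit vs. per-router adjacency capacity.
    for k, mesh, two_level in edge_limit_table(range(40, 201, 40)):
        print(f"capacity {k:>3}: full mesh {mesh:>6}, two-level {two_level:>6}")
```

Under this model the full-mesh limit grows roughly as the square of half the capacity, while the hierarchy grows as capacity squared, which is why the hierarchy pulls away on the right of the chart; the model is only an illustration of that trade-off, not the data behind the original plots.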

18 Conclusion
- CenterTrack disadvantages
  - Still requires input debugging at the edge.
  - Not free.
  - Changes the route. (Attackers might notice.)
- CenterTrack advantages
  - Eliminates the need for transit router input debugging.
  - Required features are available.
  - Is not too expensive.
  - Scales well.
  - Is vendor independent, other than input debugging.

19 Acknowledgements
Contributors: Eric Brandwine, Clarissa Cook, Ken Dahl, Vijay Gill, Robert Noland, Matthew Sibley.

