Slide 1: SOS: Secure Overlay Services
A. D. Keromytis, V. Misra, D. Rubenstein, Columbia University
Slide 2: Outline
- Introduction
- Architecture
- Performance Analysis
- Implementation
- Discussion
Slide 3: Introduction/Motivation
- The 9/11 events: the Internet vs. the phone network
- Communication paths between the "important" sites and Emergency Response Teams (ERTs)
- Trends in DDoS attacks
- Previous reactive approaches
- Proactive mechanisms
Slide 4: Attack Trends [CERT'01]
- Trend 6: increasing threat from infrastructure attacks; type 1: distributed denial of service, ...
- Degree of automation:
  - Manual attacks: the early DDoS attacks
  - Semi-automatic attacks: attacks with communication between masters and slaves
  - Automatic attacks: the attacker just issues a single command
- High impact, low effort
Slide 5: Distributed Denial of Service (DDoS) Attacks
- The attacker logs into a master and signals the slaves to launch an attack on a specific target address (the victim).
- The slaves respond by initiating a TCP, UDP, ICMP or Smurf flood against the victim.
Slide 6: What makes DDoS attacks possible?
- Internet security is highly interdependent
- Internet resources are limited
- The power of many is greater than the power of few
- Intelligence and resources are not collocated
Slide 7: What to Do About DDoS?
- Detection: intrusion detection systems
- Traceback (unfortunately, not back to the attacker): link testing, ICMP traceback, hash-based traceback, probabilistic packet marking
- Prevention: traffic monitoring (e.g., ICMP packets, SYN packets); ingress filtering on the routers; GovNet, a separate network
Slide 8: Objective of Secure Overlay Services
- Motivated by the ERT scenario
- Focus on protecting a site that stores information that is difficult to replicate
- Secure communication, on top of today's existing IP infrastructure, in the face of DDoS attacks
- Does NOT solve the general DoS problem
Slide 9: Assumptions
1. A pre-determined subset of clients is scattered throughout the wide-area network (WAN)
2. A set of users want to prevent access to this information and will launch a DoS attack on any network point whose jamming will achieve this goal
3. The attacker does not have unobstructed access to the network core
4. The attacker cannot acquire sufficient resources to severely disrupt large portions of the backbone
Slide 10: Basic SOS Architecture
Slide 11: Architecture Description
- SOS is a network overlay
- The overlay nodes are publicly known
- Communication between overlay nodes is assumed to remain secure
- A user's packets must be authenticated and authorized by SOS before traffic is allowed to flow through the overlay
Slide 12: Filtered Region
- Establish filters at the ISP's POP routers that attach to the ISP backbone
- Distinguish and drop illegitimate packets
- Issues: IP address changes and user-role changes; IP spoofing
Slide 13: Secret Servlets
- A subset of nodes, N_s, selected by the target to act as forwarding proxies
- The filters only allow packets whose source address matches some n in N_s
- The identities of the proxies are hidden, to prevent IP spoofing and attacks aimed at the proxies
- Activated by a message from the target
- Challenge: reach a secret servlet without revealing the servlet's identity to the nodes that wish to reach it
- Naive approach, random next-hop forwarding: O(N/N_s) expected hops before a servlet is hit
Slide 14: SOAP: Secure Overlay Access Point
- Receives and verifies traffic
- Authentication tools: IPsec/TLS
- A large number of SOAPs form a distributed firewall
- Effect on DoS: increases the amount of resources/bandwidth an attacker needs to deny connectivity to legitimate clients
- How to map SOAPs to different users?
Slide 15: Routing through the Overlay
- Chord service (www.cs.umn.edu/~he/iss/)
- Each overlay node keeps O(log N) identifiers
- Chord delivers the packet to one of several beacons, which know the secret servlets' identities
- The beacon's identifier is obtained by hashing the target's IP address
- Multiple hash functions produce different paths
Slide 16: Against DoS Attacks
- An access point is attacked: the source can choose an alternative access point
- A node within the overlay is attacked: the Chord service self-heals
- A secret servlet's identity is discovered and the servlet is targeted: the target chooses an alternative set of secret servlets
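The forwarding path of slides 11 to 16 (SOAP admission, Chord-hashed beacon, secret servlet, filtered region) and the three recovery cases of slide 16, as an added toy model written for this page; it is not code from the paper or from the SOS implementation. Assumptions, all constructed for the example: a 16-bit Chord ring with SHA-256 identifiers, an HMAC standing in for the IPsec/TLS authentication at the SOAP, routing between SOAP and beacon abstracted away, and RFC 5737/private addresses for the nodes, the target and the attacker.

```python
import hashlib
import hmac
import random

RING_BITS = 16  # toy Chord ring size (assumption; a real deployment uses a full-size ring)


def chord_id(name: str) -> int:
    """Chord identifier of an address or key (assumed: SHA-256 truncated to RING_BITS)."""
    return int(hashlib.sha256(name.encode()).hexdigest(), 16) % (1 << RING_BITS)


class SOSOverlay:
    """Toy model of one target behind SOS: SOAPs admit only authenticated users, a
    hash of the target picks a beacon on the Chord ring, the beacon forwards to a
    secret servlet, and the filtered region passes only servlet-sourced packets."""

    def __init__(self, node_addrs, target_addr, n_servlets=2, n_hashes=3, seed=1):
        self.rng = random.Random(seed)
        self.target = target_addr
        self.nodes = {a: chord_id(a) for a in node_addrs}  # membership is public
        self.down = set()          # nodes currently flooded by the attacker
        self.n_hashes = n_hashes   # one beacon (and path) per hash function
        self.user_keys = {}        # SOAP-side credentials of authorised users
        self.rotate_servlets(n_servlets)

    def live_nodes(self):
        return [a for a in self.nodes if a not in self.down]

    def beacon(self, i):
        """Beacon for hash function i: the successor of H(target || i) on the ring."""
        key = chord_id(f"{self.target}|{i}")
        ring = sorted((cid, addr) for addr, cid in self.nodes.items())
        for cid, addr in ring:
            if cid >= key:
                return addr
        return ring[0][1]  # wrap around the ring

    def beacons(self):
        return {self.beacon(i) for i in range(self.n_hashes)}

    def rotate_servlets(self, n):
        """The target picks a fresh secret set N_s among live nodes, tells only its
        beacons, and re-keys the ISP filter to the new source addresses."""
        self.servlets = set(self.rng.sample(self.live_nodes(), n))
        self.filter_allow = set(self.servlets)
        self.beacon_knows = {b: set(self.servlets) for b in self.beacons()}

    def filter_accepts(self, src_addr):
        """Filtered region: only packets sourced from a secret servlet reach the target."""
        return src_addr in self.filter_allow

    def enroll(self, user, key):
        self.user_keys[user] = key

    def attack(self, addrs):
        """Attacker floods the given overlay nodes; they stop forwarding."""
        self.down |= set(addrs)

    def send(self, user, key, payload, soap):
        """A user hands a packet to a SOAP. Returns (status, path or reason)."""
        if soap in self.down:
            return ("dropped", "SOAP is down; the user should pick another SOAP")
        # SOAP authenticates and authorises the source (IPsec/TLS in SOS; HMAC here)
        expected = hmac.new(self.user_keys.get(user, b"\x00"), payload, "sha256").digest()
        tag = hmac.new(key, payload, "sha256").digest()
        if user not in self.user_keys or not hmac.compare_digest(tag, expected):
            return ("dropped", "not authorised at SOAP")
        for i in range(self.n_hashes):  # next hash function => next beacon, next path
            b = self.beacon(i)
            if b in self.down:
                continue
            live_servlets = sorted(s for s in self.beacon_knows[b] if s not in self.down)
            if not live_servlets:
                continue
            servlet = self.rng.choice(live_servlets)  # the beacon knows N_s, the SOAP does not
            if self.filter_accepts(servlet):
                return ("delivered", [soap, b, servlet, self.target])
        return ("dropped", "no live beacon or secret servlet for this target")


if __name__ == "__main__":
    nodes = [f"10.0.0.{i}" for i in range(1, 11)]           # constructed overlay
    ov = SOSOverlay(nodes, "192.0.2.10")                      # constructed target
    ov.enroll("ert-user", b"shared-key")
    print(ov.send("ert-user", b"shared-key", b"hello", "10.0.0.1"))
    print("direct flood passes filter:", ov.filter_accepts("198.51.100.7"))
    ov.attack(ov.servlets)                                    # servlets discovered
    print(ov.send("ert-user", b"shared-key", b"hello", "10.0.0.1"))
    ov.rotate_servlets(2)                                     # target reacts
    print(ov.send("ert-user", b"shared-key", b"hello", "10.0.0.1"))
```

The model makes the slide's three recovery cases concrete: a dead SOAP only costs the user a different entry point, a dead beacon is skipped by trying the next hash function, and flooding the servlets blocks traffic only until the target rotates N_s and the filter with it. The one thing the attacker can do directly against the target, a flood from its own address, never passes `filter_accepts`.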
Slide 17: Performance Analysis (1)
Varying the number of attacked nodes and the number of nodes in the overlay. [Figure: P(attack success) vs. number of nodes attacked]
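An added worked calculation of the quantity on this plot's y-axis, written for this page rather than taken from the paper: an attacker who floods k overlay nodes chosen uniformly at random succeeds if it has taken down every SOAP, every beacon, or every secret servlet serving the target. The per-role term is hypergeometric, and the union over roles is inclusion-exclusion. The assumption that the role sets are disjoint, and the role sizes and overlay sizes in the demo, are mine; the function names are not from the paper.

```python
from itertools import combinations
from math import comb


def p_all_down(n_nodes, n_role, n_attacked):
    """P(a uniformly random set of n_attacked nodes out of n_nodes contains all
    n_role nodes holding one role) = C(N - r, k - r) / C(N, k)."""
    if n_attacked < n_role:
        return 0.0
    return comb(n_nodes - n_role, n_attacked - n_role) / comb(n_nodes, n_attacked)


def attack_success(n_nodes, role_sizes, n_attacked):
    """P(every node of at least one role is down), by inclusion-exclusion.
    Assumption: the role sets (SOAPs, beacons, secret servlets of one target) are
    disjoint, so 'roles A and B both fully down' is '|A| + |B| given nodes down'."""
    total = 0.0
    for r in range(1, len(role_sizes) + 1):
        for subset in combinations(role_sizes, r):
            total += (-1) ** (r + 1) * p_all_down(n_nodes, sum(subset), n_attacked)
    return total


def nodes_needed(n_nodes, role_sizes, target_p):
    """Smallest random attack size k whose success probability reaches target_p."""
    for k in range(0, n_nodes + 1):
        if attack_success(n_nodes, role_sizes, k) >= target_p:
            return k
    return n_nodes


def randomization_gain(role_sizes, n_attacked, overlay_sizes):
    """Success probability of a fixed-size attack as the overlay grows: the same role
    nodes are hidden among more candidates (the effect slide 20 calls randomization gain)."""
    return {n: attack_success(n, role_sizes, n_attacked) for n in overlay_sizes}


if __name__ == "__main__":
    roles = [10, 10, 10]  # constructed: 10 SOAPs, 10 beacons, 10 secret servlets
    for k in (10, 50, 100, 200, 500):
        print(f"N=1000, {k:3d} nodes attacked -> P(success) = {attack_success(1000, roles, k):.5f}")
    print("attack size for 50% success at N=1000:", nodes_needed(1000, roles, 0.5))
    for n, p in randomization_gain(roles, 100, [100, 500, 1000, 5000]).items():
        print(f"N={n:5d}, 100 nodes attacked -> P(success) = {p:.5f}")
```

Read against the slide: the curve is flat near zero until k approaches the size of the smallest role, and the same k buys the attacker far less in a larger overlay, which is exactly why SOS wants the role nodes indistinguishable from the rest of the overlay.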
Slide 18: Performance Analysis (2)
Blocking probability for legitimate traffic as a function of the attack traffic load. [Figure: blocking probability for legitimate traffic vs. load of attack traffic]
Slide 19: Performance Analysis (3)
Performance gains from increasing the capacity of the attacked node. [Figure: bandwidth gain vs. bandwidth increase factor]
Slide 20: Performance Analysis (4)
Performance gains from increasing the anonymity of the attacked node. [Figure: randomization gain vs. size of the overlay]
Slide 21: Implementation
- Filtering: high-end and mid-range routers (performance vs. cost); high-speed packet classification
- Authentication and authorization of sources: IPsec; public key infrastructure/certificates
- Tunneling: IP-in-IP encapsulation; GRE encapsulation; IPsec in tunnel mode
Slide 22: Discussion
- Attacks from inside the overlay: security management oversights, development bugs, potential damage from the inside
- A shared overlay: multiple organizations utilize one shared overlay; a breach in one organization's security would not lead to breaches in the other networks
- Timely delivery: latency is about 10 times larger (preliminary simulations); security is traded for performance
Slide 23: Thanks!