Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.



Slide 2: Outline
- Basic DDoS defense approaches
- Some example DDoS defenses

Slide 3: Basic Approaches to DDoS Defense
- Don’t let it happen at all
- Add resources to stay ahead of it
- Track attack streams to their source
  – And, presumably, stop them
- Filter attacks to remove attack traffic

Slide 4: Prevention
- It would be nice if attackers could not perpetrate DDoS attacks at all
- How to prevent them?
  – Hygiene approaches
  – Resource limitations
  – Hide from the attackers

Slide 5: Hygiene Approaches
1. Make protocols less susceptible to DDoS
2. Make computers harder to enlist as zombies
3. Close holes at potential targets that can be used for DDoS
- All these are good and worthy approaches
- None of them is enough in isolation
- Hygiene alone hasn’t solved any other computer security problem, and won’t solve this one, either

Slide 6: Resource Limitations
- Don’t allow an individual attack machine to use many of a target’s resources
- Requires:
  – Authentication, or
  – Making the sender do special work (puzzles)
- Authentication schemes are often expensive for the receiver
- Existing legitimate senders are largely not set up to handle doing special work
- Can still be overcome with a large enough army of zombies
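An added sketch of the "special work" option on the slide above (not code from the lecture): a hash-based client puzzle in which the sender pays roughly 2^k hash evaluations and the receiver verifies with one. The SHA-256 leading-zero construction, the nonce format and the difficulty values are assumptions for the demonstration.

```python
import hashlib
import os

def issue_puzzle(difficulty_bits):
    """Receiver side: a fresh random nonce plus the required leading zero bits.
    A deployment would also bind the nonce to a time window or client so a
    solution cannot be replayed; that bookkeeping is omitted here."""
    return os.urandom(16).hex(), difficulty_bits

def leading_zero_bits(digest):
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def solve_puzzle(nonce, difficulty_bits):
    """Sender side: brute-force a counter until SHA-256(nonce:counter) starts
    with enough zero bits. Expected cost is about 2**difficulty_bits hashes."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty_bits:
            return counter
        counter += 1

def verify_solution(nonce, difficulty_bits, counter):
    """Receiver side: a single hash, however hard the puzzle was."""
    digest = hashlib.sha256(f"{nonce}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty_bits

if __name__ == "__main__":
    nonce, bits = issue_puzzle(16)                  # ~65k hashes for the sender
    solution = solve_puzzle(nonce, bits)
    print(verify_solution(nonce, bits, solution))   # one hash for the receiver
```

The asymmetry is the point of the slide: the receiver's check stays cheap no matter how hard the puzzle is, but a large enough zombie army still pays the cost in parallel.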

Slide 7: Hiding From the Attacker
- Make it hard for anyone but legitimate clients to deliver messages at all
- E.g., keep your machine’s identity obscure
- A possible solution for some potential targets
  – But not for others, like public web servers
- To the extent that the approach relies on secrecy, it’s fragile
  – Some approaches don’t require secrecy

Slide 8: Resource Multiplication
- As the attacker demands more resources, supply them
- Not always possible and usually expensive
- Not clear that the defender can keep ahead of the attacker
- But still a good step against limited attacks
  – Has sometimes worked in practice
  – And sometimes not
- More advanced versions use Akamai-like techniques

Slide 9: Trace and Stop Attacks
- Figure out which machines attacks come from
- Go to those machines (or near them) and stop the attacks
- Tracing is trivial if IP source addresses aren’t spoofed
  – Tracing may be possible even if they are spoofed
- May not have the ability/authority to do anything once you’ve found the attack machines
- Not too helpful if the attacker has a vast supply of machines

Slide 10: Filtering Attack Streams
- The basis for most defensive approaches
- Addresses the core of the problem by limiting the amount of work presented to the target
- Key question is:
  – What do you drop?
- Good solutions drop all (and only) attack traffic
- Less good solutions drop some (or all) of everything

Slide 11: Filtering Versus Rate Limiting
- Filtering drops packets with particular characteristics
  – If you get the characteristics right, you do little collateral damage
  – But no guarantee you have dropped enough
- Rate limiting drops packets on the basis of amount of traffic
  – Can thus assure the target is not overwhelmed
  – But may drop some good traffic
- Not really a hard-and-fast distinction
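The trade-off on this slide, as an added simulation (not from the lecture): the same constructed one-second packet stream is run through a characteristic-based filter and through a token-bucket rate limiter, and each is scored on attack packets let through versus legitimate packets lost. The traffic mix, the attack signature (UDP/53, 1400-byte packets) and the limiter's rate and burst are assumed values.

```python
from collections import namedtuple

# Constructed traffic: 100 legitimate and 400 attack packets in one second.
# The attack has a recognisable signature (port 53, 1400-byte packets), but the
# signature is imperfect: a few legitimate packets look the same, and one
# attack packet in ten uses a different size.
Packet = namedtuple("Packet", "t dst_port size attack")

def make_stream():
    pkts = []
    for i in range(100):
        port = 53 if i % 20 == 0 else 443           # 5 legit DNS-looking packets
        pkts.append(Packet(i / 100.0, port, 1400 if port == 53 else 500, False))
    for i in range(400):
        size = 1400 if i % 10 else 600              # 40 attack packets miss the signature
        pkts.append(Packet(i / 400.0, 53, size, True))
    return sorted(pkts, key=lambda p: p.t)          # stable sort: legit first on ties

def filter_by_signature(pkts):
    """Filtering: drop packets with particular characteristics, whatever the rate."""
    return [p for p in pkts if not (p.dst_port == 53 and p.size == 1400)]

def rate_limit(pkts, rate_pps, burst):
    """Rate limiting: a token bucket that drops whatever exceeds the rate,
    without looking at packet contents."""
    tokens, last, kept = float(burst), 0.0, []
    for p in pkts:
        tokens = min(burst, tokens + (p.t - last) * rate_pps)
        last = p.t
        if tokens >= 1:
            tokens -= 1
            kept.append(p)
    return kept

def outcome(kept):
    """Return (attack packets let through, legitimate packets lost)."""
    attack_through = sum(1 for p in kept if p.attack)
    legit_lost = 100 - sum(1 for p in kept if not p.attack)
    return attack_through, legit_lost

if __name__ == "__main__":
    s = make_stream()
    print("filter    :", outcome(filter_by_signature(s)))  # (40, 5): misses leak, few legit lost
    print("rate limit:", outcome(rate_limit(s, 150, 10)))  # load bounded, at the cost of good traffic
```

The filter's damage is fixed by how well the signature fits; the limiter guarantees the delivered load never exceeds burst plus rate times duration, but pays for it in dropped legitimate packets.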

Slide 12: Where Do You Filter?
- Near the target?
- Near the source?
- In the network core?
- In multiple places?

Slides 13–16: Implications of Filtering Location Choices
- Near target
  – Easier to detect attack
  – Sees everything
  – May be hard to prevent collateral damage
  – May be hard to handle attack volume
  – Good deployment incentive
- Near source
  – May be hard to detect attack
  – Doesn’t see everything
  – Easier to prevent collateral damage
  – Easier to handle attack volume
  – Poor deployment incentive
- In core
  – Easier to handle attack volume
  – Sees everything (with sufficient deployment)
  – May be hard to prevent collateral damage
  – May be hard to detect attack
  – Poor deployment incentive

Slide 17: Example Defenses
- Pushback
- DWard
- Netbouncer
- SOS
- Defcom

Slide 18: Pushback
- Goal: Preferentially drop attack traffic to relieve congestion
- Enable core routers to respond to congestion locally by:
  – Profiling traffic dropped by RED
  – Identifying high-bandwidth aggregates
  – Preferentially dropping aggregate traffic to enforce the desired bandwidth limit
- Pushback: A router identifies the upstream neighbors that forward the aggregate traffic to it, and requests that they deploy the rate limit
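The local response and the pushback step above, as an added toy model (not the lecture's or the Pushback project's code): a congested router profiles what RED dropped by destination prefix, picks the dominant aggregate, sizes a limit so the link just fits, and splits that limit among the upstream neighbours forwarding the aggregate. The neighbour names, prefixes, rates and link capacity are constructed; the split is a simple proportional one, not the scheme's actual division.

```python
from collections import Counter
def red_drop_profile(arrivals, capacity):
    """RED drops roughly in proportion to arrival rate once the link
    (capacity, pps) is overloaded, so the drop profile mirrors the mix."""
    total = sum(sum(c.values()) for c in arrivals.values())
    profile = Counter()
    if total > capacity:
        drop_frac = 1 - capacity / total
        for counts in arrivals.values():
            for prefix, pps in counts.items():
                profile[prefix] += pps * drop_frac
    return profile

def identify_aggregate(profile, share=0.5):
    """One destination prefix behind more than `share` of the drops, else None."""
    if not profile:
        return None
    prefix, dropped = profile.most_common(1)[0]
    return prefix if dropped > share * sum(profile.values()) else None

def pushback(arrivals, capacity):
    """Limit the aggregate so the link just fits, then ask each upstream
    neighbour forwarding it to enforce a proportional share of that limit
    (the real scheme's fairer division is not modelled)."""
    agg = identify_aggregate(red_drop_profile(arrivals, capacity))
    if agg is None:
        return None
    other = sum(pps for c in arrivals.values() for p, pps in c.items() if p != agg)
    limit = max(0, capacity - other)
    contrib = {n: c[agg] for n, c in arrivals.items() if c.get(agg)}
    total_agg = sum(contrib.values())
    return agg, limit, {n: limit * pps / total_agg for n, pps in contrib.items()}

def load_after(arrivals, agg, requests):
    """Total pps reaching the router once neighbours enforce their limits."""
    return sum(min(pps, requests.get(n, pps)) if p == agg else pps
               for n, c in arrivals.items() for p, pps in c.items())

# Constructed arrival rates (pps) per upstream neighbour, keyed by destination /24;
# 203.0.113.0/24 is the victim, the other prefixes carry unrelated traffic.
ARRIVALS = {
    "A": Counter({"203.0.113.0/24": 600, "192.0.2.0/24": 100}),
    "B": Counter({"203.0.113.0/24": 300, "192.0.2.0/24": 50}),
    "C": Counter({"192.0.2.0/24": 150, "198.51.100.0/24": 100}),
}
CAPACITY = 700  # outgoing link, pps; 1300 pps arrive, so RED is dropping
if __name__ == "__main__":
    agg, limit, reqs = pushback(ARRIVALS, CAPACITY)
    print(agg, limit, reqs, load_after(ARRIVALS, agg, reqs))  # link fits; victim's legit traffic cut too
```

Note that only traffic to the aggregate's prefix is limited, and that everything inside it, legitimate or not, shares the cut: that is the collateral damage the later slides discuss.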

Slides 19–24: Pushback Example (animated figure; only the router labels "P" survive in the transcript)

Slide 25: Can it work?
- Even a few core routers are able to control high-volume attacks
- Separation of traffic aggregates improves the current situation
  – Only traffic for the victim is dropped
  – Drops affect the part of the traffic that contains the attack traffic
- Likely to successfully control the attack, relieving congestion in the Internet
- Will inflict collateral damage on legitimate traffic

Slide 26: Advantages and Limitations
+ Routers can handle high traffic volumes
+ Deployment at a few core routers can affect many traffic flows, due to core topology
+ Simple operation, no overhead for routers
+ Pushback minimizes collateral damage by placing the response close to the sources
– Pushback only works in contiguous deployment
– Collateral damage is inflicted whenever attack traffic is not clearly separate from legitimate traffic
– Deployment requires modification of existing core routers and likely purchase of new hardware

