Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 1 Resource Limitations  Don’t allow an individual attack machine to.

Published byBerniece Stevenson Modified over 9 years ago

Similar presentations

Presentation on theme: "CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 1 Resource Limitations  Don’t allow an individual attack machine to."— Presentation transcript:

1 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 1 Resource Limitations  Don’t allow an individual attack machine to use many of a target’s resources  Requires:  Authentication, or  Making the sender do special work (puzzles)  Authentication schemes are often expensive for the receiver  Existing legitimate senders largely not set up to handle doing special work  Can still be overcome with a large enough army of zombies

2 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 2 Hiding From the Attacker  Make it hard for anyone but legitimate clients to deliver messages at all  E.g., keep your machine’s identity obscure  A possible solution for some potential targets  But not for others, like public web servers  To the extent that approach relies on secrecy, it’s fragile  Some such approaches don’t require secrecy

3 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 3 Resource Multiplication  As attacker demands more resources, supply them  Essentially, never allow resources to be depleted  Not always possible, usually expensive  Not clear that defender can keep ahead of the attacker  But still a good step against limited attacks  Has sometimes worked in practice  And sometimes not  More advanced versions might use Akamai-like techniques

4 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 4 Trace and Stop Attacks  Figure out which machines attacks come from  Go to those machines (or near them) and stop the attacks  Tracing is trivial if IP source addresses aren’t spoofed  Tracing may be possible even if they are spoofed  May not have ability/authority to do anything once you’ve found the attack machines  Not too helpful if attacker has a vast supply of machines

5 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 5 Filtering Attack Streams  The basis for most defensive approaches  Addresses the core of the problem by limiting the amount of work presented to target  Key question is:  What do you drop?  Good solutions drop all (and only) attack traffic  Less good solutions drop some (or all) of everything

6 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 6 Filtering vs. Rate Limiting  Filtering drops packets with particular characteristics  If you get the characteristics right, you do little collateral damage  But no guarantee you have dropped enough  Rate limiting drops packets on basis of amount of traffic  Can thus assure target is not overwhelmed  But may drop some good traffic  Not really a hard-and-fast distinction

7 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 7 Where Do You Filter? Near the target? Near the source? In the network core? In multiple places?

8 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 8 Implications of Filtering Location Choices  Near target  Near source  In core

9 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 9 Implications of Filtering Location Choices  Near target  Easier to detect attack  Sees everything  May be hard to prevent collateral damage  May be hard to handle attack volume  Near source  In core

10 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 10 Implications of Filtering Location Choices  Near target  Near source  May be hard to detect attack  Doesn’t see everything  Easier to prevent collateral damage  Easier to handle attack volume  In core

11 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 11 Implications of Filtering Location Choices  Near target  Near source  In core  Easier to handle attack volume  Sees everything (with sufficient deployment)  May be hard to prevent collateral damage  May be hard to detect attack

12 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 12 How Do You Detect Attacks?  Have database of attack signatures  Detect anomalous behavior  By measuring some parameters for a long time and setting a baseline  Detecting when their values are abnormally high  By defining which behavior must be obeyed starting from some protocol specification

13 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 13 How Do You Filter?  Devise filters that encompass most of anomalous traffic  Drop everything but give priority to legitimate- looking traffic  It has some parameter values  It has certain behavior

14 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 14 DDoS Defense Challenges  Need for a distributed response  Economic and social factors  Lack of detailed attack information  Lack of defense system benchmarks  Difficulty of large-scale testing  Moving target

15 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 15 Sample Research Approaches  Pushback  Traceback  D-WARD  Netbouncer  SOS  Proof-of-work systems  Distributed solutions  Cossack  DefCOM

16 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 16 Pushback 1  Goal: Preferentially drop attack traffic to relieve congestion  Local ACC: Enable core routers to respond to congestion locally by:  Profiling traffic dropped by RED  Identifying high-bandwidth aggregates  Preferentially dropping aggregate traffic to enforce desired bandwidth limit  Pushback: A router identifies the upstream neighbors that forward the aggregate traffic to it, requests that they deploy rate-limit 1 ”Controlling high bandwidth aggregates in the network,” Mahajan, Bellovin, Floyd, Paxson, Shenker, ACM CCR, July 2002

17 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 17 Pushback Example P P P P

18 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 18 Pushback Example P P P P

19 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 19 Pushback Example P P P P

20 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 20 Pushback Example P P P P

21 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 21 Pushback Example P P P P

22 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 22 Can it work?  Even a few core routers are able to control high- volume attacks  Separation of traffic aggregates improves current situation  Only traffic for the victim is dropped  Drops affect a portion containing the attack traffic  Likely to successfully control the attack, relieving congestion in the Internet  Will inflict collateral damage on legitimate traffic

23 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 23 Advantages and Limitations +Routers are well equipped to handle high traffic volumes +Deployment at a few core routers can affect many traffic flows, due to core topology +Simple operation, no overhead for routers +Pushback minimizes collateral damage by placing response close to the sources –Pushback only works in contiguous deployment –Collateral damage is inflicted by response, whenever attack traffic is not clearly different than legitimate traffic –Deployment requires modification of existing core routers and likely purchase of new hardware

24 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 24 Traceback 1  Goal: locate the agent machines  Each packet header may carry a mark, containing:  EdgeID (IP addresses of the routers) specifying an edge it has traversed  The distance from the edge  Routers mark packets probabilistically  If a router detects half-marked packet (containing only one IP address) it will complete the mark  Due to limited space in IP header (fragment offset field) EdgeID is fragmented  Victim under attack reconstructs the path from the marked packets 1 “Practical network support for IP Traceback,” Savage, Wetherall, Karlin, Anderson, ACM SIGCOMM 2000

25 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 25 Traceback Example T T T T T

26 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 26 Traceback Example T T T T T

27 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 27 Traceback and IP Spoofing  Strictly speaking, traceback does nothing to stop DDoS attacks  It only identifies attackers’ location  Within a subnet, at least  If IP spoofing were not possible in the Internet, traceback would not be necessary  There are approaches under development to largely prevent IP spoofing

28 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 28 Can it work?  Incrementally deployable, a few disjoint routers can provide beneficial information  Moderate router overhead (packet modification)  A few thousand packets are needed even for long path reconstruction  Does not work well for highly distributed attacks  Path reassembly is computationally demanding, and is not 100% accurate:  Path information cannot be used for legal purposes  Routers close to the sources can efficiently block attack traffic, minimizing collateral damage

29 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 29 Advantages and Limitations +Incrementally deployable +Effective for non-distributed attacks and for highly overlapping attack paths +Facilitates locating routers close to the sources –Packet marking incurs overhead at routers, must be performed at slow path –Path reassembly is complex and prone to errors –Reassembly of distributed attack paths is prohibitively expensive –Packet marks can be forged by the attacker –Only identifies the agent machines

30 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 30 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize and favor the legitimate traffic  Source-end, inline defense system  Gathers statistics on flows and connections, compares them with protocol-based models:  Mismatching flow statistics indicate attack  Matching connection statistics indicate legitimate traffic  Dynamic and selective rate-limit algorithm:  Fast decrease to relieve the victim  Fast increase when the attack stops and on false alarms  Detects and forwards legitimate connection packets 1 “Attacking DDoS at the source,” Mirkovic, Prier, Reiher, ICNP 2002

31 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 31 Flows and Connections

32 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 32 D-WARD Overview

33 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 33 D-WARD Overview

34 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 34 D-WARD Overview

35 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 35 Can it work?  Extensive experiments indicate:  Fast detection of a wide range of attacks  Effective control of the attack traffic  Extremely low collateral damage  Fast removal of rate limit when attack stops  Small processing and memory overhead  Effectively stops attacks from deploying networks  Only effective in actually stopping attacks if deployed at most/all potential attacking networks  May provide synergistic benefits with other defenses

36 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 36 Advantages and Limitations +Fast detection and control of wide range of attacks +Extremely low collateral damage +Low number of false positives +Stops attacks as soon as possible –Attackers can perform successful attacks from unprotected networks –Deployment motivation is low

37 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 37 Netbouncer 1  Goal: detect legitimate clients and only serve their packets  Victim-end, inline defense system deployed in front of the choke point  Keeps a list of legitimate clients:  Only packets from these clients are served  Unknown clients receive a challenge to prove their legitimacy, several levels of legitimacy tests  Various QoS techniques are applied to assure fair sharing of resources by legitimate client traffic  Legitimacy of a client expires after a certain interval 1 “NetBouncer: Client-legitimacy-based High-performance DDoS Filtering, ” Thomas, Mark, Johnson. Croall, DISCEX 2003

38 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 38 Netbouncer Overview N Legitimacy list

39 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 39 Netbouncer Overview N Legitimacy list

40 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 40 Netbouncer Overview N Legitimacy list

41 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 41 Netbouncer Overview N Legitimacy list

42 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 42 Can it work?  Successfully defeats spoofed attacks  Ensures fair sharing of resources among clients that have proved to be legitimate  All legitimacy tests are stateless – defense system cannot be target of state-consumption attacks  Some legitimate clients do not support certain legitimacy tests (i.e. ping test)  Legitimate client identity can be misused for attacks  Large number of agents can still degrade service to legitimate clients, creating “flash crowd” effect

43 CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 43 Advantages and Limitations +Ensures good service to legitimate clients in the majority of cases +Does not require modifications of clients or servers +Stateless legitimacy tests ensure resiliency to DoS attacks on Netbouncer +Realistic deployment model: Autonomous solution, close to the victim –Attackers can perform successful attacks by: –Misusing identities of legitimate clients –Recruiting a large number of agents –Some legitimate clients will not be validated –Challenge generation may exhaust defense

Download ppt "CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 12 – 3/24/05 1 Resource Limitations  Don’t allow an individual attack machine to."

Similar presentations

Denial of Service. Denial of Service Attacks Unlike other forms of computer attacks, goal isnt access or theft of information or services The goal is.

Denial of Service. Denial of Service Attacks Unlike other forms of computer attacks, goal isnt access or theft of information or services The goal is.
Quiz 1 Posted on DEN 8 multiple-choice questions

Quiz 1 Posted on DEN 8 multiple-choice questions
Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
Random Flow Network Modeling and Simulations for DDoS Attack Mitigation Jiejun Kong, Mansoor Mirza, James Shu, Christian Yoedhana, Mario Gerla, Songwu.

Random Flow Network Modeling and Simulations for DDoS Attack Mitigation Jiejun Kong, Mansoor Mirza, James Shu, Christian Yoedhana, Mario Gerla, Songwu.
IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.

Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.

You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.
1 Controlling High Bandwidth Aggregates in the Network.

1 Controlling High Bandwidth Aggregates in the Network.
ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.

ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.
1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.

DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.

Similar presentations

Ads by Google