Presentation is loading. Please wait.

Presentation is loading. Please wait.

NC STATE UNIVERSITY / MCNC Protecting Network Quality of Service Against Denial of Service Attacks Douglas S. Reeves  S. Felix Wu  Fengmin Gong DARPA.

Published byAlan Eaton Modified over 8 years ago

Similar presentations

Presentation on theme: "NC STATE UNIVERSITY / MCNC Protecting Network Quality of Service Against Denial of Service Attacks Douglas S. Reeves  S. Felix Wu  Fengmin Gong DARPA."— Presentation transcript:

1 NC STATE UNIVERSITY / MCNC Protecting Network Quality of Service Against Denial of Service Attacks Douglas S. Reeves  S. Felix Wu  Fengmin Gong DARPA IA&S Meeting July 20, 2000

2 NC STATE UNIVERSITY / MCNC 2 New Capabilities... Different classes of service for users –how much bandwidth –what quality level (delay, loss rates) Based on trust, need, importance, urgency,.... : Policies!

3 NC STATE UNIVERSITY / MCNC 3 Provided By... Service provider provisions the resources for the expected demand User makes request Network allocates bandwidth amount and quality level, sends response Network enforces amount / quality

4 NC STATE UNIVERSITY / MCNC 4 …Create New Vulnerabilities! Each step can be attacked

5 NC STATE UNIVERSITY / MCNC 5 Attack 1: Excessive User Demands Everyone asks for... –maximum resource amount –premium service Why not?

6 NC STATE UNIVERSITY / MCNC 6 Our Solution: Resource Pricing (An example: Telephone Network)

7 NC STATE UNIVERSITY / MCNC 7 Resource Prices Based on Demand Predicted-load (static) pricing –ex.: provisioning, time-of-day pricing Auction-based (semi-static) pricing –ex.: bandwidth exchanges, time-slot assignment Congestion-based (dynamic) pricing –ex.: congestion control Combined approaches

8 NC STATE UNIVERSITY / MCNC 8 Policy Specification / Enforcement What determines the price? How much can each user pay?

9 NC STATE UNIVERSITY / MCNC 9 Provable Fairness Fairness is the consequence of a policy Achievable... –Pareto optimal –Weighted max-min fair –Proportional fair –Equal QoS –Maximal aggregate utility –Maximum revenue

10 NC STATE UNIVERSITY / MCNC 10 Properties Simple, distributed computation Fast convergence Low overhead

11 NC STATE UNIVERSITY / MCNC 11 Comparison With Other Approaches First-come, first-served –“grab resources early and often” Fixed (absolute) priority –starvation problems Non-weighted fairness (TCP) –everyone is equal? Other resource pricing work –static / centralized, restricted fairness

12 NC STATE UNIVERSITY / MCNC 12 Future Work: Implementation Fall 2000 (management tools: Summer 2001)

13 NC STATE UNIVERSITY / MCNC 13 Fut. Wk.: 3rd Party Authorization Fall 2000

14 NC STATE UNIVERSITY / MCNC 14 Future Work: Service Class Provisioning Given predicted demand for each service class... –how much of each service class should network owner provision? –what price charge for each class? Goals: maximum profit, maximum utility,...? Spring 2001

15 NC STATE UNIVERSITY / MCNC 15 Future Work: Protecting the Pricing Mechanism Vulnerability to attack Protecting… –RSVP –COPS –SIP –Policy server and databases –Authorization server, user database, billing database Spring 2002

16 NC STATE UNIVERSITY / MCNC 16 Impact of This Work Disincentives for "bad" user behavior Ability to flexibly specify and enforce policies Efficient (optimal) allocation Economic incentives for deployment of new services

17 NC STATE UNIVERSITY / MCNC 17 Attack 2: Modify Resource Request / Response Signals RSVP is the control mechanism for QoS Routers can "legally" modify these signals How detect illegal modification?

18 NC STATE UNIVERSITY / MCNC 18 RSVP Attack Examples

19 NC STATE UNIVERSITY / MCNC 19 RSVP Attack Examples

20 NC STATE UNIVERSITY / MCNC 20 RSVP Attack Examples

21 NC STATE UNIVERSITY / MCNC 21 Our Solution: Selective Signing + Auditing 1. Sign at the end-points the message contents that cannot be changed 2. Each router audits fields that can be changed –remember values transmitted downstream –compare with values propagated upstream Has been implemented and tested

22 NC STATE UNIVERSITY / MCNC 22 Comparison With Other Approaches End-to-end signing of complete message contents –Won't work with changeable contents Hop-by-hop signing of message contents –Excessive overhead –Does not detect attacks by corrupted routers

23 NC STATE UNIVERSITY / MCNC 23 Future Work Other attacks –Message dropping –Message insertion –Resource "hoarding" –Summer 2001 Auditing –Integration with intrusion detection –Fall 2001

24 NC STATE UNIVERSITY / MCNC 24 Impact of This Work Practical, more effective detection of DoS attacks on control flow

25 NC STATE UNIVERSITY / MCNC 25 Attack 3: TCP Packet Dropping Congestion causes "normal" packet dropping Can malicious packet dropping (not due to normal congestion) be detected? –due to corrupted routers –due to "unfriendly" users

26 NC STATE UNIVERSITY / MCNC 26 Our Solution Build a profile of normal dropping behavior Compare with observed dropping behavior –statistical techniques –neural net techniques Experiments: 5 sites in 4 countries over several weeks

27 NC STATE UNIVERSITY / MCNC 27 Effectiveness Created several types of dropping attacks –random –periodic –re-transmissions only Measured losses and latency High detection rate (> 80%), low (1%- 5%) false positive rate

28 NC STATE UNIVERSITY / MCNC 28 Impact Attacks will become less obvious; degraded service, not disrupted service First work on monitoring this type of attack

29 NC STATE UNIVERSITY / MCNC 29 Attack 4: Compromised DiffServ Routers

30 NC STATE UNIVERSITY / MCNC 30 Attack Types Dropping one data flow to benefit others Injecting(spoofing, flooding,...) packets to a high priority flow Remarking packets in a data flow Delaying packets in a data flow Compromised ingress, core, or egress routers

31 NC STATE UNIVERSITY / MCNC 31 Approach Monitor router behavior externally Monitoring agents externally controlled by intrusion detection system (IDS) –selectively enabled when needed IDS performs analysis of measurements

32 NC STATE UNIVERSITY / MCNC 32 Monitoring Granularity is Per-Hop-Behavior (PHB, macroflow) Metrics: ingress rate, egress rate, drop rate, delay Passive (packet counting) Active (packet probing)

33 NC STATE UNIVERSITY / MCNC 33 Status Attack analysis Architecture Testbed, measurements Future work –Implement passive monitoring, Fall 2000 –Implement active monitoring, Spring 2001 –Implement analysis, Summer 2001 –Integrate with existing intrusion-detection engine, Year 3

34 NC STATE UNIVERSITY / MCNC 34 Impact First work on detecting and preventing attacks on DiffServ

35 NC STATE UNIVERSITY / MCNC 35 Technology Transfer Code release (pricing simulator, TCP dropping attack analyzer) Patent application on pricing with NEC Collaboration with Nortel on resource authorization Discussions with Enron, NEC, IETF DiffServ WG

36 NC STATE UNIVERSITY / MCNC 36 General Hicks’ “Hot List” of Needs Prevent Denial of Service attacks Automate network bandwidth allocation –reallocate to other, changing priorities

Download ppt "NC STATE UNIVERSITY / MCNC Protecting Network Quality of Service Against Denial of Service Attacks Douglas S. Reeves  S. Felix Wu  Fengmin Gong DARPA."

Similar presentations

Congestion Control and Fairness Models Nick Feamster CS 4251 Computer Networking II Spring 2008.

Congestion Control and Fairness Models Nick Feamster CS 4251 Computer Networking II Spring 2008.
Congestion Control and Fairness Models Nick Feamster CS 4251 Computer Networking II Spring 2008.

Congestion Control and Fairness Models Nick Feamster CS 4251 Computer Networking II Spring 2008.
QoS Strategy in DiffServ aware MPLS environment Teerapat Sanguankotchakorn, D.Eng. Telecommunications Program, School of Advanced Technologies Asian Institute.

QoS Strategy in DiffServ aware MPLS environment Teerapat Sanguankotchakorn, D.Eng. Telecommunications Program, School of Advanced Technologies Asian Institute.
Architectures for Congestion-Sensitive Pricing of Network Services Thesis Defense by Murat Yuksel CS Department, RPI July 3 rd, 2002.

Architectures for Congestion-Sensitive Pricing of Network Services Thesis Defense by Murat Yuksel CS Department, RPI July 3 rd, 2002.
CNDS 2001, Phoenix, AZ Simulating the Smart Market Pricing Scheme on Differentiated- Services Architecture Murat Yuksel and Shivkumar Kalyanaraman Rensselaer.

CNDS 2001, Phoenix, AZ Simulating the Smart Market Pricing Scheme on Differentiated- Services Architecture Murat Yuksel and Shivkumar Kalyanaraman Rensselaer.
CS640: Introduction to Computer Networks Mozafar Bag-Mohammadi Lecture 3 TCP Congestion Control.

CS640: Introduction to Computer Networks Mozafar Bag-Mohammadi Lecture 3 TCP Congestion Control.
© 2006 Cisco Systems, Inc. All rights reserved. Module 4: Implement the DiffServ QoS Model Lesson 4.10: Deploying End-to-End QoS.

© 2006 Cisco Systems, Inc. All rights reserved. Module 4: Implement the DiffServ QoS Model Lesson 4.10: Deploying End-to-End QoS.
© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 4: Implement the DiffServ QoS Model.

© 2006 Cisco Systems, Inc. All rights reserved. Optimizing Converged Cisco Networks (ONT) Module 4: Implement the DiffServ QoS Model.
Network Border Patrol Celio Albuquerque, Brett J. Vickers and Tatsuya Suda Jaideep Vaidya CS590F Fall 2000.

Network Border Patrol Celio Albuquerque, Brett J. Vickers and Tatsuya Suda Jaideep Vaidya CS590F Fall 2000.
Advanced Computer Networking Congestion Control for High Bandwidth-Delay Product Environments (XCP Algorithm) 1.

Advanced Computer Networking Congestion Control for High Bandwidth-Delay Product Environments (XCP Algorithm) 1.
Fundamentals of Computer Security Geetika Sharma Fall 2008.

Fundamentals of Computer Security Geetika Sharma Fall 2008.
1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.

1 Cryptography and Network Security Third Edition by William Stallings Lecturer: Dr. Saleem Al_Zoubi.
CPSC 601.43 Topics in Multimedia Networking A Mechanism for Equitable Bandwidth Allocation under QoS and Budget Constraints D. Sivakumar IBM Almaden Research.

CPSC Topics in Multimedia Networking A Mechanism for Equitable Bandwidth Allocation under QoS and Budget Constraints D. Sivakumar IBM Almaden Research.
Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 ECSE-6600: Internet Protocols Informal Quiz #11 Shivkumar Kalyanaraman: GOOGLE: “Shiv RPI”

Shivkumar Kalyanaraman Rensselaer Polytechnic Institute 1 ECSE-6600: Internet Protocols Informal Quiz #11 Shivkumar Kalyanaraman: GOOGLE: “Shiv RPI”
Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.

Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.
A Case for Relative Differentiated Services and the Proportional Differentiation Model Constantinos Dovrolis Parameswaran Ramanathan University of Wisconsin-Madison.

A Case for Relative Differentiated Services and the Proportional Differentiation Model Constantinos Dovrolis Parameswaran Ramanathan University of Wisconsin-Madison.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.

A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.
ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.

ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.
Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

Aleksandar Kuzmanovic & Edward W. Knightly A Performance vs. Trust Perspective in the Design of End-Point Congestion Control Protocols.

Similar presentations

Ads by Google