Presentation is loading. Please wait.

Presentation is loading. Please wait.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

Published byDashawn Haworth Modified over 9 years ago

Similar presentations

Presentation on theme: "IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented."— Presentation transcript:

1 IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented

2 Introduction IP traceback problem –The problem of identifying the source of the offending packets (DoS and DDoS attacks) –Source: zombie; reflector; spoofed addresses …etc. Solution –Rely on the routers (PPM) Only for DOS –Rely on the ingress routers only (DPM and DFM) for DDoS and DoS. –Centralized management (log of packet infor.) Large overhead, complex, not scalable

3 DoS and DDoS Attacks

4 Why Cloud Computing? Cloud Computing is Traditional Distributed Environment (TDE). Cloud Computing is vulnerable to any attack targeting TDEs. DoS and DDoS are targeting TDEs. DoS and DDoS targeting the availability of a service. The Cost in cloud computing will be greater.

5 Deterministic Packet Marking (DPM) Each packet is marked when it enters the network Only mark Incoming packets Mark : address information of this interface 16 bit ID + 1 bit Flag

6

7 Coding of a mark Flag =0  address bits 0~15 Flag =1  address bits 16~31 Randomly setting flag value How many packet are enough ? –n : the number of received packets –The probability of successfully generate the ingress IP address is greater than –2 packets  75% ; 4 packets  93.75% 6 packets  98.43% ; 10 packets  99.9% 6 packets  98.43% ; 10 packets  99.9%

8 Pros Simple to implement Introduces no bandwidth Practically no processing overhead suitable for a variety of attacks [not just (D)DoS] Backward compatible with equipment which does not implement it does not have inherent security flaws Do not reveal internet topology No mark spoofing Scalable

9 Schematics Pad Ideal hash

10 Reconstruction Area Area each area has k segments Each segment has bits area

11 DPM Limitations DPM Limitations Can not handle the fragmentation/ reassembly problem All packets need to be marked Can trace the attack only to ingress router Can handle up to 2058 attack sources Does not support IPv6 implementation

12 Deterministic Flow Marking Based on DPM Only the first K packets need to be marked Can trace the attack to the attacker’s node Can handle up to 64K attack sources Does not support IPv6 implementation Can not handle subverted router problem

13 DPM VS. DFM

14 Identifiers used by DFM

15 Using the gray fields as marking field in IP header for K=2

16 DFM Limitations DFM Limitations Can not handle the fragmentation/ reassembly problem Does not support IPv6 implementation Using 42-byte signature to authenticate the whole flow

17 The Proposed Solutions Using the IPv6 header Flow Label field to hold the mark Using MD4 algorithm instead of elliptic curve signature within the packet (not assured till now). The fragmentation/reassembly problem is not an issue in IPv6 protocol.

18

19 Conclusion DFM is more practical and efficient than DPM DFM and DPM can not prevent DDoS attack but try to trace the source of it DFM need some improvements to be fully applicable on Intrusion Detection Systems.

20 I have questions …

21 References Vahid A. F. Nur A. Zincir-Heywood, “IP traceback through (authenticated) deterministic flow marking: an empirical evaluation”, EURASIP Journal on Information Security, Vol. 1, No. 5, pp. 1-24, 2013. Xiang, Y., W. Zhou and M. Guo, “Flexible deterministic packet marking: An IP traceback system to find the real source of attacks”, IEEE Transactions on Parallel and Distributed Systems, Vol. 20, No. 4, pp. 567-580, 2009. Andrey Belenky and Nirwan Ansari, “IP Traceback with Deterministic Packet Marking”, IEEE COMMUNICATIONS LETTERS, VOL. 7, NO. 4, pp: 162-164, 2003. Andrey Belenky and Nirwan Ansari, “Tracing Multiple Attackers with Deterministic Packet Marking (DPM)”, pp: 49-52, 2003. Vahid A. F. Nur A. Zincir-Heywood, “On Evaluating IP Traceback Schemes: A Practical Perspective”, IEEE Communications, Pp: 127-134

Download ppt "IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented."

Similar presentations

CS 265 – Project IPv6 Security Aspects Surekha Shinde.

CS 265 – Project IPv6 Security Aspects Surekha Shinde.
IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.

IPv6 Keith Wichman. History Based on IPv4 Based on IPv4 Development initiated in 1994 Development initiated in 1994.
IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.

IPv6 Overview Brent Frye EECS710. Overview Google Drive Microsoft Cloud Drive Dropbox Paid-for alternatives 2.
The Future of TCP/IP Always evolving: –New computer and communication technologies More powerful PCs, portables, PDAs ATM, packet-radio, fiber optic, satellite,

The Future of TCP/IP Always evolving: –New computer and communication technologies More powerful PCs, portables, PDAs ATM, packet-radio, fiber optic, satellite,
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.

Chapter 20 Network Layer: Internet Protocol Stephen Kim 20.1.
Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.

Defending against Large-Scale Distributed Denial-of-Service Attacks Department of Electrical and Computer Engineering Advanced Research in Information.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.

Crypto – chapter 16 - noack Introduction to network stcurity Chapter 16 - Stallings.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
1 K. Salah Module 5.2: Internet Protocol CO vs. CL protocols IP Features –Fragmentation –Routing IP Datagram Format IPv6.

1 K. Salah Module 5.2: Internet Protocol CO vs. CL protocols IP Features –Fragmentation –Routing IP Datagram Format IPv6.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.

An Authentication Service Against Dishonest Users in Mobile Ad Hoc Networks Edith Ngai, Michael R. Lyu, and Roland T. Chin IEEE Aerospace Conference, Big.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Introduction to IP Traceback 交通大學 電信系 李程輝 教授. 2 Outline  Introduction  Ingress Filtering  Packet Marking  Packet Digesting  Summary.

Introduction to IP Traceback 交通大學 電信系 李程輝 教授. 2 Outline  Introduction  Ingress Filtering  Packet Marking  Packet Digesting  Summary.
SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.

SUNY at Buffalo; Computer Science; CSE620 – Advanced Networking Concepts; Fall 2005; Instructor: Hung Q. Ngo 1 Agenda Last time: finished brief overview.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Similar presentations

Ads by Google