Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack."— Presentation transcript:

1 Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack

2 Introduction DDoS attacks – Disturbance to the global internet. How do DDoS attacks occur? Congestion could be caused by flash crowds too. Non malicious www.Olympics.comwww.Olympics.com during 2000 Sydney Olympics. Victim can do nothing to protect itself. Can anything be done inside the network to defend?

3 What is Pushback? Pushback - Defense against DDoS. A mechanism that allows a router to request adjacent upstream routers to limit the rate of traffic. Concept - Aggregate congestion control (ACC). Aggregate - Subset of traffic with identifiable property. Congestion Signature - Set of properties of the aggregate identified as causing problems.

4 DDoS attack in progress R2R3 R4 R5R6 R7 R8 D R1 Red - Bad traffic Green - Good traffic

5 Partial view of a router Match congestion Signature ? Rate Limiter Pushbackd Input Queues Output Queues N Y Update Congestion signature Adjust Local ACC D D pushback P

6 Dropped Packet Report Is sent by the rate-limiter to the Pushback daemon. Output interface Magic Number IP Destination address Input interface Timestamp Packet size Reason

7 How does the Pushback daemon identify an attack and the victim? Algorithm Step1: If (w i > 1.2 * w o ) then attack is in progress. Step2: Dropped packets are grouped according to the longest matching prefix in the routing table. Step3: The prefix with the highest number of dropped packets is the set to be used in step4. Step4: The set in step3 is scanned to find the host to which most of the packets are destined to. Step5: If (w i – w b > 1.2 * w o ) then repeat steps 2 to 5.

8 Pushback Request The Pushback daemon uses a pushback request to tell the upstream links about the prefix to rate- limit. Pushback request is as shown below. Depth of Requesting Node RLS-ID Expiration time Bandwidth Limit Congestion Signature

9 Pushback Response Sends responses downstream. The response is very similar to request as shown here. Depth of Requesting Node Time in effect Bandwidth Used Congestion Signature RLS-ID

10 Conclusion Successfully implemented in the lab under FreeBSD operating system. Deployment becomes complex as it requires lot of resources. Any Questions?

Download ppt "Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack."

Similar presentations

On the Necessity of Handling DDoS Traffic in the Middle of the Network Peter Reiher UCLA Computer Communications Workshop October 22, 2008.

On the Necessity of Handling DDoS Traffic in the Middle of the Network Peter Reiher UCLA Computer Communications Workshop October 22, 2008.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
IP Forwarding Relates to Lab 3.

IP Forwarding Relates to Lab 3.
6.033: Intro to Computer Networks Layering & Routing Dina Katabi & Sam Madden Some slides are contributed by N. McKewon, J. Rexford, I. Stoica.

6.033: Intro to Computer Networks Layering & Routing Dina Katabi & Sam Madden Some slides are contributed by N. McKewon, J. Rexford, I. Stoica.
Use Cases for I2RS I2RS Interim Meeting Nicolai Leymann, Deutsche Telekom AG 19.04.2013.

Use Cases for I2RS I2RS Interim Meeting Nicolai Leymann, Deutsche Telekom AG
MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.

SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Security and Privacy on the Internet Fall 2004 031-60-564 Survey Presentation by Costel Iftimie.

Security and Privacy on the Internet Fall Survey Presentation by Costel Iftimie.
Color Aware Switch algorithm implementation The Computer Communication Lab (236340) Spring 2008.

Color Aware Switch algorithm implementation The Computer Communication Lab (236340) Spring 2008.
2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.

2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.
4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.

4-1 Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving side, delivers.
1 Controlling High Bandwidth Aggregates in the Network.

1 Controlling High Bandwidth Aggregates in the Network.
An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.

An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.

10 - Network Layer. Network layer r transport segment from sending to receiving host r on sending side encapsulates segments into datagrams r on rcving.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
MPLS and Traffic Engineering

MPLS and Traffic Engineering
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Similar presentations

Ads by Google