
ecs298k Distributed Denial of Services, lecture #5. Dr. S. Felix Wu, Computer Science Department, University of California, Davis. Slide footer: 04/12/2001, ecs289k, spring 2001.


Slide 1: ecs298k Distributed Denial of Services, lecture #5. Dr. S. Felix Wu, Computer Science Department, University of California, Davis. http://www.cs.ucdavis.edu/~wu/ wu@cs.ucdavis.edu

Slide 2: Internet Source Accountability. Figure: host A at AOL sends a packet to host B at NCSU across UUNet; the header reads src: AOL, dst: NCSU, followed by the payload. Egress filtering???

Slide 3: The Plain DDoS Model (1999-2000). Figure: attackers control masters, masters control slaves (at ISP.com), and the slaves flood the victim with attack packets marked src: random, dst: victim.

Slide 4: Reflector. Use a legitimate network server/client as the reflector to avoid being traced (a stepping stone). Figure: the slave sends a service request packet with src: Victim, dst: Reflector; the reflector answers with a service reply packet, src: Reflector, dst: Victim.

Slide 5: The Reflective DDoS Model (2000). Figure: attackers, masters and slaves (at ISP.com) as in slide 3, plus a layer of reflectors; the slaves send src: victim, dst: reflector, and the reflectors reply src: reflector, dst: victim.

Slide 6: What is the problem? Egress/ingress filtering possible?? Push-back. Rate-limiter. Locating the slaves (compromised hosts in universities, for example) is a good first step; they are probably the easiest to find, and cutting them off helps. Then track down the masters and "the attacker."

Slide 7: What has been proposed? Egress filtering using routing information (Lixia Zhang (UCLA), Van Jacobson (Packet Design), ...). Probabilistic Packet Marking (Stefan Savage (UW/UCSD), UCB, Purdue, UCD, ...). DECIDUOUS. ICMP Traceback Messages (IETF).

Slide 8: Packet Marking in DDoS. Figure: the plain DDoS topology of slide 3 (attackers, masters, slaves at ISP.com, victim; attack packets src: random, dst: victim).

Slide 9: Marking procedure at router R:
    for each packet w
        let x be a random number from [0..1)
        if x < p then
            write R into w.start and 0 into w.distance
        else
            if w.distance == 0 then write R into w.end
            increment w.distance
Figure: attackers A5 and A6 reach the victim through routers R1 ... R9. Header diagram: the IP header fields (version, header length, TOS, total length, identification, flags, fragment offset, time to live, protocol, header checksum, source IP address, destination IP address), with the 16-bit Identification field overloaded to carry the mark: bits 0-2 offset, bits 3-7 distance, bits 8-15 edge fragment.

Slide 10: Figure: the reflective DDoS topology of slide 5 (attackers, masters, slaves at ISP.com, reflectors, victim; src: victim, dst: reflector, then src: reflector, dst: victim). ??? Find special honey-pot reflectors???
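The marking procedure of slide 9 and the reflector question of slide 10, run end to end. This is an added example, not code from the lecture: every router executes the slide's procedure on each packet, the victim reconstructs the attack path from the (start, end, distance) samples it collects, and a second run shows why a reflector defeats the scheme. Router names, the topology, the marking probability and the slave's forged mark are all constructed for the demo; marks are carried as full router names rather than squeezed into the 16-bit Identification field shown on slide 9.

```python
"""Probabilistic packet marking (edge sampling) from slide 9, end to end.

Added example, not from the lecture. Every router runs the slide's
marking procedure on each packet it forwards; the victim reconstructs
the attack path from the (start, end, distance) edge samples it collects.
A second run models slide 10: a reflector answers with a *new* packet,
so any marks gathered on the slave->reflector leg are discarded and the
victim only ever rebuilds the reflector->victim leg. Topology, router
names and p are constructed for the demo.
"""
import random
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    start: Optional[str] = None   # w.start
    end: Optional[str] = None     # w.end
    distance: int = 0             # w.distance


def mark(router: str, w: Packet, p: float, rng: random.Random) -> None:
    """Marking procedure at router R for one packet w (slide 9)."""
    if rng.random() < p:                 # x in [0, 1); x < p: start a new edge
        w.start, w.distance = router, 0
    else:
        if w.distance == 0:              # previous hop started an edge: close it
            w.end = router
        w.distance += 1                  # every non-marking router adds one hop


def forward(w: Packet, path: list, p: float, rng: random.Random) -> Packet:
    for router in path:                  # path is ordered from sender to receiver
        mark(router, w, p, rng)
    return w


def reconstruct(packets, victim: str, max_hops: int = 32) -> dict:
    """Victim side: grow the router tree outward, one hop distance at a time.
    Returns {node: [next hops away from the victim]}."""
    edges = set()
    for w in packets:
        if w.start is None or w.distance >= max_hops:
            continue                     # never marked, or implausibly far
        end = victim if w.distance == 0 else w.end   # distance 0: edge ends at us
        edges.add((w.start, end, w.distance))
    tree, frontier = {victim: []}, {victim}
    for d in range(max_hops):
        nxt = set()
        for start, end, dist in edges:
            if dist == d and end in frontier:
                tree.setdefault(end, []).append(start)
                tree.setdefault(start, [])
                nxt.add(start)
        if not nxt:
            break
        frontier = nxt
    return tree


def demo(p: float = 0.04, n_packets: int = 2000, seed: int = 1):
    rng = random.Random(seed)
    victim = "victim"
    slave_path = ["R1", "R2", "R3", "R4", "R5"]      # R1 is the slave's access router

    # Plain DDoS (slide 8): random spoofed sources, but the marks ride along.
    direct = [forward(Packet(src=f"10.0.{rng.randrange(256)}.1", dst=victim),
                      slave_path, p, rng) for _ in range(n_packets)]
    # A slave may pre-fill the marking fields; such forged edges can only
    # appear *beyond* R1, because every real router still increments distance.
    for _ in range(50):
        direct.append(forward(Packet(src="10.0.0.1", dst=victim, start="Rfake"),
                              slave_path, p, rng))

    # Reflective DDoS (slide 10): the reply is a fresh packet from the reflector.
    reflector_path = ["R7", "R8", "R9"]
    reflected = []
    for _ in range(n_packets):
        forward(Packet(src=victim, dst="reflector"), slave_path, p, rng)  # marks lost
        reflected.append(forward(Packet(src="reflector", dst=victim),
                                 reflector_path, p, rng))
    return reconstruct(direct, victim), reconstruct(reflected, victim)


if __name__ == "__main__":
    plain, reflective = demo()
    print("plain DDoS tree:     ", plain)
    print("reflective DDoS tree:", reflective)
```

In the plain run the victim recovers victim, R5, R4, R3, R2, R1, and the forged "Rfake" can only attach beyond R1, so the slave's access router is still exposed. In the reflective run the same victim recovers only R9, R8, R7: the slave-side marks were overwritten when the reflector built its reply, which is the point of slide 10.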

Slide 11: ICMP Traceback. With a very small probability, i.e. for very few packets (about 1 in 20,000), each router sends the destination a new ICMP message indicating the previous hop for that packet. Net traffic increase at the endpoint is about 0.1% (1/20,000 per router, summed over a path of roughly 20 routers), probably acceptable.

Slide 12: Original iTrace. Figure: the plain DDoS topology of slide 3 (attackers, masters, slaves at ISP.com, victim; attack packets src: random, dst: victim).

Slide 13: iTrace in Reflective DDoS. Figure: the reflective topology of slide 5 (attackers, masters, slaves at ISP.com, reflectors, victim; src: victim, dst: reflector, then src: reflector, dst: victim).

Slide 14: Improved ICMP Traceback. For very few packets (about 1 in 20,000), each router sends both the destination and the source a new ICMP message indicating the previous hop for that packet. Net traffic increase at the endpoint is about 0.2% (twice that of slide 11, since every sampled hop now produces two messages), probably acceptable.

Slide 15: Figure: the reflector exchange of slide 4 (service request src: Victim, dst: Reflector; service reply src: Reflector, dst: Victim), now with source-directed traceback messages about the request flowing back to the victim from the slave's side of the path. Who has spoofed me??

Slide 16: Improved iTrace. Figure: the reflective topology of slide 5 (attackers, masters, slaves at ISP.com, reflectors, victim; src: victim, dst: reflector, then src: reflector, dst: victim).

Slide 17: What we believe....
- Egress filtering is very important!! We need to develop technical solutions to filter packets efficiently and accurately!!
- Probabilistic Marking will not work!! It cannot handle "reflective DDoS"!
- iTrace-based solutions can complement egress filtering. With a fixed probability, we might not be able to reliably identify the final true sources/slaves. How do I know if this is my own packet or a spoofed packet?

Slide 18: Each slave emits a "relatively small" amount of attack packets. Figure: the plain DDoS topology of slide 3 (attack packets src: random, dst: victim). This will be a problem for any "static" probabilistic scheme.
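An added simulation, not part of the lecture, that ties slides 11, 14, 15 and 18 together: routers emit iTrace messages with a static per-packet probability, either to the destination only (original iTrace) or to destination and source (improved iTrace), and the analytic helpers put numbers on the "relatively small amount of attack packets" problem. The hosts, router names, traffic volumes and the probabilities other than 1/20,000 are constructed for the demo.

```python
"""ICMP Traceback (iTrace) under plain and reflective DDoS, simulated.

Added example, not part of the lecture. It models slides 11 and 14: each
router, with probability P_ITRACE per forwarded packet, sends an ICMP
traceback message naming itself and the previous hop to the packet's
destination (original iTrace) or to both destination and source (improved
iTrace). In a reflective attack the slave writes the victim's address as
source, so source-directed messages about the slave->reflector leg arrive
at the victim (slide 15, "who has spoofed me?"). The analytic helpers put
numbers on slide 18: a slave that sends few packets is rarely sampled by
a static probability. Hosts, routers, volumes and p are constructed.
"""
import random
from collections import defaultdict

P_ITRACE = 1 / 20000          # slide 11: about 1 in 20,000 packets


def traffic_overhead(hops: int, p: float = P_ITRACE, improved: bool = False) -> float:
    """Extra messages per packet seen at an endpoint: one per sampled hop,
    doubled when a copy also goes back to the source (slides 11 and 14)."""
    return hops * p * (2 if improved else 1)


def p_first_hop_identified(packets_per_slave: int, p: float = P_ITRACE) -> float:
    """Probability that a slave's access router emits at least one iTrace
    message about that slave's packets during the whole attack."""
    return 1 - (1 - p) ** packets_per_slave


def forward(pkt: dict, path: list, p: float, rng: random.Random,
            improved: bool, mailbox: dict) -> None:
    """Carry pkt along path (router names, sender side first); each router
    may emit an iTrace message (router, previous hop, src, dst)."""
    prev_hop = pkt["origin"]
    for router in path:
        if rng.random() < p:
            msg = (router, prev_hop, pkt["src"], pkt["dst"])
            mailbox[pkt["dst"]].append(msg)          # original iTrace: to destination
            if improved:
                mailbox[pkt["src"]].append(msg)      # improved iTrace: also to source
        prev_hop = router


def reflective_attack(n_slaves: int, packets_per_slave: int, p: float,
                      improved: bool, seed: int = 7):
    """Run a reflective DDoS and report which slaves the victim can name."""
    rng = random.Random(seed)
    mailbox = defaultdict(list)
    victim, reflector = "victim", "reflector"
    reflector_path = ["R7", "R8", "R9"]
    slaves = [f"slave{i}" for i in range(n_slaves)]
    for s in slaves:
        slave_path = [f"{s}-gw", "R2", "R3"]        # access router, then core
        for _ in range(packets_per_slave):
            req = {"origin": s, "src": victim, "dst": reflector}   # spoofed source
            forward(req, slave_path, p, rng, improved, mailbox)
            reply = {"origin": reflector, "src": reflector, "dst": victim}
            forward(reply, reflector_path, p, rng, improved, mailbox)
    # The victim only learns hosts that appear as "previous hop" in its mail.
    named = {prev for (_, prev, _, _) in mailbox[victim]}
    exposed = sorted(s for s in slaves if s in named)
    return exposed, len(mailbox[victim])


if __name__ == "__main__":
    print("overhead, 20 hops:", traffic_overhead(20), traffic_overhead(20, improved=True))
    print("P(access router sampled | 1000 pkts):", round(p_first_hop_identified(1000), 4))
    for improved in (False, True):
        exposed, n_msgs = reflective_attack(200, 100, P_ITRACE, improved)
        print(f"improved={improved}: {n_msgs} iTrace msgs at victim, "
              f"slaves exposed: {len(exposed)}")
```

With original iTrace the victim's messages all concern the reflector-to-victim leg, so no slave is ever named; with improved iTrace the access router of a spoofing slave reports straight to the victim. The catch is the static probability: at 1/20,000 a slave that sends 1,000 packets has under a 5% chance of ever being sampled by its access router, so a botnet of many low-volume slaves stays mostly invisible, which is the concern raised on slide 18.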

Slide 19: Figure: same as slide 15 (service request src: Victim, dst: Reflector; service reply src: Reflector, dst: Victim; source-directed traceback messages back to the victim). Who has spoofed me??

Slide 20: Figure: the victim, behind its ISP, sends a service request packet src: Victim, dst: www.yahoo.com and then receives source-directed traceback messages about it. Is that really me??? How can I tell??

Slide 21: Maybe it is my friend... Figure: the plain DDoS topology of slide 3 (attackers, masters, slaves at ISP.com, victim; src: random, dst: victim), with legitimate customers sending alongside the slaves. Are you sure that this is from a slave or not?

Slide 22: iTrace Packet Analyzer. Are those problems (I just raised) realistic? In today's Internet, how likely am I to receive iTrace packets for "innocent" packets? How to correlate the iTrace packets to determine: how many slaves? where are they? how reliable is the answer? If static, what should be the "best" probability?

Slide 23: Magic Marks: concept. For an outgoing packet (src/dst IP addresses, the rest...), the src/dst IP addresses are fed, together with a private key, to an HMAC that yields a 128-bit digest; a selector picks 16 bits of the digest as the mark. The packet carries the 16-bit mark, and the mark is copied into the iTrace message, whether it is a SRC iTrace or a DST iTrace.

Slide 24: Magic Marks: design. For an outgoing packet (src/dst IP addresses, the rest...), the HMAC with the private key is computed over the src IP address plus N bits (N=8) of the dst IP address, giving a 128-bit digest from which a selector takes the 16-bit mark. Pre-compute the marking table with 2^N entries; per packet, marking is then a mark table look-up.

Slide 25: A scenario. A marked packet (src/dst IP addresses, the rest..., 16-bit mark) reaches the dst, which also receives an iTrace message carrying the same src/dst IP addresses and 16-bit mark. The dst sends a verify message (the 16-bit mark) to the src, and the src responds Y/N.
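The Magic Marks mechanism of slides 23 to 25 in working form. This is an added example, not the lecture's code, and it fixes some details the slides leave open: the 128-bit digest is taken to be HMAC-MD5 (any 128-bit keyed digest would serve), the selector takes the first 16 bits, and per slide 24 the digest covers the source address plus the top N=8 bits of the destination so that a 2^N-entry table can be precomputed. The addresses, key and router names are constructed for the demo.

```python
"""Magic Marks (slides 23 to 25): a keyed 16-bit mark so a host can answer
"is this really my packet?" when an iTrace message arrives.

Added example, not the lecture's code. Assumptions made here: the slide's
128-bit digest is HMAC-MD5 (any 128-bit keyed digest would do); the
selector takes the first 16 bits of the digest; following slide 24 the
digest covers the source address plus the top N=8 bits of the destination,
so a host precomputes all 2**N marks once and marks each outgoing packet
with a table lookup. Addresses, key and router names are constructed.
"""
import hashlib
import hmac
import ipaddress

N_DST_BITS = 8                          # slide 24: N = 8 bits of the destination


class MarkingHost:
    """A host (or its edge router) that marks the packets it originates and
    later confirms or denies marks shown to it."""

    def __init__(self, ip: str, key: bytes, n_bits: int = N_DST_BITS):
        self.ip = ipaddress.ip_address(ip)
        self.key = key                   # private key, never leaves this host
        self.n_bits = n_bits
        # Pre-compute the marking table with 2**N entries (slide 24).
        self.table = [self._compute(prefix) for prefix in range(2 ** n_bits)]

    def _dst_prefix(self, dst: str) -> int:
        return int(ipaddress.ip_address(dst)) >> (32 - self.n_bits)

    def _compute(self, prefix: int) -> int:
        nbytes = (self.n_bits + 7) // 8
        data = self.ip.packed + prefix.to_bytes(nbytes, "big")
        digest = hmac.new(self.key, data, hashlib.md5).digest()   # 128-bit digest
        return int.from_bytes(digest[:2], "big")                   # selector: 16 bits

    def mark(self, dst: str) -> int:
        return self.table[self._dst_prefix(dst)]      # table look-up per packet

    def send(self, dst: str) -> dict:
        return {"src": str(self.ip), "dst": dst, "mark": self.mark(dst)}

    def verify(self, claimed_src: str, dst: str, mark: int) -> str:
        """Slide 25: answer the destination's verify message with Y or N."""
        if ipaddress.ip_address(claimed_src) != self.ip:
            return "N"
        expected = self.mark(dst).to_bytes(2, "big")
        shown = (mark & 0xFFFF).to_bytes(2, "big")
        return "Y" if hmac.compare_digest(expected, shown) else "N"


def itrace_message(router: str, pkt: dict) -> dict:
    """A router copies src/dst and the 16-bit mark into its iTrace message."""
    return {"router": router, "src": pkt["src"], "dst": pkt["dst"], "mark": pkt["mark"]}


def dst_verifies_with_src(hosts: dict, msg: dict) -> str:
    """The destination sends (src, dst, mark) to the claimed source and gets Y/N."""
    return hosts[msg["src"]].verify(msg["src"], msg["dst"], msg["mark"])


def scenario() -> dict:
    key = b"per-host secret, constructed for the demo"
    victim = MarkingHost("192.0.2.10", key)
    hosts = {"192.0.2.10": victim}
    reflector = "198.51.100.7"

    # Legitimate request from the victim: the mark matches, the answer is Y.
    own = itrace_message("R3", victim.send(reflector))
    # A slave spoofing the victim's address has no key, so it cannot compute
    # the mark; any value it picks is wrong except with probability 2**-16.
    # A wrong value is chosen here so the run is deterministic.
    spoofed_pkt = {"src": "192.0.2.10", "dst": reflector,
                   "mark": (victim.mark(reflector) + 1) & 0xFFFF}
    spoofed = itrace_message("slave-gw", spoofed_pkt)
    return {
        "own": dst_verifies_with_src(hosts, own),
        "spoofed": dst_verifies_with_src(hosts, spoofed),
        "table_entries": len(victim.table),
        # marks depend only on the top N bits of the destination (slide 24)
        "same_prefix": victim.mark("198.51.100.7") == victim.mark("198.51.200.9"),
    }


if __name__ == "__main__":
    print(scenario())
```

The answer "N" for the spoofed packet is what lets the victim of slides 19 and 20 tell "that was not me" from "that was my own request": the iTrace message about its legitimate traffic verifies, the one about the slave's spoofed request does not. The 16-bit mark gives a spoofer a 1 in 65,536 chance per packet of guessing right, and keying the table on only the top N bits of the destination keeps the precomputed table small at the cost of giving every destination in the same /N prefix the same mark.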

