
Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004.


1 Defense Against DDoS Presented by Zhanxiang for [Crab] Apr. 15, 2004

2 DoS & DDoS
- DoS: “an attack with the purpose of preventing legitimate users from using a victim computing system or network resource” [3]
- DDoS: “A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets.” [4]
- You may have paid for the hardware, but do you really own your network?

3 Typical Attack Skills
- SYN flooding
- IP spoofing
- Bandwidth attack
- Filling the victim’s hard disk space
- …

4 What can DoS lead to?
- Website
- DNS
- Mail server
- Emergency
- Many tools are available for DoS attacks, and teenagers are bound to try them. [2]

5 Case Study
- “DDoS attack hits clickbank and spamcop.net”, by Mirko Zorz, June 25, 2003
- “Super Bowl fuels gambling sites' extortion fears”, by Paul Roberts, IDG News Service, January 28, 2004

6 Defense
Two general areas:
- Defense against IP spoofing
- Defense against bandwidth flooding attacks
(Turn to Lingxuan)

7 Against Bandwidth Flooding Attacks
- Goal: stop attacks on their way to the victims
- Scheme: SIFF [1]

8 SIFF: Assumptions
- Marking space in the IP header
- Routers mark every packet
- Short-term route stability

9 Idea
Divide all traffic into:
- Privileged: always gets transferred
- Unprivileged: transferred only if it does not affect privileged packets
Unprivileged ---handshake (to get the privilege token)---> Privileged

10 Idea (cont.)
Routers:
- mark packets during the handshake
- match the privilege token while forwarding packets
The recipient refuses an attack flow by:
- not providing the privilege token, or
- providing a false one

11 Packet Identifier Design
- Flags field (3 bits):
  SF: packet is non-legacy
  PT: EXP or DTA
  CU: capability reply present or not
- Capability: marks modified by routers
- C-R (capability reply): lets recipients signal a capability to the sender

12 Handshake
Client -> Server: EXP(0), arriving as EXP(α) after the routers mark it
Server -> Client: EXP(0){α}, arriving as EXP(β){α}
Client -> Server: DTA(!α){β}
Legend: Packet-Type (Capability) {Capability Reply}; routers sit between client and server

13 Router Marking Calculation
Inputs to a keyed hash function:
- IP of the interface at which the packet arrived
- IP of the last-hop router’s outgoing interface
- Source IP and destination IP of the packet
The last z bits of the hash output form the marking.

14 Marking Scheme for EXP
- Packets with a capability field of all zeros get marked with an additional 1 bit.
- Routers push their markings into the least significant bits of the capability field.

15 Authentication Scheme for DTA
- Routers check the marking in the least significant bits of the capability field, and rotate it into the most significant bits, if it is equal to what the marking would be for an EXPLORER packet.

16 Key Switch
Why? If the hash function does not change periodically, an attacker can simply obtain a capability through a seemingly legitimate request, and then use it to flood the server with privileged traffic.
Solution: windowed authentication and marking.

17 Windowed Authentication and Marking for DTA
- Routers check that the marking equals one of the valid markings in their window, and always rotate the newest marking in the window into the capability field.

18 Do Guesses Work?
- x: number of markings each router maintains in its window
- z: number of bits per router marking
- P(x, z): probability that a randomly guessed capability will pass a particular router
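A toy model of slides 13 to 18, added here as an illustration and not code from the presentation or from the SIFF paper: routers derive z-bit markings with a keyed hash, push them into the capability on EXP packets, verify DTA packets against a window of markings from recent keys, and rotate the newest marking in so the capability reaching the server is refreshed. The bit layout (markings concatenated, verified from the high end), HMAC-SHA256 as the keyed hash, z = 4, the window size and all addresses are this example's own assumptions.

```python
import hashlib, hmac
Z = 4  # z of slide 18: bits per router marking (assumed value)

class Router:
    def __init__(self, in_if, prev_out_if, key, window=2):
        self.in_if, self.prev_out_if = in_if, prev_out_if
        self.keys = [key]      # newest key first; x of slide 18 is len(self.keys)
        self.window = window   # assumed window size

    def switch_key(self, new_key):
        """Key switch (slide 16): old keys stay valid while inside the window."""
        self.keys = ([new_key] + self.keys)[: self.window]

    def marking(self, key, src, dst):
        """Slide 13: keyed hash over interface and address fields, last z bits."""
        msg = f"{self.in_if}|{self.prev_out_if}|{src}|{dst}".encode()
        digest = hmac.new(key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[-2:], "big") & ((1 << Z) - 1)

    def forward_explorer(self, cap, src, dst):
        """EXP (slide 14): push this router's newest marking into the low bits."""
        return (cap << Z) | self.marking(self.keys[0], src, dst)

    def forward_data(self, cap, width, src, dst):
        """DTA (slides 15/17): verify against the window, then rotate the newest marking in."""
        valid = {self.marking(k, src, dst) for k in self.keys}
        if (cap >> (width - Z)) not in valid:     # marking at the checked end
            return False, cap                       # reject: drop the packet
        cap = ((cap << Z) & ((1 << width) - 1)) | self.marking(self.keys[0], src, dst)
        return True, cap                            # next hop finds its marking on top

def handshake_explorer(path, src, dst):
    """Client's EXP(0) crosses the path; the server receives EXP(alpha)."""
    cap = 0
    for r in path:
        cap = r.forward_explorer(cap, src, dst)
    return cap

def send_data(path, cap, src, dst):
    """DTA(alpha): dropped at the first rejecting router; else (True, refreshed cap)."""
    width = Z * len(path)
    for r in path:
        ok, cap = r.forward_data(cap, width, src, dst)
        if not ok:
            return False, None
    return True, cap

def guess_pass_probability(x, z, hops=1):
    """Upper bound on P(x, z)^hops: a random z-bit value hits one of at most x markings."""
    return min(1.0, x / 2 ** z) ** hops
```

With one key per router a capability flipped in any marking bit is dropped at the first router; after a key switch the old capability still passes and comes back refreshed, and once it leaves the window it only passes if its stale markings happen to collide with current ones.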

19 Can a Privileged Channel be Established Under Unprivileged Packet Flooding?
- i: number of hops in the network
- ε_i: probability of getting dropped at any one of those routers

20 Limitations
- Depends on a mechanism to detect attacks
- Networks in which some routers do not implement SIFF
- Colluding attackers
- Host granularity, not application granularity

21 References
[1] Avi Yaar, Adrian Perrig, and Dawn Song. “SIFF: A Stateless Internet Flow Filter to Mitigate DDoS Flooding Attacks.” In Proceedings of the 2004 IEEE Symposium on Security and Privacy.
[2] Tools: http://staff.washington.edu/dittrich/misc/ddos/
[3] David Karig and Ruby Lee. “Remote Denial of Service Attacks and Countermeasures.” Princeton University Department of Electrical Engineering Technical Report CE-L2001-002, October 2001.
[4] Lincoln Stein and John N. Stuart. “The World Wide Web Security FAQ”, Version 3.1.2, February 4, 2002. http://www.w3.org/security/faq/ (accessed 8 April 2003).
