Network support for DoS Protection
Stefan Savage
Dept of Computer Science and Engineering
UC San Diego

State of the practice
Spoofing mitigation
  – End host SYN cookies
  – RPF (sparse and loose)
  – TTL fingerprint filtering
Filtering
  – /32 blackhole
  – Src address filtering
  – Dst-based offramp, scrub, re-inject (common features)

Framing the research problem
Fundamentally two kinds of approaches
  – Filtering: filter out evil packets
      Ideally upstream from victim
      How to discern evil/good status
        – CAPTCHAs, history, authentication
            » What if you don't receive pkts?
      How to attach to packets/requests
        – Identifiers, capabilities, ad hoc features
  – Diffusion: spread attack across surface
      Destination hiding + overlays
      Replication (e.g., Akamai)

The problem of federation
How do you convince someone else (e.g., an ISP) to filter packets destined to you?
  – DoS threat from control channel
      Authenticity of request (secure routing helps here)
      Overload filtering mechanism (1M /32s)
  – What do I get out of doing this work for you?

Identifiers
Basic idea
  – Characterize bad packets and record their identifiers
  – Filter based on those identifiers
Almost all operational anti-DDoS is this
  – Dst filtering, src filtering, TTL filtering, cookie filtering, etc.
Life easier if we had a:
  – Reliable identifier
  – Naturally tied to source of attack
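
The "record identifiers, then filter on them" idea, applied to the TTL fingerprint filtering named under State of the practice, as an added example that is not from the original slides. The class and function names, the list of common initial TTLs, the one-hop tolerance and the sample packets are all assumptions constructed for illustration.

```python
# Added illustration: TTL (hop-count) fingerprint filtering on constructed data.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)  # assumed typical OS defaults

def hop_count(observed_ttl):
    """Infer hops travelled: smallest common initial TTL >= observed TTL."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("TTL out of range")
    initial = min(t for t in COMMON_INITIAL_TTLS if t >= observed_ttl)
    return initial - observed_ttl

class TTLFingerprintFilter:  # hypothetical name
    def __init__(self, tolerance=1):
        self.tolerance = tolerance  # hops of slack for minor route changes
        self.learned = {}           # src address -> set of hop counts seen

    def learn(self, src, ttl):
        """Record the identifier (hop count) during a period believed clean."""
        self.learned.setdefault(src, set()).add(hop_count(ttl))

    def verdict(self, src, ttl):
        """Return 'pass', 'drop' (fingerprint mismatch) or 'unknown'."""
        known = self.learned.get(src)
        if known is None:
            return "unknown"  # no history for this source
        hops = hop_count(ttl)
        if any(abs(hops - k) <= self.tolerance for k in known):
            return "pass"
        return "drop"

# Constructed sample traffic: (source address, observed TTL)
BASELINE = [("198.51.100.7", 52), ("198.51.100.7", 52), ("203.0.113.9", 117)]
UNDER_LOAD = [
    ("198.51.100.7", 52),   # same hop count as baseline
    ("198.51.100.7", 51),   # one hop longer, within tolerance
    ("198.51.100.7", 240),  # known source, hop count off by 3
    ("203.0.113.9", 60),    # known source, hop count off by 7
    ("192.0.2.44", 64),     # source never seen in baseline
]

def run_demo():
    f = TTLFingerprintFilter(tolerance=1)
    for src, ttl in BASELINE:
        f.learn(src, ttl)
    return [f.verdict(src, ttl) for src, ttl in UNDER_LOAD]

if __name__ == "__main__":
    for pkt, v in zip(UNDER_LOAD, run_demo()):
        print(pkt, v)
```

Sources with no baseline return `unknown`; what to do with them is a policy choice the slides do not specify.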