Presentation is loading. Please wait.

Presentation is loading. Please wait.

Papers covered ● K. Lakshminarayanan, D. Adkins, A. Perrig, I. Stoica, “Taming IP Packet Flooding Attacks”, HotNets-II. ● M. Handley, A. Greenhalgh, “Steps.

Published byGilbert Jackson Modified over 8 years ago

Similar presentations

Presentation on theme: "Papers covered ● K. Lakshminarayanan, D. Adkins, A. Perrig, I. Stoica, “Taming IP Packet Flooding Attacks”, HotNets-II. ● M. Handley, A. Greenhalgh, “Steps."— Presentation transcript:

1 Papers covered ● K. Lakshminarayanan, D. Adkins, A. Perrig, I. Stoica, “Taming IP Packet Flooding Attacks”, HotNets-II. ● M. Handley, A. Greenhalgh, “Steps Towards a DoS- resistant Internet Architecture”, FDNA 2004.

2 Goals ● Host-based control over packets received – Avoid receiving packets at arbitrary ports – Contain traffic of an application under a flooding attack to protect other traffic (isolation) – Protect traffic of established connections – Throttle rate of opening new connections

3 Two main approaches ● More radical, more elegant – Use indirection layer (i3-based) ● Less radical, less elegant – Use special filters at edge ISP (IP-based)

4 i3 ● Rendezvous primitive built on top of a DHT (content- addressable network) ● Key lookup done in a distributed p2p manner

5 i3-based approach ● Sources send packets to logical identifier – Receivers express interest in packets by inserting triggers – Given a packet, i3 looks to see if there is an associated trigger to forward packet to – Receiver removes trigger if not interested in packet ● Example use – Servers have well-known public triggers – Clients contact servers via public triggers to establish dynamic private triggers – Subsequent communication via private triggers

6 i3-based goals achieved ● Avoid receiving packets at arbitrary ports – IP addresses hidden and identifiers of public triggers are the only information exposed ● Contain traffic of an application under a flooding attack to protect other traffic (isolation) – Differential dropping/prioritization of public triggers under attack (similar to WFQ or CBQ) ● Protect traffic of established connections – Differential dropping/prioritization of private vs public triggers ● Throttle rate of opening new connections – Redirect public trigger to a gatekeeper that issues puzzles (approach in paper is weak => see last week's IP puzzle paper)

7 IP-based approach ● Provide configurable white lists of allowed communication at edge ISP (akin to NAT traversal) – Edge routers maintain per-flow state for destinations – Effectively placing a customer “firewall” upstream ● Assumptions – Edge ISP with enough bandwidth to support arbitrary volumes of attack traffic – Edge ISP willing to allow dynamic customer filters

8 IP-based goals achieved ● Avoid receiving packets at arbitrary ports – Port forward only those on white-list (i.e. firewall) ● Contain traffic of an application under a flooding attack to protect other traffic (isolation) – Differential dropping/prioritization of flows (similar to WFQ or CBQ) ● Protect traffic of established connections – Differential dropping/prioritization of established vs. new traffic (via per-flow state kept in router) ● Throttle rate of opening new connections – Redirect via DNS to send traffic to a puzzle-issuing gatekeeper

9 i3 vs IP ● i3 good – Filtering done at arbitrary points in network versus at access link – Does not require help from ISP ● i3 bad – Need support for i3 – Can i3 itself be flooded? May not be efficient enough

10 Papers covered ● K. Lakshminarayanan, D. Adkins, A. Perrig, I. Stoica, “Taming IP Packet Flooding Attacks”, HotNets-II. ● M. Handley, A. Greenhalgh, “Steps Towards a DoS- resistant Internet Architecture”, FDNA 2004.

11 Defenses ● Increase end-system software security ● Reduce ability for worms/viruses to spread ● Prevent source-address spoofing ● Prevent reflection attacks ● Router-based push-back (need previous two defenses) ● Wide-area service distribution ● Receiver control of incoming connection attempts ● Traffic isolation of critical communication (i.e. route updates)

12 Model ● Should be a separation between route advertisement and service advertisement ● Routers should have a model that routes only valid service requests (not just valid IP addresses) and nothing else – Removes client-to-client worms since clients should not advertise any services – Prevents reflector attacks since routers can throw out invalid service requests

13 Step 1 ● Separate client and server addresses – Only allow client to server communication (no client-client or server-server) – Formalize asymmetry and enforce in the network – Impact ● Slows worm propagation – Must go from client to server to client to server ● Prevents reflector attacks on servers – Must have server=>client=>server – But, client can throw out requests from bogus servers since it knows all valid requests it has – Some benefits lost when hosts need both client and server addresses (p2p, VoIP)

14 Step 2 ● Non-global client addresses – Prevents clients from giving up their location and becoming targets themselves – Construct address domain-to-domain as packets travel to server (easy traceback) – Impact ● Source-address spoofing impossible for clients (packet always reveals path making traceback/pushback easy) ● Makes paths symmetric at the domain level ● Allows ISP to determine attacks via asymmetry in requests and responses (?) ● Reflection attacks prevented (since no spoofing) ● Changeable client addresses require some stable ID above IP (i.e. HIP)

15 Step 3 ● RPF checking of server addresses – Path-based client addresses do not prevent servers from spoofing servers – Server-to-client communication must follow reverse of domains from client-to-server ● Allows boundary routers to perform a reverse-path forwarding check on source address of server-to-client packets ● Prevents one server from spoofing a response of another server – Impact ● Makes it hard to launch blind DoS attacks on on-going communications even if connection ID can be inferred (i.e. TCP RST)

16 Step 4 ● State setup bit – Separate out traffic that requires state to be set up (i.e. TCP SYNs) – Provides generic protocol-independent indication of special packets – Stateful firewalls can validate packets before instantiating state – Packets without this bit set can be dropped if no state found – Impact ● Server addresses can not send packets with state-setup bit set (mechanism to enforce separation of clients and servers) ● Sites might rate-limit outgoing packets with bit set (?) ● Problem: Who is setting this bit? Can they be trusted?

17 Step 5 ● Nonce exchange and puzzles – Nonce echoing – IP puzzles based on state-setup bit – See last week's slides

18 Step 6 ● Middlewalls – Firewalls are too close to systems being protected – Use pushback to put filters into the core – Have it also issue puzzles – Path symmetry enables middlewalls to validate that filtering requests are authentic (i.e. not spoofed) – Problems ● Lots of network state to keep track of bad flows ● Problems with multiple firewalls in a path interacting ● Multiple round-trips per request ● Same problems with IP puzzles and multiple issuers

19 Step 7 ● Source-specific multicast+ – Traditional IP multicast impossible to protect ● Senders with ability to instantiate forwarding state ● Senders sending to existing mcast group without consent of receivers – Use source-specific multicast groups ● Receivers join to specific source (no way for sender to be malicious without participation from many receivers) ● Problem – Receivers joining a lot of non-existent groups – Receivers joining a bunch of high-bandwidth sources ● Solutions – Cryptographically generated addresses – Two-pass join mechanism (validate group liveness before instantiating state) – Threshold for number of SSM groups one can join

20 Collateral damage ● Loss of symmetry – Clients vs. servers (P2P, VoIP) – Require client-client communication ● Ugly workaround using brokers and borrowed server addresses ● Reintroduces some of the DoS vlunerabilities that were removed ● Tranisition – Evolve to explicit separation (start with client, server, unrestricted) – DNS ● Distribute top level entries via multicast ● Minimize relaying – SMTP, NNTP, SIP ● Same as with DNS

Download ppt "Papers covered ● K. Lakshminarayanan, D. Adkins, A. Perrig, I. Stoica, “Taming IP Packet Flooding Attacks”, HotNets-II. ● M. Handley, A. Greenhalgh, “Steps."

Similar presentations

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.

CCNPv5 Minimizing Service Loss and Data Theft in a Campus Network 1 Minimizing Service Loss and Data Theft in a Switched BCMSN Module 8 – Sec 2.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday 26.09.2005 C. Today I³SI³HIPHI³.

1/32 Internet Architecture Lukas Banach Tutors: Holger Karl Christian Dannewitz Monday C. Today I³SI³HIPHI³.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.

What we will cover… Home Networking: Network Address Translation (NAT) Mobile Routing.
Internet Indirection Infrastructure Ion Stoica UC Berkeley.

Internet Indirection Infrastructure Ion Stoica UC Berkeley.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Chapter 4 IP Multicast Professor Rick Han University of Colorado at Boulder

Chapter 4 IP Multicast Professor Rick Han University of Colorado at Boulder
Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.

Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
1 IP Multicasting. 2 IP Multicasting: Motivation Problem: Want to deliver a packet from a source to multiple receivers Applications: –Streaming of Continuous.

1 IP Multicasting. 2 IP Multicasting: Motivation Problem: Want to deliver a packet from a source to multiple receivers Applications: –Streaming of Continuous.
CS 268: Lecture 25 Internet Indirection Infrastructure Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.

CS 268: Lecture 25 Internet Indirection Infrastructure Ion Stoica Computer Science Division Department of Electrical Engineering and Computer Sciences.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Towards a More Functional and Secure Network Infrastructure Dan Adkins, Karthik Lakshminarayanan, Adrian Perrig (CMU), and Ion Stoica.

Towards a More Functional and Secure Network Infrastructure Dan Adkins, Karthik Lakshminarayanan, Adrian Perrig (CMU), and Ion Stoica.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.

Anonymizing Network Technologies Some slides modified from Dingledine, Mathewson, Syverson, Xinwen Fu, and Yinglin Sun Presenter: Chris Zachor 03/23/2011.

Similar presentations

Ads by Google