Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOS: Secure Overlay Services A.Keromytis, V. Misra, and D. Rubenstein Presented by Tsirbas Rafail.

Published byShanon Smith Modified over 8 years ago

Similar presentations

Presentation on theme: "SOS: Secure Overlay Services A.Keromytis, V. Misra, and D. Rubenstein Presented by Tsirbas Rafail."— Presentation transcript:

1 SOS: Secure Overlay Services A.Keromytis, V. Misra, and D. Rubenstein Presented by Tsirbas Rafail

2 The main components Target Legitimate user Attacker

3 The basic idea DoS attacks succeed because the target is easy to find SOS Idea: Create an overlay and send the traffic through it

4 The Goal Allow already approved users to communicate with a target Prevent attackers packets from reaching the target The solution must be easy to distribute

5 1 st Step - Filter Routers near target filter packets according to their IP address – Legitimate users’ IP addresses allowed through – Illegitimate users’ IP addresses aren’t Problems: I)“good” and “bad” user share the same IP address II)”bad” user knows “good” user’s IP III)”good” user changes IP frequently Target Filter

6 2 nd Step - Proxy Install Proxies outside the filter whose IP addresses are permitted through the filter – Proxy only lets verified packets from legitimate sources through the filter Problem: I)Attacker pretends to be the proxy II)Attacker attacks the proxy Proxy Target

7 3 rd Step – Secret Servlet Keep the identity of the proxy secret – Name it Secret Servlet – Secret Servlet is known only by the target, and a few other points in the network

8 4 th Step – Overlays Send traffic to the secret servlet via a network overlay – Nodes: Devices – Paths: IP paths Verification can be performed inside each node Node Network overlay

9 5 th Step – SOAP Secure Overlay Access Points – Receive unverified packets and verify(IPsec,TLS) – Large number of SOAPS – Distributed firewall Node soap

10 Routing inside SOS Random route until secure servlet is reached(Inefficient) Instead use Chord service(hash function) Reaches a unique node called beacon Secret servlet, target inform beacon Node soap Node beac on

11 Overview of SOS User Node soap Node beac on Node Secure Servlet Target Secure Servlet Secure Servlet Secure Servlet beac on

12 Attacking SOS You can not directly attack target Attack secret servlet Attack beacons Attack other overlay nodes

13 Attacking Analysis Static Attack N # of nodes in the overlay SOAP = 10 Beacon = 10 Secure Servlet = 10 In order to have a successful DoS attack almost all overlay nodes must be compromised!

14 Attacking Analysis Static Attack In order to have a successful DoS attack number of beacons must be quite small!

15 Attacking Analysis Dynamic Attacks – SOS detects & removes attacked nodes – Attacker shifts from a removed node to an active one

16 Conclusions SOS protects a target from DoS attacks How? – Filter around the target – Hidden proxies – Network overlay for legitimate users to reach hidden proxies

Download ppt "SOS: Secure Overlay Services A.Keromytis, V. Misra, and D. Rubenstein Presented by Tsirbas Rafail."

Similar presentations

Quiz 1 Posted on DEN 8 multiple-choice questions

Quiz 1 Posted on DEN 8 multiple-choice questions
October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.

October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.

You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.
Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,

Building a Peer-to-Peer Anonymizing Network Layer Michael J. Freedman NYU Dept of Computer Science Public Design Workshop September 13,
1 SOS: Secure Overlay Services Angelos Keromytis, Dept. of Computer Science Vishal Misra, Dept. of Computer Science Dan Rubenstein, Dept. of Electrical.

1 SOS: Secure Overlay Services Angelos Keromytis, Dept. of Computer Science Vishal Misra, Dept. of Computer Science Dan Rubenstein, Dept. of Electrical.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff +1 312 362-5878 DePaul University Chicago, IL 60604.

Security Forum 2001John Kristoff - DePaul University1 Network Firewalls John Kristoff DePaul University Chicago, IL
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Secure Overlay Services Adam Hathcock Information Assurance Lab Auburn University.

Secure Overlay Services Adam Hathcock Information Assurance Lab Auburn University.
Using Overlays to Improve Security Angelos D. Keromytis, Vishal Misra, Daniel Rubenstein- Columbia University SPIE ITCom Conference on Scalability and.

Using Overlays to Improve Security Angelos D. Keromytis, Vishal Misra, Daniel Rubenstein- Columbia University SPIE ITCom Conference on Scalability and.
Firewalls CS591 Topics in Internet Security November 15 1999 Steve Miskovitz, Steve Peckham, Kan Hayashi.

Firewalls CS591 Topics in Internet Security November Steve Miskovitz, Steve Peckham, Kan Hayashi.

Similar presentations

Ads by Google