Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy, Tom Anderson Affiliates Day, 2007.


1 Withstanding Multimillion-Node Botnets
Colin Dixon, Arvind Krishnamurthy, Tom Anderson
Affiliates Day, 2007

2 Botnets
- A botnet is a large group of infected computers controlled by a hacker
- Used to:
  - Send spam
  - Steal personal information
  - Launch DDoS attacks
    - Extortion/Protection Rackets
    - Attack rivals


4 Botnets are Big
- Total bots:
  - 6 million [Symantec]
  - 150 million [Vint Cerf]
- Single botnets have numbered 1.5 million
- Average upload bandwidth: 3 Mb/s
- Back of the envelope: 4.5-450 Tb/s
- Flood many core links, small-medium ISPs

5 How DoS Works


8 Our Approach
- Swarm of machines forward traffic
- Explicitly request each packet
- Attacks must down all mailboxes and thus all paths

9 Mailboxes
- A large number of machines offer to carry traffic for certain destinations
- Rather than immediately forward it, they buffer traffic until a request is received
- This building block provides two key advantages:
  - Filtering logic is left at the destination
  - The system as a whole is fail-stop

10 The Mailbox

11-14 Many Mailboxes
- Send traffic randomly among mailboxes
- Botnet can take down one mailbox
- But communication continues
- Diluted attacks against all mailboxes fail

15-16 Remaining Details
- Attackers can ignore the mailboxes and just attack the server (Filtering Ring)
- Before a connection starts, the server does not yet know which packets to request (General Requests)

17 Filtering Ring
- Keeps a list of requested packets
- Drops all unrequested packets
- Protects thin access links
- Deployed in depth to counter “insider attacks”

18 General Requests
- First packets are unexpected => they can't be requested
- Filtering ring prevents unrequested packets from reaching the server
- Solution: issue some small number of general requests to the mailboxes
  - Allow “first packets” through the filtering ring
  - Provides admission control
  - Limit access by auth tokens & crypto-puzzles

19 Complete System
1. Look up mailboxes for a server from a distributed name service (CoDoNs)
2. Contact one mailbox for a puzzle
3. Present a solution and wait
4. Mailbox forwards solution to the server
5. Server responds and begins to request packets
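The mailbox, filtering-ring and general-request pieces from slides 9, 17, 18 and 19 fit together as follows. This is an added illustration, not code from the talk or its authors: the class names, the packet layout (src, seq, first), and the hashcash-style puzzle (SHA-256 with a leading-zero-bits target) are assumptions standing in for whatever the real system used. The point it shows is that every packet reaching the server was explicitly asked for, either by a specific (src, seq) request or by one of a small budget of general requests that only puzzle-solving clients can consume.

```python
import hashlib
import os
from collections import defaultdict, deque

PUZZLE_BITS = 12   # puzzle difficulty in leading zero bits (constructed, not from the talk)

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_ok(challenge, nonce):
    return leading_zero_bits(hashlib.sha256(challenge + nonce).digest()) >= PUZZLE_BITS

def solve_puzzle(challenge):
    # Client-side work: search for a nonce that meets the difficulty target.
    i = 0
    while not puzzle_ok(challenge, i.to_bytes(8, "big")):
        i += 1
    return i.to_bytes(8, "big")

class Mailbox:
    """Buffers traffic for a destination and releases it only when the server asks."""
    def __init__(self, name):
        self.name = name
        self.queues = defaultdict(deque)   # dst -> buffered packets
        self.challenges = {}               # client -> outstanding puzzle

    def puzzle(self, client):
        self.challenges[client] = os.urandom(16)
        return self.challenges[client]

    def deposit(self, dst, pkt, solution=None):
        # A "first" packet opens a connection and is accepted only with a valid puzzle
        # solution: this is the admission control that rations general-request traffic.
        if pkt["first"]:
            chal = self.challenges.pop(pkt["src"], None)
            if chal is None or solution is None or not puzzle_ok(chal, solution):
                return False
        self.queues[dst].append(pkt)
        return True

    def serve(self, dst, specific, general):
        # Release only what was asked for: packets whose (src, seq) the server requested,
        # plus at most `general` first packets against the server's general requests.
        out, keep = [], deque()
        for pkt in self.queues[dst]:
            if (pkt["src"], pkt["seq"]) in specific:
                out.append(pkt)
            elif pkt["first"] and general > 0:
                general -= 1
                out.append(pkt)
            else:
                keep.append(pkt)
        self.queues[dst] = keep
        return out

class FilteringRing:
    """Upstream filter on the access link: forwards requested packets, drops the rest."""
    def __init__(self):
        self.requested, self.general_budget, self.dropped = set(), 0, 0

    def allow(self, pkt):
        key = (pkt["src"], pkt["seq"])
        if key in self.requested:
            self.requested.discard(key)        # each request admits exactly one packet
            return True
        if pkt["first"] and self.general_budget > 0:
            self.general_budget -= 1
            return True
        self.dropped += 1
        return False

class Server:
    def __init__(self, name, mailboxes, general_per_mailbox=1):
        self.name, self.mailboxes = name, mailboxes
        self.general_per_mailbox = general_per_mailbox
        self.ring = FilteringRing()
        self.next_seq = {}                 # client -> next sequence number to request
        self.received = []

    def inbound(self, pkt):
        # Everything arriving on the access link, from a mailbox or not, passes the ring.
        if self.ring.allow(pkt):
            self.received.append((pkt["src"], pkt["seq"]))
            self.next_seq[pkt["src"]] = pkt["seq"] + 1

    def round(self):
        # One request round: a specific request per open connection plus general requests.
        specific = set(self.next_seq.items())
        self.ring.requested |= specific
        self.ring.general_budget = self.general_per_mailbox * len(self.mailboxes)
        for mb in self.mailboxes:
            for pkt in mb.serve(self.name, specific, self.general_per_mailbox):
                self.inbound(pkt)

def scenario():
    """Constructed run: one honest client, one attacker, three mailboxes."""
    boxes = [Mailbox(f"mb{i}") for i in range(3)]
    srv = Server("svc", boxes)
    chal = boxes[0].puzzle("alice")
    admitted = boxes[0].deposit("svc", {"src": "alice", "seq": 0, "first": True}, solve_puzzle(chal))
    boxes[1].deposit("svc", {"src": "alice", "seq": 1, "first": False})
    boxes[2].deposit("svc", {"src": "alice", "seq": 2, "first": False})
    # A sender with no puzzle solution is refused by the mailbox ...
    refused = not boxes[0].deposit("svc", {"src": "bot", "seq": 0, "first": True}, b"\x00" * 8)
    # ... and traffic aimed straight at the server was never requested, so the ring drops it.
    for i in range(1000):
        srv.inbound({"src": "bot", "seq": i, "first": False})
    for _ in range(3):
        srv.round()
    return admitted, refused, srv.received, srv.ring.dropped
```

Running scenario() delivers alice's three packets in order across three request rounds (the first one via a general request, the next two via specific requests), while all 1000 packets sent directly to the server are dropped by the ring. Spreading alice's packets over three mailboxes also shows why the server need not trust any single mailbox: each one only ever releases what was asked of it.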

20 Key Features
- Unilaterally deployable
  - Pay Akamai for mailboxes
  - Pay upstream ISP to install filtering ring
- Server is in complete control
  - Explicitly asks for each packet
  - Is not required to trust any given mailbox
- System is fail-stop

21 Latency

22-25 DoS Resilience
- Established connection
- Attack kills some mailboxes
- “Goodput” decreases
- Client sends faster (more redundantly) to compensate
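The goodput argument on slides 22-25, and the "diluted attacks fail" claim on slides 11-14, can be worked through numerically. The code below is an added example, not the authors' evaluation: it assumes a client that sends each packet to r of n mailboxes chosen uniformly at random, an attacker that can hold down k mailboxes, and per-mailbox capacity expressed in the same units as attack bandwidth. Function names and the sample values (n=10, k=5, a 100 Gb/s mailbox) are constructed for illustration.

```python
import math
import random

def delivery_probability(n, k, r):
    """Exact chance a packet gets through when it is sent to r of n mailboxes
    chosen at random without replacement and k of them are down.
    The packet is lost only if every copy landed on a dead mailbox."""
    if not 1 <= r <= n:
        raise ValueError("redundancy must be between 1 and the number of mailboxes")
    return 1.0 - math.comb(k, r) / math.comb(n, r)   # comb(k, r) is 0 when r > k

def redundancy_needed(n, k, target):
    """Smallest per-packet redundancy r that keeps goodput at or above target.
    This is the client-side compensation step: send more copies as mailboxes die."""
    for r in range(1, n + 1):
        if delivery_probability(n, k, r) >= target:
            return r
    return None   # only reached if every mailbox is dead

def mailboxes_killable(attack_bw, mailbox_capacity):
    """Concentrating the attack takes down at most this many mailboxes.
    Spreading the same bandwidth over all n of them takes down none once
    attack_bw / n drops below per-mailbox capacity: the diluted attack fails.
    Taking the whole service down needs attack_bw >= n * mailbox_capacity."""
    return int(attack_bw // mailbox_capacity)

def simulate(n, k, r, packets, seed=0):
    """Monte Carlo check of delivery_probability: observed goodput fraction."""
    rng = random.Random(seed)
    dead = set(range(k))   # constructed: the attack took down the first k mailboxes
    delivered = 0
    for _ in range(packets):
        chosen = rng.sample(range(n), r)
        if any(m not in dead for m in chosen):
            delivered += 1
    return delivered / packets

if __name__ == "__main__":
    n, k = 10, 5
    for r in range(1, 4):
        print(f"r={r}: exact={delivery_probability(n, k, r):.3f} "
              f"sim={simulate(n, k, r, 20000):.3f}")
    print("redundancy to hold 99% goodput:", redundancy_needed(n, k, 0.99))
    # 4.5 Tb/s is the talk's low-end botnet estimate; 100 Gb/s per mailbox is constructed.
    print("mailboxes a 4.5 Tb/s attack can concentrate on:", mailboxes_killable(4500, 100))
```

With half of ten mailboxes down, a client sending each packet once sees 50% goodput; sending every packet to two random mailboxes restores it to 7/9, and five copies are enough for 99%. The last line shows the other half of the argument: a 4.5 Tb/s attack can saturate about 45 of the assumed 100 Gb/s mailboxes at once, so a deployment with more mailboxes than that cannot be taken down entirely, and an attack spread across all of them fails.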

26 DoS Resilience

27 Conclusions
- We have presented a system to mitigate Denial of Service attacks which can be unilaterally deployed today
- Performance is reasonable with few optimizations; still room for improvement
- Can scale to deal with the massive botnets of today and tomorrow

28 Questions?

