Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Protecting Network Quality of Service against Denial of Service Attacks Douglas S. Reeves S. Felix Wu Chandru Sargor N. C. State University / MCNC October.

Published byBennett Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Protecting Network Quality of Service against Denial of Service Attacks Douglas S. Reeves S. Felix Wu Chandru Sargor N. C. State University / MCNC October."— Presentation transcript:

1 1 Protecting Network Quality of Service against Denial of Service Attacks Douglas S. Reeves S. Felix Wu Chandru Sargor N. C. State University / MCNC October 6, 1999 Tolerant Networks Program BAA99-10 Kickoff Meeting

2 2 Quality of Service - a New Capability for Packet-Switching n New services  Guaranteed minimum bandwidth  Guaranteed maximum delay  Guaranteed maximum loss rate n Guaranteeing QoS for a “flow” requires providing adequate resources

3 3 SRC DST Tspec = 5M ADspec = 5M Reserve 3M Reserve 3M That looks fine to me ….. ADspec = 4MADspec = 3M PATH PATH messages RESV messages IntServ / RSVP Operation

4 4 DiffServ SRC1DST1 DST2 SRC2 Service Agreement and Traffic Agreement DATA flow

5 5 Quality of Service - A New Vulnerability n Normal users will try to get maximum QoS without regard to others n Malicious users will try to deny quality of service for others

6 6 The ARQOS Project ¶Selective verification of reservation signaling (SVR) ·Congestion pricing of scarce resources ($$$) ¸Monitoring of data flows, and integration with intrusion detection (IDS)

7 7 SVR: Attacking ADSpec Reserve 200M Reserve 5M That looks fine to me ….. SRC DST ADSpec = 5M ADSpec = 200M

8 8 SVR: IETF RSVP Security Current solution proposed by Fred Baker n All routers, even including those not on the path, share the same “key table” n Hop-by-hop authentication of messages –outsiders tampering with packets will be detected, but corrupted insiders will not be detected

9 9 A & B trust each other; If A is compromised and sends a faulty ADSpec, there is no way for B to know about it Sharing a secret key SVR: IETF RSVP Security (cont.) B A ADSpec

10 10 SVR: Our Approach SRC DST ADSpec = 5M ADSpec = 200M Correlation and Verification of the Correctness Properties

11 11 SVR: Our Approach Response Protocol Properties Observed Messages Verification

12 12 SVR: Verification of Reservations n No need to introduce new features to RSVP, other existing protocols n Do not need to install verification agents in every router n Capable of detecting insider attacks

13 13 SVR vs. IETF Proposal (hop-by-hop) SVR vs. IETF Proposal (hop-by-hop) Countermeasures Hop-by-Hop SVR detects detects Attack 1-1 Outsider on-path Insider RSVP Attack 1-2 Outsider on-path Insider RSVP Attack 2-1 Outsider on-path Insider RSVP Attack 2-2 Outsider on-path Insider RSVP Attack 3-1 Outsider on-path Insider RSVP Attack 3-2 Outsider off-path Insider RSVP Attack 4 Outsider on-path Insider RSVP

14 14 SVR: Status n Identified types of possible attacks on RSVP signals n Solutions for detecting the most important types of attacks n Now implementing attacks and solutions

15 15 $$$: Competing for Services Network Resources "You can have 5M, 2M, or 1M, at no cost; what do you want, and for how long?” 5M “We all want 5M, from now on!” Users: Service Provider: 5M

16 16 $$$: Providing Adequate Resources n Service provider: "I don't know if it will pay to increase the available resources" < wait until it's clearly absolutely necessary?

17 17 $$$: Influencing Behavior n Disincentives for bad behavior -- users incur costs for resource usage n Incentives for good behavior -- profits for service providers

18 18 $$$: Competition (cont.) “5M costs $3/min, 2M costs $2/min, 1M costs $1/min.” Users: Service Provider: 5M @$3 2M @$2 5M @$3 1M @$1 5M @$3 1M @$1 Network Resources

19 19 $$$: Pricing of Resources n Price is right when demand = supply n Flexibility –combinations of resources and services –User endowments for non-monetary goals n How are prices set, by whom, and how are they distributed?

20 20 $$$: Goals n Fairness, or maximization of utility & revenue? n The time and data scales for which this is useful

21 21 $$$: Goals and Assumptions n Fairness vs. “maximum aggregate utility” n The time and data scales for which this is useful n Real money, or play money? n Charging senders, or receivers n The overhead of billing and accounting

22 22 $$$: Status n Pricing method n Integration with RSVP n Integration with DiffServ n Infrastructure

23 23 IDS: Attacks on the Data Flow n From a malicious host (external to network) –spoof high priority data flow packets –send large amounts of data to ingress router to overload it n From a compromised ingress router –admit/discard traffic in violation of service agreement –inappropriate marking of admitted traffic

24 24 IDS: Possible Attacks (cont.) –delay/drop packets from selected flows –generate additional traffic to degrade overall network QoS n From a compromised core router –randomly re-mark flows –delay/drop packets from selected flows –generate additional traffic to degrade overall network QoS

25 25 IDS: Intrusion Detection System Filtering Engine Profile-Based Analyzer Decision Module IDS MIB SNMPv3 Rule-Based Analyzer Network Security Management Entity

26 26 IDS: Detecting Re-marked Packets n Downstream IDS will detect anomalous change in IP header –raise alarm via SNMP n Security management entity will receive alarms from IDS entities and correlate them n Security management entity will query other routers on the path to isolate compromised router

27 27 IDS: Status n Enhance JiNao implementation to make it protocol independent –originally targeted for OSPF attack detection –now can be used to detect attacks against any protocol n Identification of data flow attacks n Preliminary design of IDS system

28 28 Conclusions n Started August ‘99 n Implementing RSVP / DiffServ testbed n Exploring collaborations with vendors

Download ppt "1 Protecting Network Quality of Service against Denial of Service Attacks Douglas S. Reeves S. Felix Wu Chandru Sargor N. C. State University / MCNC October."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Quality of Service CS 457 Presentation Xue Gu Nov 15, 2001.

Quality of Service CS 457 Presentation Xue Gu Nov 15, 2001.
Spring 2003CS 4611 Quality of Service Outline Realtime Applications Integrated Services Differentiated Services.

Spring 2003CS 4611 Quality of Service Outline Realtime Applications Integrated Services Differentiated Services.
1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
Spring 2000CS 4611 Quality of Service Outline Realtime Applications Integrated Services Differentiated Services.

Spring 2000CS 4611 Quality of Service Outline Realtime Applications Integrated Services Differentiated Services.
RSVP/Diffserv Yoram Bernet - Microsoft Raj Yavatkar - Intel.

RSVP/Diffserv Yoram Bernet - Microsoft Raj Yavatkar - Intel.
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
Traffic Shaping Why traffic shaping? Isochronous shaping

Traffic Shaping Why traffic shaping? Isochronous shaping
CSE 30264 Computer Networks Prof. Aaron Striegel Department of Computer Science & Engineering University of Notre Dame Lecture 20 – March 25, 2010.

CSE Computer Networks Prof. Aaron Striegel Department of Computer Science & Engineering University of Notre Dame Lecture 20 – March 25, 2010.
IPv6 Technology and Advanced Services 19/10/2004 IPv6 Technology and Advanced Services IPv6 Quality of Service Dimitris Primpas

IPv6 Technology and Advanced Services 19/10/2004 IPv6 Technology and Advanced Services IPv6 Quality of Service Dimitris Primpas
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
CPSC 601.43 Topics in Multimedia Networking A Mechanism for Equitable Bandwidth Allocation under QoS and Budget Constraints D. Sivakumar IBM Almaden Research.

CPSC Topics in Multimedia Networking A Mechanism for Equitable Bandwidth Allocation under QoS and Budget Constraints D. Sivakumar IBM Almaden Research.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.

6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.

ACN: IntServ and DiffServ1 Integrated Service (IntServ) versus Differentiated Service (Diffserv) Information taken from Kurose and Ross textbook “ Computer.
PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
A General approach to MPLS Path Protection using Segments Ashish Gupta Ashish Gupta.

A General approach to MPLS Path Protection using Segments Ashish Gupta Ashish Gupta.
1 Quality of Service Outline Realtime Applications Integrated Services Differentiated Services.

1 Quality of Service Outline Realtime Applications Integrated Services Differentiated Services.
Multicast Communication

Multicast Communication

Similar presentations

Ads by Google