Preventing Denial of Service Attacks

Slides:



Advertisements
Similar presentations
Are you secured in the network ?: a quick look at the TCP/IP protocols Based on: A look back at “Security Problems in the TCP/IP Protocol Suite” by Steven.
Advertisements

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
1 Network Security Derived from original slides by Henric Johnson Blekinge Institute of Technology, Sweden From the book by William Stallings.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Lecture 18 Page 1 CS 111 Online Design Principles for Secure Systems Economy Complete mediation Open design Separation of privileges Least privilege Least.
1 Crashing the Net Steven M. Bellovin AT&T Labs Research
CHAPTER 11 Spoofing Attack. INTRODUCTION Definition Spoofing is the act of using one machine in the network communication to impersonate another. The.
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
CS453: Introduction to Information Security for E-Commerce Prof. Tom Horton.
A Cost-Based Framework for Analysis of Denial of Service in Networks Author: Catherine Meadows Presenter: Ajay Mahimkar.
1 Defense Strategies for DDoS Attacks Steven M. Bellovin
URP Usage Scenarios for Mobility James Kempf Sun Microsystems, Inc.
SEMINAR ON IP SPOOFING. IP spoofing is the creation of IP packets using forged (spoofed) source IP address. In the April 1989, AT & T Bell a lab was among.
An Analysis of Using Reflectors for Distributed Denial-of- Service Attacks Paper by Vern Paxson.
1 Host versus Network Security Steven M. Bellovin
Lecture 17 Page 1 Advanced Network Security Network Denial of Service Attacks Advanced Network Security Peter Reiher August, 2014.
Denail of Service(Dos) Attacks & Distributed Denial of Service(DDos) Attacks Chun-Chung Chen.
Comparison of Network Attacks COSC 356 Kyler Rhoades.
Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.
Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.
Introduction to Information Security
Chapter 5 Network Security Protocols in Practice Part I
Advanced Topics in Network Security: IP Spoofing and DDoS CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Outline Basic concepts in computer security
IT443 – Network Security Administration Instructor: Bo Sheng
Network Security Mechanisms
NFD Tunnel Authentication
Distributed Denial of Service (DDoS) Attacks
Outline Basics of network security Definitions Sample attacks
A Wireless LAN Security Protocol
Anonymous Communication
Radius, LDAP, Radius used in Authenticating Users
Why Do We Need More Research?
What is Cyber bullying? Cyber bullying is when a person, or a group of people, uses the internet, mobile phones or other digital technologies to threaten,
PPP – Point to Point Protocol
Filtering Spoofed Packets
Troubleshooting IP Communications
Introduction to Networking
Introduction to Networking
Who should be responsible for risks to basic Internet infrastructure?
The TESLA Broadcast Authentication Protocol CS 218 Fall 2017
COMPUTER PRIVACY.
Security, Cryptography, and Magic
The IP, TCP, UDP protocols
Hannes Tschofenig Henning Schulzrinne M. Shanmugam
What Makes a Network Vulnerable?
Security through Encryption
SSH: SECURE LOGIN CONNECTIONS OVER THE INTERNET
Outline Basics of network security Definitions Sample attacks
Kerberos Kerberos is an authentication protocol for trusted hosts on untrusted networks.
Anonymous Communication
Security Of Wireless Sensor Networks
CDK4: Chapter 7 CDK5: Chapter 11 TvS: Chapter 9
Outline Using cryptography in networks IPSec SSL and TLS.
Topic 5: Communication and the Internet
Outline Network characteristics that affect security
CDK: Chapter 7 TvS: Chapter 9
Advanced Topics in Network Security: IP Spoofing and DDoS CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
What Are Our Security Goals?
Mobile IP Outline Homework #4 Solutions Intro to mobile IP Operation
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Outline The spoofing problem Approaches to handle spoofing
Outline Basics of network security Definitions Sample attacks
Anonymous Communication
Symmetric Key Distribution
Digital Signatures Network Security.
Distributed Denial of Service (DDoS) Attacks
Security in Wireless Metropolitan Area Networks (802.16)
Security in Wireless Metropolitan Area Networks (802.16)
Presentation transcript:

Preventing Denial of Service Attacks Steven M. Bellovin smb@research.att.com http://www.research.att.com/~smb

Fudd’s First Law of Opposition “Push something hard enough and it will fall over.” --Firesign Theater, circa 1971.

What is Denial of Service? By enemy action, you don’t have use of your own resources. The enemy -- or a third party -- may or may not have (productive) use of them; that’s irrelevant. Any sort of resource -- CPU, memory, bandwidth, personnel, sleep time -- can be attacked.

Why Does DoS Happen? Denial of Service can occur any time it is cheaper for the enemy to make a request than it is for you to process it. Besides, we’ve rarely designed our systems to resist.

Example: UNIX while true do mkdir x cd x done

Example: Networking TCP uses 3-way handshake Send forged first message to victim; reply goes nowhere. Third message never shows up. Victim’s memory is consumed.

Defenses: First Cut On hosts, limit resources consumed per user. For network protocols, let the network protocol hold the state. What of other attacks?

Cryptographic Authentication Security folks like cryptographic authentication -- it’s quite strong. It’s also expensive, especially if public key crypto is used. When we get ubiquitous crypto, will we get ubiquitous DoS attacks? Must use layered authentication.

Network DoS and DDoS Objective: Consume network bandwidth. A true network security problem -- not solvable by hosts. Network itself must deflect it -- packet flow must be authorized. Can’t use crypto -- it’s too expensive. Use network concepts: return address or input link.

General Rules Everything must be authenticated and authorized. (But what about privacy and anonymity?) Strength and cost of authentication must be commensurate with resource being protected. Can ramp up to strong authentication.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.