Pushback: Remedy for DDoS attack
Outline: Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion.

Introduction
- DDoS attacks are a disturbance to the global Internet.
- How do DDoS attacks occur?
- Congestion can also be caused by flash crowds, which are not malicious (as during the 2000 Sydney Olympics).
- The victim alone can do nothing to protect itself.
- Can anything be done inside the network to defend?

What is Pushback?
- Pushback is a defense against DDoS.
- A mechanism that allows a congested router to request its adjacent upstream routers to rate-limit the traffic responsible for the congestion.
- Concept: Aggregate Congestion Control (ACC).
- Aggregate: a subset of traffic with an identifiable property (for example, a common destination prefix).
- Congestion signature: the set of properties of the aggregate identified as causing the problem.

[Figure: DDoS attack in progress. Topology of routers R1 to R8 with destination D; red marks bad (attack) traffic, green marks good traffic.]

[Figure: partial view of a router. Packets from the input queues are checked against the congestion signature: no match goes straight to the output queues, a match goes through the rate limiter. The rate limiter sends dropped-packet reports (D) to the Pushback daemon (pushbackd), which updates the congestion signature, adjusts the local ACC rate limit and sends pushback messages (P) upstream.]

Dropped Packet Report
Sent by the rate limiter to the Pushback daemon to describe a dropped packet. Fields:
- Output interface
- Magic number
- IP destination address
- Input interface
- Timestamp
- Packet size
- Reason

How does the Pushback daemon identify an attack and the victim?
Algorithm (w_i: traffic rate arriving for the congested output link; w_o: bandwidth of that link; w_b: rate of the aggregate identified in steps 3 and 4):
Step 1: If w_i > 1.2 * w_o, an attack is in progress.
Step 2: Dropped packets are grouped according to the longest matching prefix in the routing table.
Step 3: The prefix with the highest number of dropped packets is the set used in step 4.
Step 4: That set is scanned to find the host to which most of the packets are destined; this host is the victim.
Step 5: If w_i - w_b > 1.2 * w_o, repeat steps 2 to 5 on the remaining dropped packets to find further aggregates.
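To make the dropped-packet report and the five-step identification algorithm concrete, here is an added example in Python. It is not the original FreeBSD pushbackd code: it models the report fields listed on the Dropped Packet Report slide as a data class and runs steps 1 to 5 over constructed reports. The routing table, interface names, magic number, the sample traffic and the rule used to estimate w_b (w_i scaled by the aggregate's share of all dropped bytes, since the slides do not say how w_b is measured) are assumptions of this example.

```python
"""Aggregate identification from dropped-packet reports (added example, not Pushback's code)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class DroppedPacketReport:
    """One report from the rate limiter to pushbackd, with the fields named on the slide."""
    output_interface: str
    magic_number: int           # marks a genuine report; the value used below is a placeholder
    ip_destination: IPv4Address
    input_interface: str
    timestamp: float            # seconds
    packet_size: int            # bytes
    reason: str


@dataclass(frozen=True)
class Aggregate:
    """Result of one pass through steps 2 to 4."""
    prefix: IPv4Network         # congestion signature (step 3)
    victim: IPv4Address         # host most dropped packets were destined to (step 4)
    w_b: float                  # estimated rate of this aggregate, same unit as w_i


def longest_matching_prefix(routing_table, dst):
    """Step 2 helper: the most specific routing-table entry containing dst, or None."""
    matches = [p for p in routing_table if dst in p]
    return max(matches, key=lambda p: p.prefixlen) if matches else None


def identify_aggregates(reports, routing_table, w_i, w_o, factor=1.2):
    """Run steps 1 to 5 over a batch of dropped-packet reports.

    w_i is the traffic rate arriving for the congested output link and w_o that
    link's bandwidth. Assumption of this example: an aggregate's rate w_b is
    w_i scaled by the aggregate's share of all dropped bytes in the batch.
    """
    found = []
    if not w_i > factor * w_o:          # step 1: no attack declared
        return found
    total_dropped = sum(r.packet_size for r in reports) or 1
    remaining = list(reports)
    w_left = w_i
    while remaining:
        by_prefix = {}                  # step 2: group drops by longest matching prefix
        for r in remaining:
            p = longest_matching_prefix(routing_table, r.ip_destination)
            if p is not None:
                by_prefix.setdefault(p, []).append(r)
        if not by_prefix:
            break
        # step 3: the prefix with the most dropped packets becomes the congestion signature
        prefix, drops = max(by_prefix.items(), key=lambda kv: len(kv[1]))
        # step 4: within it, the host receiving most of the dropped packets is the victim
        victim = Counter(r.ip_destination for r in drops).most_common(1)[0][0]
        w_b = w_i * sum(r.packet_size for r in drops) / total_dropped
        found.append(Aggregate(prefix, victim, w_b))
        # step 5: subtract this aggregate; if the link is still overloaded, repeat on the rest
        w_left -= w_b
        if not w_left > factor * w_o:
            break
        remaining = [r for p, rs in by_prefix.items() if p != prefix for r in rs]
    return found


# Constructed routing table and reports: a flood toward 10.1.2.3 plus background drops.
SAMPLE_ROUTING_TABLE = [ip_network(p) for p in
                        ("0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16", "192.168.1.0/24")]


def build_sample_reports():
    def burst(dst, count, t0):
        return [DroppedPacketReport("em1", 0x5042, ip_address(dst), "em0",
                                    t0 + i * 0.001, 1000, "rate-limit")
                for i in range(count)]
    return (burst("10.1.2.3", 60, 0.0) + burst("10.1.2.4", 10, 1.0)
            + burst("192.168.1.7", 20, 2.0) + burst("172.16.0.1", 10, 3.0))


if __name__ == "__main__":
    for agg in identify_aggregates(build_sample_reports(), SAMPLE_ROUTING_TABLE, w_i=500.0, w_o=100.0):
        print(f"signature {agg.prefix}, victim {agg.victim}, w_b {agg.w_b:.0f} Mbit/s")
```

With w_i = 500 and w_o = 100 (Mbit/s), the first pass picks 10.1.0.0/16 rather than the shorter 10.0.0.0/8, names 10.1.2.3 as the victim, and since 500 - 350 is still above 1.2 * 100 a second pass identifies 192.168.1.0/24 before the loop stops. With w_i = 110 step 1 fails and nothing is reported, which is the check that keeps ordinary congestion from being treated as an attack.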

Pushback Request
The Pushback daemon uses a pushback request to tell the upstream routers which prefix (congestion signature) to rate-limit and to what bandwidth. Fields:
- Depth of requesting node
- RLS-ID (rate-limit session identifier)
- Expiration time
- Bandwidth limit
- Congestion signature

Pushback Response
The upstream router sends a response downstream. It is very similar to the request. Fields:
- Depth of requesting node
- Time in effect
- Bandwidth used
- Congestion signature
- RLS-ID
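The request and response exchange described on the last two slides, as an added example in Python (not the Pushback implementation's own code): the downstream router builds a request, the upstream router installs the limit, forwards a constructed traffic mix for five seconds and answers with a response carrying the bandwidth the aggregate actually used. The field types, the treatment of Expiration time as a lifetime in seconds, the per-second budget standing in for the rate limiter, and all traffic figures are assumptions of this example.

```python
"""Pushback request/response between a downstream and an upstream router (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class PushbackRequest:
    depth: int                      # depth of requesting node (0 = router that detected congestion)
    rls_id: int                     # rate-limit session identifier
    expiration_time: float          # assumption: lifetime of the limit in seconds unless refreshed
    bandwidth_limit: float          # bits/s the aggregate may use toward the requesting router
    congestion_signature: IPv4Network


@dataclass(frozen=True)
class PushbackResponse:
    depth: int                      # depth of requesting node, copied from the request
    time_in_effect: float           # seconds the limit has been applied
    bandwidth_used: float           # bits/s the aggregate actually consumed under the limit
    congestion_signature: IPv4Network
    rls_id: int


class UpstreamRouter:
    """Upstream side: installs requested limits, forwards traffic, answers with usage."""

    def __init__(self):
        self.sessions = {}          # rls_id -> per-session state

    def receive_request(self, req, now):
        """Install or refresh the limit; a request with no remaining lifetime is ignored."""
        if req.expiration_time <= 0:
            return False
        self.sessions[req.rls_id] = {"req": req, "installed_at": now,
                                     "bits_passed": 0.0, "slot": None, "slot_left": 0.0}
        return True

    def _active_session(self, dst, now):
        for s in self.sessions.values():
            req = s["req"]
            if dst in req.congestion_signature and now < s["installed_at"] + req.expiration_time:
                return s
        return None

    def forward(self, dst, size_bits, now):
        """Return True if the packet is forwarded, False if the rate limiter drops it.
        Assumption: the limiter is a plain per-second budget equal to the bandwidth limit."""
        s = self._active_session(dst, now)
        if s is None:                       # not in any signature, or the limit has expired
            return True
        slot = int(now)
        if s["slot"] != slot:               # new second: refill the budget
            s["slot"], s["slot_left"] = slot, s["req"].bandwidth_limit
        if size_bits > s["slot_left"]:
            return False
        s["slot_left"] -= size_bits
        s["bits_passed"] += size_bits
        return True

    def respond(self, rls_id, now):
        """Report how long the limit has been in effect and what the aggregate used."""
        s = self.sessions[rls_id]
        req = s["req"]
        elapsed = now - s["installed_at"]
        return PushbackResponse(req.depth, elapsed, s["bits_passed"] / elapsed,
                                req.congestion_signature, rls_id)


def run_exchange():
    """Constructed scenario: a 100 Mbit/s flood toward 10.1.2.3 limited to 50 Mbit/s for 5 s,
    plus 20 Mbit/s of unrelated traffic that must pass untouched."""
    victim, other = ip_address("10.1.2.3"), ip_address("192.168.1.7")
    request = PushbackRequest(depth=0, rls_id=1, expiration_time=10.0,
                              bandwidth_limit=50e6, congestion_signature=ip_network("10.1.0.0/16"))
    upstream = UpstreamRouter()
    if not upstream.receive_request(request, now=0.0):
        raise RuntimeError("request rejected")
    dropped = forwarded_other = 0
    for t in range(5):
        for i in range(100):                # 100 packets of 1 Mbit per second to the victim
            if not upstream.forward(victim, 1e6, t + i * 0.005):
                dropped += 1
        for i in range(20):                 # 20 packets of 1 Mbit per second elsewhere
            if upstream.forward(other, 1e6, t + 0.5 + i * 0.005):
                forwarded_other += 1
    response = upstream.respond(1, now=5.0)
    # once the lifetime passes the limit lapses, so the aggregate is forwarded again
    still_limited = not upstream.forward(victim, 1e6, now=10.5)
    stale = PushbackRequest(0, 2, 0.0, 50e6, request.congestion_signature)
    return {"response": response, "dropped": dropped, "forwarded_other": forwarded_other,
            "still_limited_after_expiry": still_limited,
            "stale_request_accepted": UpstreamRouter().receive_request(stale, now=0.0)}


if __name__ == "__main__":
    print(run_exchange())
```

The downstream router can compare bandwidth_used in the response with the limit it asked for: a response that reports the full 50 Mbit/s tells it the aggregate is still arriving at or above the limit upstream, while a lower figure means the flood has already thinned out. The expiry check matters operationally: a limit that is not refreshed lapses on its own, so a pushbackd that crashes or loses contact does not leave a permanent rate limit installed on its neighbours.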

Conclusion
- Pushback was successfully implemented in the lab under the FreeBSD operating system.
- Deployment is complex because it requires a lot of resources.
Any questions?