Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.


What is a Denial of Service Attack? Goal: make a service unusable. How: overload a server, router, network link. Focus: bandwidth attacks (“trinoo”, “tfn”).

Logical View of Attack Net (diagram): Attacker, Master, Slave(s), Victim. Control traffic flows from the attacker to the master and on to the slaves; attack traffic flows from the slaves to the victim.

Attack Targets (diagram): App, O/S, Host; Customer’s LAN, Customer’s Router, Link, ISP Router; Other Customers, Other ISPs.

Attacks use IP Packets
IP header (diagram): Source Address, Destination Address, User Data.
Routers forward each packet independently. Routers don’t know about connections. Complexity is in end hosts; routers are simple.

Outline
Case study: Yahoo.
–What happened.
–Analysis.
Our framework for defense: RON.

Case Study: Yahoo Attack. Early February. Took Yahoo off the net for hours.

Yahoo’s Point of View (diagram): ISP Router to Yahoo’s Router, carrying 1 Gbit/second of Ping Response packets.

Yahoo Attack Overview (diagram): Yahoo’s ISP, Yahoo, Other ISPs, Co-location Centers.

Attack Packet Generation (diagram): Co-location Center containing a Leader M and Slaves S1, S2, …, Sn. The slaves send Ping, DST=bcast, SRC=Yahoo into the Internet; the resulting Ping Responses, DST=Yahoo, go to Yahoo.

What did the attack depend on?
–Pervasive insecure hosts.
–Fake IP source addresses.
–Use of hosts as amplifiers.
–Weak router software.
–Difficulty of diagnosis.

Pervasive Insecure Hosts
Required for disguise and to generate enough traffic.
How do they break in?
–Buffer overruns.
–Typically Solaris and Linux.
–Highly automated.
Defenses?
–Better programming practices.
–Disable services by default.
–Firewalls, intrusion detection.
–Motivation for deployment is not strong.

Fake IP Source Addresses
Two uses:
–Hide the source of attack.
–Part of weapon. Example: SYN flooding.
Defense:
–Ingress/egress filtering.
–But motivation for deployment is not strong.

Ingress Filtering (diagram): ISP 1, ISP 2, ISP 3; Site 1, Victim, Site 2; Attacker sending packets with SRC=Site2.
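The check an ISP edge router makes under ingress filtering, as an added example that is not part of the slides: a packet is forwarded only if its source address belongs to a prefix the ISP knows sits behind the interface it arrived on, so a forged SRC=Site2 arriving over another customer's link is dropped. The interface names, prefixes and packets are constructed for illustration.

```python
"""Ingress (BCP 38-style) source-address filtering at an ISP edge router.

Added example, not from the slides. Prefixes, interface names and the
packets pushed through the filter are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed: which customer prefixes sit behind each edge interface.
# The attacker in the slide's diagram forges SRC=Site2 while sending from
# somewhere else; here that is a Site 2 source arriving on if-site1.
PREFIXES_BY_IFACE = {
    "if-site1": ["192.0.2.0/24"],
    "if-site2": ["198.51.100.0/24"],
    "if-site3": ["203.0.113.0/25", "203.0.113.128/26"],
}


@dataclass
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str        # claimed source address
    dst: str


class IngressFilter:
    def __init__(self, prefixes_by_iface):
        self.table = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in prefixes_by_iface.items()
        }
        self.dropped = []   # rejected packets, kept for logging/alerting

    def allowed(self, pkt):
        """True if pkt.src is plausible for the interface it came in on."""
        nets = self.table.get(pkt.in_iface)
        if nets is None:            # unknown interface: fail closed
            return False
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:          # malformed address
            return False
        # Addresses that can never be a legitimate unicast source.
        if src.is_loopback or src.is_multicast or src.is_unspecified:
            return False
        return any(src in net for net in nets)

    def forward(self, pkt):
        """Returns True if forwarded, False if dropped (and records it)."""
        if self.allowed(pkt):
            return True
        self.dropped.append(pkt)
        return False


def run_demo():
    """Push a constructed packet mix through the filter.
    Returns (forwarded_count, list of dropped source addresses)."""
    f = IngressFilter(PREFIXES_BY_IFACE)
    packets = [
        Packet("if-site1", "192.0.2.17", "198.51.100.9"),    # genuine Site 1
        Packet("if-site1", "198.51.100.9", "203.0.113.5"),   # forged Site 2 source
        Packet("if-site2", "198.51.100.9", "192.0.2.17"),    # genuine Site 2
        Packet("if-site3", "203.0.113.150", "192.0.2.1"),    # Site 3, second block
        Packet("if-site3", "203.0.113.250", "192.0.2.1"),    # outside both Site 3 blocks
        Packet("if-site1", "127.0.0.1", "192.0.2.1"),        # bogon source
    ]
    forwarded = sum(1 for p in packets if f.forward(p))
    return forwarded, [p.src for p in f.dropped]


if __name__ == "__main__":
    print(run_demo())
```

The filter fails closed on unknown interfaces and unparsable addresses; the dropped list is what an operator would feed into monitoring, since a burst of drops on one customer interface is itself evidence that a host there is spoofing.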

Use of Hosts as Amplifiers
Attackers need this:
–To avoid using their own machines.
–To generate lots of traffic.
–To avoid detection via load monitoring.
Two approaches:
–Break into 1000s of machines.
–Trick legitimate machines into generating traffic.
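Two detection checks for the reflected ping flood of the case study (the Attack Packet Generation slide and the amplifier discussion above), as an added example that is not part of the slides. At the co-location centre's border, echo requests addressed to a subnet broadcast address are the directed broadcasts a router should refuse to forward; at the victim's border, echo replies far in excess of echo requests actually sent identify reflected traffic, and grouping reply sources by /24 names the amplifier networks to report upstream. The flow records, subnets and victim address are constructed.

```python
"""Vantage-point checks for a reflected (amplified) ping flood.

Added example, not from the slides. Flow records are constructed dicts
with proto, ICMP type (8 = echo request, 0 = echo reply), src, dst and
packet count.
"""
import ipaddress
from collections import Counter

VICTIM = "192.0.2.10"   # constructed stand-in for the victim's address

# Constructed: subnets the amplifier-side border router is responsible for.
LOCAL_SUBNETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("10.21.5.0/24")]


def flow(proto, icmp_type, src, dst, pkts):
    return {"proto": proto, "type": icmp_type, "src": src, "dst": dst, "pkts": pkts}


# Constructed records as seen at the co-location centre's border router.
BORDER_FLOWS = [
    flow("icmp", 8, VICTIM, "10.20.255.255", 1000),   # directed broadcast, forged src
    flow("icmp", 8, VICTIM, "10.21.5.255", 500),      # directed broadcast, forged src
    flow("icmp", 8, "10.20.1.7", "10.20.1.9", 3),     # ordinary host-to-host ping
]

# Constructed records as seen at the victim's border router.
VICTIM_FLOWS = [
    flow("icmp", 8, VICTIM, "10.20.1.7", 5),          # the only echo requests sent
    flow("icmp", 0, "10.20.1.7", VICTIM, 5),          # their legitimate replies
    flow("icmp", 0, "10.20.3.1", VICTIM, 40000),      # reflected replies from amplifiers
    flow("icmp", 0, "10.20.3.2", VICTIM, 35000),
    flow("icmp", 0, "10.21.5.9", VICTIM, 20000),
]


def is_directed_broadcast(dst, subnets):
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in subnets)


def directed_broadcast_requests(flows, subnets):
    """Echo requests to a subnet broadcast address: the router should drop these."""
    return [f for f in flows
            if f["proto"] == "icmp" and f["type"] == 8
            and is_directed_broadcast(f["dst"], subnets)]


def analyze_victim(flows, victim, ratio_threshold=10):
    """Reflection check from the victim's point of view."""
    sent = sum(f["pkts"] for f in flows
               if f["proto"] == "icmp" and f["type"] == 8 and f["src"] == victim)
    recv = sum(f["pkts"] for f in flows
               if f["proto"] == "icmp" and f["type"] == 0 and f["dst"] == victim)
    if sent:
        ratio = recv / sent
    else:
        ratio = float("inf") if recv else 0.0   # replies with no requests at all
    by_prefix = Counter()
    for f in flows:
        if f["proto"] == "icmp" and f["type"] == 0 and f["dst"] == victim:
            net = ipaddress.ip_network(f"{f['src']}/24", strict=False)
            by_prefix[str(net)] += f["pkts"]
    return {
        "sent": sent,
        "received": recv,
        "ratio": ratio,
        "flagged": ratio > ratio_threshold,
        # amplifier networks to report to upstream ISPs, biggest first
        "report": by_prefix.most_common(),
    }


if __name__ == "__main__":
    print([f["dst"] for f in directed_broadcast_requests(BORDER_FLOWS, LOCAL_SUBNETS)])
    print(analyze_victim(VICTIM_FLOWS, VICTIM))
```

The reply-to-request ratio is what makes the victim-side check robust: a busy site legitimately receives many echo replies, but only in proportion to the requests it sent. The per-/24 report is the answer to the "where does the attack come from" question, at least as far as the amplifier networks, since the originating slaves are hidden behind the forged source.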

Weak Router Software
Routers themselves are often victims. Why?
–Forwarding and management compete for CPU.
–Control and data traffic compete for net b/w.
Solutions?
–Simplify and partition.

Difficulty of Diagnosis
Very little automatic support for traffic analysis and correlation.
–Is the high load legitimate?
–What does the attack consist of?
–Where does the attack come from?
–How to ask upstream routers to discard attack packets?
Defense: distributed analysis system.

Why are these attacks easy?
Internet built around end-to-end principle:
–Most functions done by end hosts.
–Examples: reliable delivery.
Advantages:
–Simplifies network core. Example: IP packet forwarding. Example: it’s easy to start an ISP.
–Anyone can introduce new services.
Result: lots of innovation.

Why is defense hard?
End-to-end principle conflicts with:
–Centralized control.
–Centralized monitoring.
–Separation of data from control traffic.
–Mandatory authentication.
–Mandatory accounting.

RON Project
End-to-end framework for:
–Cooperative statistics collection.
–Cooperative reaction to attacks.
–Fault-tolerant control and data routing.
How: resilient overlay network (RON).
Funded by DARPA/IA/FTN.

What is an Overlay Network? (diagram): ISP1, ISP2, overlay nodes N1, N2, N3, N4, N5.
Better routing functions built in end hosts. Can be used to build distributed defenses.

Why Distributed Defenses?
Presence of attack obvious near victim.
–Not obvious near sources of attack.
–But control is easier near sources.
Identifying attackers requires cooperation.
–Asymmetric routing.
–Fake source addresses.

Why Distribution is Hard
RON itself is a target.
–Authorized communication between RON nodes.
–Bandwidth attacks on RON nodes.
–Application-level DoS attacks.
Political / deployment problems.
–Needs cooperation? Or single-organization?

Monitoring Scenario (diagram): Backbone B1, Backbone B2, overlay nodes N1, N2, N3, N4, N5, Attacker, Victim. Steps: 1. Measure; 2. Communicate; 3. Control.
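The measure / communicate / control loop of the monitoring scenario, and the point of the preceding slide that an attack is obvious near the victim but not near its sources, as an added example that is not part of the slides or the RON project's code. Each overlay node reports the rate it forwards toward the victim per source /24; no single node's share crosses a local alarm threshold, but the victim's aggregate does, and correlating the reports tells the victim which nodes to ask to rate-limit. Node names follow the diagram; the rates, prefixes and thresholds are constructed.

```python
"""Cooperative measurement and reaction across overlay nodes.

Added example, not from the slides or the RON project. Node names N1..N5
follow the diagram; rates, prefixes and thresholds are constructed.
"""
from dataclasses import dataclass

VICTIM = "192.0.2.10"          # constructed
LOCAL_ALARM_PPS = 20_000       # what a node would flag on its own
VICTIM_LINK_PPS = 50_000       # above this the victim's link saturates


@dataclass(frozen=True)
class Report:
    node: str          # overlay node that took the measurement
    src_prefix: str    # /24 from which the traffic entered that node's network
    dst: str           # destination the traffic is heading for
    pps: int           # packets per second observed


# Step 1, measure: constructed per-node observations over the same window.
REPORTS = [
    Report("N1", "203.0.113.0/24", VICTIM, 14_000),
    Report("N2", "198.51.100.0/24", VICTIM, 12_000),
    Report("N3", "198.18.7.0/24", VICTIM, 15_000),
    Report("N4", "198.18.9.0/24", VICTIM, 8_000),
    Report("N5", "203.0.113.0/24", VICTIM, 3_000),
    Report("N2", "198.51.100.0/24", "192.0.2.77", 500),   # unrelated traffic
]


def local_alarms(reports, threshold=LOCAL_ALARM_PPS):
    """What each node would conclude on its own: nothing crosses its threshold."""
    return [r for r in reports if r.pps > threshold]


def correlate(reports, victim, link_pps=VICTIM_LINK_PPS):
    """Step 2, communicate: reports are pooled at the victim's node.
    Step 3, control: decide which nodes should rate-limit which prefix."""
    toward = [r for r in reports if r.dst == victim]
    total = sum(r.pps for r in toward)
    if total <= link_pps:
        return {"total": total, "attack": False, "actions": []}
    # Fair share of the victim's capacity per reporting node; nodes above it
    # are asked to rate-limit the offending prefix down to that share.
    nodes = {r.node for r in toward}
    fair = link_pps // len(nodes)
    actions = sorted(
        (r.node, r.src_prefix, fair) for r in toward if r.pps > fair
    )
    return {"total": total, "attack": True, "fair_share": fair, "actions": actions}


if __name__ == "__main__":
    print("local alarms:", local_alarms(REPORTS))
    print("correlated:", correlate(REPORTS, VICTIM))
```

The control step is deliberately expressed as a request to rate-limit a source prefix at the node that sees it rather than to drop everything: the nodes near the sources cannot tell attack from legitimate traffic on their own, and a fair-share limit keeps the victim's link usable while the analysis continues. The fake-source-address caveat from the slide still applies: the prefixes identified are where traffic entered the overlay, not necessarily where it originated.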

Fault-Tolerant Routing
Use Internet to connect multiple sites.
Inter-ISP routing:
–Ignores link quality.
–Ignores many available paths due to policy.
–Chooses only one path.
–Reacts slowly.
RON allows end-system control of routing.

Fault-tolerant Routing (2) (diagram): Backbone B1, Backbone B2, Peering Point P, Peering Point Q, overlay nodes N1, N2, N3, N4, N5, Attacker.
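End-system path selection of the kind the two fault-tolerant routing slides describe, as an added example that is not the RON project's code. Each overlay node probes the direct Internet path to every other node for loss and latency; for a flow N1 to N5 it compares the direct path with every path through one intermediate overlay node and takes the one with the lowest loss, latency breaking ties. When a bandwidth attack congests the peering point that the direct path crosses, the flow is steered around it without waiting for inter-ISP routing to react. Node names follow the diagram; the probe figures and which paths cross the congested peering point are constructed.

```python
"""Overlay route selection: direct path versus one intermediate node.

Added example, not the RON project's code. Node names follow the slides'
diagram; loss fractions, latencies and the attack's effect are constructed.
"""

NODES = ["N1", "N2", "N3", "N4", "N5"]


def _table(entries):
    """Key probe results by an unordered node pair."""
    return {frozenset(k): v for k, v in entries.items()}


# Constructed probe results before the attack: (loss fraction, latency ms).
NORMAL = _table({
    ("N1", "N2"): (0.00, 20), ("N1", "N3"): (0.01, 30), ("N1", "N4"): (0.02, 50),
    ("N1", "N5"): (0.00, 25), ("N2", "N5"): (0.00, 30), ("N3", "N5"): (0.00, 35),
    ("N4", "N5"): (0.05, 60), ("N2", "N3"): (0.00, 15), ("N2", "N4"): (0.01, 40),
    ("N3", "N4"): (0.00, 25),
})

# Same topology during an attack that congests peering point P, which the
# direct N1-N5 and N2-N5 paths are assumed to cross.
ATTACK = dict(NORMAL)
ATTACK[frozenset(("N1", "N5"))] = (0.40, 25)
ATTACK[frozenset(("N2", "N5"))] = (0.30, 30)


def combine(first, second):
    """Loss and latency of two path segments in series."""
    loss_a, lat_a = first
    loss_b, lat_b = second
    return 1 - (1 - loss_a) * (1 - loss_b), lat_a + lat_b


def select_route(src, dst, table):
    """Return (path, loss, latency) for the best direct or one-hop route."""
    candidates = []
    direct = table.get(frozenset((src, dst)))
    if direct:
        candidates.append(([src, dst], *direct))
    for mid in NODES:
        if mid in (src, dst):
            continue
        first = table.get(frozenset((src, mid)))
        second = table.get(frozenset((mid, dst)))
        if first and second:
            loss, lat = combine(first, second)
            candidates.append(([src, mid, dst], loss, lat))
    if not candidates:
        raise ValueError(f"no overlay path from {src} to {dst}")
    # lowest loss first, then lowest latency; round to ignore float noise
    return min(candidates, key=lambda c: (round(c[1], 6), c[2]))


if __name__ == "__main__":
    print("normal:", select_route("N1", "N5", NORMAL))
    print("attack:", select_route("N1", "N5", ATTACK))
```

Restricting the search to one intermediate keeps the probing cost quadratic in the number of nodes and, as the slides note, is enough to bypass a single failed or congested peering point. The same measurements drive the cooperative statistics collection of the RON Project slide, so the probe table is a shared asset rather than a per-flow cost.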

Peer-to-Peer Networking
Multi-organization overlays. Early work: Gnutella and FreeNet.
–Data replicated at many sites.
–Queries traverse reliable overlay.
–Explicit protection of virtual infrastructure.

Summary
Raise the bar:
–Improve host security.
–Make it hard to fake IP addresses.
Experiment with RON-like and peer-to-peer architectures.