Accountability as a Service
Adam Bender, Neil Spring, Dave Levin, Bobby Bhattacharjee
University of Maryland, College Park
In Proc. USENIX SRUTI, 2007
Speaker: Yun Liaw

Introduction
- The purpose of accountability: to blame the miscreants, and let everyone else be
- Spoofed IP: neither the IP address nor the ISP is a reliable identifier of the sender
- Accountability Service Provider: "vouches for" the traffic generated by its endpoints
- Separates accountability from addressing and routing
3/09/09 Speaker: Yun Liaw

Related Work
- Explicit blocking of unsolicited traffic
- Implicit blocking of unsolicited traffic
- Stepping stone detection
- Approaches to stop spoofed source addresses in

The Accountability Service
- The role of an accountability service: to provide authenticated clients with identifiers that can be used to mark packets as accountable
- Other clients of the service can block unwanted traffic and report malicious packets to the service
- Accountability services may differ from one another in how much anonymity or accountability they provide and in what they require from their clients

The Accountability Service
- Holds identities in escrow and reveals them only in case of severe, proven abuse
- Vouches for the traffic of its clients
- Accountability identifiers are independent of the destination
- Accountability identifiers are proxiable
- Receivers specify which accountability services they accept
- A victim can ask the network to filter traffic that carries a specific identifier

Design: Straw-man Protocol
- Sign every packet
- Every router on the forwarding path can check the certificate, but this is expensive
- Parties: Service Provider (A), Sender (S), Receiver (R)
- S holds the keypair (S_pub, S_priv); A issues cert_s = {S, S_pub}A_priv
- S sends pkt, cert_s, {pkt}S_priv, which proves that the packet really came from S

Design: An Efficient Protocol
- Sender S and receiver R agree to use accountability service A
- Each client C of A has a private key c, a public key g^c, and a certificate cert_c = {C, C_pub}A_priv
- Diffie-Hellman is used to create shared keys:
  S and R: (g^s)^r = (g^r)^s
  S and S's ISP P_1: k_s = (g^P_1)^s = (g^s)^P_1
- Outgoing packets from S carry:
  cert_s
  a timestamp
  a hash h_R = hash(pkt, timestamp, cert_s, g^sr)
  a hash h_1 = hash(pkt, timestamp, cert_s, k_s)

Design: An Efficient Protocol
- P_1 can cache cert_s and k_s for fast verification
- P_1 is expected to check cert_s, the timestamp, and h_1
- Identifying a non-checking origination ISP: let each P_i on the path insert into each packet from S to R its AS number and h_i = hash(pkt, timestamp, cert_s, k_i)
- If R receives a packet with an invalid certificate, R can show this packet, hashed by P_1, together with cert_s to any P_i along the path, thereby proving that P_1 did not check the certificate ("first-hop accountability service ISP")
- R can ask its ISP P_n to block traffic from cert_s on its behalf
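The following is an added example (not the paper's code, nor code from these slides) that walks the efficient protocol of the two preceding slides in Python: Diffie-Hellman agreement between S, R and the first-hop ISP P_1, the two per-packet hashes h_R and h_1, P_1's check of cert_s, timestamp and h_1, and R's check of h_R. It assumes a toy DH group and uses an HMAC tag as a stand-in for A's signature on cert_s, so the verifiers here hold A's key, unlike with a real public-key signature.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration): 2^127 - 1 is prime but far too small for real use.
P = (1 << 127) - 1
G = 5

def keypair():
    """Private exponent c and public value g^c mod p, as held by each client of A."""
    c = secrets.randbelow(P - 2) + 1
    return c, pow(G, c, P)
def issue_cert(a_key, name, pub):
    """cert_c = {C, C_pub}A_priv. Stand-in: a 32-byte HMAC tag under A's key instead of a signature,
    so here verifiers hold A's key; a real deployment would verify with A's public key only."""
    body = f"{name}:{pub}".encode()
    return body + hmac.new(a_key, body, hashlib.sha256).digest()
def verify_cert(a_key, cert):
    body, tag = cert[:-32], cert[-32:]
    return hmac.compare_digest(tag, hmac.new(a_key, body, hashlib.sha256).digest())
def packet_hash(pkt, ts, cert, shared):
    """hash(pkt, timestamp, cert_s, shared key); fields are length-prefixed so they cannot be shifted."""
    h = hashlib.sha256()
    for part in (pkt, str(ts).encode(), cert, str(shared).encode()):
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()
def send(pkt, ts, cert_s, s_priv, r_pub, p1_pub):
    """S attaches cert_s, the timestamp, h_R (keyed with g^sr) and h_1 (keyed with k_s)."""
    g_sr = pow(r_pub, s_priv, P)   # (g^r)^s
    k_s = pow(p1_pub, s_priv, P)   # (g^P1)^s
    return {"pkt": pkt, "ts": ts, "cert": cert_s,
            "h_R": packet_hash(pkt, ts, cert_s, g_sr), "h_1": packet_hash(pkt, ts, cert_s, k_s)}
def isp_check(msg, a_key, p1_priv, s_pub, now, max_skew=60):
    """First-hop ISP P1 checks cert_s, the timestamp and h_1, using k_s = (g^s)^P1 (cacheable)."""
    if not verify_cert(a_key, msg["cert"]) or abs(now - msg["ts"]) > max_skew:
        return False
    k_s = pow(s_pub, p1_priv, P)
    return hmac.compare_digest(msg["h_1"], packet_hash(msg["pkt"], msg["ts"], msg["cert"], k_s))
def receiver_check(msg, r_priv, s_pub):
    """R recomputes h_R from its own share: g^sr = (g^s)^r."""
    g_sr = pow(s_pub, r_priv, P)
    return hmac.compare_digest(msg["h_R"], packet_hash(msg["pkt"], msg["ts"], msg["cert"], g_sr))
def run_demo():
    """Constructed run S -> P1 -> R, then the same packet altered in flight (both checks must fail)."""
    a_key = b"constructed-key-of-service-A"
    s_priv, s_pub = keypair(); r_priv, r_pub = keypair(); p1_priv, p1_pub = keypair()
    cert_s = issue_cert(a_key, "S", s_pub)
    msg = send(b"GET /index.html", 1236556800, cert_s, s_priv, r_pub, p1_pub)
    forged = dict(msg, pkt=b"GET /admin")
    return (isp_check(msg, a_key, p1_priv, s_pub, 1236556810), receiver_check(msg, r_priv, s_pub),
            isp_check(forged, a_key, p1_priv, s_pub, 1236556810), receiver_check(forged, r_priv, s_pub))
```

Note that h_1 binds the packet only to the S/P_1 pair and h_R only to the S/R pair; neither is a signature, which is why the next slide observes that the scheme gives no non-repudiation.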

Design: An Efficient Protocol
- Does not provide the non-repudiation property

Discussions and Comments
- Accountability services can help ISPs filter unwanted traffic
- A centralized, trusted authority would limit scalability
- Accountability should be held by people, while machines are neutral (bots and zombies)
- The cost of an accountability service: what value and profit would it bring us? Is it worth deploying?