Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deployable Filtering Architectures Against Denial-of-Service Attacks Department of Computer Science University College London Telephone: +44 (0)20 7679.

Published byJulian Flynn Modified over 8 years ago

Similar presentations

Presentation on theme: "Deployable Filtering Architectures Against Denial-of-Service Attacks Department of Computer Science University College London Telephone: +44 (0)20 7679."— Presentation transcript:

1 Deployable Filtering Architectures Against Denial-of-Service Attacks Department of Computer Science University College London Telephone: +44 (0)20 7679 0401 Fax: +44 (0)20 7679 1397 Electronic Mail: f.huici@cs.ucl.ac.ukf.huici@cs.ucl.ac.uk URL: http://www.cs.ucl.ac.uk/staff/f.huici/ Felipe Huici Transfer Report February 4, 2007

2 Introduction ► Attacks increasing in size and frequency  About 8,000 per day according to Symantec  Botnets reportedly as big as 1,500,000 nodes ► Motivation behind them has changed  Initially perpetrated by “script kiddies” to show off  Now carried out by professional criminals in extortion schemes ► Solution is needed if Internet is to continue to grow

3 Related Work ► Research Field  Proposals often have difficult deployment issues  Initial deployment incentives unclear or misaligned ► Commercial Field  Solutions prohibitively expensive for many  Do not scale to architectural levels ► Still no solution to large, distributed DoS attacks despite years of work

4 12 Servers ISP Network Routing and Tunneling E-BGP: Advertise S E-BGP Advertise S I-BGP 3 Malicious traffic Monitor Request Filter SSS Normal traffic

5 Edge-to-Edge Architecture D1 D2 F2 F1G1 Host H1 Host H2 Host H3 Server Router Decapsulator Encapsulator Legacy ISP A ISP B ISP C ISP D Legacy ISP E ISP FISP G B1 C1 G1

6 Terminus Architecture B1 B2 B3 B4 A1 A2 A3 A4 Client BP1 BP2 BP3 BP4 Border patrol BM1 BM2 Border manager S IDS FM Filter manager Router C1 B1 A1 D1 E1 F1 F2 D2 ISP A ISP B Legacy ISP C ISP D ISP E ISP F

7 Research Progress ► Design and implementation of encapsulator and decapsulator using Click ► Encapsulator experiments  Basic forwarding  Forwarding plus IP-in-IP encapsulation  Filtering performance  Filter look-up performance  CPU cache trashing ► Decapsulator experiments  Basic forwarding  Forwarding plus decasulation

8 Future Experiment Plan (I) ► Baseline experiments  Click packet generation and counting  Click and Linux basic forwarding performance ► Encapsulator / Border Patrol experiments  Performance when number of decapsulators increases  Scalability of number of filters held  Performance under different mixes of traffic  Design and implementation of different filter types

9 Future Experiment Plan (II) ► Decapsulator / Filter Manager experiments  Performance when dealing with filtering requests  Performance of filter manager when receiving large rate of requests ► Border Manager experiments  Performance when receiving large rate of requests ► Architectural Experiments

10 Time Table # Weeks Dates Task Description 2 3 rd week Feb – 4 th week Feb Baseline experiments 8 1 st week March – 4 th week April Encapsulator and border patrol experiments 3 1 st week May – 3 rd week May Filtering protocol 5 4 th week May – 4 th week June Decapsulator and filter manager experiments 2 1 st week July – 2 nd week July Border manager experiments 10 3 rd week July – 4 th week Sept Architectural experiments 2 1 st week Oct – 2 nd week Oct Buffer time 12 3 rd week Oct – 2 nd week Jan 08 Thesis write-up 1 3 rd week Jan 08 Thesis submission

Download ppt "Deployable Filtering Architectures Against Denial-of-Service Attacks Department of Computer Science University College London Telephone: +44 (0)20 7679."

Similar presentations

Push Technology Humie Leung Annabelle Huo. Introduction Push technology is a set of technologies used to send information to a client without the client.

Push Technology Humie Leung Annabelle Huo. Introduction Push technology is a set of technologies used to send information to a client without the client.
Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
L. Alchaal & al. Page 1 2002 Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.

L. Alchaal & al. Page Offering a Multicast Delivery Service in a Programmable Secure IP VPN Environment Lina ALCHAAL Netcelo S.A., Echirolles INRIA.
 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.

 IPv6 Has built in security via IPsec (Internet Protocol Security). ◦ IPsec Operates at OSI layer 3 or internet layer of the Internet Protocol Suite.
Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.

Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.

CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.

Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.
EEC-484/584 Computer Networks Lecture 6 Wenbing Zhao

EEC-484/584 Computer Networks Lecture 6 Wenbing Zhao
1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson

1 In VINI Veritas: Realistic and Controlled Network Experimentation Jennifer Rexford with Andy Bavier, Nick Feamster, Mark Huang, and Larry Peterson
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
A Routing Control Platform for Managing IP Networks Jennifer Rexford Computer Science Department Princeton University

A Routing Control Platform for Managing IP Networks Jennifer Rexford Computer Science Department Princeton University
Internet Cache Pollution Attacks and Countermeasures Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen Electrical Engineering and Computer Science.

Internet Cache Pollution Attacks and Countermeasures Yan Gao, Leiwen Deng, Aleksandar Kuzmanovic, and Yan Chen Electrical Engineering and Computer Science.
1 Design and implementation of a Routing Control Platform Matthew Caesar, Donald Caldwell, Nick Feamster, Jennifer Rexford, Aman Shaikh, Jacobus van der.

1 Design and implementation of a Routing Control Platform Matthew Caesar, Donald Caldwell, Nick Feamster, Jennifer Rexford, Aman Shaikh, Jacobus van der.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University

A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University
1 Routing as a Service Karthik Lakshminarayanan (with Ion Stoica and Scott Shenker) Sahara/i3 retreat, January 2004.

1 Routing as a Service Karthik Lakshminarayanan (with Ion Stoica and Scott Shenker) Sahara/i3 retreat, January 2004.
Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas.

Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas.
A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University

A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University
A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University

A Routing Control Platform for Managing IP Networks Jennifer Rexford Princeton University

Similar presentations

Ads by Google