Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 SENSS Security Service for the Internet Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC)

Published byPosy James Modified over 8 years ago

Similar presentations

Presentation on theme: "1 SENSS Security Service for the Internet Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC)"— Presentation transcript:

1 1 SENSS Security Service for the Internet Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC)

2 Motivation and Insights 2

3 Growing DDoS Attacks* 3 2/3 rd of respondents have experienced at least one DDoS attack 400, 602, 750 Gbps attacks Frequent and large *source Arbor Networks

4 Growing BGP Prefix Hijacking* In 2013, hijacking affected 1,500 prefixes, in 150 cities Live interception attacks are on for more than 60 days Traffic from major companies, govs, ISPs diverted 4 *source Renesys

5 Attack Variants DDoS BGP prefix hijacking – Attacker announces victim’s prefix (origin) or short AS path to the victim (closeness) – Blackholing (drop traffic) or interception (sniff or modify then forward to victim) 5 Direct floodReflectorCrossfire

6 Attack Mitigation Today DDoS – Local device does traffic analysis, sometimes DPI (low- volume and application attacks; cannot handle high- volume or reflected traffic) – Cloud-based defense, traffic goes to cloud for scrubbing (high-volume attacks; takes time to set up, expensive, redirects traffic, special handling for encrypted traffic) BGP prefix hijacking – BGP anycast (distributes prefix presence; takes time to set up, expensive, needs content replication too) Most solutions focus on resource replication and withstand attacks 6

7 SENSS Enables the Victim to … observe own traffic – Going to the victim’ prefixes – Carrying sources from the victim’s prefixes … observe own routes – For the victim’s prefixes … control own traffic – Filter, allow, request bw guarantee … control own routes – Demote a route that may contain a hijacker or correct it 7 In any willing ISP (even non-neighbor)! Aligns control with ownership of traffic/routes Remote ISP must be able to verify the requestor’s authority for a prefix

8 SENSS 8

9 Operation ISPs run SENSS servers Victim identifies ISPs to interact with using public SENSS directory – Sends to each a query – ISPs authenticate prefix ownership, process query, charge the victim and return replies Victim decides which control actions to apply and where – Sends messages about this to chosen ISPs – ISPs authenticate prefix ownership, charge the victim, implement requested actions 9

10 SENSS APIs at ISPs Exposed as Web services – Leverage existing functionalities for robustness (replication), security (HTTPS), charging (e-commerce) Message authentication: Proof of authority for a prefix – Signed proof that owner of a given public key is authorized to speak for a set of prefixes in the SENSS messages – RPKI, extension of SSL certs, … – … or manually populate a DB of known customers and prefixes TLS for communication security Victim can delegate a proxy if it cannot communicate itself 10 neighbor’s AS number (+ geolocation) TypeFieldsAction/Reply Traffic queryFlow, dir, obs_timeList of Traffic filter/allowFlow, dir, tag, durationDeploy filter/allow actions Route queryPrefixList of best paths to prefix Route demotePrefix, segment, durationDemote routes with given segment

11 Example: Isolated Deployment 11 V  A: traffic_query A  V: 1 (D-A), 0.5 (E-A), 5 (F-A), 0.5 (C-A) V  A: traffic_filter(tag=F-A, dest=V) V  A: traffic_allow(dest=VN, sport=53, dport=(1000,2000)) V  A: traffic_filter(dest=V, sport=53) V NATs all DNS traffic through VN, ports 1000-2000 Direct flood Reflector

12 Example: ISP-Only Deployment 12 S periodically collects traffic reports from A,B,C,D,E,F,G,H Analyzes traffic Detects attack on V Identifies E as ingress router, which sends most of the attack to V Deploys blackholing at E for destination V

13 Example: Sparse Deployment 13 V  A, D, G, J, L: traffic_query Assemble the traffic tree from replies V  L: traffic_filter(tag=S2-L, dest=V)

14 Deploying SENSS in an ISP 14

15 What SENSS Can Do For You? Help you defend your customers from DDoS with existing infrastructure Automate DDoS handling within your ISP Help detect and diagnose attacks (separate module) 15

16 Integrating SENSS With Your ISP SENSS is a Web application, which can be ran on any Web server within your ISP: – Admin account requires 2-factor authentication – Use RPKI or set up DB for proof of authority for a prefix – Supply IP addresses of switches SENSS needs traffic/route observation and filtering: – For traffic observation: SDN or SNMP – For traffic filtering: SDN or Flowspec or ACLs – For route observation/filtering: interact with router software (Quagga) 16

17 Deploying SENSS at a customer 17

18 What SENSS Can Do For You? Help you engage your ISP in attack mitigation in an automated fashion Help detect and diagnose attacks (separate module) 18

19 Integrating SENSS With Your Network SENSS client is a stand-alone Python program, which can be ran on any node within your ISP – Admin account requires 2-factor authentication – The node which runs SENSS must have adequate proof of authority for your prefixes – Supply IP address of your ISP’s SENSS server (in isolated deployment) 19

20 Performance 20

21 Simulation On AS topology: – Legitimate traffic patterns from Edgecast and random attacker distributions Findings: – Early adopters can mitigate 100% of direct floods and reflector attacks for their customers – As adoption grows, protection grows for everyone. Higher range of attacks mitigated and higher effectiveness – Deployment at any tier helps. But deployment at Tier 1 and Tier 2 is especially effective – Most attacks can be mitigated with deployment at just 1–2% of all ISPs, with under 10 sec delay 21

22 Emulation On Deterlab testbed (www.deterlab.net) with topologies from Topology Zoowww.deterlab.net – 186 switches (OpenVSwitch+Quagga) – 1 SDN controller (RYU) – 1 SENSS server – 1-100 concurrent SENSS clients Response time (including RPKI validation): – Up to 4.32 sec for 100 concurrent SENSS queries – Up to 24.95 sec for 100 concurrent SENSS control msgs – Most attacks are handled within 10 seconds 22

23 Conclusions 23

24 Conclusions Distributed attacks not handled well today – Redundancy to sustain attacks. Cost is still high and attack traffic still clogs the Internet – Smaller businesses can be affected for days SENSS enables inter-ISP collaboration to detect and mitigate distributed attacks – Useful in a variety of settings – Complements other solutions Test-drive it on Deterlab or in your network – http://steel.isi.edu/Projects/SENSS/ http://steel.isi.edu/Projects/SENSS/ 24

25 Thanks for coming! Reach out if interested sunshine@isi.edu sunshine@isi.edu http://steel.isi.edu/Projects/SENSS/ Jelena MirkovicMinlan YuYing Zhang Sivaram Ramanathan

Download ppt "1 SENSS Security Service for the Internet Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC)"

Similar presentations

Ethernet Switch Features Important to EtherNet/IP

Ethernet Switch Features Important to EtherNet/IP
Mobile IP Outline Intro to mobile IP Operation Problems with mobility.

Mobile IP Outline Intro to mobile IP Operation Problems with mobility.
Akamai DNS Offerings RSA © Conference 2013. ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.

Akamai DNS Offerings RSA © Conference ©2013 AKAMAI | FASTER FORWARD TM Akamai DNS Solutions Enhanced DNS (eDNS) Scalable, outsourced, DNS solution.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.

By Hitesh Ballani, Paul Francis, Xinyang Zhang Slides by Benson Luk for CS 217B.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
SDN and Openflow.

SDN and Openflow.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.

Securing the Border Gateway Protocol (S-BGP) Dr. Stephen Kent Chief Scientist - Information Security.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.

Investigations into BIND Dynamic Update with OpenSSL by David Wilkinson.
Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.

Firewalls and VPNS Team 9 Keith Elliot David Snyder Matthew While.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Deployment of the VoIP Servers BY: Syed khaja Najmuddin Ahmed Anil Kumar Marikukala.

Deployment of the VoIP Servers BY: Syed khaja Najmuddin Ahmed Anil Kumar Marikukala.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Similar presentations

Ads by Google