Presentation is loading. Please wait.

Presentation is loading. Please wait.

Preventing Internet Denial-of-Service with Capabilities

Published byFlora Glenn Modified over 5 years ago

Similar presentations

Presentation on theme: "Preventing Internet Denial-of-Service with Capabilities"— Presentation transcript:

1 Preventing Internet Denial-of-Service with Capabilities
Tom Anderson, David Wetherall Univ. of Washington Timothy Roscoe Intel Research at Berkeley 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

2 Anupam Chanda, Khaled Elmeleegy. Comp 629
Paper Summary An approach to prevent DoS attacks Nodes obtain “permission to send” from destination Capabilities Verification points enforce capabilities Suitable for incremental deployment 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

3 Anupam Chanda, Khaled Elmeleegy. Comp 629
Overview Motivation Related work Proposed solution Conclusion 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

4 Anupam Chanda, Khaled Elmeleegy. Comp 629
Motivation DoS – flooding limited resource CPU/Memory on hosts, routers, firewalls Anomaly detection Automated response – often shutdown New applications likely to be anomalous “Normal” traffic could be an attack CodeRed virus 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

5 Anupam Chanda, Khaled Elmeleegy. Comp 629
Related Work 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

6 Source Address Filtering
At network ingress and egress points Prevents spoofing attacks However… Addresses with same n/w prefix can be spoofed Attacks often consist of legitimate packets – hosts under a virus attack 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

7 Anupam Chanda, Khaled Elmeleegy. Comp 629
IP Traceback Traces the source of the attack Detection rather than prevention Can do post-mortem traceback Marking of IP packets 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

8 Anupam Chanda, Khaled Elmeleegy. Comp 629
IP Traceback (contd.) A1 A2 A3 R4 R5 R6 R2 R3 R1 V 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

9 Anupam Chanda, Khaled Elmeleegy. Comp 629
Pushback Pushback daemon Monitors traffic pattern Rules to indicate DoS attack Communicates with upstream routers (pushback) Upstream routers drop packets 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

10 Anupam Chanda, Khaled Elmeleegy. Comp 629
Anomaly Detection Rule-based or statistical techniques Classify traffic as friendly/malicious Malicious traffic detection Install network filters s to network administrators Legitimate applications may trigger alerts Application level end-to-end decision making is required 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

11 Anupam Chanda, Khaled Elmeleegy. Comp 629
Overlay Filtering Traffic rerouted through special nodes Sophisticated analysis and filtering Traffic passed through overlay Adds a secret to the packets Downstream routers check for the secret Similar to capability-based filtering which adds nonce tokens in the capabilities 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

12 Anupam Chanda, Khaled Elmeleegy. Comp 629
Proposed Solution 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

13 Anupam Chanda, Khaled Elmeleegy. Comp 629
System’s components Request To Send (RTS) server Used by sources to get tokens to send (capabilities) Verification Points (VP) Perform access control by verifying the existence of a token in the packet VPs are coupled with RTS servers, both co-located with BGP speakers 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

14 Obtaining permission to send
Autonomous Systems (AS) advertise they want their inbound traffic filtered Augment BGP advertisement Give the address of their RTS server Any AS along the way may add its RTS to the BGP advertisement Source can discover a chain of RTS servers through which it can send its request 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

15 Token Generation and passing
Destination generates a hash chain 64-bit one way hash values h1,h2…hk Destination sends hk back to the source through RTS servers RTS servers and VPs remember the token and associates it with the flow 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

16 Sending with capabilities
Token (capability) allows source to send n packets in t seconds Source includes token in packets VPs along the path validates the token If token found and is valid, increment usage count Else drop packet 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

17 Acquiring new capabilities (in band)
Could explicitly request new token Bad performance (overhead) Destination sends hk-1 ( new capability) after receiving nearly n packets Source switches to use hk-1 for the next n packets VPs switch to hk-1. They figure hk-1 as hk = hash(hk-1) (hash chain) 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

18 Anupam Chanda, Khaled Elmeleegy. Comp 629
Security issues RTS servers control RTS pkt rates to destinations RTS servers are protected against flood Only accessed by nodes on the same AS or another RTS servers Tokens are difficult to guess If you can sniff then you can disrupt the communication anyway 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

19 Anupam Chanda, Khaled Elmeleegy. Comp 629
Conclusions Explicit authorization scheme to address DoS Paper argued that the scheme other than it solves the DoS problem, it is: Feasible Incrementally deployable No experiments, so no sense of added overhead 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

20 Anupam Chanda, Khaled Elmeleegy. Comp 629
Questions ? 11/13/2018 Anupam Chanda, Khaled Elmeleegy. Comp 629

Download ppt "Preventing Internet Denial-of-Service with Capabilities"

Similar presentations

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.

COMP 7320 Internet Security: Prevention of DDoS Attacks By Dack Phillips.
A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,

A CGA based Source Address Authentication Method in IPv6 Access Network(CSA) Guang Yao, Jun Bi and Pingping Lin Tsinghua University APAN26 Queenstown,
Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.

Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
A DoS-limiting Network Architecture CSCE 715: Fall’06 Presentation by: Amit Jain Shantnu Chaturvedi.

A DoS-limiting Network Architecture CSCE 715: Fall’06 Presentation by: Amit Jain Shantnu Chaturvedi.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.

July 2008IETF 72 - NSIS1 Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-01 Se Gi Hong & Henning Schulzrinne.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
John Kristoff DePaul Security Forum 2003 1 Network Defenses to Denial of Service Attacks John Kristoff +01 312 362-5878.

John Kristoff DePaul Security Forum Network Defenses to Denial of Service Attacks John Kristoff
Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas.

Efficient and Secure Source Authentication with Packet Passports Xin Liu (UC Irvine) Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Similar presentations

Ads by Google