Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Controlling High Bandwidth Aggregates in the Network.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Controlling High Bandwidth Aggregates in the Network."— Presentation transcript:

1 1 Controlling High Bandwidth Aggregates in the Network

2 2 Goals: Handle congestion Limit DoS attacks Allow flash crowds Identify traffic aggregates Subset of flows responsible for congestion Integrate provider policy Allow provider to configure drop mechanism

3 3 Related Work IP Traceback Tries to find source of attack Ingress/Egress Filtering ISP filters packets with fake source addresses Input debugging Uses signatures to filter attack traffic Scheduling: Fair Queuing Deficit Round Robin

4 4 ACC Design Apply congestion control to aggregated traffic Two levels of control: Local:  Identification  Control Global:  Pushback*

5 5 Issues Collateral damage Legitimate traffic may be inaccurately identified and restricted Routers may become synchronized and simultaneously detect congestion Insert jitter into monitoring interval How to ensure fairness of flows Separate identification and control Use RED to manage queue drops

6 6 Application to DoS attacks: Finding Aggregates Match destination of each dropped IP packet with longest matching prefix in routing table Periodically find most frequent prefix See if destinations match longer prefix E.g. maybe all dropped packets go to some specific host.

7 7 Application to DoS attacks: Rate Limiting* Let: w o be output bandwidth w i be total input bandwidth w b be bandwidth of aggregate desired drop rate be 20% Two conditions: w i – w b <= 1.2*w o w i – w b > 1.2*w o

Download ppt "1 Controlling High Bandwidth Aggregates in the Network."

Similar presentations

An Internet Without IP Minaxi Gupta Computer Science Dept. Indiana University, Bloomington.

An Internet Without IP Minaxi Gupta Computer Science Dept. Indiana University, Bloomington.
Jennifer Rexford Princeton University MW 11:00am-12:20pm Logically-Centralized Control COS 597E: Software Defined Networking.

Jennifer Rexford Princeton University MW 11:00am-12:20pm Logically-Centralized Control COS 597E: Software Defined Networking.
1 CNPA B Nasser S. Abouzakhar Queuing Disciplines Week 8 – Lecture 2 16 th November, 2009.

1 CNPA B Nasser S. Abouzakhar Queuing Disciplines Week 8 – Lecture 2 16 th November, 2009.
MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.

Differentiated Services. Service Differentiation in the Internet Different applications have varying bandwidth, delay, and reliability requirements How.
Networks: Congestion Control1 Congestion Control.

Networks: Congestion Control1 Congestion Control.
Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.

Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006.
A Deficit Round Robin Input Arbiter for NetFPGA Jonathan Woodruff.

A Deficit Round Robin Input Arbiter for NetFPGA Jonathan Woodruff.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.

Introduction. Overview of Pushback. Architecture of router. Pushback mechanism. Conclusion. Pushback: Remedy for DDoS attack.
A & M University1 Design, and Evaluation of a Partial State Router Phani Achanta A. L. Narasimha Reddy Dept. of Electrical Engineering.

A & M University1 Design, and Evaluation of a Partial State Router Phani Achanta A. L. Narasimha Reddy Dept. of Electrical Engineering.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.

DDoS Attack Prevention by Rate Limiting and Filtering d’Artagnan de Anda CS239 Network Security 26 Apr 04.
ACN: Congestion Control1 Congestion Control and Resource Allocation.

ACN: Congestion Control1 Congestion Control and Resource Allocation.
School of Information Technologies IP Quality of Service NETS3303/3603 Weeks 10-11.

School of Information Technologies IP Quality of Service NETS3303/3603 Weeks
Controlling High Bandwidth Aggregates in the Network Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker AT&T.

Controlling High Bandwidth Aggregates in the Network Ratul Mahajan, Steven M. Bellovin, Sally Floyd, John Ioannidis, Vern Paxson, and Scott Shenker AT&T.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.

Similar presentations

Ads by Google