
Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter.

Presentation transcript:

1 Mitigating Bandwidth- Exhaustion Attacks using Congestion Puzzles XiaoFeng Wang Michael K. Reiter

2 Overview Background Congestion puzzles mechanism Implementation and security analysis Experiments Conclusions

3 Bandwidth Exhaustion Attacks (figure: attacker, zombies, victim) Background CP mechanism Implementation Experiments Conclusions

4 Attack model
Can do: forge any information in packets they send; coordinate their zombies perfectly; compromise some routers
Cannot do: modify a large fraction of the legitimate packets; eavesdrop on most legitimate flows

5 Puzzles (figure: router, good guy, bad guys)

6 One type of puzzle: random hash function h; client nonce N_c; server nonce N_s; puzzle solution X; puzzle difficulty d (figure: client and server exchange; hash output of the form 000..0001mm…m)

7 Congestion Puzzles (CP): apply puzzles at the network (IP) level; don't require attack signatures; only a small fraction of routers needs to implement CP; lightweight implementation within routers

8 Algorithm overview (on congestion):
1. Puzzle distribution mechanism (puzzle parameters)
2. Puzzle based rate limiter (computation flow vs. bit flow)
3. Distributed puzzle mechanism

9 Puzzle distribution (figure: puzzle parameters propagated between routers as congestion changes)

10 Puzzle based rate limiter (figure: control and function of the rate limiter)

11 Distributed puzzle mechanism (figure: server s and routers 1–6; nonces chained along each path: N_s; N_s|N_1, N_s|N_2; N_s|N_1|N_3|N_C|X_3, N_s|N_1|N_4|N_C|X_4, N_s|N_2|N_5|N_C|X_5, N_s|N_2|N_6|N_C|X_6)
Asking upstream routers to help; blocking reuse of solutions on different paths

12 Implementation
CPU: checking only part of the solutions; checking about 0.16% of them is enough to mitigate
Memory: we need to know if a sequence has already appeared; using a Bloom filter requires only 1.1MB
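A worked version of the puzzle from slide 6 and the solution-reuse check from slide 12, added here as an illustration (not code from the paper or the talk). Assumptions: h is SHA-256 over N_c || N_s || X, a solution is valid when the hash has at least d leading zero bits, and the Bloom filter size is scaled down from the 1.1MB mentioned.

```python
import hashlib

def puzzle_hash(client_nonce: bytes, server_nonce: bytes, x: int) -> bytes:
    # h(N_c || N_s || X); SHA-256 stands in for the random hash function h (assumption)
    return hashlib.sha256(client_nonce + server_nonce + x.to_bytes(8, "big")).digest()

def leading_zero_bits(digest: bytes) -> int:
    n = int.from_bytes(digest, "big")
    return len(digest) * 8 - n.bit_length()

def solve_puzzle(client_nonce: bytes, server_nonce: bytes, d: int) -> int:
    # Client side: brute-force X until the hash has d leading zero bits (expected ~2^d tries)
    x = 0
    while leading_zero_bits(puzzle_hash(client_nonce, server_nonce, x)) < d:
        x += 1
    return x

class BloomFilter:
    # Remembers which (N_c, X) sequences have been seen; may give false positives, never false negatives
    def __init__(self, m_bits: int, k: int):
        self.m, self.k = m_bits, k
        self.bits = bytearray((m_bits + 7) // 8)
    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.m
    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)
    def __contains__(self, item: bytes) -> bool:
        return all((self.bits[p // 8] >> (p % 8)) & 1 for p in self._positions(item))

class Router:
    # Router side: accept a packet's solution only if it meets difficulty d and was not used before
    def __init__(self, server_nonce: bytes, d: int, bloom_bits: int = 8 * 4096):
        self.server_nonce, self.d = server_nonce, d
        self.seen = BloomFilter(bloom_bits, 4)   # demo size; the talk quotes 1.1MB in practice
    def verify(self, client_nonce: bytes, x: int) -> bool:
        if leading_zero_bits(puzzle_hash(client_nonce, self.server_nonce, x)) < self.d:
            return False                      # wrong or too-easy solution
        key = client_nonce + x.to_bytes(8, "big")
        if key in self.seen:
            return False                      # replayed solution (slide 11: block reuse)
        self.seen.add(key)
        return True
```

A real router would verify only a sampled fraction of packets, as slide 12 notes; here every packet is checked to keep the logic visible.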

13 Security analysis
Bandwidth allocation: moving from max-min fairness to weighted max-min fairness
Malicious routers: can only affect the clients whose traffic goes through them
Authentication: prevents an attacker from tricking clients into solving puzzles on its behalf
Client recruitment: a malicious router can only use solutions that its own clients need as well

14 Experiments: NS-2 network simulator; CAIDA's Skitter map of real internet topologies; 1500 paths: 500 legitimate (simulating surfing) and 100-1000 zombies (300kbps UDP); congested link bandwidth: 20Mbps, other links: 30Mbps; simulating the puzzle solving delay

15 Puzzle difficulty (d) (figure)

16 Partial deployment (1) (figure)

17 Partial deployment (2) (figure)

18 Conclusions: congestion puzzles as a new countermeasure to bandwidth exhaustion attacks; may encourage the owners of zombies to change their attacks
Future work: using attack signatures; using memory-bound puzzles instead of computation-bound ones; may help manage flash crowds

19 Thank you! Presented by Amitai Reuvenny amitaire@post.tau.ac.il

20 HW assignment
1. What is the assumption on the attack that lets us use lightweight authentication schemes?
2. Describe the difference between weighted averaging and exponential averaging.
3. How will a Bloom filter with 16 bits and 2 functions, X mod 13 and (X mod 11) + 5, look after adding the numbers 55 and 32?
4. What is free riding and what can be done to mitigate it?

