Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)"— Presentation transcript:

1 1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)

2 2 DoS is not even close to be solved Address validation is insufficient (botnets) Traceback is too little too late (detection only) Pushback lacks discrimination (imprecise) Secure overlay filtering requires offline authenticators (public servers) 

3 3 Capabilities are a promising approach Destination control The destinations know better. Network filtering based on explicit and unforgeable packet state, i.e., capabilities Only the network can shed load before the damage has been made. Anderson et al. [Anderson03], Yarr et al. [Yarr04]

4 4 Sketch of the capability approach 1. Source requests permission to send. 2. Destination authorizes source for limited transfer, e.g, 32KB in 10 secs A capability is the proof of a destination’s authorization. 3. Source places capabilities on packets and sends them. 4. Network filters packets based on capabilities. cap

5 5 Capabilities alone do not effectively limit DoS Goal: minimize the damage of the arbitrary behavior of k attacking hosts. Non-goal: make DoS impossible Problems 1. Request or authorized packet floods 2. Added functionality in a router’s forwarding path 3. Authorization policies 4. Deployment TVA addresses all of the above.

6 6 Challenges 1. Counter a broad range of attacks, including request and authorized packet floods 2. Router processing with bounded state and computation 3. Effective authorization policies 4. Incrementally deployable

7 7 Request packet floods Request packets do not carry capabilities.

8 8 Counter request packet floods (I) Rate-limit request packets cap

9 9 Counter request packet floods (II) Rate-limit request packets Routers insert path identifier tags [Yarr03]. Fair queue requests using the most recent tags. Per path-id queues 12 11

10 10 Authorized packet floods cap

11 11 Counter authorized packet floods Per-destination queues TVA bounds the number of queues. cap

12 12 Challenges 1. Counter a broad range of attacks, including request packet floods and authorized packet floods 2. Router processing with bounded state and computation 3. Effective authorization policies

13 13 TVA’s implementation of capabilities Routers stamp pre-capabilities on request packets (timestamp, hash(src, dst, key, timestamp) Destinations return fine-grained capabilities (N, T, timestamp, hash(pre-cap, N, T)) send N bytes in the next T seconds, e.g. 32KB in 10 seconds pre 1 pre 2 cap 1 cap 2

14 14 Validating fine-grained capabilities 1. A router verifies that the hash value is correct. 2. Checks for expiration: timestamp + T · now 3. Checks for byte bound: sent + pkt_len · N cap 1 cap 2 data N, T, timestamp, hash(pre-cap, N, T)

15 15 Bounded computation The main computation overhead is hash validation. On a Pentium Xeon 3.2GHz PC Stamping pre-capabilities takes 460ns Validating capabilities takes 1486ns

16 16 Bounded state Create a slot if a capability sends faster than N/T. For a link with a fixed capacity C, there are at most C/(N/T) flows  Number of slots is bounded by C / (N/T) cap 1 cap 2 data N, T, timestamp, hash(pre-cap, N, T) sent + pkt_len · N

17 17 Worst case byte bound is 2N in T seconds T t1t1 t2t2 t3t3 0 a slot is created a slot is expired TTL average rate · N/T t · T bytes · N If a slot expires, it indicates that a capability sends slower than N/T. t4t4 t5t5

18 18 Bounded number of queues Tag space bounds the number of request queues. Number of destination queues is bounded by C/R path-identifier queue Validate capability requests per-destination queue regular packets Y N low priority queue legacy packets Queue on most recent tags Keeps a queue if a destination receives faster than a threshold rate R

19 19 Challenges 1. Counter a broad range of attacks, including request packet floods and authorized packet floods 2. Router processing with bounded state and computation 3. Effective authorization policies

20 20 Simple policies can be effective Fine-grained capabilities tolerate authorization mistakes. Client policy Authorize requests that match outgoing ones Public server policy Authorize all initial requests Stop misbehaving senders A server has control over its incoming traffic when overload occurs.

21 21 Evaluation

22 22 Overview of different schemes SIFF [Yarr04] request and legacy traffic have the same priority authorized traffic has a higher priority time-limited capabilities Pushback [Mahajan01, Ioannidis02] Network controlled filtering Legacy Internet best-effort

23 23 Ns-2 Simulation Setup Scale down topology to speed up simulations Two metrics: The transfer time of a fixed-length file (20KB) Fraction of completed transfers … … 10 legitimate users 1-100 attackers 10Mb bottleneck destination colluder 1Mb

24 24 TVA is able to limit legacy packet floods Internet SIFF pushback TVA

25 25 TVA is able to limit request packet floods TVA

26 26 TVA is able to limit authorized packet floods SIFF TVA

27 27 Simple policies can be effective

28 28 Conclusion Key contribution a comprehensive and practical capability system for the first time. We made TVA practical in three aspects Counter a broad range of attacks Bounded state and computation Simple and effective authorization policies Coming next Testbed implementation Request rate limit, queuing scheme Robust service differentiation Traffic with different priority

29 29 Types of Queues inside a TVA-router TVA bounds the number of queues. path-identifier queue Validate capability requests per-destination queue regular packets Y N low priority queue legacy packets

30 30 TVA’s implementation of capabilities Routers stamp pre-capabilities on request packets (timestamp, hash(src, dst, key, timestamp) Destinations return fine-grained capabilities (N, T, timestamp, hash(pre-cap, N, T)) send N bytes in the next T seconds, e.g. 32KB in 10 seconds pre 1 pre 2 cap 1 cap 2 cap 1 cap 2 data

Download ppt "1 TVA: A DoS-limiting Network Architecture Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington)"

Similar presentations

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June 28 2007.

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June
Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.

Shutup An E2E Approach to DoS Defense Paul Francis Saikat Guha Cornell.
Introduction Assumptions and Goals Architecture Design Details Analysis Implementation and Evaluation Discussion 2 A Presentation at Advanced Defence.

Introduction Assumptions and Goals Architecture Design Details Analysis Implementation and Evaluation Discussion 2 A Presentation at Advanced Defence.
2009-03-16 1 Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.

Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.
Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.

Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.
1 CONGESTION CONTROL. 2 Congestion Control When one part of the subnet (e.g. one or more routers in an area) becomes overloaded, congestion results. Because.

1 CONGESTION CONTROL. 2 Congestion Control When one part of the subnet (e.g. one or more routers in an area) becomes overloaded, congestion results. Because.
TELE202 Lecture 8 Congestion control 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »X.25 »Source: chapter 10 ¥This Lecture »Congestion control »Source:

TELE202 Lecture 8 Congestion control 1 Lecturer Dr Z. Huang Overview ¥Last Lecture »X.25 »Source: chapter 10 ¥This Lecture »Congestion control »Source:
Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.

Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.
Traffic Shaping Why traffic shaping? Isochronous shaping

Traffic Shaping Why traffic shaping? Isochronous shaping
1.  Congestion Control Congestion Control  Factors that Cause Congestion Factors that Cause Congestion  Congestion Control vs Flow Control Congestion.

1.  Congestion Control Congestion Control  Factors that Cause Congestion Factors that Cause Congestion  Congestion Control vs Flow Control Congestion.
Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.

Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.
User-level Internet Path Diagnosis Ratul Mahajan, Neil Spring, David Wetherall and Thomas Anderson Designed by Yao Zhao.

User-level Internet Path Diagnosis Ratul Mahajan, Neil Spring, David Wetherall and Thomas Anderson Designed by Yao Zhao.
FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.

FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.
MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA
CacheCast: Eliminating Redundant Link Traffic for Single Source Multiple Destination Transfers Piotr Srebrny, Thomas Plagemann, Vera Goebel Department.

CacheCast: Eliminating Redundant Link Traffic for Single Source Multiple Destination Transfers Piotr Srebrny, Thomas Plagemann, Vera Goebel Department.
March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,

March 2009IETF 74 - NSIS1 Implementation of Permission-Based Sending (PBS) NSLP: Network Traffic Authorization draft-hong-nsis-pbs-nslp-02 Se Gi Hong*,
Course Name- CSc 8320 Advanced Operating Systems Instructor- Dr. Yanqing Zhang Presented By- Sunny Shakya Latest AOS techniques, applications and future.

Course Name- CSc 8320 Advanced Operating Systems Instructor- Dr. Yanqing Zhang Presented By- Sunny Shakya Latest AOS techniques, applications and future.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP 2001 1.

The War Between Mice and Elephants Presented By Eric Wang Liang Guo and Ibrahim Matta Boston University ICNP

Similar presentations

Ads by Google