Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems."— Presentation transcript:

1 On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems Lab, Computer Sciences Purdue University In Proc. ACM SIGCOMM 2001 Presented by Brad Burres

2 Agenda Introduction Introduction Related Work Related Work Route-Based Packet Filtering Route-Based Packet Filtering Performance Evaluation Performance Evaluation Results Results Implementation Issues Implementation Issues Conclusions Conclusions

3 Introduction DoS – Denial of Service DoS – Denial of Service Attacker demands more resources than are available Attacker demands more resources than are available We’ve talked about this! We’ve talked about this! You cannot prevent a DoS/DDoS attack You cannot prevent a DoS/DDoS attack Protection takes two forms Protection takes two forms Proactive – put measures in place to prevent attacks Proactive – put measures in place to prevent attacks Reactive – put systems in place to react to the attack and minimize its impact Reactive – put systems in place to react to the attack and minimize its impact

4 Related Works Resource Management (e.g. firewall/detect) Resource Management (e.g. firewall/detect) Mitigate the impact on the victim Mitigate the impact on the victim Does not eliminate the problem Does not eliminate the problem Does not (likely) deter the attacker Does not (likely) deter the attacker Ingress Filtering Ingress Filtering Place at all boarder gateways Place at all boarder gateways Should limit source IP address spoofing Should limit source IP address spoofing Expensive to implement Expensive to implement

5 IP Traceback (related works) Trace back the attacking packets to their source Trace back the attacking packets to their source Traffic Analysis Traffic Analysis Use logs at the routers to perform trace Use logs at the routers to perform trace High storage and processing costs High storage and processing costs ICMP Traceback messages ICMP Traceback messages Variable length marking denotes route path Variable length marking denotes route path Increased network traffic Increased network traffic Now ICMP messages can be spoofed… Now ICMP messages can be spoofed…

6 IP Traceback (related works) Probabilistic Packet Marking Probabilistic Packet Marking Probabilistically mark a packet by adding route info Probabilistically mark a packet by adding route info Constant marking field Constant marking field Efficient to implement Efficient to implement Reconstructs the path of the attacker with a high probability Reconstructs the path of the attacker with a high probability Can track attacker to within 5 equally likely sites Can track attacker to within 5 equally likely sites Reactive Only! Allows initial attack… Reactive Only! Allows initial attack… Doesn’t scale well with lots of attackers Doesn’t scale well with lots of attackers

7 Route-Based Distributed Packet Filtering (DPF) Break the name into pieces Break the name into pieces Route-Based Packet Filtering Route-Based Packet Filtering Filter the spoofed packets whenever they are traversing an unexpected routing path Filter the spoofed packets whenever they are traversing an unexpected routing path Distributed Packet Filtering Distributed Packet Filtering Applying the filtering technique at certain points in the network Applying the filtering technique at certain points in the network Key Objectives are to 1) Maximize proactive filtering, 2) Minimize the number of possible attackers, 3) achieve 1&2 with smallest number of nodes possible Key Objectives are to 1) Maximize proactive filtering, 2) Minimize the number of possible attackers, 3) achieve 1&2 with smallest number of nodes possible

8 Illustration of Route-Based Filtering 0 1 2 4 3 6 7 5 8 9 Valid Routing path of node 2 Node 7 Attacks 4 by spoofing Node 2’s address Node 6 filters the attack

9 Definition of Terms F: filtering function F: filtering function 0 1 2 4 3 6 7 5 8 9 Routing paths from node 2 G: network topology G: network topology T: filtering nodes T: filtering nodes R: routing policies R: routing policies

10 More Terms (quickly) V – a set of nodes in G (vertices) V – a set of nodes in G (vertices) E – a set of links in G (edges) E – a set of links in G (edges) U – all non-filtering nodes (so V = U + T) U – all non-filtering nodes (so V = U + T) S(a,t) – set of nodes an attacker can spoof that won’t get filtered (attacker located at a and attacking t) S(a,t) – set of nodes an attacker can spoof that won’t get filtered (attacker located at a and attacking t) R(u,v) – the path from node u to v (in lower case, it’s a specific node) R(u,v) – the path from node u to v (in lower case, it’s a specific node) Routing Policies Routing Policies Tight – there exists a single path between two nodes Tight – there exists a single path between two nodes Loose – any loop free path between two nodes Loose – any loop free path between two nodes

11 Maximal and Semi-maximal Filters Maximal Filter Maximal Filter Use all source and dest routing paths in G Use all source and dest routing paths in G If V nodes, then V nodes can be the source, and V-1 nodes can be the dest… If V nodes, then V nodes can be the source, and V-1 nodes can be the dest… V*(V-1) = V 2  O(n 2 ) V*(V-1) = V 2  O(n 2 ) If edge e is on the routing path, the filter returns a 0, otherwise return a 1 and filter it. If edge e is on the routing path, the filter returns a 0, otherwise return a 1 and filter it. Semi-Maximal Filter Semi-Maximal Filter Use only the source address coming over link e Use only the source address coming over link e O(n) complexity, storage O(n) complexity, storage

12 Final Term: Vertex Cover (VC) T=VC T=VC Any node in the set U has only nodes in the set T as its neighbors. Any node in the set U has only nodes in the set T as its neighbors. Finding a minimal VC Finding a minimal VC NP-complete problem NP-complete problem Two well-known algorithms used for finding a VC Two well-known algorithms used for finding a VC

13 Performance Measures Proactive Prevention – limiting (eliminating) the number of nodes from which no spoofed IP packets can be reached Proactive Prevention – limiting (eliminating) the number of nodes from which no spoofed IP packets can be reached  2(1): fraction of AS’s from which no spoofed packets coming Reactive Traceback – A measure of the percentage of nodes which can – after receiving a spoofed packet (i.e. realizing that it’s under attack) – can localize it’s true source to within some minimal number Reactive Traceback – A measure of the percentage of nodes which can – after receiving a spoofed packet (i.e. realizing that it’s under attack) – can localize it’s true source to within some minimal number  1(5): fraction of AS’s which can resolve the attack location to within 5 possible sites.

14 Performance Measures (cont) Attack Volume reduction Attack Volume reduction Captures the reduction in the volume of an attack, such as when the source IP address is randomly selected Captures the reduction in the volume of an attack, such as when the source IP address is randomly selected

15 Minimizing “Spoofable” Addresses F2 Filtering at F1 and F2: S 1,9 ={1,2} F1 Filtering at F1: S 1,9 ={0,1,2,3,4,5} 8 6 3 5 9 7 4 21 0 Attacker Victim Routes to victim No filtering: S 1,9 ={0,1,2,3,4,5,6,7,8}

16 Power-Law Networks Mathematically (PDF): P[X=x] ~ x -(k+1) = x -a Mathematically (PDF): P[X=x] ~ x -(k+1) = x -a Behaviorally. Think of it as “the rich get richer”. If a lot of paths go through one node, than as more paths get added to the network, they too will go through that node. Behaviorally. Think of it as “the rich get richer”. If a lot of paths go through one node, than as more paths get added to the network, they too will go through that node. Like airport hubs – because we made Denver, Chicago, and Atlanta major hubs, now almost all flights of any distance go through one of those hubs. Like airport hubs – because we made Denver, Chicago, and Atlanta major hubs, now almost all flights of any distance go through one of those hubs.

17 Performance Results Found using a lot of evaluation tools (dpf, inet, brite) Found using a lot of evaluation tools (dpf, inet, brite) Proactive Filtering Effect Proactive Filtering Effect Not viable as a “perfect” filter Not viable as a “perfect” filter Does a very good job as DDoS attack prevention technique (limiting which nodes can attack and spoof from where) Does a very good job as DDoS attack prevention technique (limiting which nodes can attack and spoof from where)  2(1) =.88 on real Internet topologies from 97-99

18 Proactive Filtering on DDoS G: 1997~1999 Internet connectivity T: VC R: Tight F: Semi-maximal On real Internet topologies from 97-99, DPF makes 88% of internet sites “unspoofable”. This obviously hurts an attackers chances and makes them work much harder to even find valid attack nodes.

19 Attack Volume Reduction Randomly generated spoofed addresses are filtered 99.96% of the time!! Randomly generated spoofed addresses are filtered 99.96% of the time!! When T=VC,  = 0.0004 When T=VC,  = 0.0004

20 Reactive Performance for Traceback  1(5) = 1 for all three real Internet Topologies Means that an attack can be localized to no more than five nodes

21 Maximal vs. Semi-maximal Filters Semi-Maximal filters are almost as good at a fraction of the cost!! Semi-Maximal filters are almost as good at a fraction of the cost!! Maximal filters require V 2 storage and searching for insignificant gain Maximal filters require V 2 storage and searching for insignificant gain

22 Impact of Network Topology The authors spent a lot of time here – I will not. The authors spent a lot of time here – I will not. Random topology (Not Power-Law Network) Random topology (Not Power-Law Network) Really bad performance. Takes lots of filter nodes and still doesn’t filter a high percentage of spoofed addresses. Really bad performance. Takes lots of filter nodes and still doesn’t filter a high percentage of spoofed addresses. VC = 55% of total nodes! VC = 55% of total nodes! Inet topology Inet topology Has power-law characteristics Has power-law characteristics VC = 32% of nodes (real Internet was 18%) VC = 32% of nodes (real Internet was 18%) Performance close to that reported for 97-99 Internet Performance close to that reported for 97-99 Internet Brite topology Brite topology Basically, couldn’t make it do what we want (or at least give us the results that we want) Basically, couldn’t make it do what we want (or at least give us the results that we want) Why put this in the paper? Why put this in the paper?

23 Other Miscellaneous Results All simulations were done with the “T” nodes doing Ingress Filtering All simulations were done with the “T” nodes doing Ingress Filtering  1(5) != 1 when this is not true  1(20) = 1, and 20 nodes is still managable Multipath Routing degrades this solution. For R=3,  1(10) = 1

24 Conclusion Distributed Route-Based Packet Filtering is effective Distributed Route-Based Packet Filtering is effective Preventative – minimizes the choices available to attackers Preventative – minimizes the choices available to attackers Reactive – minimizes the nodes which can originate a given attack Reactive – minimizes the nodes which can originate a given attack Is it Practical? Is it Practical? Can be deployed incrementally Can be deployed incrementally Needs protocol support to get source routing information (i.e. BGP needs a face lift) Needs protocol support to get source routing information (i.e. BGP needs a face lift)

25 References Info on ICMP traceback: http://www.nwfusion.com/news/2000/0724itrace.html Info on ICMP traceback: http://www.nwfusion.com/news/2000/0724itrace.html http://www.nwfusion.com/news/2000/0724itrace.html Graphs: http://www.cs.cornell.edu/People/egs/syslunch- spring02/syslunchsp02/park-lee.pdf Graphs: http://www.cs.cornell.edu/People/egs/syslunch- spring02/syslunchsp02/park-lee.pdf http://www.cs.cornell.edu/People/egs/syslunch- spring02/syslunchsp02/park-lee.pdf http://www.cs.cornell.edu/People/egs/syslunch- spring02/syslunchsp02/park-lee.pdf Concepts and images: cosmos.kaist.ac.kr/cs540/seminar/hjlee020911.ppt Concepts and images: cosmos.kaist.ac.kr/cs540/seminar/hjlee020911.ppt cosmos.kaist.ac.kr/cs540/seminar/hjlee020911.ppt Power Law Networks: http://tisu.it.jyu.fi/cheesefactory/documents/PowerLawNetwor ks.ppt http://rio.ecs.umass.edu/~gao/ece697_0.../lect-03.01- properties.ppt Power Law Networks: http://tisu.it.jyu.fi/cheesefactory/documents/PowerLawNetwor ks.ppt http://rio.ecs.umass.edu/~gao/ece697_0.../lect-03.01- properties.ppt http://tisu.it.jyu.fi/cheesefactory/documents/PowerLawNetwor ks.ppt http://rio.ecs.umass.edu/~gao/ece697_0.../lect-03.01- properties.ppt http://tisu.it.jyu.fi/cheesefactory/documents/PowerLawNetwor ks.ppt http://rio.ecs.umass.edu/~gao/ece697_0.../lect-03.01- properties.ppt

Download ppt "On the Effectiveness of Route- Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets Kihong Park and Heejo Lee Network Systems."

Similar presentations

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.

IP Traceback in Cloud Computing Through Deterministic Flow Marking Mouiad Abid Hani Presentation figures are from references given on slide 21. By Presented.
Advanced Networks 1. Delayed Internet Routing Convergence 2. The Impact of Internet Policy and Topology on Delayed Routing Convergence.

Advanced Networks 1. Delayed Internet Routing Convergence 2. The Impact of Internet Policy and Topology on Delayed Routing Convergence.
The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.

The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Topology Generation Suat Mercan. 2 Outline Motivation Topology Characterization Levels of Topology Modeling Techniques Types of Topology Generators.

Topology Generation Suat Mercan. 2 Outline Motivation Topology Characterization Levels of Topology Modeling Techniques Types of Topology Generators.
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.
Traffic Engineering With Traditional IP Routing Protocols

Traffic Engineering With Traditional IP Routing Protocols
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.

An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.

IP Traceback With Deterministic Packet Marking Andrey Belenky and Nirwan Ansari IEEE communication letters, VOL. 7, NO. 4 April 2003 林怡彣.
PROXY FOR CONNECTIVITY We consider the k shortest edge disjoint paths between a pair of nodes and define a hyperlink, whose ‘connectivity’ is defined as:

PROXY FOR CONNECTIVITY We consider the k shortest edge disjoint paths between a pair of nodes and define a hyperlink, whose ‘connectivity’ is defined as:
SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.
Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.

Practical Network Support for IP Traceback Internet Systems and Technologies - Monitoring.
On Distinguishing between Internet Power Law B Bu and Towsley Infocom 2002 Presented by.

On Distinguishing between Internet Power Law B Bu and Towsley Infocom 2002 Presented by.
The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.

The Structure of Networks with emphasis on information and social networks T-214-SINE Summer 2011 Chapter 8 Ýmir Vigfússon.
DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

Similar presentations

Ads by Google