Presentation is loading. Please wait.

Presentation is loading. Please wait.

Max Robinson Jelena Mirković DR. Peter Reiher DefCOM Motivation Distributed denial-of-service attacks require a distributed solution. Detection is more.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Max Robinson Jelena Mirković DR. Peter Reiher DefCOM Motivation Distributed denial-of-service attacks require a distributed solution. Detection is more."— Presentation transcript:

1 Max Robinson Jelena Mirković DR. Peter Reiher DefCOM Motivation Distributed denial-of-service attacks require a distributed solution. Detection is more effective closer to the victim network. Response is more selective closer to the source. Good coverage with a few deployment points in intermediate network.Idea Combine diverse defense systems for cooperative response. Additional benefits Wide deployment is achieved by accommodating legacy systems. Defense nodes can specialize in those functions they can do best. Through communication, the strengths of specialists can address challenges for other nodes. attacker client victim DefCOM DefCOM is a peer-to-peer network of defense nodes that exchange information and services to perform cooperative DDoS defense. Three types of nodes: Alert generator nodes Alert generator nodes – detect the attack and alert the rest of the peer network Core nodes Core nodes – perform simple rate-limiting Classifier nodes Classifier nodes – differentiate between legitimate traffic and attack traffic, forward legitimate packets and severely rate-limit attack packets attacker client victim alert generator core classifier Attack detected! attacker client victim alert generator core classifier attacker client victim alert generator core classifier Rate limit N BpsRate limit N/2 Bps attacker client victim alert generator core classifier Alert generators detect the attack, send alerts to all peers in the network. Nodes forward alerts to their neighbors, yet avoid cycles. Nodes stamp packets that they forward to the victim. When a node detects a packet with its neighbor’s stamp, this neighbor becomes the node’s child. The node sends a “parent” message to its children. traffic tree Nodes with parents/children form a traffic tree. Nodes on the tree cooperate to stop the attack. Rate-limits are propagated from the root to the leaves. Parents divide their rate-limits among their children. legitimate monitored Classifiers block attack traffic and forward traffic bearing legitimate stamps. Core nodes overwrite these stamps, and mark any unstamped traffic with monitored stamps. Each node dedicates bandwidth first to legitimate, then to monitored, and last to unstamped traffic. All nodes in the peer network cooperate to give preferential service to legitimate traffic and constrain the attack by: Deploying secure packet stampinglegitimate monitored Deploying secure packet stamping – each node defines its legitimate and monitored stamp. Classifier nodes mark legitimate packets with legitimate stamps, and the rest of traffic with monitored stamps. Core nodes rewrite these stamps. Any unmarked packets reaching core nodes will be stamped as monitored if they pass the rate-limit. Serving packets in three service levels Serving packets in three service levels – A core node apportions its bandwidth first to packets bearing legitimate stamps, then to packets bearing monitored stamps and any leftover to unstamped traffic. Distributed Peer-to-Peer Network for DDoS Defense Defensive Cooperative Overlay Mesh

Download ppt "Max Robinson Jelena Mirković DR. Peter Reiher DefCOM Motivation Distributed denial-of-service attacks require a distributed solution. Detection is more."

Similar presentations

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.

Secure Routing Panel FIND PI Meeting (June 27, 2007) Morley Mao, Jen Rexford, Xiaowei Yang.
Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.

Why Is DDoS Hard to Solve? 1.A simple form of attack 2.Designed to prey on the Internet’s strengths 3.Easy availability of attack machines 4.Attack can.
Exact Inference. Inference Basic task for inference: – Compute a posterior distribution for some query variables given some observed evidence – Sum out.

Exact Inference. Inference Basic task for inference: – Compute a posterior distribution for some query variables given some observed evidence – Sum out.
NUS.SOC.CS5248-2014 Roger Zimmermann (based in part on slides by Ooi Wei Tsang) Peer-to-Peer Streaming.

NUS.SOC.CS Roger Zimmermann (based in part on slides by Ooi Wei Tsang) Peer-to-Peer Streaming.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Playback delay in p2p streaming systems with random packet forwarding Viktoria Fodor and Ilias Chatzidrossos Laboratory for Communication Networks School.

Playback delay in p2p streaming systems with random packet forwarding Viktoria Fodor and Ilias Chatzidrossos Laboratory for Communication Networks School.
Junction Trees And Belief Propagation. Junction Trees: Motivation What if we want to compute all marginals, not just one? Doing variable elimination for.

Junction Trees And Belief Propagation. Junction Trees: Motivation What if we want to compute all marginals, not just one? Doing variable elimination for.
MMCN 19 Jan 2005 Ooi Wei Tsang Peer-to-Peer Streaming.

MMCN 19 Jan 2005 Ooi Wei Tsang Peer-to-Peer Streaming.
Defending Against Traffic Analysis Attacks in Wireless Sensor Networks Security Team 2009.07.20.

Defending Against Traffic Analysis Attacks in Wireless Sensor Networks Security Team
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
LightFlood: An Optimal Flooding Scheme for File Search in Unstructured P2P Systems Song Jiang, Lei Guo, and Xiaodong Zhang College of William and Mary.

LightFlood: An Optimal Flooding Scheme for File Search in Unstructured P2P Systems Song Jiang, Lei Guo, and Xiaodong Zhang College of William and Mary.
Resilient Peer-to-Peer Streaming Paper by: Venkata N. Padmanabhan Helen J. Wang Philip A. Chou Discussion Leader: Manfred Georg Presented by: Christoph.

Resilient Peer-to-Peer Streaming Paper by: Venkata N. Padmanabhan Helen J. Wang Philip A. Chou Discussion Leader: Manfred Georg Presented by: Christoph.
Computer Science 1 ShapeShifter: Scalable, Adaptive End-System Multicast John Byers, Jeffrey Considine, Nicholas Eskelinen, Stanislav Rost, Dmitriy Zavin.

Computer Science 1 ShapeShifter: Scalable, Adaptive End-System Multicast John Byers, Jeffrey Considine, Nicholas Eskelinen, Stanislav Rost, Dmitriy Zavin.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
Scribe: A Large-Scale and Decentralized Application-Level Multicast Infrastructure Miguel Castro, Peter Druschel, Anne-Marie Kermarrec, and Antony L. T.

Scribe: A Large-Scale and Decentralized Application-Level Multicast Infrastructure Miguel Castro, Peter Druschel, Anne-Marie Kermarrec, and Antony L. T.
SplitStream: High-Bandwidth Multicast in Cooperative Environments Marco Barreno Peer-to-peer systems 9/22/2003.

SplitStream: High-Bandwidth Multicast in Cooperative Environments Marco Barreno Peer-to-peer systems 9/22/2003.
Network Coding for Large Scale Content Distribution Christos Gkantsidis Georgia Institute of Technology Pablo Rodriguez Microsoft Research IEEE INFOCOM.

Network Coding for Large Scale Content Distribution Christos Gkantsidis Georgia Institute of Technology Pablo Rodriguez Microsoft Research IEEE INFOCOM.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

SAVE: Source Address Validity Enforcement Protocol Jun Li, Jelena Mirković, Mengqiu Wang, Peter Reiher and Lixia Zhang UCLA Computer Science Dept 10/04/2001.

Similar presentations

Ads by Google