Presentation is loading. Please wait.

Presentation is loading. Please wait.

Presenter: Chen Chih-Ming 96/12/27. Outline  Background  Problem Definition  State of Art  Portcullis Architecture  Designs  Potential Attacks 

Published byJemimah Ward Modified over 8 years ago

Similar presentations

Presentation on theme: "Presenter: Chen Chih-Ming 96/12/27. Outline  Background  Problem Definition  State of Art  Portcullis Architecture  Designs  Potential Attacks "— Presentation transcript:

1 Presenter: Chen Chih-Ming 96/12/27

2 Outline  Background  Problem Definition  State of Art  Portcullis Architecture  Designs  Potential Attacks  Evaluation  Discussion  Conclusion

3 Background  DoS Protected by Capability-based System  Capability-based System  DoC Flood request channel!

4 Problem Definition  Guarantee successfully transmitting

5 State of Art  Identity-Based Fairness Per-Source Fairness Per-Path Fairness (TVA) Per-Destination Fairness  Proof-of-Work Schemes Per-Bandwidth Fairness (Speak up) Per-Computation Fairness

6 Portcullis Architecture  Authenticity  Availability  Freshness  Efficiency  Granularity

7 Design

8 Design – cont.  p = H(x||r||h i ||dest IP||l) r : 64 bit random choosed by client h i :seed from DNS Dest IP: Destination IP l : puzzle level, find the last l bits of p are all zero

9 Theoretical Result  Assume attack have bounded resources  Equal computation power  M = Number of malicious machines  Result Legitimate clients succeed in time O(M) For any routing policy, the time needed for capability setup is O(M)

10 Potential Attacks  Sharing Puzzle Solutions Attack different link Still cannot flood bottleneck  Timing Amplification High level puzzle need more time. Low level puzzle can pass through.

11 Evaluation  Internet Scale Simulation  Portcullis Attacker Strategies  Comparative Simulations  Partial Deployment

12 Evaluation – cont.  Internet Scale Simulation DAIDA Skitter probe result ○ Router-level topology Victim uses single link connect Internet No bandwidth measurement ○ Sender have 1/10 bw of receiver(200Mbps) ○ Others are 10x bw of receiver Request packet is 1000 bits Request channel occupies 5% bw Randomly place client Equal computational resources

13 Evaluation – cont.  Portcullis Attacker Strategies

14 Evaluation – cont.  Comparative Simulations IP to ASN map router to AS for TVA

15 Evaluation – cont.  Partial Deployment Victim’s ISP upgrades router.

16 Discussion  Asymmetric computation Power Memory bound function, 3x~5x  Puzzle Inflation Not exhausted Exhausted by high level packet Exhausted by mixture packet PlatformSHA-1 hashes/minNormalized Nokia 662025k1 Nokia N7036k1.33 Sharp Zaurus PDA56k2.24 Xeon 3.2GHz PC956k38.24

17 Conclusion  Portcullis can make capability-based system more robust against DoC.

18 Comment  Partial Deployment is strong advantage.  Computing power varies dramatically from platform to platform.

19  Bye

Download ppt "Presenter: Chen Chih-Ming 96/12/27. Outline  Background  Problem Definition  State of Art  Portcullis Architecture  Designs  Potential Attacks "

Similar presentations

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June 28 2007.

The role of network capabilities Xiaowei Yang UC Irvine NSF FIND PI meeting, June
Security Issues In Mobile IP

Security Issues In Mobile IP
Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.

Loose Source Routing as a Mechanism for Traffic Policies Katerina Argyraki and David R. Cheriton Presented by Thuan Huynh, Robert Patro, and Shomir Wilson.
Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1.

Mitigate DDoS Attacks in NDN by Interest Traceback Huichen Dai, Yi Wang, Jindou Fan, Bin Liu Tsinghua University, China 1.
Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.

Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.
The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.

The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network Rob Jansen et. al NDSS 2014 Presenter: Yue Li Part of slides adapted from R.
FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.

FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.

IP Spoofing Defense On the State of IP Spoofing Defense TOBY EHRENKRANZ and JUN LI University of Oregon 1 IP Spoofing Defense.
1 June 2015 Validating Inter-Domain SLAs with a Programmable Traffic Control System Elisa Boschi

1 June 2015 Validating Inter-Domain SLAs with a Programmable Traffic Control System Elisa Boschi
Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.

Receiver-driven Layered Multicast S. McCanne, V. Jacobsen and M. Vetterli SIGCOMM 1996.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
A DoS-limiting Network Architecture CSCE 715: Fall’06 Presentation by: Amit Jain Shantnu Chaturvedi.

A DoS-limiting Network Architecture CSCE 715: Fall’06 Presentation by: Amit Jain Shantnu Chaturvedi.
2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.

2005 Stanford Computer Systems Lab Flow Cookies Bandwidth Amplification as Flooding Defense Martin Casado, Pei Cao Niels Provos.
Criticisms of I3 Zhichun Li. General Issues Functionality Security Performance Practicality If not significant better than existing schemes, why bother?

Criticisms of I3 Zhichun Li. General Issues Functionality Security Performance Practicality If not significant better than existing schemes, why bother?
To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets Xin Liu Xiaowei Yang Yanbin Lu UC Irvine

To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets Xin Liu Xiaowei Yang Yanbin Lu UC Irvine
Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.

Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.
A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.

A DoS-Limiting Network Architecture Presented by Karl Deng Sagar Vemuri.
© 2003 By Default! A Free sample background from www.powerpointbackgrounds.com Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,

© 2003 By Default! A Free sample background from Slide 1 SAVE: Source Address Validity Enforcement Protocol Authors: Li,
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )

Similar presentations

Ads by Google