Download presentation
Presentation is loading. Please wait.
Published byJustin Grant Patterson Modified over 9 years ago
1
A Dynamic Packet Stamping Methodology for DDoS Defense Project Presentation by Maitreya Natu, Kireeti Valicherla, Namratha Hundigopal CISC 859 University of Delaware
2
05/11/2004 CISC 859 2 Outline Objectives Problem Description Related Work Proposed Solution Implementation Details Results Future Work Conclusion
3
05/11/2004 CISC 859 3 Objectives of the Project Propose a new simple and effective solution to stamp IP packet to enable easy authentication of IP packets so as to counter DDoS Attacks. Implement the above solution and conduct experiments on emulab testbed to verify its effectiveness.
4
05/11/2004 CISC 859 4 Problem Description DDoS is enormous threat to Internet. Many public websites available which don’t verify the authenticity of their users. Victims overwhelmed with requests and the legitimate users are denied service.
5
05/11/2004 CISC 859 5 Why DDoS difficult to solve? No authentication required to use services Little chance of attacker being caught Difficult to differentiate attack from legitimate traffic Huge Number of Vulnerable machines available Problem of finite resources
6
05/11/2004 CISC 859 6 Related Work IP Easy-pass: Edge Resource Access Control by H. Wang, A. Bose, M. El-Gendy, K. G. Shin Practical Network Support for IP Traceback by S. Savage, D. Wetherall, A. Karlin, T. Anderson StackPi by A. Perrig, D. Song. A. Yaar
7
05/11/2004 CISC 859 7 IP Easy-pass: Edge Resource Access Control by H. Wang, A. Bose, M. El-Gendy, K. G. Shin What we liked about this paper? –Per Packet Filtering based on IP Easy Pass –Dynamic Passes What we didn’t like about this paper? –Space Overhead –Encryption and Decryption Overhead
8
05/11/2004 CISC 859 8 Practical Network Support for IP Traceback by S. Savage, D. Wetherall, A. Karlin, T. Anderson What we liked about this paper? –The use of IP identification field for storing marks in the packets. What we didn’t like about this paper? –Reactive in nature
9
05/11/2004 CISC 859 9 StackPi by A. Perrig, D. Song. A. Yaar What we liked about this paper? –Per Packet Filtering –Proactive approach What we didn’t like about this paper? –Stale Pass –Complicated
10
05/11/2004 CISC 859 10 Desired Properties in Proposed Solution Simple to implement Limited Overheads Limited increase in end to end delay Per Packet Filtering Easily Deployable Robust
11
05/11/2004 CISC 859 11 Proposed Solution Create mechanism which would distinguish legitimate IP packets from attack packets. Drop all the packets which fail the filtering test.
12
05/11/2004 CISC 859 12 How to differentiate attack and legitimate packets? Generate Unique ID for each packet Store this key in the IP header’s identification field to avoid space overheads Routers check the packets ID field to check whether the given packet is genuine or not before forwarding to destination (Victim)
13
05/11/2004 CISC 859 13 Issues with key generation Complex generation techniques at client so that key spoofing is difficult to do Simple verification at router so that router overhead remains small Keep changing the keys so that attackers don’t have time to predict the keys
14
05/11/2004 CISC 859 14 How does our solution work? Generation of keys is done at client Initial communication between client and core router takes place to understand the initial key Generation of legitimate packets takes place Verification of packets done at core routers Router drops or accepts packets based on the key value
15
05/11/2004 CISC 859 15 Other Issues We use a sliding window to take care of packet loss or reordering. As we use dynamic pass and not a stale pass replay attacks are also avoided. Our solution can be used with any Transport or Application protocol as we just change IP ID field.
16
Implementation Details by Maitreya Natu
17
05/11/2004 CISC 859 17
18
05/11/2004 CISC 859 18 f1f1 f 100 f 101 Client uses SHA to generate a queue of 101 keys
19
05/11/2004 CISC 859 19 f1f1 f 100 f 101 Client sends the 101 st key to the router for before sending the data packets
20
05/11/2004 CISC 859 20 10.1.4.2f 101 f1f1 f 100 0 0 0 0 0 0 0 0 Router receives the key and stores it in a client table Router maintains a window to keep track of arriving packets
21
05/11/2004 CISC 859 21 10.1.4.2f 101 f1f1 f 99 f 100 0 0 0 0 0 0 0 0 Client inserts a new key (here f 100 ) in the IP ID field of each outgoing packet We use the dos code to insert the key in ID field
22
05/11/2004 CISC 859 22 10.1.4.2f 101 f1f1 f 99 f 100 0 0 0 0 0 0 0 0
23
05/11/2004 CISC 859 23 10.1.4.2f 101 f1f1 f 99 f 100 0 0 0 0 0 0 0 0
24
05/11/2004 CISC 859 24 10.1.4.2f 101 f1f1 f 99 f 100 f (f 100 ) = f 101 0 0 0 0 0 0 0 0 Router captures each packet and extracts the key from the IP ID field We use capture code to capture incoming packets It identifies the source IP address and accepts packets only with valid IP addresses For each packet with a valid IP address, applies SHA on the ID key to detect if the key is in the window range f 101 f94f94
25
05/11/2004 CISC 859 25 10.1.4.2f 101 f1f1 f 99 f 100 f (f 100 ) = f 101 1 0 0 0 0 0 0 0 Router sets the corresponding bit in the window and forwards the packet
26
05/11/2004 CISC 859 26 10.1.4.2f 100 f1f1 f 99 f 100 1 0 0 0 0 0 0 0 Router sets the corresponding bit in the window and forwards the packet
27
05/11/2004 CISC 859 27 10.1.4.2f 101 f1f1 f 98 f 99 1 1 0 0 0 0 0 0
28
05/11/2004 CISC 859 28 10.1.4.2f 101 f1f1 f 97 f 98 1 1 1 0 0 0 0 0
29
05/11/2004 CISC 859 29 10.1.4.2f 101 f1f1 f 96 f 97 1 1 1 1 0 0 0 0
30
05/11/2004 CISC 859 30 10.1.4.2f 97 f1f1 f 96 1 1 1 1 0 0 0 0 f 97 When the first four bits of the window are set, the window is advanced by 4 bits by setting the client key to the 4 th key (here f 97 ) received
31
05/11/2004 CISC 859 31 10.1.4.2f 97 f1f1 f 95 f 96 0 0 0 0 0 0 0 0 The window is advanced by 4 bits by left shifting by 4 bits to process further packets
32
05/11/2004 CISC 859 32 10.1.4.2f 101 f1f1 f 92 1 1 0 1 0 1 1 0
33
05/11/2004 CISC 859 33 10.1.4.2f 101 f1f1 f 92 f 93 1 1 0 1 0 1 1 0
34
05/11/2004 CISC 859 34 10.1.4.2f 93 f1f1 f 92 1 1 0 1 0 1 1 1 f 93 If the first 4 bits are not set due to packet loss, then the window is shifted when the 8 th packet is received, changing the client key to the 8 th key (here f 93 ) received
35
05/11/2004 CISC 859 35 10.1.4.2f 93 f1f1 f 91 f 92 0 0 0 0 0 0 0 0 The window is advanced by 8 bits by left shifting by 8 bits to process further packets
36
Results By Namratha Hundigopal
37
05/11/2004 CISC 859 37 Topology V LAN 5Mb 250 kb 1Mb
38
05/11/2004 CISC 859 38Results Client 20 pkts/sec for 10 sec Attacker 5 – 130 pkts/sec for 15 sec
39
05/11/2004 CISC 859 39 Client 20 pkts/sec for 10 sec Attacker 5 – 70 pkts/sec for 15 sec
40
05/11/2004 CISC 859 40
41
05/11/2004 CISC 859 41
42
05/11/2004 CISC 859 42 Future Work Implementation of initial handshake between legitimate clients and router Extension of the scheme to achieve a secure end to end path Testing with smart attacks Testing with real time applications
43
05/11/2004 CISC 859 43 Conclusion Proposed a stamping technique to identify legitimate packets Implemented the algorithm on emulab testbed It effectively prevents legitimate packets from loss for all flooding rates we considered with negligible increase in end to end delay
44
05/11/2004 CISC 859 44 Question or Comments? Thank you
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.