Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938.

Published byOswald Jefferson Modified over 8 years ago

Similar presentations

Presentation on theme: "SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938."— Presentation transcript:

1 SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938 April 12, 2007

2 Outline Introduction SOS Architecture Defense Against Attacks Performance Strength Weaknesses Future Work

3 Introduction SOS – Secure Overlay Services Proactively secure communications between known entities against Denial of Service (DoS) Attacks Assumes a pre-determined set of approved clients communicating with a target Focus efforts on a site that stores information that is difficult to replace

4 SOS Architecture Diagram

5 SOS Architecture Target Selects some subset of nodes to act as Secret Servlets Accepts traffic only from Secret Servlet IPs Secret Servlets Verifies authenticity of request to act as Secret Servlet Identifies Beacon Nodes

6 SOS Architecture Beacon Nodes Notified by either Secret Servlets or Target of their role (“Hey, you’re a Beacon!”) Verify validity of information received Forwards traffic received to particular Secret Servlet associated with Target

7 SOS Architecture Secure Overlay Access Point (SOAP) Nodes Authenticates and authorizes request from client to communicate with Target Securely routes all traffic to Target via Beacon nodes

8 Protection Against DoS If an SOAP node is attacked, source point can enter through an alternate SOAP node If a node within the overlay is attacked, the node “exits” and the overlay provides new paths to Beacons No node is more important or sensitive than any other If Secret Servlet is compromised, new subset of Secret Servlets can be chosen

9 Defending Against Attack Security Analysis Assumptions: An attacker knows and can attack overlay nodes Attacker does not know functionality of any given node, and cannot determine it Bandwidth available to launch an attack is limited Attack packets can always be identified as illegitimate traffic Different users access overlay via different SOAPs A node can simultaneously act as a SOAP, Beacon and/or Secret Servlet

10 Defending Against Static Attacks ~40% of nodes must be attacked simultaneously for attack to succeed once out of 10,000 attempts Increasing number of Beacons and Secret Servlets quickly drops probability of successful attack

11 Defending Against Dynamic Attacks Dynamic Attack allows for SOS to self-heal; Attacker can then alter attack in response Centralized vs. Distributed Repair Process Centralized vs. Distributed Attack Process

12 Defending Against Network Attacks Several zombies launch attack on Target Triggered immediately or at some specified time Anonymizing the Attacked Node When Secret Servlet Identity is unknown, attacks randomly launched into overlay Only a fraction of attack traffic will reach appropriate servlet Placing targeted servlet in an overlay of size 30 reduces probability of attack by 4 orders of magnitude

13 Performance Measurement of time-to-completion of https requests Depending upon the number of nodes in the overlay, the time-to-completion increases by a factor of 2-10

14 Performance Shortcut Implementation SOAPs contact Beacon nodes to determine Secret Servlet; cache information and route future traffic from source directly to Servlet Latency increases by as little as a factor of 2

15 Strengths Proactive approach to fighting Denial of Service (DoS) attacks Overlay can self-heal when a participant node is attacked Scalable access control

16 Weaknesses Assumes, for security analysis, that no attack can come from inside the overlay Assumes that an attacker cannot mask illegitimate traffic to appear legitimate To improve scalability, the number of SOAPs, Beacons, and Secret Servlets are limited – which lessens protection from DoS attacks Shortcut implementation does not protect secret information

17 Future Work More details about how repair and attack processes will function Evaluation of damage and attack that can come from inside the overlay Consideration of attack traffic that may be able to pass through overlay Exploration of overlays shared by multiple organizations in a secure manner Investigation of possible shortcuts through the overlay that do not compromise security

Download ppt "SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Tracy Wagner CDA 6938."

Similar presentations

Chris Karlof and David Wagner

Chris Karlof and David Wagner
2009-03-16 1 Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.

Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.

October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Barracuda Web Application Firewall

Barracuda Web Application Firewall
WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.

WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
1 SOS: Secure Overlay Services Angelos Keromytis, Dept. of Computer Science Vishal Misra, Dept. of Computer Science Dan Rubenstein, Dept. of Electrical.

1 SOS: Secure Overlay Services Angelos Keromytis, Dept. of Computer Science Vishal Misra, Dept. of Computer Science Dan Rubenstein, Dept. of Electrical.
Secure Routing in Sensor Networks: Attacks and Countermeasures First IEEE International Workshop on Sensor Network Protocols and Applications 5/11/2003.

Secure Routing in Sensor Networks: Attacks and Countermeasures First IEEE International Workshop on Sensor Network Protocols and Applications 5/11/2003.
Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.

Detecting Network Intrusions via Sampling : A Game Theoretic Approach Presented By: Matt Vidal Murali Kodialam T.V. Lakshman July 22, 2003 Bell Labs, Lucent.
Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.

Random Key Predistribution Schemes for Sensor Networks Authors: Haowen Chan, Adrian Perrig, Dawn Song Carnegie Mellon University Presented by: Johnny Flowers.
PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.

PSMC Proxy Server-based Multipath Connection CS 526 Advanced Networking - Richard White.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.

Flash Crowds And Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites Aaron Beach Cs395 network security.
Delay Tolerant Networking Gareth Ferneyhough UNR CSE Department 4-19-2010.

Delay Tolerant Networking Gareth Ferneyhough UNR CSE Department

Similar presentations

Ads by Google