Tiered Incentives for Integrity Based Queuing Fariba Khan, Carl A. Gunter University of Illinois at Urbana-Champaign.


1 Tiered Incentives for Integrity Based Queuing. Fariba Khan, Carl A. Gunter, University of Illinois at Urbana-Champaign

2 Outline: Problem setting; Challenges and existing work; Infrastructures for IBQ; Queuing; Analytic and experimental results

3 Internet DDoS Attack. Finding the source of an attack is difficult. It is often difficult to detect an attack packet.

4 Finding the source of an attack is difficult. It is often difficult to detect an attack packet. The legitimate client still has to get through. Could we make it so that the volume of attack packets matters less?

5 Fair-queuing. Can we figure out that she is the good guy and let her skip the long line? No: the router cannot tell whether a packet is from Alice or from Eve. Maybe give everybody the opportunity to send one packet at a time, so that no one gets to send a million. The cost: head-of-line blocking. (Figure: one service line interleaving Eve 1, Eve 2, Alice 1, Eve 3, Alice 2, Eve 4, Alice 3, fed by the queues of all Alices and all Eves.)

6 Fair-queue: Head of Line Blocking. (Figure: packets Alice 1 through Alice 7 queued behind Eve.)

7 Performance of Integrity Protection and Fairness. ns2 simulation setup: depth 10, 1024 clients/flows, 10 Mbps links, 102 attackers at 10 Mbps per attacker, client bandwidth 0.01 Mbps.

8 Source Address Validation. Ingress filtering (RFC 2827) is neither complete nor verifiable: an IP address belonging to a filtered domain can still be spoofed from within the same domain, or from an unfiltered domain. (Figure: a filtering hierarchy in which hosts 1 to 8 are aggregated into the prefixes 1,2 / 3,4 / 1-4 / 1-8 toward the core.)

9 Motivation. The effectiveness of fair-queuing depends on accurate flow classification. Even with partial authentication, legitimate flows can be impersonated by spoofed-origin flows. As the legitimate flows are choked, an ISP cannot see the benefit of deploying filtering or an advanced protocol. Goal for the client: received level of service ∝ participation in integrity protection.

10 Concept: Integrity Based Queuing (IBQ)
High integrity: highly effective queuing; each flow gets its own bucket.
Medium integrity: less effective service; rate-limited flows; shared buckets.
Low integrity: generic service; rate limited; least priority.

11 Cycle of Network Assurance

12 Design: Integrity Levels, MAC, Queue

13 Integrity Levels: Spoofing Index Table [BB05]. Strict filtering vs. regular filtering: the address range is divided into smaller subdomains, and spoofing is restricted to within that subdomain only. Example: at the University of Illinois a host can spoof the 511 neighboring addresses within its /23 prefix (2^9 = 512 addresses in total), so the spoofing index is 9 for the University of Illinois (AS3). A spoofing index table covering all autonomous systems is made available to routers.

14 MAC (RFC 4301 (IPsec); YPS03, YWA05, LLY08, GH09, YL09)

15 Queue (decision chart). First test: MAC verified? Yes or No. Second test, on the spoofing index of the source: = 0 or > 0. Outputs: per-source high-integrity queues; per-integrity-block queues; low-integrity queue.
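Added example, written for this transcript and not taken from the authors' ns2 simulation: a toy slot-based model that contrasts per-source fair queuing (the head-of-line blocking of slides 5 and 6) with the three-tier classifier of this slide, using the spoofing index of slide 13. Everything below the slide's own concepts is an assumption of mine: addresses are 32-bit integers, each AS owns one /16, the link serves one packet per slot, every queue is tail-drop with capacity 8, the three tiers are served in strict priority (the slide's rate limits on the lower tiers are omitted), and the chart is wired so that a verified MAC or a spoofing index of 0 gives a per-source high-integrity queue, 0 < index < 32 gives one queue per integrity block of 2^index addresses, and an unfiltered source (index 32) lands in the low-integrity queue. The traffic is constructed: eight attackers each spray 20 packets per slot across the 256 addresses their /24 ingress filter still lets them claim, and Alice sends one packet every four slots.

```python
"""Toy slot-based model of per-source fair queuing versus Integrity Based
Queuing (IBQ).  Added example, not the authors' ns2 code.  Assumptions: 32-bit
integer addresses, one AS per /16, a link that serves one packet per slot,
tail-drop queues of QLEN packets, and strict priority between the three tiers."""
from collections import deque
from dataclasses import dataclass

QLEN = 8            # packets a queue holds before tail drop
BURST = 20          # attacker packets per slot (the link serves 1 per slot)
ALICE_PERIOD = 4    # Alice sends one packet every 4 slots


@dataclass(frozen=True)
class Packet:
    src: int        # claimed 32-bit IPv4 source, possibly spoofed
    owner: str      # real sender, used only for scoring
    mac_ok: bool    # network-layer MAC (e.g. IPsec) verified by the ISP


def spoofing_index(prefix_len: int) -> int:
    """Ingress filtering at /prefix_len still lets a host spoof 2**(32-prefix_len)
    addresses; the slide's /23 example (511 neighbours) gives index 9."""
    return 32 - prefix_len


def as_of(addr: int) -> int:
    return addr >> 16        # assumption: each AS owns exactly one /16


class Scheduler:
    """Tiers are served in strict priority; within a tier, round-robin over
    the backlogged queues.  classify maps a Packet to (tier, queue key)."""

    def __init__(self, classify):
        self.classify = classify
        self.queues = {}                             # (tier, key) -> deque
        self.active = [deque() for _ in range(3)]    # backlogged keys per tier

    def enqueue(self, p: Packet) -> bool:
        tier, key = self.classify(p)
        q = self.queues.setdefault((tier, key), deque())
        if len(q) >= QLEN:
            return False                             # tail drop
        if not q:
            self.active[tier].append(key)
        q.append(p)
        return True

    def dequeue(self):
        for tier, keys in enumerate(self.active):
            if keys:
                key = keys.popleft()
                q = self.queues[(tier, key)]
                p = q.popleft()
                if q:
                    keys.append(key)                 # still backlogged: back of the ring
                return p
        return None


def fair_queue_classify(p: Packet):
    return 0, p.src                                  # one queue per claimed source


def ibq_classify(index_table):
    """Assumed wiring of the slide's chart: verified MAC or spoofing index 0 ->
    per-source high-integrity queue; 0 < index < 32 -> one queue per 2**index
    address block; index 32 (no filtering) -> the single low-integrity queue."""
    def classify(p: Packet):
        if p.mac_ok:
            return 0, p.src
        i = index_table.get(as_of(p.src), 32)        # unknown AS: treat as unfiltered
        if i == 0:
            return 0, p.src
        if i < 32:
            return 1, p.src >> i
        return 2, 0
    return classify


def simulate(sched: Scheduler, alice: Packet, attacker_bases, slots: int):
    """Each attacker sprays BURST packets per slot over the 256 addresses of its
    own /24 (what index-8 filtering still permits); Alice's packet is queued
    after the bursts, the worst case for her.  Returns served packets per owner."""
    served = {"alice": 0, "attacker": 0}
    for t in range(slots):
        for base in attacker_bases:
            for j in range(BURST):
                sched.enqueue(Packet(base + (t * BURST + j) % 256, "attacker", False))
        if t % ALICE_PERIOD == 0:
            sched.enqueue(alice)
        p = sched.dequeue()
        if p is not None:
            served[p.owner] += 1
    return served


def alice_served(scheme: str, alice_index: int, mac_ok: bool = False, slots: int = 400) -> int:
    """Constructed scenario: 8 attackers in 8 ASes (10.1.7.0/24 .. 10.8.7.0/24) whose
    ISPs filter at /24 (index 8); Alice is 10.0.0.5 in an AS with the given index."""
    attackers = [0x0A010700 + k * 0x10000 for k in range(8)]
    table = {as_of(a): 8 for a in attackers}
    alice_addr = 0x0A000005
    table[as_of(alice_addr)] = alice_index
    classify = fair_queue_classify if scheme == "fq" else ibq_classify(table)
    alice = Packet(alice_addr, "alice", mac_ok)
    return simulate(Scheduler(classify), alice, attackers, slots)["alice"]


if __name__ == "__main__":
    print("FQ, 8 attackers x 256 spoofed sources  :", alice_served("fq", 0))
    print("IBQ, Alice's ISP filters strictly (i=0):", alice_served("ibq", 0))
    print("IBQ, Alice's ISP filters at /24 (i=8)  :", alice_served("ibq", 8))
    print("IBQ, Alice unfiltered (i=32)           :", alice_served("ibq", 32))
    print("IBQ, Alice unfiltered but MAC verified :", alice_served("ibq", 32, mac_ok=True))
```

In 400 slots Alice offers 100 packets. Under per-source fair queuing her single queue round-robins with 2048 spoofed-source queues and exactly one packet gets through, which is the head-of-line blocking the slides describe. Under IBQ with strict filtering (index 0) or a verified MAC all 100 are served; with /24 filtering (index 8) her block takes turns with the eight attacker blocks and 44 of 100 are served; unfiltered, she sits in the low tier behind the saturated medium tier and gets nothing. The service level follows what her ISP did, which is the incentive the talk is after.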

16 Analytic Results. Assume α >> s >> β. For spoofing index i, the probability that A and B are in the same domain is p = 1/2^(32 − i). Loss rate:

17 Experimental Results. 2000 clients, 256 ASes, 16-512 attackers; client rate 64 kbps, attacker rate 64 Mbps. Effort = integrity level = success.

18 Experimental Results, example traffic: VoIP. 2000 clients, 256 ASes, 16-512 attackers; client rate 64 kbps, attacker rate 64 Mbps.

19 Experimental Results: Two Attack Styles

20 Conclusion
Thesis: using IBQ gives legitimate users an avenue to communicate with a server while the network is under attack. The service they receive relates directly to the effort their ISP spent on integrity protection and validation, which incentivizes that investment.
Future work: experiment with real DDoS attack data; overhead measurement; use of IBQ for network assurance.

21 Thank You. Questions?

23 Other Work
[0] S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter. Adaptive Selective Verification: An Efficient Adaptive Countermeasure to Thwart DoS Attacks. Submitted to IEEE/ACM Transactions on Networking (ToN).
[1] R. Bobba, O. Fatemieh, F. Khan, A. Khan, C. A. Gunter, H. Khurana, and M. Prabhakaran. Attribute-Based Messaging: Access Control and Confidentiality. ACM Transactions on Information and System Security (TISSEC). (First three authors in alphabetical order.)
[2] S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter. Adaptive Selective Verification. IEEE Conference on Computer Communications (INFOCOM '08), Phoenix, AZ, April 2008.
[3] R. Bobba, O. Fatemieh, F. Khan, C. A. Gunter, and H. Khurana. Using Attribute-Based Access Control to Enable Attribute-Based Messaging. IEEE Annual Computer Security Applications Conference (ACSAC '06), Miami, FL, December 2006. (First three authors in alphabetical order.)
[4] F. Khan. Using Attribute-Based Access Control to Enable Attribute-Based Messaging. Master's Thesis, University of Illinois, October 2006.

24 Fairness, a timeline. 1974: the Internet was designed for openness. 1989: fair queuing (FQ) becomes active research for congestion control, leading to RED. 1999: FQ again for congestion control, now at 40 Gbps. 2005: FQ becomes active research for DDoS defenses.

25 Related Work Analysis. Topology: 1024 hosts, 33 routers, 32 subdomains; spoofing index 8 (scaled down for the small topology). Links: 200 Mbps with 10 ms delay; 5% of the channel reserved for requests (10 Mbps); 1 Gbps bottleneck, comparable to 40-100 Gbps Internet links. Attack: 10% of hosts are attackers with 100-700 Mbps of attack bandwidth; a client request is 50 bytes.

