Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133.

Published byBonnie Long Modified over 8 years ago

Similar presentations

Presentation on theme: "SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133."— Presentation transcript:

1 SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133

2 Outline Introduction SOS Architecture Defense Against Attacks Performance Strength Weaknesses Future Work

3 DOS ATTACK

4 Introduction SOS – Secure Overlay Services Proactively secure communications between known entities against Denial of Service (DoS) Attacks Assumes a pre-determined set of approved clients communicating with a target Packets are validated at entry points of the overlay and once inside are tunneled securely to secretly designated nodes.

5 SOS Architecture Diagram

6 SOS Architecture Target Selects some subset of nodes to act as Secret Servlets Accepts traffic only from Secret Servlet IPs Secret Servlets Verifies authenticity of request to act as Secret Servlet Identifies Beacon Nodes

7 SOS Architecture Beacon Nodes Notified by either Secret Servlets or Target of their role (“Hey, you’re a Beacon!”)‏ Verify validity of information received Forwards traffic received to particular Secret Servlet associated with Target

8 SOS Architecture Secure Overlay Access Point (SOAP) Nodes Authenticates and authorizes request from client to communicate with Target Securely routes all traffic to Target via Beacon nodes Verification of packet is done by IPsec or TSL

9 Protection Against DoS If an SOAP node is attacked, source point can enter through an alternate SOAP node If a node within the overlay is attacked, the node “exits” and the overlay provides new paths to Beacons No node is more important or sensitive than any other If Secret Servlet is compromised, new subset of Secret Servlets can be chosen

10 Secured Overlay Service

11 Defending Against Attack Security Analysis Assumptions: An attacker knows and can attack overlay nodes Attacker does not know functionality of any given node, and cannot determine it Bandwidth available to launch an attack is limited Different users access overlay via different SOAPs A node can simultaneously act as a SOAP, Beacon and/or Secret Servlet

12 Example

13 Defending Against Static Attacks ~40% of nodes must be attacked simultaneously for attack to succeed once out of 10,000 attempts

14 Defending Against Static Attacks Increasing number of Beacons and Secret Servlets quickly drops probability of successful attack

15 Performance Measurement of time-to-completion of https requests Depending upon the number of nodes in the overlay, the time-to-completion increases by a factor of 2-10

16 Strengths Proactive approach to fighting Denial of Service (DoS) attacks Overlay can self-heal when a participant node is attacked Scalable access control

17 Weaknesses Assumes, for security analysis, that no attack can come from inside the overlay Assumes that an attacker cannot mask illegitimate traffic to appear legitimate To improve scalability, the number of SOAPs, Beacons, and Secret Servlets are limited – which lessens protection from DoS attacks Shortcut implementation does not protect secret information

18 Future Work More details about how repair and attack processes will function Evaluation of damage and attack that can come from inside the overlay Consideration of attack traffic that may be able to pass through overlay Exploration of overlays shared by multiple organizations in a secure manner Investigation of possible shortcuts through the overlay that do not compromise security

19 Thank You !!!!

Download ppt "SOS: An Architecture For Mitigating DDoS Attacks Angelos D. Keromytis, Vishal Misra, Dan Rubenstein ACM SIGCOMM 2002 Presented By : Hiral Chhaya CDA 6133."

Similar presentations

Chris Karlof and David Wagner

Chris Karlof and David Wagner
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
2009-03-16 1 Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.

Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.
Quiz 1 Posted on DEN 8 multiple-choice questions

Quiz 1 Posted on DEN 8 multiple-choice questions
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.

October 31st, 2003ACM SSRS'03 Tolerating Denial-of-Service Attacks Using Overlay Networks – Impact of Topology Ju Wang 1, Linyuan Lu 2 and Andrew A. Chien.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.

Ragib Hasan University of Alabama at Birmingham CS 491/691/791 Fall 2012 Lecture 2 08/21/2012 Security and Privacy in Cloud Computing.
A Survey of Secure Wireless Ad Hoc Routing

A Survey of Secure Wireless Ad Hoc Routing
FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.

FastPass: Availability Tokens to Defeat DoS Presented at CMU Systems Seminar by: Dan Wendlandt Work with: David Andersen & Adrian Perrig.
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.

Citrix ® Secure Gateway Phil Montgomery Senior Product Manager Citrix Products and Services October 2001.
WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.

WS-Denial_of_Service Dariusz Grabka M.Sc. Candidate University of Guelph February 13 th 2007.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.

You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

Similar presentations

Ads by Google