addressing shortcomings of existing ddos protection
play

Addressing Shortcomings of Existing DDoS Protection Software Using - PowerPoint PPT Presentation

Apr 10, 2024 •200 likes •677 views

Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking SSP 2018, Hildesheim Lukas Ifflnder , Stefan Geissler, Jrgen Walter, Lukas Beierlieb, Samuel Kounev 08.11.2018

  1. Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking SSP 2018, Hildesheim Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev 08.11.2018 http://se.informatik.uni-wuerzburg.de/

  2. Motivation  No definite defense possible, only mitigation  Long time security threat  More dangerous than ever: • Increasing number of IoT devices • Generally lower security level  Marginal performance increase of defense systems hardware Need for more effective mitigation approaches Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 2 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  3. SYN Flood EXPLANATION Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 3 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  4. TCP  TCP is a reliable transport protocol: • Retransmission of lost packets • Sorting of out-of-order packets  Sequence number on every packet is necessary  Initial sequence numbers are established in a three-way handshake Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 4 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  5. TCP Handshake Server Client Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 5 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  6. SYN Flood Server Client Backlog: TCB sIP1 TCB TCB sIP1 sIP2 TCB TCB TCB sIP1 sIP2 sIP3 TCB TCB TCB TCB sIP1 sIP2 sIP3 sIP4 Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 6 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  7. SYN Flood Explanation  Attacker can spoof any source IP address  Server has to create TCB and keep it for a while  SYN packets are small: • 14 byte (Ethernet header) + 20 byte (IP header) + 20 byte (TCP header) = 54 byte • 1 Mbit/s can transport 2314 pps • 1 Mpps requires 432 Mbit/s Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 7 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  8. SYN Flood EXISTING DEFENSE MECHANISMS Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 8 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  9. SYN Cookies Server Client source dest. IP/Port IP/Port time mod 32 MSS crypt. option HASH 5 3 24 calculate expected cookie, compare with ackn-1 Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 9 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  10. SYN Cookies  Amount of half-open connections not limited by backlog  CPU is burdened with hash calculations  TCP options are restricted  Only active when backlog is full Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 10 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  11. SYN PROXY – Connection Establishment SYN Client PROXY Server Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 11 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  12. SYN PROXY – Data Transfer SYN Client PROXY Server Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 12 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  13. SYN PROXY  Implemented as an IPtables module  Does not have to run on target machine  Only complete handshakes reach target  Proxy cannot predetermine server’s ISN  seqn/ackn translation always necessary Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 13 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  14. Limitations SYN Cookies SYN PROXY Has to run on service host Stateful   No independent scaling Network bottle neck   Independent scaling complex  Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 14 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  15. In a Nutshell  Problem: • Existing solutions can not easily be scaled indepentently from the service host  Idea: • Complete handshake in proxy • Route subsequent packets directly  Benefit: • Server handles only established connections • Proxy can specialize on handshake handling  Action: • Develop proxy network function, utilize SDN, modify server kernel Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 15 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  16. SYN Flood SDN/NFV APPROACH Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 16 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  17. SDN and NFV Software Defined Networking Network Function Virtualization  SDN switches’ behavior is determined by Network functions modify packets not  a set of flows addressed to them • Firewall  SDN controller modify and monitor flow sets of connected switches • Switch • IDS  A flow consists of: Virtualized NF is running on COTS • Match  hardware (instead of being an ASIC) • Action • Stats Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 17 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  18. SDN/NFV Approach Attacker Server Gateway Client Traditional network Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 18 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  19. SDN/NFV Approach Controller VNF Attacker Server Gateway OF-switch Client SDN enabled network Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 19 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  20. SDN/NFV Approach Controller VNF Attacker Server Gateway OF-switch Prio Match Action Client 0 GW VNF 0 SERV VNF 0 VNF GW 1 VNF, daddr=s_ip SERV Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 20 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  21. SDN/NFV Approach Attacker sends SYN packets with spoofed addresses Controller VNF SYN ACK Attacker SYN Server Gateway OF-switch Prio Match Action Client 0 GW VNF 0 SERV VNF 0 VNF GW 1 VNF, daddr=s_ip SERV Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 21 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  22. SDN/NFV Approach Client opens connection REST Controller VNF ACK OF SYN SYN+ ACK Attacker SYN Server Gateway OF-switch data ACK SYN data Prio Match Action Client ACK 0 GW VNF 0 SERV VNF 0 VNF GW 1 VNF, daddr=s_ip SERV 10 GW, from client SERV 10 SERV, to client GW Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 22 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  23. IMPLEMENTATION Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 23 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  24. Implementation: Kernel Modification  Simple concept  Only 8 lines of code  Kernel recompilation necessary  Complete handshake required Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 24 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  25. Implementation: VNF VNF is split in DPDK application and Python application DPDK:  Handshaking Python:  REST requests  (HTTP flood defense) Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 25 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  26. INITIAL EVALUATION Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 26 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  27. Virtual Testbed Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 27 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

  28. Testing Methodology  Attacker floods SYN packets with delay between each packet  Client sends 50 SYN packets in 0.5s intervals  Score is the amount of answered client SYN packets Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking 28 Lukas Iffländer , Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev

Recommend

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon

No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon

No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon Allison.Nixon@integralis.com Pentesting, Incident Response PaulDotCom host Cloud Based DDOS Protection How it works Fundamental flaws

875 views • 25 slides
DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat

DDoS protection Using Netfilter/iptables Jesper Dangaard Brouer Senior Kernel Engineer, Red Hat RMLL Montpellier, July 2014 1/36 Email: brouer@redhat.com / netoptimizer@brouer.com / hawk@kernel.org DDoS protection using Netfilter/iptables

822 views • 38 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos & https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter Reiher Manu Shantharam & David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure Application Services CONFIDENTIAL | DO NOT DISTRIBUTE Company 1. CONFIDENTIAL | DO NOT DISTRIBUTE Attack Tools over Time - Evolved Binary

385 views • 12 slides
XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at

XDP in Practice DDoS Mitigation @Cloudflare Gilberto Bertin About me Systems Engineer at Cloudflare London DDoS Mitigation Team Enjoy messing with networking and Linux kernel Agenda Cloudflare DDoS mitigation pipeline Iptables and

802 views • 65 slides
On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

438 views • 25 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection & Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
Social protection schemes & cash transfers Considering their role for addressing development

Social protection schemes & cash transfers Considering their role for addressing development

Social protection schemes & cash transfers Considering their role for addressing development challenges beyond poverty Lori Heise Ana Maria Buller A new magic bullet? Increasing interest in using cash transfers to affect a host of

466 views • 14 slides
information for sustainable aquaculture development, addressing environmental protection in

information for sustainable aquaculture development, addressing environmental protection in

Project summary: Background information for sustainable aquaculture development, addressing environmental protection in particular SUSAQ Sub-Title: Sustainable Aquaculture Development in the context of the Water Framework Directive and

480 views • 22 slides

More recommend