netfence preventing internet denial of service from
play

NetFence: Preventing Internet Denial of Service from Inside Out - PowerPoint PPT Presentation

Jan 12, 2024 •153 likes •1.46k views

NetFence: Preventing Internet Denial of Service from Inside Out Xiaowei Yang (Duke University) with Xin Liu (Duke University) Yong Xia (NEC Labs China) Sigcomm 2010 Delhi, India DoS is a Formidable Threat Distributed attacks: many

  1. How does NetFence Work? L • A router under attack replaces nop with L  – All traffic – Signal congestion to access router – L  link,   act, mon  mode = MAC (src, dst, ts, L, mon,  , ) – – No downstream overwrite

  2. How does NetFence Work? L • A router under attack replaces nop with L  – All traffic – Signal congestion to access router – L  link,   act, mon  mode = MAC (src, dst, ts, L, mon,  , ) – – No downstream overwrite

  3. How does NetFence Work? L • A router under attack replaces nop with L  – All traffic – Signal congestion to access router – L  link,   act, mon  mode = MAC (src, dst, ts, L, mon,  , ) – – No downstream overwrite

  4. How does NetFence Work? L A shared time-varying secret key via distributed Diffie-Hellman via BGP [Passport] • A router under attack replaces nop with L  – All traffic – Signal congestion to access router – L  link,   act, mon  mode = MAC (src, dst, ts, L, mon,  , ) – – No downstream overwrite

  5. How does NetFence Work? L A shared time-varying secret key via distributed Diffie-Hellman via BGP [Passport] • A router under attack replaces nop with L  – All traffic – Signal congestion to access router – L  link,   act, mon  mode = MAC (src, dst, ts, L, mon,  , ) – – No downstream overwrite

  6. How does NetFence Work? L A shared time-varying secret key via distributed Diffie-Hellman via BGP [Passport] • A router under attack replaces nop with L  – All traffic – Signal congestion to access router – L  link,   act, mon  mode = MAC (src, dst, ts, L, mon,  , ) – – No downstream overwrite

  7. How does NetFence Work? L • A receiver use the feedback as capabilities • Sender sends regular packets that carry the congestion policing feedback – Could be nop when there is no attack – Can’t send if receiving no feedback from receiver

  8. How does NetFence Work? L • A receiver use the feedback as capabilities • Sender sends regular packets that carry the congestion policing feedback – Could be nop when there is no attack – Can’t send if receiving no feedback from receiver

  9. How does NetFence Work? L • A receiver use the feedback as capabilities • Sender sends regular packets that carry the congestion policing feedback – Could be nop when there is no attack – Can’t send if receiving no feedback from receiver

  10. How does NetFence Work? L • A receiver use the feedback as capabilities • Sender sends regular packets that carry the congestion policing feedback – Could be nop when there is no attack – Can’t send if receiving no feedback from receiver

  11. How does NetFence Work? L • A receiver use the feedback as capabilities • Sender sends regular packets that carry the congestion policing feedback – Could be nop when there is no attack – Can’t send if receiving no feedback from receiver

  12. How does NetFence Work? L • A receiver use the feedback as capabilities • Sender sends regular packets that carry the congestion policing feedback – Could be nop when there is no attack – Can’t send if receiving no feedback from receiver

  13. How does NetFence Work? L • Access router validates feedback • Starts congestion policing – One leaky bucket per (src, L) limits sending rate – Not distinguish legitimate/malicious senders • Resets L  – now  ts,   act = MAC (src, dst, ts, L, mon,  ) –

  14. How does NetFence Work? L • Access router validates feedback • Starts congestion policing – One leaky bucket per (src, L) limits sending rate – Not distinguish legitimate/malicious senders • Resets L  – now  ts,   act = MAC (src, dst, ts, L, mon,  ) –

  15. How does NetFence Work? (src, L) L • Access router validates feedback • Starts congestion policing – One leaky bucket per (src, L) limits sending rate – Not distinguish legitimate/malicious senders • Resets L  – now  ts,   act = MAC (src, dst, ts, L, mon,  ) –

  16. How does NetFence Work? (src, L) L • Access router validates feedback • Starts congestion policing – One leaky bucket per (src, L) limits sending rate – Not distinguish legitimate/malicious senders • Resets L  – now  ts,   act = MAC (src, dst, ts, L, mon,  ) –

  17. How does NetFence Work? (src, L) L • Access router validates feedback • Starts congestion policing – One leaky bucket per (src, L) limits sending rate – Not distinguish legitimate/malicious senders • Resets L  – now  ts,   act = MAC (src, dst, ts, L, mon,  ) –

  18. How does NetFence Work? (src, L) L

  19. How does NetFence Work? (src, L) L

  20. How does NetFence Work? (src, L) L • Establishes a congestion policing loop – Bottleneck router signals • If congested, L   L  • Otherwise, L  – Access router polices • Periodic Additive Increase Multiplicative Decrease (AIMD, TCP-like) for fairness and efficiency

  21. How does NetFence Work? (src, L) L • Establishes a congestion policing loop – Bottleneck router signals • If congested, L   L  • Otherwise, L  – Access router polices • Periodic Additive Increase Multiplicative Decrease (AIMD, TCP-like) for fairness and efficiency

  22. How does NetFence Work? (src, L) L • Establishes a congestion policing loop – Bottleneck router signals • If congested, L   L  • Otherwise, L  – Access router polices • Periodic Additive Increase Multiplicative Decrease (AIMD, TCP-like) for fairness and efficiency

  23. How does NetFence Work? (src, L) L • Establishes a congestion policing loop – Bottleneck router signals • If congested, L   L  • Otherwise, L  – Access router polices • Periodic Additive Increase Multiplicative Decrease (AIMD, TCP-like) for fairness and efficiency

  24. How does NetFence Work? (src, L) L • Establishes a congestion policing loop – Bottleneck router signals • If congested, L   L  • Otherwise, L  – Access router polices L  L  • Periodic Additive Increase Multiplicative Decrease (AIMD, TCP-like) for fairness and efficiency

  25. How does NetFence Work? • Bottleneck router 1. Detect attack to start a policing cycle Loss or load based • 2. Signal congestion within a cycle Random Early Detection (RED) •

  26. Recap: Why It Works 1. Secret keys to secure congestion policing feedback 2. Periodic AIMD based on secure congestion police feedback L  L  3. Secure congestion feedback as network capabilities

  27. Properties • Provable fairness – Denial of Service  Predictable Delay of Service Theorem: Given G good and B bad senders sharing a bottleneck link of capacity C , regardless of the attack strategies, any good sender g with sufficient demand eventually obtains a fair share  v g C  G B where and is a transport efficiency factor.   v 1 g

  28. Properties • Provable fairness – Denial of Service  Predictable Delay of Service Theorem: Given G good and B bad senders sharing a bottleneck link of capacity C , regardless of the attack strategies, any good sender g with sufficient demand eventually obtains a fair share  v g C  G B where and is a transport efficiency factor.   v 1 g

  29. Properties • Provable fairness – Denial of Service  Predictable Delay of Service Theorem: Given G good and B bad senders sharing a bottleneck link of capacity C , regardless of the attack strategies, any good sender g with sufficient demand eventually obtains a fair share  v g C  G B where and is a transport efficiency factor.   v 1 g

  30. Now the Trickier Stuff

  31. More Challenges • A broad range of attacks – Flood request packets (with no feedback) – Hide L  – Evade attack detection – On/Off – … • Multiple bottlenecks • Practical constraints – Low overhead – Gradual deployment – Incentive-compatible adoption

  32. More Challenges • A broad range of attacks – Flood request packets (with no feedback) – Hide L  – Evade attack detection – On/Off – … • Multiple bottlenecks • Practical constraints – Low overhead – Gradual deployment – Incentive-compatible adoption

  33. Limiting Request Packet Floods L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles •

  34. Limiting Request Packet Floods L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles •

  35. Limiting Request Packet Floods k L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles •

  36. Limiting Request Packet Floods 2   k 1 k L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles •

  37. Limiting Request Packet Floods 2   k 1 k L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles •

  38. Limiting Request Packet Floods 2   k 1 k k-1 L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles •

  39. Limiting Request Packet Floods 2   k 1 k k-1 L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles •

  40. Limiting Request Packet Floods 2   k 1 k k-1 L 1. Separate request packet channel 2. Per-sender request packet policing 3. Priority-based backoff Emulate computational puzzles • 1. Eventual success 2. Efficient: waiting replaces proof of work

  41. Making hiding L  ineffective Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  42. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  43. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  44. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  45. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  46. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  47. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router t e t e + I ctrl Access Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  48. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router t e t e + I ctrl Access Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  49. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router t e t e + I ctrl Access Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  50. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router t e t e + I ctrl Access Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

  51. Making hiding L  ineffective t 1 t 2 t 2 + 2 I ctrl Bottleneck Router t e t e + I ctrl Access Router Robust signaling rate increase with L  • 1. Treating the absence of L  as L  2. Stamping no L  for sufficiently long after congestion ends

Recommend

A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil

A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil

A study of denial of service attacks on the Internet David J. Marchette marchettedj@nswc.navy.mil Naval Surface Warfare Center Code B10 < > - + A study of denial of service attacks on the Internet p.1/39 Outline Background

761 views • 54 slides
Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity

Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity

Inferring Internet Inferring Internet Denial- -of of- -Service Activity Service Activity Denial Geoffrey M. Voelker Geoffrey M. Voelker University of California, San Diego University of California, San Diego Joint work with David Moore

369 views • 32 slides
Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner March 5, 2013 Attacks on

Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner March 5, 2013 Attacks on

Denial-of-Service (DoS) CS 161: Computer Security Prof. David Wagner March 5, 2013 Attacks on Availability Denial-of-Service (DoS): preventing legitimate users from using a computing service We do though need to consider our threat model

1.09k views • 42 slides
IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai

SPAWAR S YSTEMS C ENTER P ACIFIC IoDDoS The Internet of Distributed Denial of Service Attacks A Case Study of the Mirai Malware and IoT-Based Botnets 24-26 April, 2017 Presented at the 2 nd International Conference Presented by Roger

654 views • 20 slides
Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements:

Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements:

Denial of Service A/acks Cunsheng Ding Department of CSE HKUST, Hong Kong Acknowledgements: Materials are taken from the Internet COMP4631 1 Agenda of this lecture Zombie computers, bots, botnets Denial of service (DoS) a/acks

630 views • 45 slides
Denial of Service Denial of Service An attack designed to disrupt or completely deny

Denial of Service Denial of Service An attack designed to disrupt or completely deny

1 Denial of Service Denial of Service An attack designed to disrupt or completely deny legitimate users access to network, servers, services, or other resources Two basic favors: Target resource starvation Network

430 views • 19 slides
Denial of Service attacks Markus Peuhkuri 2005-04-12 Lecture topics Types of denial of service

Denial of Service attacks Markus Peuhkuri 2005-04-12 Lecture topics Types of denial of service

Denial of Service attacks Markus Peuhkuri 2005-04-12 Lecture topics Types of denial of service How to mitigate attacks How to find out senders What is Denial of Service

542 views • 8 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan

Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan

Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan Savage Presented by Thangam Seenivasan & Rabin Karki 1 Simple Question How prevalent are denial-of-service

886 views • 50 slides
Denial of Service Last Class Fault tolerance Concurrency Naming This Class

Denial of Service Last Class Fault tolerance Concurrency Naming This Class

Denial of Service Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a

436 views • 28 slides
Denial-of-Service (DoS), continued CS 161: Computer Security Prof. David Wagner April 4, 2016

Denial-of-Service (DoS), continued CS 161: Computer Security Prof. David Wagner April 4, 2016

Denial-of-Service (DoS), continued CS 161: Computer Security Prof. David Wagner April 4, 2016 Transport-Level Denial-of-Service Recall TCPs 3-way connection establishment handshake Goal: agree on initial sequence numbers Server Client

530 views • 40 slides
Countering SYN Flood Denial-of-Service (DoS) Attacks Ross Oliver Tech Mavens

Countering SYN Flood Denial-of-Service (DoS) Attacks Ross Oliver Tech Mavens

Countering SYN Flood Denial-of-Service (DoS) Attacks Ross Oliver Tech Mavens reo@tech-mavens.com What is a Denial-of- Service (DoS) attack? ! Attacker generates unusually large volume of requests, overwhelming your servers ! Legitimate

493 views • 27 slides
Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST

Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST

Denial of Service Attacks Types, Causes, Motives & Remedies By M. Raza ur Rehman NUST PAKCON 2004 Denial of Service Attacks Attempts to prevent or disturb legitimate access to co mputer resources Resources like bandwidth, services

557 views • 18 slides
CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL:

CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ CSE543 Computer (and Network) Security - Fall 2007 - Professor Jaeger 1 Denial of Service Intentional prevention

663 views • 25 slides
Denial of Service Attacks that prevent legitimate users from doing their work By flooding

Denial of Service Attacks that prevent legitimate users from doing their work By flooding

Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing tables Or flooding routers Or destroying key packets Lecture 9 Page 1 CS 236 Online How Do Denial of

259 views • 15 slides
Automated Detection of Guessing and Denial of Service Attacks in Security Protocols Marius Minea

Automated Detection of Guessing and Denial of Service Attacks in Security Protocols Marius Minea

Automated Detection of Guessing and Denial of Service Attacks in Security Protocols Marius Minea Politehnica University of Timi soara CMACS seminar, CMU, 18 March 2010 In this talk Formalizing attacks on protocols denial of service by

732 views • 45 slides
Using A Cost-Based Framework For Analyzing Denial Of Service Presented By: Joan Paul A

Using A Cost-Based Framework For Analyzing Denial Of Service Presented By: Joan Paul A

Using A Cost-Based Framework For Analyzing Denial Of Service Presented By: Joan Paul A Cost-Based Framework for Analysis of Denial of Service in Networks Catherine Meadows (2001) Analyzing DoS-Resistance of Protocols Using a

287 views • 28 slides
Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program Exploitation Buffer Overflows Memory Declaration Smashing The Stack TCP/IP Three Way Handshake Denial of Service SYN Flooding

403 views • 13 slides
Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall

Distributed Denial of Service Attacks & Defenses Guest Lecture by: Vamsi Kambhampati Fall 2011 Distributed Denial of Service (DDoS) Exhaust resources of a target, or the resources it depends on Resources: CPU, Memory, Bandwidth

427 views • 23 slides
ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch Duke University Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: An action that

565 views • 28 slides
Computer and Information Security Fall 2019 Denial of Service Attacks Tyler Bletsch Duke

Computer and Information Security Fall 2019 Denial of Service Attacks Tyler Bletsch Duke

ECE590 Computer and Information Security Fall 2019 Denial of Service Attacks Tyler Bletsch Duke University Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: An action that

314 views • 28 slides
Infrastructure Internet Service Providers: An Internet Service Provider, or ISP, is a company that

Infrastructure Internet Service Providers: An Internet Service Provider, or ISP, is a company that

Infrastructure Internet Service Providers: An Internet Service Provider, or ISP, is a company that provides you access to the internet. We can help you pick an ISP based on price, internet speed, and location. Routers: Routers direct network

695 views • 6 slides
Introduction to Computer Security Session 2.2 Denial of Service Prof. Nadim Kobeissi 2.2a

Introduction to Computer Security Session 2.2 Denial of Service Prof. Nadim Kobeissi 2.2a

CSCI-UA.9480 Introduction to Computer Security Session 2.2 Denial of Service Prof. Nadim Kobeissi 2.2a Defining Denial of Service 2 CSCI-UA.9480: Introduction to Computer Security Nadim Kobeissi What is a Denial of Service attack? An

920 views • 23 slides
Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples

Resilient Networking 07: Denial of Service 1 Outline Classification DoS examples Countermeasures against DoS Crypto Puzzles Stateless Protocols Avoid IP address spoofing / identifying malicious nodes Ingress filtering

937 views • 72 slides

More recommend