1. Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking
SSP 2018, Hildesheim
Lukas Iffländer, Stefan Geissler, Jürgen Walter, Lukas Beierlieb, Samuel Kounev
08.11.2018
http://se.informatik.uni-wuerzburg.de/

2. Motivation
- No definite defense possible, only mitigation
- Long-time security threat
- More dangerous than ever:
  • Increasing number of IoT devices
  • Generally lower security level
- Marginal performance increase of defense systems hardware
Need for more effective mitigation approaches

3. SYN Flood – Explanation

4. TCP
- TCP is a reliable transport protocol:
  • Retransmission of lost packets
  • Sorting of out-of-order packets
- A sequence number on every packet is necessary
- Initial sequence numbers are established in a three-way handshake

5. TCP Handshake (diagram: three-way handshake between Client and Server)

6. SYN Flood (diagram: each spoofed SYN from sIP1, sIP2, sIP3, sIP4 adds another TCB to the server's backlog until it is full)

7. SYN Flood Explanation
- Attacker can spoof any source IP address
- Server has to create a TCB and keep it for a while
- SYN packets are small:
  • 14 byte (Ethernet header) + 20 byte (IP header) + 20 byte (TCP header) = 54 byte
  • 1 Mbit/s can transport 2314 pps
  • 1 Mpps requires 432 Mbit/s

8. SYN Flood – Existing Defense Mechanisms

9. SYN Cookies (diagram: the server's ISN is a cookie made of time mod 32 (5 bits), MSS (3 bits) and a HASH (24 bits) over source IP/Port, dest. IP/Port and a crypt. option; on the client's ACK the server calculates the expected cookie and compares it with ackn-1)

10. SYN Cookies
- Amount of half-open connections not limited by backlog
- CPU is burdened with hash calculations
- TCP options are restricted
- Only active when backlog is full
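The cookie layout of slide 9 and the ackn-1 check of slide 10, as an added worked example (not code from the presentation or any kernel): the 32-bit ISN packs 5 bits of time mod 32, a 3-bit MSS index and a 24-bit keyed hash over the 4-tuple; the secret, the MSS table and all addresses are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo values (not from the slides): server secret and the MSS table
# whose index is stored in the 3-bit MSS field of the cookie.
SECRET = b"constructed-demo-secret"
MSS_TABLE = [536, 1300, 1440, 1460]


def _cookie_hash(saddr, sport, daddr, dport, t):
    """24-bit keyed hash over source/dest IP:port and the 5-bit time counter."""
    msg = f"{saddr}|{sport}|{daddr}|{dport}|{t}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(saddr, sport, daddr, dport, mss, now):
    """Server ISN for the SYN+ACK: 5 bits time mod 32 | 3 bits MSS index | 24 bits hash."""
    t = now & 0x1F
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _cookie_hash(saddr, sport, daddr, dport, t)


def check_syn_cookie(saddr, sport, daddr, dport, ackn, now, max_age=4):
    """On the final ACK, recompute the expected cookie and compare it with ackn-1.
    Returns the negotiated MSS on success, None if the cookie is stale or forged.
    No state was kept for this connection: the backlog is never consumed."""
    cookie = (ackn - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if (now - t) & 0x1F > max_age:          # time counter moved on too far: stale
        return None
    expected = _cookie_hash(saddr, sport, daddr, dport, t).to_bytes(3, "big")
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):  # different 4-tuple or tampered ACK
        return None
    return MSS_TABLE[mss_idx]
```

Every ACK costs one hash computation whether it is genuine or not, which is the CPU burden slide 10 refers to.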

11. SYN PROXY – Connection Establishment (diagram: SYN handshake between Client, PROXY and Server)

12. SYN PROXY – Data Transfer (diagram: data between Client, PROXY and Server after the handshake)

13. SYN PROXY
- Implemented as an iptables module
- Does not have to run on the target machine
- Only complete handshakes reach the target
- Proxy cannot predetermine the server's ISN
- seqn/ackn translation always necessary
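Why the last two points hold, as an added walkthrough of slides 11-13 (illustrative code, not the iptables SYNPROXY implementation): the proxy answers the client with its own ISN, the server later picks a different one, so every packet of the connection has to be rewritten by the difference. All ISNs are constructed values.

```python
MOD = 1 << 32

# Constructed ISNs for the walkthrough (not values from the slides)
CLIENT_ISN = 1000
PROXY_ISN = 500000          # ISN the proxy chose for its SYN+ACK to the client
SERVER_ISN = 3000000000     # ISN the real server chose later; unknown to the proxy up front


class SeqTranslator:
    """Per-connection seq/ack rewriting a SYN proxy needs once the server's
    handshake finished with an ISN different from the one the client saw."""

    def __init__(self, proxy_isn, server_isn):
        self.delta = (server_isn - proxy_isn) % MOD   # modular: ISNs wrap at 2^32

    def client_to_server(self, seq, ack):
        # the client's own sequence numbers stay; its ACK points into proxy ISN space
        return seq, (ack + self.delta) % MOD

    def server_to_client(self, seq, ack):
        # the server's sequence numbers are shifted back into the space the client expects
        return (seq - self.delta) % MOD, ack


def proxied_exchange(payload_len):
    """Connection establishment (slide 11) and data transfer (slide 12).
    Returns the (seq, ack) the server receives and the (seq, ack) the client receives."""
    # 1. client <-> proxy: SYN, SYN+ACK, ACK; the proxy answered with PROXY_ISN
    client_seq, client_ack = CLIENT_ISN + 1, PROXY_ISN + 1
    # 2. proxy <-> server: proxy replays the handshake, server picks SERVER_ISN
    tr = SeqTranslator(PROXY_ISN, SERVER_ISN)
    # 3. client data segment, rewritten on its way to the server
    to_server = tr.client_to_server(client_seq, client_ack)
    # 4. server's reply (its seq follows SERVER_ISN), rewritten on its way back
    to_client = tr.server_to_client(SERVER_ISN + 1, client_seq + payload_len)
    return to_server, to_client
```

The per-connection delta is exactly the state that keeps the proxy stateful and on the data path, which is what slide 14 lists as its limitation.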

14. Limitations (table comparing SYN Cookies and SYN PROXY against these criteria)
- Has to run on service host
- Stateful
- No independent scaling
- Network bottleneck
- Independent scaling complex

15. In a Nutshell
- Problem:
  • Existing solutions cannot easily be scaled independently from the service host
- Idea:
  • Complete handshake in proxy
  • Route subsequent packets directly
- Benefit:
  • Server handles only established connections
  • Proxy can specialize on handshake handling
- Action:
  • Develop proxy network function, utilize SDN, modify server kernel

16. SYN Flood – SDN/NFV Approach

17. SDN and NFV
Software Defined Networking:
- SDN switches' behavior is determined by a set of flows
- SDN controller modifies and monitors flow sets of connected switches
- A flow consists of:
  • Match
  • Action
  • Stats
Network Function Virtualization:
- Network functions modify packets not addressed to them:
  • Firewall
  • Switch
  • IDS
- Virtualized NF is running on COTS hardware (instead of being an ASIC)

18. SDN/NFV Approach (diagram: traditional network with Attacker, Client, Gateway and Server)

19. SDN/NFV Approach (diagram: SDN enabled network with Controller, VNF, OF-switch, Gateway, Attacker, Client and Server)

20. SDN/NFV Approach – initial flow table on the OF-switch
Prio | Match            | Action
0    | GW               | VNF
0    | SERV             | VNF
0    | VNF              | GW
1    | VNF, daddr=s_ip  | SERV

21. SDN/NFV Approach – Attacker sends SYN packets with spoofed addresses (diagram: the OF-switch forwards the SYNs to the VNF, which answers with SYN ACK; the flow table is unchanged from slide 20)

22. SDN/NFV Approach – Client opens connection (diagram: SYN, SYN+ACK and ACK between Client and VNF; REST from VNF to Controller; OF from Controller to OF-switch; SYN and data forwarded to Server; data and ACK back to Client)
Flow table after the handshake:
Prio | Match            | Action
0    | GW               | VNF
0    | SERV             | VNF
0    | VNF              | GW
1    | VNF, daddr=s_ip  | SERV
10   | GW, from client  | SERV
10   | SERV, to client  | GW
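The flow tables of slides 20 and 22 as an added simulation (illustrative code, not the presented controller or VNF): a priority-ordered flow table, the initial rules, and the two priority-10 flows the controller installs for a client once the VNF has completed the handshake. Port names follow the slides; the server and client addresses are constructed.

```python
from dataclasses import dataclass, field

S_IP = "10.0.0.10"                    # constructed server address (s_ip on the slides)
GW, SERV, VNF = "GW", "SERV", "VNF"   # OF-switch ports as named on the slides


@dataclass(frozen=True)
class Packet:
    in_port: str   # port the packet arrived on
    saddr: str
    daddr: str


@dataclass
class FlowTable:
    rules: list = field(default_factory=list)   # (prio, match, action)

    def add(self, prio, match, action):
        self.rules.append((prio, match, action))

    def lookup(self, pkt):
        """Highest-priority matching flow decides the output port (drop if none)."""
        for prio, match, action in sorted(self.rules, key=lambda r: -r[0]):
            if match(pkt):
                return action
        return "DROP"


def build_initial_table():
    """Flows of slide 20: everything from the gateway or the server goes to the VNF;
    the VNF's own output goes to the gateway unless addressed to the server."""
    t = FlowTable()
    t.add(0, lambda p: p.in_port == GW, VNF)
    t.add(0, lambda p: p.in_port == SERV, VNF)
    t.add(0, lambda p: p.in_port == VNF, GW)
    t.add(1, lambda p: p.in_port == VNF and p.daddr == S_IP, SERV)
    return t


def install_client_flows(table, client_ip):
    """Slide 22: after the VNF completed the handshake, the controller adds two
    priority-10 flows so this client's traffic bypasses the VNF in both directions."""
    table.add(10, lambda p: p.in_port == GW and p.saddr == client_ip, SERV)
    table.add(10, lambda p: p.in_port == SERV and p.daddr == client_ip, GW)
```

Spoofed SYNs keep hitting the priority-0 rules and stay with the VNF, so the server only ever sees connections the VNF already established.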

23. Implementation

24. Implementation: Kernel Modification
- Simple concept
- Only 8 lines of code
- Kernel recompilation necessary
- Complete handshake required

25. Implementation: VNF
The VNF is split into a DPDK application and a Python application.
DPDK:
- Handshaking
Python:
- REST requests
- (HTTP flood defense)

26. Initial Evaluation

27. Virtual Testbed (diagram)

28. Testing Methodology
- Attacker floods SYN packets with a delay between each packet
- Client sends 50 SYN packets in 0.5 s intervals
- Score is the amount of answered client SYN packets
