do network layer connections solve dos
play

Do Network-layer Connections Solve DoS ? Katerina Argyraki David - PowerPoint PPT Presentation

Nov 19, 2022 •343 likes •1.06k views

Do Network-layer Connections Solve DoS ? Katerina Argyraki David R. Cheriton Datagrams vs. Connections Datagrams vs. Connections Connection-less network layer flexibility, simplicity best-effort service Datagrams vs. Connections

  1. Do Network-layer Connections Solve DoS ? Katerina Argyraki David R. Cheriton

  2. Datagrams vs. Connections

  3. Datagrams vs. Connections ● Connection-less network layer – flexibility, simplicity – best-effort service

  4. Datagrams vs. Connections ● Connection-less network layer – flexibility, simplicity – best-effort service ● Connection-oriented network layer – end-to-end guarantees – more mechanism in routers, connection setup

  5. Bandwidth Flooding Attacks

  6. Bandwidth Flooding Attacks G srv G

  7. Bandwidth Flooding Attacks B srv B ● Victim's link flooded with malicious traffic

  8. Bandwidth Flooding Attacks B srv B ● Victim's link flooded with malicious traffic ● Legitimate TCP clients back off

  9. Datagrams vs. Connections

  10. Datagrams vs. Connections ● Datagram approach – allow all, explicitly deny bad traffic – use filtering to block bad traffic

  11. Datagrams vs. Connections ● Datagram approach – allow all, explicitly deny bad traffic – use filtering to block bad traffic ● Connection-oriented (capability) approach – deny (or limit) all, explicitly allow good traffic – use network-layer connections to shield good traffic

  12. What about Connection Setup?

  13. What about Connection Setup? ● Must protect connection setup against DoS

  14. What about Connection Setup? ● Must protect connection setup against DoS ● Necessarily datagram traffic

  15. What about Connection Setup? ● Must protect connection setup against DoS ● Necessarily datagram traffic ● Need datagram DoS solution

  16. What about Connection Setup? ● Must protect connection setup against DoS ● Necessarily datagram traffic ● Need datagram DoS solution ● Can use to protect all datagrams

  17. What about Connection Setup? ● Must protect connection setup against DoS ● Necessarily datagram traffic ● Need datagram DoS solution ● Can use to protect all datagrams Once datagram DoS solution is deployed, connections become unnecessary

  18. The Datagram Approach B srv B

  19. The Datagram Approach B srv B ● Explicitly filter traffic from bad sources

  20. The Datagram Approach B srv B ● Explicitly filter traffic from bad sources ● Securely move filtering state close to sources – Active Internet Traffic Filtering (USENIX '05)

  21. Capabilities: Stateless Connections cli srv

  22. Capabilities: Stateless Connections marking/verification nodes cli srv

  23. Capabilities: Stateless Connections capability request cli srv

  24. Capabilities: Stateless Connections capability request cli srv capability

  25. Capabilities: Stateless Connections capability request cli srv capability ● Ticket to send n bytes within t seconds

  26. Capabilities: Stateless Connections capability request cli srv capability ● Ticket to send n bytes within t seconds ● No filtering state, no special inter-ISP relationships

  27. Capabilities: Stateless Connections capability request cli srv capability ● Ticket to send n bytes within t seconds ● No filtering state, no special inter-ISP relationships Elegant and easy to deploy

  28. DoS with Capability Requests capability requests B srv capability requests B ● Can flood victim with capability requests

  29. DoS with Capability Requests capability requests B srv capability requests B ● Can flood victim with capability requests

  30. DoS with Capability Requests capability requests B srv capability requests B ● Can flood victim with capability requests ● New client has trouble connecting to site

  31. DoS with Capability Requests capability requests B srv capability requests B ● Can flood victim with capability requests ● New client has trouble connecting to site Denial of Capability

  32. Setup vs. General Traffic

  33. Setup vs. General Traffic ● Are setup requests easier to protect ? – more resistant to loss – more predictable

  34. Setup vs. General Traffic ● Are setup requests easier to protect ? – more resistant to loss – more predictable ● Our position: Setup traffic is not different – with respect to vulnerability to DoS – and means required to protect it

  35. Is Connection Setup Resistant to Loss ?

  36. Is Connection Setup Resistant to Loss ? ● Assume victim knows good clients

  37. Is Connection Setup Resistant to Loss ? ● Assume victim knows good clients ● A single setup request must get through

  38. Is Connection Setup Resistant to Loss ? ● Assume victim knows good clients ● A single setup request must get through ● Can retransmit setup request until connected

  39. Is Connection Setup Resistant to Loss ? ● Assume victim knows good clients ● A single setup request must get through ● Can retransmit setup request until connected ● Probability of failure decreases exponentially

  40. Is Connection Setup Resistant to Loss ? 2.5 Gbps attack traffic B srv 100 Mbps B

  41. Is Connection Setup Resistant to Loss ? 2.5 Gbps attack traffic B srv 100 Mbps B ● Good client retransmits every second

  42. Is Connection Setup Resistant to Loss ? 2.5 Gbps attack traffic B srv 100 Mbps B ● Good client retransmits every second ● Expected time to connection is over 8 minutes

  43. Is Connection Setup Resistant to Loss ? 2.5 Gbps attack traffic B srv 100 Mbps B ● Good client retransmits every second ● Expected time to connection is over 8 minutes Response time suffers

  44. Is Setup Traffic Policeable ?

  45. Is Setup Traffic Policeable ? ● Attack sources send more than good sources

  46. Is Setup Traffic Policeable ? ● Attack sources send more than good sources ● Fair-queue setup requests

  47. Is Setup Traffic Policeable ? ● Attack sources send more than good sources ● Fair-queue setup requests ● Each source gets same share of receiver's bwdth

  48. Is Setup Traffic Policeable ? G srv B ● Fair-queuing per incoming interface

  49. Is Setup Traffic Policeable ? B srv B ● Fair-queuing per incoming interface ● Ineffective during highly distributed attacks

  50. Is Setup Traffic Policeable ? B srv B ● Fair-queuing per source

  51. Is Setup Traffic Policeable ? B srv B ● Fair-queuing per source ● Similar state with per-source filtering

  52. Is Setup Traffic Policeable ? B srv B ● Fair-queuing per source ● Similar state with per-source filtering At the cost of simplicity and deployability

  53. The Datagram Approach B srv B ● Explicitly filter setup requests from bad sources

  54. The Datagram Approach B srv B ● Explicitly filter setup requests from bad sources ● Explicitly filter all traffic from bad sources

  55. The Datagram Approach B srv B ● Explicitly filter setup requests from bad sources ● Explicitly filter all traffic from bad sources Connections become unnecessary

  56. Capabilities as an Optimization

  57. Capabilities as an Optimization B srv B ● At least connected clients are unaffected by attack

  58. Unless there Are Lots of Bad Guys

  59. Unless there Are Lots of Bad Guys ● Undetected bad sources acquire capabilities

  60. Unless there Are Lots of Bad Guys ● Undetected bad sources acquire capabilities ● Victim must decide how to split bandwidth

  61. Unless there Are Lots of Bad Guys ● Undetected bad sources acquire capabilities ● Victim must decide how to split bandwidth ● Randomly chooses which capabilities to renew

  62. Unless there Are Lots of Bad Guys ● Undetected bad sources acquire capabilities ● Victim must decide how to split bandwidth ● Randomly chooses which capabilities to renew ● Good clients lose to bad sources

  63. Unless there Are Lots of Bad Guys ● Undetected bad sources acquire capabilities ● Victim must decide how to split bandwidth ● Randomly chooses which capabilities to renew ● Good clients lose to bad sources Undetected bad sources can always harm good traffic

  64. Capabilities = Reservations

  65. Capabilities = Reservations ● Sender reserves receiver's bandwidth

  66. Capabilities = Reservations ● Sender reserves receiver's bandwidth ● Challenge: make the “right” reservation

  67. Capabilities = Reservations ● Sender reserves receiver's bandwidth ● Challenge: make the “right” reservation ● Large botnets: each attack source sends low rate

  68. Capabilities = Reservations ● Sender reserves receiver's bandwidth ● Challenge: make the “right” reservation ● Large botnets: each attack source sends low rate ● Less relevant to restrict per-sender bandwidth

  69. Capabilities = Reservations ● Sender reserves receiver's bandwidth ● Challenge: make the “right” reservation ● Large botnets: each attack source sends low rate ● Less relevant to restrict per-sender bandwidth ● More relevant to monitor traffic patterns

  70. Conclusions ● Connections can protect good traffic against DoS ● Connection-setup relies on datagrams – must protect datagrams against DoS ● Connections become unnecessary

  71. Conclusions ● Connections can protect good traffic against DoS ● Connection-setup relies on datagrams – must protect datagrams against DoS ● Connections become unnecessary ● Capabilities may be useful optimization – must compute the “right” capability for each source

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

1 Network Layer Network Layer Recall: Circuit Switching vs. Packet Interplay between routing

Network Layer Network Layer Chapter 4: Network Layer Mobile network Chapter goals: Global ISP understand principles behind network layer Network Layer services: Home network network layer service models Regional ISP forwarding

550 views • 3 slides
5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

5 Network Layer Network Layer Network Layer Network Layer Example: Choosing among multiple ASes

Network Layer Network Layer Network Layer Network Layer Network Layer Comparison of LS and DV algorithms Message complexity Robustness: what happens 1 Introduction 5 Routing algorithms if router malfunctions? LS: with n nodes, E

325 views • 4 slides
7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

7 Network Layer Network Layer Network Layer Network Layer Subnets Classful Address

Network Layer Network Layer Network Layer Network Layer IP Fragmentation & Reassembly IP Fragmentation and Reassembly network links have MTU length ID fragflag offset (max.transfer size) - largest possible link-level frame.

948 views • 5 slides
4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

4 Network Layer Network Layer Network Layer Network Layer Switching Via Memory Three types of

Network Layer Network Layer Network Layer Network Layer Routing Table Aggregation - > 4 billion Forwarding table Longest prefix matching possible entries Prefix Match Link Interface Destination Address Range Link Interface 11001000

288 views • 3 slides
Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual circuits

524 views • 28 slides
Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer!

Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer!

Network Layer (Routing) Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual

757 views • 40 slides
Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application

Network Layer Where we are in the Course Moving on up to the Network Layer! Application Transport Network Link Physical CSE 461 University of Washington 2 Topics Network service models Datagrams (packets), virtual circuits

840 views • 42 slides
Network layer (IP) Network layer Transport segment from sending to receiving host Network

Network layer (IP) Network layer Transport segment from sending to receiving host Network

Network layer (IP) Network layer Transport segment from sending to receiving host Network layer protocols in every host, router Many historical examples, but only one really matters Network layer functions 1. Connection setup 5.

1.56k views • 113 slides
7 Network Layer Network Layer BGP basics Internet inter-AS routing: BGP when AS2 advertises

7 Network Layer Network Layer BGP basics Internet inter-AS routing: BGP when AS2 advertises

Network Layer Network Layer RIP ( Routing Information Protocol) RIP advertisements distance vectors: exchanged among distance vector algorithm neighbors every 30 sec via Response included in BSD-UNIX Distribution in 1982 Message

746 views • 3 slides
Network Layer Addressing, forwarding, routing Why do we need a Network layer? Cannot afford

Network Layer Addressing, forwarding, routing Why do we need a Network layer? Cannot afford

Network Layer Addressing, forwarding, routing Why do we need a Network layer? Cannot afford to directly connect everyone Why do we need a Network layer? Cannot broadcast all packets globally Network layer functions Addressing A

656 views • 41 slides
Network Layer Part A (IPv6) Network Layer 4-1 Chapter 4: outline 4.1 Overview of Network

Network Layer Part A (IPv6) Network Layer 4-1 Chapter 4: outline 4.1 Overview of Network

Network Layer Part A (IPv6) Network Layer 4-1 Chapter 4: outline 4.1 Overview of Network 4.4 Generalized Forward and layer SDN data plane match control plane action 4.2 What s inside a router OpenFlow examples of

941 views • 55 slides
Network Layer (Routing) Recap: Why do we need a Network layer? Internetworking Need to

Network Layer (Routing) Recap: Why do we need a Network layer? Internetworking Need to

Network Layer (Routing) Recap: Why do we need a Network layer? Internetworking Need to connect different link layer networks Addressing Need a globally unique way to address hosts Routing and forwarding Now Need to

1.56k views • 124 slides
Network Layer Goals: Overview: understand principles last time behind network layer

Network Layer Goals: Overview: understand principles last time behind network layer

Network Layer Goals: Overview: understand principles last time behind network layer network layer services services: virtual circuit and datagram forwarding networks routing (path selection) whats inside a router?

709 views • 24 slides
Network Layer Understand principles behind network layer services: network layer service

Network Layer Understand principles behind network layer services: network layer service

Chapter 4: Network Layer Chapter goals: Network Layer Understand principles behind network layer services: network layer service models CS 3516 Computer Networks CS 3516 Computer Networks forwarding versus routing how a

628 views • 18 slides
1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

1 Transport Layer Transport Layer RTT Estimation RTT Estimation Basic Idea SampleRTT :

Transport Layer Transport Layer Outline Mobile network Transport-layer Connection-oriented Global ISP services transport: TCP Transport Layer Multiplexing and segment structure Home network demultiplexing reliable data

264 views • 5 slides
Chapter 4: Network Layer Chapter goals: understand principles behind network layer services:

Chapter 4: Network Layer Chapter goals: understand principles behind network layer services:

Chapter 4: Network Layer Chapter goals: understand principles behind network layer services: routing (path selection) dealing with scale how a router works instantiation and implementation in the Internet Network Layer 4-1

1.81k views • 103 slides
Computer Networks 1 (M ng My Tnh 1) Lectured by: Nguy n c Thi Lecture 5:

Computer Networks 1 (M ng My Tnh 1) Lectured by: Nguy n c Thi Lecture 5:

Computer Networks 1 (M ng My Tnh 1) Lectured by: Nguy n c Thi Lecture 5: Network Layer Reference : Chapter 5 - Computer Networks , Andrew S. Tanenbaum, 4th Edition, Prentice Hall, 2003. Contents The network layer

509 views • 32 slides
Internetworking Outline Best Effort Service Model Global Addressing Scheme 1 Internetworking

Internetworking Outline Best Effort Service Model Global Addressing Scheme 1 Internetworking

Internetworking Outline Best Effort Service Model Global Addressing Scheme 1 Internetworking Concatenation of Different Networks Network 1 (Ethernet) H7 R3 H8 H1 H2 H3 Network 4 (point-to-point) Network 2 (Ethernet) R1 R2 H4

540 views • 7 slides
EPL606 Internetworking Network Layer Part 2a 1 The majority of the slides in this course are

EPL606 Internetworking Network Layer Part 2a 1 The majority of the slides in this course are

EPL606 Internetworking Network Layer Part 2a 1 The majority of the slides in this course are adapted from the accompanying slides to the books by Larry Peterson and Bruce Davie and by Jim Kurose and Keith Ross. Additional slides and/or figures

1.14k views • 80 slides
Engaging and Connecting to Navigate Todays Historic Times Eugenia (Genia) Naro-Maciel

Engaging and Connecting to Navigate Todays Historic Times Eugenia (Genia) Naro-Maciel

Engaging and Connecting to Navigate Todays Historic Times Eugenia (Genia) Naro-Maciel Christopher Packard Heidi White September 30th, 2020 Overview 2020 as a (very very long) teachable moment 6thfloor+u Summer Program GLS

290 views • 13 slides
Creating Connection February 21, 2019 Agenda for the Breakout 9:15-9:50 Guest speakers

Creating Connection February 21, 2019 Agenda for the Breakout 9:15-9:50 Guest speakers

Creating Connection February 21, 2019 Agenda for the Breakout 9:15-9:50 Guest speakers 9:50-9:55 Personal reflection exercise (see page 9 in conference program) 10:00-10:30 Divide into 3 groups for discussion 10:30-10:45 Reconvene for

385 views • 23 slides
Proxies and supporting an exploding number of user-accounts Eric Herman - Percona Live -

Proxies and supporting an exploding number of user-accounts Eric Herman - Percona Live -

Proxies and supporting an exploding number of user-accounts Eric Herman - Percona Live - 2018-04-24 Eric Herman eric.herman@gmail.com https://github.com/ericherman/ https://twitter.com/eric_herman Trend of more complex deployments - tools

559 views • 27 slides
Whats Missing For Postgres Monitoring @LukasFittl l t t i F s a k u L @ What are

Whats Missing For Postgres Monitoring @LukasFittl l t t i F s a k u L @ What are

Whats Missing For Postgres Monitoring @LukasFittl l t t i F s a k u L @ What are the problems with Postgres monitoring? Its incomplete. Its hard to access & understand. It contains sensitive information. Its

1.19k views • 60 slides
Some Companies/Insts. Using Zeek SOC operations overview (Microsoft) HTTPS Connection (SSL / TLS)

Some Companies/Insts. Using Zeek SOC operations overview (Microsoft) HTTPS Connection (SSL / TLS)

http.log | HTTP request/reply details conn.log | IP, TCP, UDP, ICMP connection details FIELD TYPE DESCRIPTION FIELD TYPE DESCRIPTION ts time Timestamp of the HTTP request ts time Timestamp of the fjrst packet uid & id Underlying

428 views • 8 slides

More recommend