security iii availability ddos and routing security
play

Security III: Availability, DDoS, and Routing Security 15-441 Fall - PowerPoint PPT Presentation

Apr 01, 2023 •502 likes •1.3k views

Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste & Justine Sherry Your Feedback I like to think of Dr. Weiss as my teaching teacher They require students to go over algorithms weve

  1. Security III: Availability, DDoS, and Routing Security 15-441 Fall 2019 Profs Peter Steenkiste & Justine Sherry

  2. Your Feedback I like to think of Dr. Weiss as my teaching teacher • They require students to go over algorithms we’ve learned by hand. • “Challenging. Reinforce topics covered in lecture.” • Students feel that the time spent just “exploring” but not doing the work is not 2. Prizes (candy, stickers, t-shirts) are motivating and help students stay involved during lecture. (66% agreed) • • “It’s more fun learning through interaction.” RFC documentation was hard to parse. Would often say, “Do this…” with no 34% of you are unsatisfied with my candy. I have brought more variety. • “Interactive teaching style [is] very helpful.” instruction on how. 2. Ensure consistency when answering questions on Piazza. (90% agreed) • I suspect consistency is due to changes in the course. Students reported getting conflicting or unhelpful information from TAs. This year: going to ask TAs to leave answers to “lead” project TAs when they are unsure • “Homework is informative.” • “ Some answers in Piazza look impatient. ” Next year: hopefully fewer changes in the course mean all TAs will be on same page • “[Problem sets] help us apply topics from lecture.” • “ ” don’t feel they’re turning in their best possible work • “Powerpoint slides use lots of animations explaining concepts like routing algorithms and BGP.” (2 students) • “Challenging labs [are helpful].” (2 students) • • “Projects – • coding practice and style.” (3 students) • • CGI program doesn’t work well. Tests in the handouts can be improved. “We learned good programming techniques from the first project.” • “Exposure to RFC is a worthwhile experience because it’s a real • “ ” document.” (<6 students) • “ ” • “Course is well organized.” (5 students) • “Lectures are interesting.” (5 students) • “Good bottom up learning of the OSI model and how the internet works.” (3 • “ – ” • “ ”

  3. Your Feedback I like to think of Dr. Weiss as my teaching teacher 1. Projects are very ambitious and need more specifics on what needs to be done. (<100% agreed) • Students feel that the time spent just “exploring” but not doing the work is not I’m going to ask for more feedback at the end of class today — did valuable (e.g., searching through RFC documents). you feel the same way about Project 2? • RFC documentation was hard to parse. Would often say, “Do this…” with no Re: Project 1: What about offering a “highlighted” version of the RFC to draw your attention where to look? • “ ” • “ ” don’t feel they’re turning in their best possible work • • • CGI program doesn’t work well. Tests in the handouts can be improved. • “ ” • “ ” • “ – ” • “ ”

  4. • Students feel that the time spent just “exploring” but not doing the work is not • RFC documentation was hard to parse. Would often say, “Do this…” with no Your Feedback • “ ” • “ ” don’t feel they’re turning in their best possible work (75% agreed) I like to think of Dr. Weiss as my teaching teacher Either: • Provide more tests to run locally (allowing for better debugging), or • Increased submission limit (other classes allow 20+ submissions). • CGI program doesn’t work well. Tests in the handouts can be improved. • “ Currently, the feedback from Autolab is not sufficient for debugging. ” • “ A lot of time spent trying to get P2 testing working. ” • “ Turnaround time for grading – neither homework was graded before the midterm ” • “ ” “A hill worth dying on”: An issue to pursue with wholehearted conviction and/ or single-minded focus, with little or no regard to the cost.

  6. Why are my Twitter Friends making these jokes? • In developing a real product, the only people who “give you tests” to try against are your users. • But “deploying” code to them is not free! • When things break, your users get angry • Send you mean emails • Quit your project and move to a competitor • You might get fired if you make this happen with any frequency.

  7. Why are my Twitter Friends making these jokes? • Best industry practices: • Try to figure out everything that could possibly go wrong before deploying. • Write tests to make sure those bad things don’t happen. • Then “deploy”.

  8. Why we have autolab limits • This is a senior-level systems class. We are almost about to send you out to the big leagues! • Think of “autolab” as “deploying” — you get fast and immediate feedback from your users. But it’s not free! • Then again, in industry, if you “test” on all your users with buggy code a dozen times in one week, you’ll probably get fired. • We’re still giving you lots of submissions. • But we want you to slow down and think about fixing things before deploying.

  9. What I see on my side • Very very few of you are getting close to your autolab limits. • Some of you could even benefit from submitting a little more often :-) • And yet… we’re also seeing some of the highest project scores I’ve seen in the three times I’ve taught this course. • The training wheels are working! You’re becoming much stronger developers!

  10. What were the four requirements for a secure communications channel?

  11. What do we need for a secure comm channel? • Authentication (Who am I talking to?) • Confidentiality (Is my data hidden?) • Integrity (Has my data been modified?) • Availability (Can I reach the destination?)

  12. http://www.computerworld.com/article/2516953/enterprise-applications/a-chinese-isp-momentarily-hijacks-the- internet--again-.html

  16. Goals of this lecture • Understand attacks on availability in the network. • Many attacks at the application layer — bugs in code — go take 18-487 to learn more about those. • This class focuses on attacks on availability in the network.

  17. Two classes of attacks on availability today • Resource Exhaustion • DDoS • SYN Floods • Routing Attacks • We’ll talk about flaws in BGP • There are so many kinds of attacks we’re not discussing though! • Take 18-487 with Prof. Sekar!

  18. Recall: Internet routing • An Interior Gateway Protocol (IGP) is used to route packets within an AS: Intra-domain routing • An Exterior Gateway Protocol (EGP) to maintain Internet connectivity among ASs: Inter-domain routing AS400 BGP AS100 BGP AS300 BGP BGP IGP AS200

  19. What kind of routing algorithm is BGP?

  20. What are the other kinds of routing algorithms we discussed in this class (not BGP)?

  21. How does BGP work? Internet routers communicate using the Border Gateway Protocol (BGP): • Destinations are prefixes (CIDR blocks) Example: 128.2.0.0/16 (CMU) • • Routes through Autonomous Systems (ISPs) • Each ISP is uniquely identified by a number Example: 9 (Carnegie Mellon) • • Each route includes a list of traversed ISPs: Example: 9 ← 5050 ← 11537 ← 2153 •

  22. Principles of operation • Exchange routes • AS100 announces 128.1.1.0/24 prefix to AS200 and AS300, etc • Incremental updates 192.208.10.2 AS200 AS400 192.208.10.1 AS100 129.213.1.2 128.1.1.0/24 AS300 129.213.1.1

  23. UPDATE message example Prefix: 128.1.1.0/24 Nexthop: 192.208.10.1 ASPath: 100 192.208.10.2 AS200 AS400 192.208.10.1 AS100 129.213.1.2 128.1.1.0/24 AS300 129.213.1.1 Prefix:128.1.1.0/24 Nexthop: 129.213.1.2 ASPath: 100

  24. Route propagation Prefix: 128.1.1.0/24 Nexthop: 190.225.11.1 Prefix: 128.1.1.0/24 ASPath: 200 100 Nexthop: 192.208.10.1 ASPath: 100 192.208.10.2 190.225.11.1 AS200 AS400 192.208.10.1 AS100 150.211.1.1 129.213.1.2 128.1.1.0/24 AS300 129.213.1.1 Prefix: 128.1.1.0/24 Prefix:128.1.1.0/24 Nexthop: 150.212.1.1 Nexthop: 129.213.1.2 ASPath: 300 100 ASPath: 100

  25. All you need is one compromised BGP speaker

  26. Pakistan Telecom: Sub-prefix hijack February 2008 : Pakistan Telecom hijacks YouTube “The Internet” Pakistan I’m YouTube: Telecom YouTube IP 208.65.153.0 / 22 Multinet Telnor Pakistan Pakistan Aga Khan University

  27. Pakistan wanted to send an iBGP announcement to blackhole traffic to YouTube… Pakistan Telecom: Sub-prefix hijack Hijack + drop packets going to YouTube “The Internet” X Pakistan I’m YouTube: Telecom YouTube IP 208.65.153.0 / 22 Multinet Telnor Pakistan Pakistan Aga Khan University Block your own customers.

  28. But they accidentally sent an eBGP announcement to blackhole YouTube! Pakistan Telecom: Sub-prefix hijack No, I’m YouTube! IP 208.65.153.0 / 24 “The Internet” Pakistan Pakistan I’m YouTube: Telecom Telecom YouTube IP 208.65.153.0 / 22 Multinet Telnor Pakistan Pakistan Aga Khan University

  29. Potential attack objectives • Blackholing – make something unreachable • Redirection – e.g., congestion, eavesdropping • Instability • But more often than not, just a mistake!

  30. Unauthorized origin ISP (prefix theft) 
 Destination Route Destination Route Google M Google G ← B G B C M M’s route to G is better than B’s

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell

3/28/19 Security III: Availability, DDoS, sli.do time and Routing Security 15-441 Spring 2019 (yell at me if I dont notice?) Profs Peter Steenkiste &amp; Justine Sherry &amp; (Guest Lecturer) Sannan Slides almost entirely copied from

288 views • 18 slides
Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security

NDN ROUTING SECURITY Lan Wang, Beichuan Zhang 2/9/2015 www.named-data.net 2 Routing Security Required: authenticity and integrity of routing information o Link state routing: LSAs are originated by the routing process authorized to do so

345 views • 10 slides
Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net

Improving BGP routing security Job Job S Snijders NTT / / AS AS 2 2914 job ob@ntt.net http tps:// //tw twitter.com/ om/Job JobSnijders Why are we doing any of this routing security? Creating EBGP routing filters based on

906 views • 44 slides
Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia

Routing Security Economics Steven M. Bellovin http://www.cs.columbia.edu/~smb Columbia University January 18, 2007 1 / 9 What is Routing Security? Bad guys play games with routing protocols. What is Routing Security? How is it

95 views • 9 slides
RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing

RPKI and Routing Security Presentation | September 2015 Yerevan Regional Meeting Routing Security 2 Routing Registry route objects RPKI (Resource Public Key Infrastructure) ROAs (Route Origin Authorisation) RPKI and Routing

422 views • 31 slides
Routing Security Security Solutions CSE598K/CSE545 - Advanced Network Security Prof. McDaniel -

Routing Security Security Solutions CSE598K/CSE545 - Advanced Network Security Prof. McDaniel -

312 views • 16 slides
Political DDoS: Estonia and Beyond Jose Nazario, Ph.D. jose@arbor.net USENIX Security, 2008

Political DDoS: Estonia and Beyond Jose Nazario, Ph.D. jose@arbor.net USENIX Security, 2008

Political DDoS: Estonia and Beyond Jose Nazario, Ph.D. jose@arbor.net USENIX Security, 2008 Jose Nazario, Ph.D. o Arbor 2002 - Present o ATLAS, ASERT, ATF o Research, analysis, engineering Page 2 DDoS Background Exhaust resources Overwhelm

1.22k views • 74 slides
What is food security? Access to Availability food of food People Hunger Dietary Chronic

What is food security? Access to Availability food of food People Hunger Dietary Chronic

Alexander J. Stein October 1, 2013 Measuring food and nutrition security based on health outcomes Conference on Global Food Security October 1, 2013, Noordwijkerhout Alexander J. Stein What is food security? Access to Availability food

326 views • 9 slides
A Case Study in Safety, Security, and Availability of Wireless-Enabled Aircraft Communication

A Case Study in Safety, Security, and Availability of Wireless-Enabled Aircraft Communication

Motivation Safety Security Availability A Case Study in Safety, Security, and Availability of Wireless-Enabled Aircraft Communication Networks Rohit Dureja, Eric W.D. Rozier, and Kristin Yvonne Rozier Iowa State University

851 views • 39 slides
Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior

February 2019 Glo lobal Routing Security and it its im impact on Policy Development Aftab Siddiqui Senior Manager, Internet Technology siddiqui@isoc.org Lets understand the problem.. What is the connection between routing security

346 views • 19 slides
Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route

Inter-Domain Routing Security Inter-Domain Routing Security ~ ~BGP BGP Route Hijacking~ Route Hijacking~ Mar 1 2007 in APRICOT 2007 NTT Communications Corp. Taka Mizuguchi Tomoya Yoshida What s BGP Route Hijacking? s BGP Route

583 views • 40 slides
Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System

Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System

Security, Availability, and Multiple Information Sources: Exploring Update Behavior of System Administrators Christian Tiefenau , Maximilian Hring, Katharina Krombholz, Emanuel von Zezschwitz @chrizzlz @cathykxx Usable Security and Privacy Lab,

596 views • 12 slides
TLD-OPS ccTLD Security and Stability Together ccNSO ICANN 62 June 27, 2018 A first delivery

TLD-OPS ccTLD Security and Stability Together ccNSO ICANN 62 June 27, 2018 A first delivery

TLD-OPS ccTLD Security and Stability Together ccNSO ICANN 62 June 27, 2018 A first delivery : the DDOS Mitigation Playbook The goal of the first workshop was to explore how TLD-OPS members can collaborate to detect and mitigate DDOS

1.12k views • 13 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
28/11/2010 Risk of Energy Availability: Common Corridors for Europe Supply Security ETSAP Meeting

28/11/2010 Risk of Energy Availability: Common Corridors for Europe Supply Security ETSAP Meeting

28/11/2010 Risk of Energy Availability: Common Corridors for Europe Supply Security ETSAP Meeting Energy Systems Modelling Addressing Energy Security and Climate Change November 15th 2010, University College Cork, Ireland Ensuring Security of

552 views • 22 slides
CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS

CENSORSHIP RESISTANCE CMSC 414 APR 17 2018 CENSORSHIP COMES IN MANY FORMS DROPPING PACKETS Network operators : Block traffic in their own networks/countries Off-path attackers : Inject TCP RST packets (next week) Routing-capable adversaries

517 views • 23 slides
BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified

Overview BLE Refresher Attacks Improvements BLE Security Authentication Privacy Discussion EECS 582 -- Spring 2015 BLE: Quick/Simplified Refresh Link Layer State Machine Application Layer GATT ATT L2CAP Link Layer Physical Layer

783 views • 3 slides
6.888 Lecture 9: Wireless/Op4cal Datacenters Mohammad Alizadeh and Dinesh Bharadia Many

6.888 Lecture 9: Wireless/Op4cal Datacenters Mohammad Alizadeh and Dinesh Bharadia Many

6.888 Lecture 9: Wireless/Op4cal Datacenters Mohammad Alizadeh and Dinesh Bharadia Many thanks to George Porter (UCSD) and Vyas Sekar (Berkeley) Spring 2016 1 Datacenter Fabrics Spine Leaf 1000s of server ports Scale out designs (VL2,

608 views • 39 slides
CSCE 515: Computer Network Programming ------ Advanced Socket Programming Wenyuan Xu

CSCE 515: Computer Network Programming ------ Advanced Socket Programming Wenyuan Xu

CSCE 515: Computer Network Programming ------ Advanced Socket Programming Wenyuan Xu http://www.cse.sc.edu/~wyxu/csce515f07.html Department of Computer Science and Engineering University of South Carolina Ref: Dave Hollinger Ref: UNP Chapter

1.23k views • 55 slides
iCAST / TRUST Collaboration Year 2 - Kickoff Meeting Robin Sommer International Computer Science

iCAST / TRUST Collaboration Year 2 - Kickoff Meeting Robin Sommer International Computer Science

iCAST / TRUST Collaboration Year 2 - Kickoff Meeting Robin Sommer International Computer Science Institute robin@icsi.berkeley.edu http://www.icir.org Projects Overview Project 1 NIDS Evasion Testing in a Live Context Project 2

420 views • 21 slides
CPS: Market Analysis of Attacks Against Demand Response in the Smart Grid Carlos Barreto,

CPS: Market Analysis of Attacks Against Demand Response in the Smart Grid Carlos Barreto,

CPS: Market Analysis of Attacks Against Demand Response in the Smart Grid Carlos Barreto, carlos.barretosuarez@utdallas.edu Alvaro A. Cardenas, alvaro.cardenas@utdallas.edu Nicanor Quijano, nquijano@uniandes.edu.co Eduardo Mojica,

330 views • 20 slides
CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,

735 views • 36 slides
Pinpointing Delay and Forwarding Anomalies Using Large-Scale Traceroute Measurements Romain

Pinpointing Delay and Forwarding Anomalies Using Large-Scale Traceroute Measurements Romain

Pinpointing Delay and Forwarding Anomalies Using Large-Scale Traceroute Measurements Romain Fontugne 1 , Emile Aben 2 , Cristel Pelsser 3 , Randy Bush 1 November 1, 2017 1 IIJ Research Lab, 2 RIPE NCC, 3 University of Strasbourg / CNRS 1 / 25

499 views • 35 slides

More recommend