senss against volumetric ddos attacks
play

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena - PowerPoint PPT Presentation

Oct 31, 2022 •44 likes •604 views

SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and Ying Zhang 3 1 University of Southern California/Information Sciences Institute 2 Harvard University 3 Facebook 1 DDoS attacks Volumetric DDoS

  1. SENSS Against Volumetric DDoS Attacks Sivaram Ramanathan 1 , Jelena Mirkovic 1 , Minlan Yu 2 and Ying Zhang 3 1 University of Southern California/Information Sciences Institute 2 Harvard University 3 Facebook 1

  2. DDoS attacks • Volumetric DDoS can overwhelm networks • Such attacks are hard to mitigate by victim • Volume is too high for victim to handle – need help of upstream ISPs • Legit traffic mixed with attack traffic – need help to place imperfect filters near attack sources to minimize collateral damage • Need collaborative, distributed response • But today’s internet lacks the infrastructure for victim to ask peers or remote networks for help *Figure taken from Arbor Networks worldwide infrastructure security report, 2016 2

  3. Existing solutions at victim • Solutions such as Bro and Arbor Attacker APS deployed at victim Bro Arbor APS • Filters traffic based on Attacker inspection and rules Victim • Large attacks cannot be filtered Attacker as the origin of attack is upstream from victim Attacker 3

  4. Existing solutions at first hop ISP • Collaboration with ISP via Attacker human channels which are error RTBH prone and slow Bohatei • Crude filtering such as remotely- Attacker First hop triggered blackhole saves ISP Victim ISP from attack but cuts victim from internet Attacker • Bohatei uses SDN + NFV to scale defense on demand Attacker • Provides a fine grained traffic control but is resource intensive 4

  5. Existing solutions at cloud • Cloud solutions are effective by Attacker diverting all victim’s traffic towards themselves during an attack Attacker Victim • Apply scrubbing algorithms to remove attack traffic, send the Attacker rest to victim • Ability to handle heavy attacks Attacker depends on extent of geo- replication, which is costly Cloudflare Akamai Cloud Providers 5

  6. What do we provide? • SENSS is a collaborative framework which allows victim under attack to communicate with peers or remote networks • Design is simple • SENSS keeps the intelligence at the victim and has simple functionalities at ISP which can be easily implemented in current ISP infrastructure • Victim drives decisions to monitor and taking necessary actions to mitigate attacks • Victims can create versatile, evolvable and customizable defense for different types of DDoS flavors 6

  7. Overview • Introduction • SENSS • Architecture • SENSS API • SENSS client programs • Security and robustness • Evaluation • Conclusion 7

  8. SENSS: Components SENSS Attacker SENSS server client Victim SENSS server 8

  9. SENSS: Attack scenario SENSS Attacker SENSS server client Victim SENSS server 9

  10. SENSS: Attack scenario SENSS directory SENSS Attacker SENSS server client Victim SENSS server 10

  11. SENSS: Attack scenario Traffic Monitor request SENSS Attacker SENSS server client Victim SENSS server Traffic Monitor request 11

  12. SENSS: Attack scenario SENSS server authenticates requests SENSS Attacker client $ Victim $ 12

  13. SENSS: Attack scenario SENSS server charges client SENSS Attacker client $ Victim $ 13

  14. SENSS: Attack scenario Gather traffic SENSS Attacker stats client Victim Gather traffic stats 14

  15. SENSS: Attack scenario Return monitoring stats SENSS Attacker SENSS server client Victim SENSS server 15

  16. SENSS: Attack scenario Devise mitigation Attacker SENSS server strategy Victim SENSS server 16

  17. SENSS: Attack scenario Traffic control request SENSS Attacker SENSS server client Victim 17

  18. SENSS: Attack scenario SENSS server authenticates requests SENSS Attacker client $ Victim 18

  19. SENSS: Attack scenario SENSS server charges client SENSS Attacker client $ Victim 19

  20. SENSS: Attack scenario Apply control SENSS Attacker request client Victim 20

  21. SENSS: Attack blocked Attack traffic SENSS Attacker blocked! client Victim 21

  22. SENSS: Labor division Intelligence at victim 22

  23. SENSS: Incentives for ISPs Simple implementation at ISP $ With incentives! $ 23

  24. SENSS: Secure Communication secured by TLS SENSS server Queries only on verifies prefix client’s owned ownership prefixes 24

  25. SENSS API Type Response from SENSS server Traffic Query Traffic stats matching predicates 25

  26. SENSS API Type Response from SENSS server Traffic Query Traffic stats matching predicates Route Query AS paths from SENSS server to prefix 26

  27. SENSS API Type Response from SENSS server Traffic Query Traffic stats matching predicates Route Query AS paths from SENSS server to prefix Traffic filter Adds filter matching predicate 27

  28. SENSS API Type Response from SENSS server Traffic Query Traffic stats matching predicates Route Query AS paths from SENSS server to prefix Traffic filter Adds filter matching predicate Route demote Demotes AS path from SENSS server to prefix with certain path segment 28

  29. SENSS API Type Response from SENSS server Traffic Query Traffic stats matching predicates Route Query AS paths from SENSS server to prefix Traffic filter Adds filter matching predicate Route demote Demotes AS path from SENSS server to prefix with certain path segment Each traffic query/control consists of a predicate matching flow(s) • Supports various packet header fields • Different packet header fields can be combined using negation, conjunction, disjunction and wildcard 29

  30. SENSS Server Implementation • Queries to SENSS server can be implemented using Openflow or Netflow+ACL SENSS • SENSS server receives requests SENSS ISP Server from clients, authenticates and sends appropriate replies • SENSS server also co-ordinates with various border routers within the same ISP and gathers statistics 30

  31. Overview • Introduction • SENSS • Architecture • SENSS API • SENSS client programs • Security and robustness • Evaluation • Conclusion 31

  32. DDoS without signature attack Legit traffic from L1 and L2 L1 S1 V S2 A L2 S3 B C D 32

  33. DDoS without signature attack L1 S1 Periodic traffic query to S1, S2 and V S2 S3 A L2 S3 B C D 33

  34. DDoS without signature attack L1 Replies S1 S1: 1000 Mbps S2: 0 Mbps V S2 S3: 400 Mbps A L2 S3 B C D 34

  35. DDoS without signature attack Attack from A L1 S1 V S2 A L2 S3 B C D 35

  36. DDoS without signature attack More attack from B, C and D L1 S1 V S2 A L2 S3 B C D 36

  37. DDoS without signature attack L1 S1 Periodic traffic query to S1, S2 and V S2 S3 A L2 S3 B C D 37

  38. DDoS without signature attack L1 Replies S1 S1: 1000 Mbps S2: 500 Mbps V S2 A S3: 750 Mbps L2 S3 B C D 38

  39. DDoS without signature attack L1 Replies Replies S1 S1: 1000 Mbps S1: 1000 Mbps S2: 0 Mbps S2: 500 Mbps V S2 A S3: 400 Mbps S3: 750 Mbps L2 S3 B C D 39

  40. DDoS without signature attack L1 Replies Replies S1 S1: 1000 Mbps S1: 1000 Mbps S2: 0 Mbps S2: 500 Mbps V S2 A S3: 400 Mbps S3: 750 Mbps Unusual traffic L2 from S2 and S3 S3 B C D 40

  41. DDoS without signature attack Traffic filter at S2 L1 S1 V S2 A L2 S3 B Traffic filter at S3 C D 41

  42. DDoS without signature attack L1 S1 V S2 A Attack stopped at S2 and S3! L2 S3 B C D 42

  43. Overview • Introduction • SENSS • Architecture • SENSS API • SENSS client programs • Security and robustness • Evaluation • Conclusion 43

  44. Securing communication • SENSS allows client to issue requests only to its own prefixes • SENSS client binds a proof of ownership certificate with every request • Proof can be created using RPKI Route Origin Authorization (ROA) certificates • Alternatively we can issue custom certificates • Communication between SENSS client and SENSS server is secured using TLS and occurs over HTTPS • If the privacy of key is compromised, SENSS server can purge all existing client requests 44

  45. Challenges • Router’s TCAM space is limited • Coarse rules are enough to mitigate large volumetric attack • Finer rules can be prevented by SENSS ISP’s or discourage users by charging higher prices • ISP’s privacy concerns • Traffic replies can contain anonymized ID’s to cover neighboring peers • ISP is in control • Can reject demote requests which may not be optimal 45

  46. Handling misbehavior • SENSS clients have low incentive to misbehave • Excessive requests are unlikely as clients need to pay for each request • Requests can be made only for their own prefixes • SENSS servers could lie about observations and/or fail to implement control actions • Legacy: Lie about client’s traffic and make it look smaller, increasing the cost of client but does not drop traffic • Dropper: Lie about client’s traffic and make it look larger causing client to issue traffic control to drop traffic • But dropper liars are already on the path of traffic, SENSS does not make it worst 46

  47. Overview • Introduction • SENSS • Architecture • SENSS API • SENSS client programs • Security and robustness • Evaluation • Conclusion 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu

Poseidon: Mitigating Volumetric DDoS Attacks with Programmable Switches Menghao Zhang 1 , Guanyu Li 1 , Shicheng Wang 1 , Chang Liu 1 , Ang Chen 2 , Hongxin Hu 3 , Guofei Gu 4 , Qi Li 1 , Mingwei Xu 1 , Jianping Wu 1 1 4 2 3 DDoS Attacks are

480 views • 23 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias

Next Gen Blackholing to Counter DDoS NANOG75, San Francisco Christoph Dietzel *, Matthias Wichtlhuber*, Georgios Smaragdakis , Anja Feldmann TU Berlin, *DE-CIX, MPI Volumetric DDoS Attacks ? Tbps 1.7 Tbps 1 Tbps 200 Gbps 15

571 views • 22 slides
Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde,

Practical Verifiable In-network Filtering for DDoS Defense Deli Gong, Muoi Tran , Shweta Shinde, Hao Jin, Vyas Sekar, Prateek Saxena, Min Suk Kang July 8, 2019 | Dallas, TX Large-scale volumetric DDoS attacks are common (distributed denial of

569 views • 29 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos & https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter Reiher Manu Shantharam & David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas

Exit from Hell? Reducing the Impact of Amplifjcation DDoS Attacks Marc Khrer, Thomas Hupperich, Christian Rossow, and Thorsten Holz Presented By : Richie Noble Distributed Denial-of-Service (DDoS) Attacks Known problem for many

660 views • 35 slides
Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback

Mark Shtern DDoS Attacks http://en.wikipedia.org/wiki/Operation_Pa yback http://www.betterhostreview.com/wp-content/uploads/2013/08/ddos-attack.gif 2 DDoS Attacks http://blog.rivalhost.com/wp- http://en.wikipedia.org/wiki/Low

800 views • 36 slides
COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure Application Services CONFIDENTIAL | DO NOT DISTRIBUTE Company 1. CONFIDENTIAL | DO NOT DISTRIBUTE Attack Tools over Time - Evolved Binary

385 views • 12 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS

Best Practices for Using CDNs Against DDoS Attacks Wilson Rogrio Lopes LACNIC 28 / LACNOG 2017 09/2017 CDNs for DDoS Protection As your principle, CDNs distribute traffic around the world to the closest pop for client, using anycast

915 views • 11 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras

A First Joint Look at DoS Attacks and BGP Blackholing in the Wild Mattijs Jonker Aiko Pras (UTwente) Alberto Dainotti (CAIDA / UC San Diego) Anna Sperotto (UTwente) Denial-of-Service attacks A conceptually simple, yet effective class of

750 views • 33 slides
CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7

CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7

CSCI 4250/6250 Fall 2013 Computer and Networks Security Web Security Goodrich, Chapter 7 The Web Application Hackers Handbook, 2/e WWW Evolution Past vs. Future In the past web was made of static pages Today, highly

1.09k views • 63 slides
Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh

Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh

Finding Protocol Manipulation Attacks Nupur Kothari Ratul Mahajan, Todd Millstein, Ramesh Govindan, Madanlal Musuvathi Manipulation Attacks Adversaries induce victim into undesirable behavior by lying in their messages Exploit partial

216 views • 19 slides
OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com

Introduction to the OWASP Top Ten Kirk Jackson OWASP NZ RedShield https://www.meetup.com/ kirk@pageofwords.com OWASP-Wellington/ http://hack-ed.com www.owasp.org.nz Recordings: @kirkj @owaspnz https://goo.gl/a2VSG2 What is OWASP? Open

880 views • 45 slides
Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and

Ohms Law in Data Centers: A Voltage Side Channel for Timing Power Attacks Mohammad A. Islam and Shaolei Ren UC Riverside Acknowledgement: This work was supported in part by the U.S. NSF under grants CNS-1551661 and ECCS-1610471. Cloud data

1.15k views • 75 slides
Securing your database servers from external attacks Alkin Tezuysal (Sr. Technical

Securing your database servers from external attacks Alkin Tezuysal (Sr. Technical

Securing your database servers from external attacks Alkin Tezuysal (Sr. Technical Manager,Percona) David Busby (Information Security Architect, Percona) Who we are? David Busby (@icleus) Alkin Tezuysal ( @ask_dba ) Technical

429 views • 30 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR

Professor Ken Birman LINUX / C++ PROTECTION FEATURES CS4414 Lecture 26 CORNELL CS4414 - FALL 2020. 1 IDEA MAP FOR TODAY Firewalls Memory Protection Type Checking as a Protection Tool VMs and Containers Intel SGX Security CORNELL CS4414 -

595 views • 43 slides

More recommend