Panel: Current Research


Panel: Current Research on Stopping Unwanted Traffic
Vern Paxson, Stefan Savage, Helen J. Wang
IAB Workshop on Unwanted Traffic
March 10, 2006
Unwanted Traffic
• From the end host perspective
– (D)DoS on a service
– Exploit traffic attacking end host vulnerabilities
– Botnet traffic
– Undesirable application data, e.g., spam
• From the network perspective
– Unwanted traffic to end systems +
– Attacks on the network service
• Flooding a link
– Attacks to the network operations
• E.g., BGP prefix spoofing/hijacking, router compromise
The Economy behind
Unwanted Traffic
• Stefan to fill in
• Botnet/software-flaw economy
General Approaches
• Stop the known bad
• Uncover the new bad
• Filtering as close to the attack source as possible
• Increase the cost of unwanted
• The cost of solution should be less than the cost of DoS [Simon et al 06]
End-Host: DDoS on a Service
• Challenge: DDoS and flash crowd hard to distinguish
• Detect and eliminate zombie requests
– CAPTCHA
– Pi
– Botz-4-Sale (NSDI 2005)
– BINDER (Usenix 2005)
• Same solution as flash crowd
– Akamai
End-Host: Exploit Traffic
• Network intrusion detection systems
– Bro, Snort
• Fast attack signature generation
– EarlyBird (OSDI 04), AutoGraph (Usenix Security 04)
• Attack traffic analysis
– Backscatter, Internet background radiation, Witty worm analysis
• Undermining the attacks on end hosts
– StackGuard, ASLR, ISR, program shepherding (Usenix Security 02), control flow integrity
• Reduce the attack surface
– Off by default! (HotNets 05), separate client/server address space (Handley, et al FDNA 04)
• Automatic response to fast-spreading worms
– TaintCheck, Vigilante
• Detecting new vulnerabilities
– TaintCheck (NDSS 04), Minos, Vigilante (SOSP 05), HoneyMonkey (NDSS 06)
• Vulnerability-driven filtering
– Shield (SIGCOMM 04), BrowserShield (06 under submission)
• Honeyfarm
– Roleplayer, Potemkin, vGround
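The slide lists vulnerability-driven filtering (Shield-style) beside signature-based detection without showing what separates them. The following is an added example, not code from the slides or from Shield/Bro/Snort: a constructed toy protocol with a hypothetical fixed-size buffer, one filter that matches a byte pattern an earlier attack happened to carry, and one that checks the vulnerability condition itself (field longer than the buffer). The wire format, the 64-byte limit, the message types and all sample messages are assumptions made for the example.

```python
"""
Added example (not from the slides): exploit-signature filtering versus
vulnerability-driven filtering over a constructed toy protocol.
"""
import struct
from dataclasses import dataclass
from typing import Dict, Tuple

# Toy framing: 1-byte message type, 2-byte big-endian payload length, payload.
HEADER = struct.Struct("!BH")
MSG_LOGIN = 1          # hypothetical message whose payload is copied into a fixed buffer
MSG_PING = 2           # hypothetical message that is handled safely at any length
BUFFER_LIMIT = 64      # hypothetical size of the vulnerable buffer in the toy server

# Byte pattern one past attack used; a signature filter keys on this, not on the bug.
EXPLOIT_SIGNATURE = b"\x90" * 8


@dataclass
class Verdict:
    allowed: bool
    reason: str


def parse_message(raw: bytes) -> Tuple[int, bytes]:
    """Parse the toy framing; raise ValueError on truncated or inconsistent input."""
    if len(raw) < HEADER.size:
        raise ValueError("truncated header")
    msg_type, length = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("declared length exceeds available bytes")
    return msg_type, payload


def signature_filter(raw: bytes) -> Verdict:
    """Content-signature approach: block only if the known pattern appears anywhere."""
    if EXPLOIT_SIGNATURE in raw:
        return Verdict(False, "matched exploit signature")
    return Verdict(True, "no signature match")


def vulnerability_filter(raw: bytes) -> Verdict:
    """Vulnerability-driven approach: parse the protocol and block on the bug's trigger
    condition (LOGIN payload longer than the buffer), independent of payload bytes."""
    try:
        msg_type, payload = parse_message(raw)
    except ValueError as exc:
        return Verdict(False, f"malformed message: {exc}")
    if msg_type == MSG_LOGIN and len(payload) > BUFFER_LIMIT:
        return Verdict(False, f"LOGIN payload {len(payload)} > buffer {BUFFER_LIMIT}")
    return Verdict(True, "within vulnerability bounds")


def build(msg_type: int, payload: bytes) -> bytes:
    """Encode a toy message (constructed test data)."""
    return HEADER.pack(msg_type, len(payload)) + payload


# Constructed sample traffic.
SAMPLES: Dict[str, bytes] = {
    "benign_login": build(MSG_LOGIN, b"alice"),
    "known_overflow": build(MSG_LOGIN, EXPLOIT_SIGNATURE + b"A" * 100),
    "variant_overflow": build(MSG_LOGIN, b"B" * 100),            # same bug, new bytes
    "long_ping": build(MSG_PING, EXPLOIT_SIGNATURE + b"C" * 100),  # pattern, no bug
}


def evaluate(samples: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Return (signature_allowed, vulnerability_allowed) per sample."""
    return {
        name: (signature_filter(raw).allowed, vulnerability_filter(raw).allowed)
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate(SAMPLES).items():
        print(f"{name:18s} signature_allowed={verdicts[0]} vulnerability_allowed={verdicts[1]}")
```

The two filters disagree on exactly the cases that matter: the signature filter passes the variant that triggers the same bug with different bytes and blocks a harmless PING that merely contains the old pattern, while the vulnerability filter is tied to the buffer limit and so is unaffected by payload rewriting. It also rejects malformed framing rather than guessing, which is the usual cost of this approach: it needs a protocol parser.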
End-Host: Spam
• New e-mail client
• Spam filtering
–…
EndHost: Outgoing Attack Traffic
• BINDER
• Vern to fill out
Network: Unwanted Traffic from End Systems
• Infer application-unwanted traffic:
– Packet Symmetry (HotNets 05)
• Applications need to be DoS-aware
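Packet symmetry is named on the slide as a way to infer unwanted traffic without knowing the application. The following is an added example, not code from the slides or from the Packet Symmetry (HotNets 05) paper: it applies a simplified version of the idea to constructed flow records, giving each sender a budget of outbound packets that grows with the packets its peer sends back, and flagging sources whose sending cannot be justified by replies. The flow records, the base allowance of 10 and the reply multiplier of 4 are assumptions chosen for illustration, not values from the paper.

```python
"""
Added example (not from the slides or the Packet Symmetry paper): a simplified
packet-symmetry check over constructed flow records.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple


class Flow(NamedTuple):
    src: str
    dst: str
    pkts_out: int   # packets src -> dst
    pkts_in: int    # packets dst -> src


# Assumed policy parameters (not from the paper).
BASE_ALLOWANCE = 10    # unanswered packets any sender may emit (handshakes, retries)
REPLY_MULTIPLIER = 4   # additional sends earned per packet received from the peer


def symmetry_budget(pkts_in: int) -> int:
    """Outbound packets a sender may justify given what its peer sent back."""
    return BASE_ALLOWANCE + REPLY_MULTIPLIER * pkts_in


def flow_excess(flow: Flow) -> int:
    """Packets beyond the symmetry budget for this flow (0 when within budget)."""
    return max(0, flow.pkts_out - symmetry_budget(flow.pkts_in))


def flag_sources(flows: Iterable[Flow]) -> Dict[str, int]:
    """Aggregate excess per source address; return only sources over budget.

    A gateway or host agent could feed this into per-source rate limiting,
    which is the mitigation the packet-symmetry idea motivates.
    """
    excess: Dict[str, int] = defaultdict(int)
    for flow in flows:
        excess[flow.src] += flow_excess(flow)
    return {src: value for src, value in excess.items() if value > 0}


# Constructed flow records: one ordinary client, one unanswered probe within
# allowance, one source flooding two peers that barely answer, one symmetric peer.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.0.5", "198.51.100.7", pkts_out=120, pkts_in=95),
    Flow("10.0.0.5", "198.51.100.8", pkts_out=6, pkts_in=0),
    Flow("10.0.0.9", "203.0.113.20", pkts_out=5000, pkts_in=3),
    Flow("10.0.0.9", "203.0.113.21", pkts_out=2000, pkts_in=0),
    Flow("10.0.0.12", "203.0.113.30", pkts_out=40, pkts_in=40),
]


if __name__ == "__main__":
    for src, value in flag_sources(SAMPLE_FLOWS).items():
        print(f"{src}: {value} packets beyond symmetry budget")
```

The check needs no knowledge of the application: the ordinary web session and the symmetric exchange pass because their peers answer, the unanswered probe stays inside the base allowance, and only the source whose thousands of packets draw almost no replies is flagged. The parameters trade false positives (legitimate one-way traffic such as streaming or backups) against sensitivity, which is why the slide's next point is that applications themselves need to be DoS-aware.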
Network: Bandwidth Attacks
• First goal: defeat low cost DDoS attacks where a single compromised machine sends many DoS messages
• Deadlock (Greenhalgh, et al SRUTI 05)
– No source address spoofing because of no filtering mechanism
– Little deployment of ingress filtering because of no source address spoofing
– No automated filtering because attacks could source-address spoof to bypass it
• Greenhalgh et al SRUTI 05
– Server-net filtering mechanism using routing/tunneling assuming no source spoofing
• Internet Accountability (Simon et al 06 under submission)
– Ingress filtering among “good” ISPs, others’ traffic marked with “evil” bit with worse treatment during peak traffic
– Filtering infrastructure
Network: Bandwidth Attacks
• IP traceback
• IP pushback
• New capability infrastructure to the Internet:
– SIFF (Oakland 04), Yang et al SIGCOMM 05
Network: Attacks on Operations
• Securing BGP
– SPV (Sigcomm 04)
Acknowledgement
• This slide deck benefited from discussions with Adam M. Costello, Sharad Agarwal, and Dan Simon.