Preventing Internet Denial-of
Download
Report
Transcript Preventing Internet Denial-of
Preventing Internet Denial-ofService with Capabilities
Tom Anderson, David Wetherall
Univ. of Washington
Timothy Roscoe
Intel Research at Berkeley
7/17/2015
Anupam Chanda, Khaled Elmeleegy. Comp 629
1
Paper Summary
An approach to prevent DoS attacks
Nodes obtain “permission to send” from
destination
7/17/2015
Capabilities
Verification points enforce capabilities
Suitable for incremental deployment
Anupam Chanda, Khaled Elmeleegy. Comp 629
2
Overview
7/17/2015
Motivation
Related work
Proposed solution
Conclusion
Anupam Chanda, Khaled Elmeleegy. Comp 629
3
Motivation
DoS – flooding limited resource
Anomaly detection
Automated response – often shutdown
New applications likely to be anomalous
“Normal” traffic could be an attack
7/17/2015
CPU/Memory on hosts, routers, firewalls
CodeRed virus
Anupam Chanda, Khaled Elmeleegy. Comp 629
4
Related Work
7/17/2015
Anupam Chanda, Khaled Elmeleegy. Comp 629
5
Source Address Filtering
At network ingress and egress points
Prevents spoofing attacks
However…
7/17/2015
Addresses with same n/w prefix can be
spoofed
Attacks often consist of legitimate packets
– hosts under a virus attack
Anupam Chanda, Khaled Elmeleegy. Comp 629
6
IP Traceback
7/17/2015
Traces the source of the attack
Detection rather than prevention
Can do post-mortem traceback
Marking of IP packets
Anupam Chanda, Khaled Elmeleegy. Comp 629
7
IP Traceback (contd.)
A1
R4
A2
A3
R5
R6
R2
R3
R1
V
7/17/2015
Anupam Chanda, Khaled Elmeleegy. Comp 629
8
Pushback
Pushback daemon
7/17/2015
Monitors traffic pattern
Rules to indicate DoS attack
Communicates with upstream routers
(pushback)
Upstream routers drop packets
Anupam Chanda, Khaled Elmeleegy. Comp 629
9
Anomaly Detection
Rule-based or statistical techniques
Malicious traffic detection
Install network filters
Emails to network administrators
Legitimate applications may trigger alerts
7/17/2015
Classify traffic as friendly/malicious
Application level end-to-end decision making is
required
Anupam Chanda, Khaled Elmeleegy. Comp 629
10
Overlay Filtering
Traffic rerouted through special nodes
Traffic passed through overlay
7/17/2015
Sophisticated analysis and filtering
Adds a secret to the packets
Downstream routers check for the secret
Similar to capability-based filtering which
adds nonce tokens in the capabilities
Anupam Chanda, Khaled Elmeleegy. Comp 629
11
Proposed Solution
7/17/2015
Anupam Chanda, Khaled Elmeleegy. Comp 629
12
System’s components
Request To Send (RTS) server
Verification Points (VP)
7/17/2015
Used by sources to get tokens to send
(capabilities)
Perform access control by verifying the
existence of a token in the packet
VPs are coupled with RTS servers, both
co-located with BGP speakers
Anupam Chanda, Khaled Elmeleegy. Comp 629
13
Obtaining permission to send
Autonomous Systems (AS) advertise they
want their inbound traffic filtered
7/17/2015
Augment BGP advertisement
Give the address of their RTS server
Any AS along the way may add its RTS to the
BGP advertisement
Source can discover a chain of RTS servers
through which it can send its request
Anupam Chanda, Khaled Elmeleegy. Comp 629
14
Token Generation and passing
Destination generates a hash chain
7/17/2015
64-bit one way hash values h1,h2…hk
Destination sends hk back to the source
through RTS servers
RTS servers and VPs remember the
token and associates it with the flow
Anupam Chanda, Khaled Elmeleegy. Comp 629
15
Sending with capabilities
Token (capability) allows source to send
n packets in t seconds
Source includes token in packets
VPs along the path validates the token
7/17/2015
If token found and is valid, increment
usage count
Else drop packet
Anupam Chanda, Khaled Elmeleegy. Comp 629
16
Acquiring new capabilities
(in band)
Could explicitly request new token
Destination sends hk-1 ( new capability) after
receiving nearly n packets
Source switches to use hk-1 for the next n
packets
VPs switch to hk-1.
7/17/2015
Bad performance (overhead)
They figure hk-1 as hk = hash(hk-1) (hash chain)
Anupam Chanda, Khaled Elmeleegy. Comp 629
17
Security issues
RTS servers control RTS pkt rates to
destinations
RTS servers are protected against flood
Tokens are difficult to guess
7/17/2015
Only accessed by nodes on the same AS or
another RTS servers
If you can sniff then you can disrupt the
communication anyway
Anupam Chanda, Khaled Elmeleegy. Comp 629
18
Conclusions
Explicit authorization scheme to address
DoS
Paper argued that the scheme other
than it solves the DoS problem, it is:
7/17/2015
Feasible
Incrementally deployable
No experiments, so no sense of added
overhead
Anupam Chanda, Khaled Elmeleegy. Comp 629
19
Questions ?
7/17/2015
Anupam Chanda, Khaled Elmeleegy. Comp 629
20