Panel: Current Research on Stopping Unwanted Traffic
Vern Paxson, Stefan Savage, Helen J. Wang
IAB Workshop on Unwanted Traffic
March 10, 2006
Unwanted Traffic
• From the end host perspective
– (D)DoS on a service
– Exploit traffic attacking end host vulnerabilities
– Botnet traffic
– Undesirable application data, e.g., spam
• From the network perspective
– Unwanted traffic to end systems +
– Attacks on the network service
• Flooding a link
– Attacks to the network operations
• E.g., BGP prefix spoofing/hijacking, router compromise
The Economy behind Unwanted Traffic
• Stefan to fill in
• Botnet/software-flaw economy
General Approaches
• Stop the known bad
• Uncover the new bad
• Filtering as close to the attack source as possible
• Increase the cost of unwanted
• The cost of the solution should be less than the cost of the DoS [Simon et al. 06]
End-Host: DDoS on a Service
• Challenge: DDoS and flash crowd are hard to distinguish
• Detect and eliminate zombie requests
– CAPTCHA
– Pi
– Botz-4-Sale (NSDI 2005)
– BINDER (Usenix 2005)
• Same solution as flash crowd
– Akamai
End-Host: Exploit Traffic
• Network intrusion detection systems
– Bro, Snort
• Fast attack signature generation
– EarlyBird (OSDI 04), AutoGraph (Usenix Security 04)
• Vulnerability-driven filtering
– Shield (SIGCOMM 04), BrowserShield (06 under submission)
• Detecting new vulnerabilities
– TaintCheck (NDSS 04), Minos, Vigilante (SOSP 05), HoneyMonkey (NDSS 06)
• Automatic response to fast-spreading worms
– TaintCheck, Vigilante
• Reduce the attack surface
– Off by default! (HotNets 05), separate client/server address space (Handley et al. FDNA 04)
• Undermining the attacks on end hosts
– StackGuard, ASLR, ISR, program shepherding (Usenix Security 02), control flow integrity
End-Host: Spam
• New e-mail client
• Spam filtering
–…
End-Host: Outgoing Attack Traffic
• BINDER
• Vern to fill out
Network: Unwanted Traffic from End Systems
• Infer application-unwanted traffic:
– Packet Symmetry (HotNets 05)
• Applications need to be DoS-aware
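The packet-symmetry idea on this slide is that a host whose outbound packets are rarely answered is probably generating traffic nobody asked for, and the network can throttle it without understanding the application. The following is an added illustration, not code from the slides or from the HotNets 05 paper: it counts sent and received packets per host over a constructed trace, scores each host with an assumed asymmetry metric log2((tx+1)/(rx+1)), and derives a rate-limit factor from the score. The metric, thresholds and addresses are assumptions chosen for the example.

```python
"""Packet-symmetry heuristic over a constructed packet trace (added example)."""
import math
from collections import defaultdict


def build_sample_packets():
    """Constructed trace of (src, dst) pairs: one balanced client/server
    conversation and one host flooding 50 destinations that barely answer."""
    pkts = []
    for _ in range(10):
        pkts.append(("10.0.0.5", "192.0.2.10"))   # client request
        pkts.append(("192.0.2.10", "10.0.0.5"))   # server reply
    for i in range(120):
        pkts.append(("10.0.0.9", f"198.51.100.{i % 50 + 1}"))  # unanswered flood
    pkts.append(("198.51.100.1", "10.0.0.9"))     # the rare reply
    pkts.append(("198.51.100.2", "10.0.0.9"))
    return pkts


SAMPLE_PACKETS = build_sample_packets()


def count_tx_rx(packets):
    """Per-host counters: host -> [packets sent, packets received]."""
    counts = defaultdict(lambda: [0, 0])
    for src, dst in packets:
        counts[src][0] += 1
        counts[dst][1] += 1
    return counts


def asymmetry(tx, rx):
    """Assumed metric: 0 for balanced traffic, strongly positive for a host
    that sends far more than it gets back. The +1 avoids division by zero."""
    return math.log2((tx + 1) / (rx + 1))


def flag_asymmetric_hosts(packets, threshold=3.0, min_tx=50):
    """Return {host: asymmetry} for hosts whose outbound traffic is both
    significant (at least min_tx packets) and unanswered (score >= threshold).
    The min_tx floor keeps a quiet host from being flagged on a handful of
    unanswered packets."""
    flagged = {}
    for host, (tx, rx) in count_tx_rx(packets).items():
        score = asymmetry(tx, rx)
        if tx >= min_tx and score >= threshold:
            flagged[host] = round(score, 2)
    return flagged


def rate_limit_factor(tx, rx, threshold=3.0):
    """Assumed response: scale a host's permitted send rate down as its
    asymmetry grows past the threshold, rather than cutting it off outright."""
    excess = asymmetry(tx, rx) - threshold
    return 1.0 if excess <= 0 else 1.0 / (2 ** excess)


if __name__ == "__main__":
    counts = count_tx_rx(SAMPLE_PACKETS)
    for host, score in flag_asymmetric_hosts(SAMPLE_PACKETS).items():
        tx, rx = counts[host]
        print(f"{host}: tx={tx} rx={rx} asymmetry={score} "
              f"rate factor={rate_limit_factor(tx, rx):.3f}")
```

On the constructed trace only 10.0.0.9 is flagged (120 sent, 2 received); the client and server exchange equal counts and score 0. In practice the counters would be kept per time window so a host that recovers is not throttled forever, and the threshold would be tuned against protocols that are legitimately one-sided, such as streaming or syslog export.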
Network: Bandwidth Attacks
• First goal: defeat low cost DDoS attacks where a single compromised machine sends many DoS messages
• Deadlock (Greenhalgh et al. SRUTI 05)
– No source address spoofing because of no filtering mechanism
– Little deployment of ingress filtering because of no source address spoofing
– No automated filtering because attacks could source-address spoof to bypass it
• Greenhalgh et al. SRUTI 05
– Server-net filtering mechanism using routing/tunneling assuming no source spoofing
• Internet Accountability (Simon et al. 06 under submission)
– Ingress filtering among “good” ISPs, others’ traffic marked with “evil” bit with worse treatment during peak traffic
– Filtering infrastructure
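The deadlock bullets and the accountability bullet both turn on ingress filtering: a customer-edge check that a packet's source address belongs to the prefix assigned to the port it arrived on, and a peering policy that marks traffic from ISPs that do not perform that check so it bears the loss during congestion. The following is an added example, not code from the slides or from the Simon et al. paper: it implements the edge check with the standard library, the marking step, and a strict-priority scheduler that drops marked packets first. The prefixes, AS numbers, the "evil" field name and the scheduler are assumptions chosen for illustration.

```python
"""Ingress filtering plus accountability marking and scheduling (added example)."""
import ipaddress

# Constructed topology: the prefix each customer-facing port is entitled to use.
CUSTOMER_PREFIXES = {
    "port1": ipaddress.ip_network("203.0.113.0/24"),
    "port2": ipaddress.ip_network("198.51.100.0/25"),
}

# Constructed: ISPs assumed (by agreement) to perform ingress filtering.
FILTERING_ISPS = {"AS64496", "AS64497"}


def ingress_filter(port, src):
    """Accept a packet only if its source lies in the prefix assigned to the
    port it arrived on; anything else is spoofed or misrouted and is dropped."""
    prefix = CUSTOMER_PREFIXES.get(port)
    return prefix is not None and ipaddress.ip_address(src) in prefix


def mark_at_peering(origin_isp, packet):
    """Accountability policy: traffic from an ISP outside the filtering set
    carries the 'evil' mark, because its source address cannot be trusted."""
    return dict(packet, evil=origin_isp not in FILTERING_ISPS)


def schedule_under_load(packets, capacity):
    """When demand exceeds capacity, forward unmarked packets first and let the
    marked ones absorb the loss. Returns (forwarded, dropped)."""
    if len(packets) <= capacity:
        return list(packets), []
    unmarked = [p for p in packets if not p["evil"]]
    marked = [p for p in packets if p["evil"]]
    ordered = unmarked + marked
    return ordered[:capacity], ordered[capacity:]


def demo():
    """Run constructed packets through both stages; returns counts for checking."""
    edge = [
        ("port1", "203.0.113.7"),     # legitimate
        ("port1", "192.0.2.44"),      # spoofed: not port1's prefix
        ("port2", "198.51.100.200"),  # outside the /25 assigned to port2
    ]
    edge_accepted = sum(1 for port, src in edge if ingress_filter(port, src))

    # Constructed arrivals at a congested link: two from filtering ISPs, two not.
    arrivals = [mark_at_peering("AS64496", {"src": "203.0.113.7"}),
                mark_at_peering("AS64511", {"src": "192.0.2.44"}),
                mark_at_peering("AS64497", {"src": "198.51.100.3"}),
                mark_at_peering("AS64511", {"src": "192.0.2.45"})]
    forwarded, dropped = schedule_under_load(arrivals, capacity=3)
    return {
        "edge_accepted": edge_accepted,
        "forwarded_unmarked": sum(1 for p in forwarded if not p["evil"]),
        "dropped_marked": sum(1 for p in dropped if p["evil"]),
    }


if __name__ == "__main__":
    print(demo())
```

The edge check is the part that breaks the deadlock: once it is in place, the automated filters the third bullet worries about can key on source addresses without being bypassed by spoofing. The marking step is what makes deployment attractive, since an ISP that filters sees its customers' traffic survive congestion that discards its neighbours'.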
Network: Bandwidth Attacks
• IP traceback (Savage et al SIGCOMM 00)
• IP pushback
• New capability infrastructure for the Internet:
– SIFF (Oakland 04), Yang et al. SIGCOMM 05
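IP traceback (Savage et al. SIGCOMM 00) lets a victim learn the route a flood took even when source addresses are spoofed, because routers probabilistically stamp packets with edge information and the victim assembles the edges. The following is an added example, not code from the slides or the paper: it simulates edge sampling along a constructed route, reconstructs the path at the victim, and shows why a forged mark cannot shorten the reconstructed path. Router addresses, the sampling probability and the mark layout (start, end, distance held as plain fields) are assumptions for illustration.

```python
"""Probabilistic edge marking and victim-side path reconstruction (added example)."""
import random
from dataclasses import dataclass


@dataclass
class Mark:
    start: str      # router that sampled the packet
    end: str        # next router downstream, filled in one hop later
    distance: int   # hops from the sampled edge to the victim


def mark_packet(path, p, rng, mark=None):
    """Forward one packet along `path` (attacker side first). Each router
    samples with probability p: it starts a new edge and resets the distance.
    Otherwise it completes a fresh edge (distance 0) and increments the distance.
    `mark` lets the caller begin with a forged mark to see what becomes of it."""
    for router in path:
        if rng.random() < p:
            mark = Mark(router, "", 0)
        elif mark is not None:
            if mark.distance == 0:
                mark.end = router
            mark.distance += 1
    return mark


def simulate_attack(path, n_packets, p=0.04, seed=1):
    """Constructed flood: n_packets over the same route; returns the marks that
    reach the victim (unmarked packets contribute nothing)."""
    rng = random.Random(seed)
    marks = [mark_packet(path, p, rng) for _ in range(n_packets)]
    return [m for m in marks if m is not None]


def reconstruct_path(marks):
    """Victim side: group marks by distance and chain the edges back toward the
    attacker. Returns the router list attacker-first, or None if the collected
    edges are incomplete or do not join up."""
    edges = {}
    for m in marks:
        edges.setdefault(m.distance, set()).add((m.start, m.end))
    if 0 not in edges:
        return None
    route = []
    for d in sorted(edges):  # distance 0 is the router next to the victim
        if len(edges[d]) != 1:
            return None      # conflicting edges at the same distance
        start, end = next(iter(edges[d]))
        if route and end != route[-1]:
            return None      # this edge does not join the one below it
        route.append(start)
    return list(reversed(route))


class _NeverSample:
    """Stub RNG for the forged-mark illustration: no router ever samples."""
    def random(self):
        return 1.0


def forged_mark_arrival(path, forged_start="203.0.113.9"):
    """A mark injected by the sender with distance 0 is incremented by every
    router it passes, so it arrives with distance >= len(path), beyond the
    genuine edges; it cannot displace the near-victim part of the route."""
    return mark_packet(path, 0.04, _NeverSample(), Mark(forged_start, "", 0))


if __name__ == "__main__":
    route = ["10.1.0.1", "10.2.0.1", "10.3.0.1", "10.4.0.1", "10.5.0.1"]
    print("reconstructed:", reconstruct_path(simulate_attack(route, 5000)))
    print("forged mark arrives as:", forged_mark_arrival(route))
```

With p around 1/25 and a five-router route, a few thousand packets are enough for every edge to be sampled many times, which is why the scheme suits floods rather than single packets. The forged-mark function shows the property the victim relies on: marks the sender fabricates can only add routers beyond the true path, so the portion nearest the victim is trustworthy even though the source address is not.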
Acknowledgement
• This slide deck benefited from discussions with Adam M. Costello, Sharad Agarwal, and Dan Simon.