Advanced Network Security, Lecture 20: Basic Approaches to DDoS Defense
Peter Reiher, August 2014


Slide 2: Outline
- Basic DDoS defense approaches
- Some example DDoS defenses

Slide 3: Basic Approaches to DDoS Defense
- Don't let it happen at all
- Add resources to stay ahead of it
- Track attack streams to their source
  - And, presumably, stop them
- Filter attacks to remove attack traffic

Slide 4: Prevention
- It would be nice if attackers could not perpetrate DDoS attacks at all
- How to prevent them?
  - Hygiene approaches
  - Resource limitations
  - Hide from the attackers

Slide 5: Hygiene Approaches
1. Make protocols less susceptible to DDoS
2. Make computers harder to enlist as zombies
3. Close holes at potential targets that can be used for DDoS
- All these are good and worthy approaches
- None of them is enough in isolation
  - Hygiene alone hasn't solved any other computer security problem, and won't solve this one, either

Slide 6: Resource Limitations
- Don't allow an individual attack machine to use many of a target's resources
- Requires:
  - Authentication, or
  - Making the sender do special work (puzzles)
- Authentication schemes are often expensive for the receiver
- Existing legitimate senders are largely not set up to do special work
- Can still be overcome with a large enough army of zombies

Slide 7: Hiding From the Attacker
- Make it hard for anyone but legitimate clients to deliver messages at all
  - E.g., keep your machine's identity obscure
- A possible solution for some potential targets
  - But not for others, like public web servers
- To the extent that the approach relies on secrecy, it's fragile
  - Some approaches don't require secrecy

Slide 8: Resource Multiplication
- As attacker demands
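Slide 6 names "making the sender do special work (puzzles)" as one way to bound what a single machine can cost the target. The following is an added example, not part of the lecture, of a generic hash-based client puzzle; the nonce derivation, the load-based difficulty rule and all names are my assumptions rather than any specific published protocol. The point it makes concrete is the asymmetry Slide 6 relies on: the client spends roughly 2**k hashes, the server spends one HMAC and one hash, and because the nonce is derived rather than stored the server keeps no per-client state that a flood of puzzle requests could exhaust.

```python
import hashlib
import hmac
import struct

# Added example (not from the lecture): a hash-based client puzzle, one way to
# make the sender do special work before the target commits resources (Slide 6).
# The design is a generic illustration, not a specific published protocol:
#   server:  nonce = HMAC-SHA256(secret, client_id || epoch)   (derived, never stored)
#   client:  find x with SHA-256(nonce || x) having >= k leading zero bits (~2**k hashes)
#   server:  recompute nonce, one hash to check; reject stale epochs

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count

def puzzle_nonce(secret: bytes, client_id: str, epoch: int) -> bytes:
    """Stateless nonce: the server can recompute it, so it stores nothing per client."""
    msg = client_id.encode() + struct.pack(">Q", epoch)
    return hmac.new(secret, msg, "sha256").digest()

def puzzle_hash(nonce: bytes, x: int) -> bytes:
    return hashlib.sha256(nonce + struct.pack(">Q", x)).digest()

def difficulty_for_load(pending: int, capacity: int, base: int = 8, max_k: int = 20) -> int:
    """Raise k by one bit for every doubling of pending work beyond capacity (my rule, an assumption)."""
    k, ratio = base, pending / capacity
    while ratio > 1 and k < max_k:
        ratio /= 2
        k += 1
    return k

def solve_puzzle(nonce: bytes, k: int):
    """Client side: brute force x. Returns (solution, hashes_tried)."""
    x = 0
    while leading_zero_bits(puzzle_hash(nonce, x)) < k:
        x += 1
    return x, x + 1

def verify_solution(secret: bytes, client_id: str, epoch: int, k: int, x: int, now_epoch: int) -> bool:
    """Server side: bounded range check, freshness check, then one HMAC and one hash."""
    if not 0 <= x < 2**64:
        return False
    if not now_epoch - 1 <= epoch <= now_epoch:   # accept the current and previous epoch only
        return False
    return leading_zero_bits(puzzle_hash(puzzle_nonce(secret, client_id, epoch), x)) >= k

if __name__ == "__main__":
    secret = b"constructed-demo-secret"            # constructed; a real server draws this randomly
    k = difficulty_for_load(pending=800, capacity=100)   # heavy load -> k = 11
    nonce = puzzle_nonce(secret, "client-A", epoch=1000)
    x, tried = solve_puzzle(nonce, k)
    print(f"k={k} solved with x={x} after {tried} hashes")
    print("valid now:", verify_solution(secret, "client-A", 1000, k, x, now_epoch=1000))
    print("stale later:", verify_solution(secret, "client-A", 1000, k, x, now_epoch=1002))
```

The epoch check keeps a solved puzzle from being reused indefinitely, and raising k with load is what lets the same mechanism stay cheap for everyone when there is no attack. It does not change Slide 6's last bullet: a large enough army of zombies can still pay the puzzle cost, so this bounds per-machine cost rather than total cost.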
more resources, supply them
- Not always possible and usually expensive
- Not clear that the defender can keep ahead of the attacker
- But still a good step against limited attacks
  - Has sometimes worked in practice
  - And sometimes not
- More advanced versions use Akamai-like techniques

Slide 9: Trace and Stop Attacks
- Figure out which machines attacks come from
- Go to those machines (or near them) and stop the attacks
- Tracing is trivial if IP source addresses aren't spoofed
- Tracing may be possible even if they are spoofed
- May not have the ability/authority to do anything once you've found the attack machines
- Not too helpful if the attacker has a vast supply of machines

Slide 10: Filtering Attack Streams
- The basis for most defensive approaches
- Addresses the core of the problem by limiting the amount of work presented to the target
- Key question is: What do you drop?
  - Good solutions drop all (and only) attack traffic
  - Less good solutions drop some (or all) of everything

Slide 11: Filtering Versus Rate Limiting
- Filtering drops packets with particular characteristics
  - If you get the characteristics right, you do little collateral damage
  - But no guarantee you have dropped enough
- Rate limiting drops packets on the basis of the amount of traffic
  - Can thus assure the target is not overwhelmed
  - But may drop some good traffic
- Not really a hard-and-fast distinction

Slide 12: Where Do You Filter?
- Near the target?
- Near the source?
- In the network core?
- In multiple places?
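Slide 11's contrast between filtering and rate limiting, as an added example that is not from the lecture: a signature filter and a token-bucket rate limiter run over the same constructed packet stream. The traffic mix, the "signature" (40-byte packets with TTL 255) and the target's capacity of 6000 B/s are my assumptions. The stream carries 5000 B/s of legitimate traffic plus two floods, one that matches the signature and one that does not, so that each mechanism's failure mode from the slide shows up in the numbers.

```python
from dataclasses import dataclass

# Added example, not from the lecture: Slide 11's filtering-versus-rate-limiting
# contrast over a constructed stream. Attack "signature" and traffic mix are assumptions.

@dataclass(frozen=True)
class Packet:
    t: float      # arrival time, seconds
    src: str
    size: int     # bytes
    ttl: int
    legit: bool   # ground truth, known only because the stream is constructed

def build_stream(seconds: int = 10) -> list[Packet]:
    """Per second: 5000 B legitimate, 8000 B flood A (signature-matching), 3000 B flood B (looks legitimate)."""
    pkts = []
    for s in range(seconds):
        for i in range(10):    # legitimate: 10 x 500 B from five clients
            pkts.append(Packet(s + i / 10, f"10.0.0.{i % 5 + 1}", 500, 64, True))
        for i in range(200):   # flood A: 200 x 40 B with TTL 255, the characteristic we can filter on
            pkts.append(Packet(s + i / 200, f"198.51.100.{i % 50}", 40, 255, False))
        for i in range(50):    # flood B: 50 x 60 B with TTL 64, nothing to distinguish it
            pkts.append(Packet(s + i / 50, f"203.0.113.{i % 25}", 60, 64, False))
    pkts.sort(key=lambda p: p.t)
    return pkts

def signature_filter(pkts, matches=lambda p: p.size == 40 and p.ttl == 255):
    """Filtering: drop packets with particular characteristics, pass everything else."""
    return [(p, not matches(p)) for p in pkts]

def token_bucket(pkts, rate_bps: float, burst: int):
    """Rate limiting: pass a packet only if the bucket holds enough bytes, whoever sent it."""
    tokens, last = float(burst), pkts[0].t
    out = []
    for p in pkts:
        tokens = min(burst, tokens + (p.t - last) * rate_bps)
        last = p.t
        if tokens >= p.size:
            tokens -= p.size
            out.append((p, True))
        else:
            out.append((p, False))
    return out

def filter_then_limit(pkts, rate_bps: float, burst: int):
    """The two are not mutually exclusive (Slide 11): filter first, then cap what remains."""
    return token_bucket([p for p, ok in signature_filter(pkts) if ok], rate_bps, burst)

def summarize(decisions) -> dict:
    """Bytes delivered, the worst one-second bin, and the two costs the slide names."""
    per_second = {}
    passed_bytes = legit_dropped = attack_passed = 0
    for p, ok in decisions:
        if ok:
            passed_bytes += p.size
            per_second[int(p.t)] = per_second.get(int(p.t), 0) + p.size
            if not p.legit:
                attack_passed += 1
        elif p.legit:
            legit_dropped += 1
    return {"passed_bytes": passed_bytes,
            "peak_bytes_per_second": max(per_second.values(), default=0),
            "legit_dropped": legit_dropped, "attack_passed": attack_passed}

if __name__ == "__main__":
    stream = build_stream()
    print("filter only     :", summarize(signature_filter(stream)))
    print("rate limit only :", summarize(token_bucket(stream, 6000, 1500)))
    print("filter + limit  :", summarize(filter_then_limit(stream, 6000, 1500)))
```

The filter drops no legitimate packet but still delivers 8000 B/s to a 6000 B/s target because flood B has no characteristic to match on ("no guarantee you have dropped enough"); the bucket holds the peak under its cap but turns away legitimate 500-byte requests once the floods have drained it ("may drop some good traffic"). Combining them is the usual practice and is why the slide calls the distinction not hard and fast.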
Slides 13-16: Implications of Filtering Location Choices (built up over four slides)
Near target:
- Easier to detect attack
- Sees everything
- May be hard to prevent collateral damage
- May be hard to handle attack volume
- Good deployment incentive
Near source:
- May be hard to detect attack
- Doesn't see everything
- Easier to prevent collateral damage
- Easier to handle attack volume
- Poor deployment incentive
In core:
- Easier to handle attack volume
- Sees everything (with sufficient deployment)
- May be hard to prevent collateral damage
- May be hard to detect attack
- Poor deployment incentive

Slide 17: Example Defenses
- Pushback
- D-WARD
- NetBouncer
- SOS
- DefCOM

Slide 18: Pushback
- Goal: Preferentially drop attack traffic to relieve congestion
- Enable core routers to respond to congestion locally by:
  - Profiling traffic dropped by RED
  - Identifying high-bandwidth aggregates
  - Preferentially dropping aggregate traffic to enforce the desired bandwidth limit
- Pushback: A router identifies the upstream neighbors that forward the aggregate traffic to it, and requests that they deploy the rate limit

Slides 19-24: Pushback Example (animated network diagram; only the slide titles survive in this extraction)
Slide 25: Can It Work?
- Even a few core routers are able to control high-volume attacks
- Separation of traffic aggregates improves the current situation
  - Only traffic for the victim is dropped
  - Drops affect the part of the traffic that contains the attack traffic
- Likely to successfully control the attack, relieving congestion in the Internet
- Will inflict collateral damage on legitimate traffic

Slide 26: Advantages and Limitations
+ Routers can handle high traffic volumes
+ Deployment at a few core routers can affect many traffic flows, due to core topology
+ Simple operation, no overhead for routers
+ Pushback minimizes collateral damage by placing the response close to the sources
- Pushback only works in contiguous deployment
- Collateral damage is inflicted whenever attack traffic is not clearly separate from legitimate traffic
- Deployment requires modification of existing core routers and likely purchase of new hardware
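The Pushback mechanism of Slide 18 and the collateral-damage point of Slides 25 and 26, as one added example that is not from the lecture and not the Pushback authors' code. The model is my simplification: one congested router with three upstream neighbors, RED approximated by seeded random early drop at the excess fraction, aggregates keyed by destination /24, the aggregate's limit split max-min fairly among the upstreams that forward it, and each upstream enforcing its share in arrival order. The traffic is constructed: a flood toward one victim prefix arrives through two neighbors, while legitimate traffic to that same prefix arrives through all three.

```python
import ipaddress
import random
from collections import defaultdict
from dataclasses import dataclass

# Added example, not from the lecture: a simplified model of Pushback (Slides 18, 25, 26).
# Assumptions (mine): RED emulated by seeded random drops; aggregate = destination /24;
# limit split max-min fairly among upstream neighbors; enforcement in arrival order.

@dataclass(frozen=True)
class Packet:
    upstream: str   # which neighbor forwards it to the congested router
    dst: str
    size: int
    legit: bool     # ground truth, known only because the traffic is constructed

def prefix(dst: str) -> str:
    return str(ipaddress.ip_network(f"{dst}/24", strict=False))

def build_traffic() -> list[Packet]:
    """Constructed one-second window (21000 B offered to a 10000 B link). Victim prefix: 192.0.2.0/24."""
    pk = []
    for i in range(40):                                   # A: 8000 B flood plus 1000 B legit to the victim prefix
        if i % 8 == 0:
            pk.append(Packet("A", "192.0.2.20", 200, True))
        pk.append(Packet("A", "192.0.2.10", 200, False))
    pk += [Packet("A", "198.51.100.5", 200, True)] * 5
    pk += [Packet("B", "192.0.2.10", 200, False)] * 30    # B: 6000 B flood
    pk += [Packet("B", "198.51.100.7", 200, True)] * 10
    pk += [Packet("C", "192.0.2.30", 200, True)] * 5      # C: legitimate traffic only
    pk += [Packet("C", "203.0.113.9", 200, True)] * 10
    return pk

def profile_red_drops(pkts, capacity: int, seed: int = 1) -> dict:
    """Step 1 (Slide 18): emulate RED under overload and profile dropped bytes per destination prefix."""
    offered = sum(p.size for p in pkts)
    p_drop = max(0.0, 1 - capacity / offered)
    rng = random.Random(seed)
    drops = defaultdict(int)
    for p in pkts:
        if rng.random() < p_drop:
            drops[prefix(p.dst)] += p.size
    return dict(drops)

def identify_aggregate(drop_profile: dict, share: float = 0.5):
    """Step 2: the high-bandwidth aggregate, here the prefix behind more than `share` of the drops."""
    total = sum(drop_profile.values())
    for pfx, b in drop_profile.items():
        if total and b / total > share:
            return pfx
    return None

def aggregate_limit(pkts, agg, capacity: int) -> int:
    """Step 3: bandwidth limit for the aggregate so that everything arriving fits the link."""
    other = sum(p.size for p in pkts if prefix(p.dst) != agg)
    return max(0, capacity - other)

def pushback_requests(pkts, agg, limit) -> dict:
    """Step 4: ask the upstream neighbors forwarding the aggregate to rate-limit it (max-min fair split)."""
    demand = defaultdict(int)
    for p in pkts:
        if prefix(p.dst) == agg:
            demand[p.upstream] += p.size
    alloc, remaining, pending = {}, limit, dict(demand)
    while pending:
        share = remaining / len(pending)
        satisfied = {u: d for u, d in pending.items() if d <= share}
        if not satisfied:
            for u in pending:
                alloc[u] = share
            break
        for u, d in satisfied.items():
            alloc[u] = d
            remaining -= d
            del pending[u]
    return alloc

def apply_limits(pkts, agg, alloc: dict) -> list:
    """Step 5: each upstream enforces its allotment on aggregate traffic; other traffic is untouched."""
    budget, passed = dict(alloc), []
    for p in pkts:
        if prefix(p.dst) != agg:
            passed.append(p)
        elif budget.get(p.upstream, 0) >= p.size:
            budget[p.upstream] -= p.size
            passed.append(p)
    return passed

def run_pushback(capacity: int = 10000) -> dict:
    pkts = build_traffic()
    agg = identify_aggregate(profile_red_drops(pkts, capacity))
    alloc = pushback_requests(pkts, agg, aggregate_limit(pkts, agg, capacity))
    passed = apply_limits(pkts, agg, alloc)
    legit_to_agg = lambda ps: sum(p.size for p in ps if p.legit and prefix(p.dst) == agg)
    return {"aggregate": agg, "allocations": alloc,
            "passed_bytes": sum(p.size for p in passed),
            "attack_passed_bytes": sum(p.size for p in passed if not p.legit),
            "collateral_bytes": legit_to_agg(pkts) - legit_to_agg(passed)}

if __name__ == "__main__":
    print(run_pushback())
```

Two of the slides' claims are visible in the result. Only traffic for the victim prefix is touched and the link is no longer overloaded (Slide 25), and neighbor C, which forwards only legitimate traffic to the victim, gets its full demand under the max-min split, so placing the response upstream does reduce collateral damage (Slide 26). But neighbors A and B cannot tell the flood from the legitimate packets inside the same aggregate, so the legitimate traffic that shares a path with the attack is cut along with it, which is exactly the collateral damage Slide 26 lists as the mechanism's limitation.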