Download Lecture 9 - USC`s Center for Computer Systems Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
Document related concepts

Asynchronous Transfer Mode wikipedia , lookup

Peering wikipedia , lookup

Multiprotocol Label Switching wikipedia , lookup

Wireless security wikipedia , lookup

Remote Desktop Services wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Net bias wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Lag wikipedia , lookup

Deep packet inspection wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
Sample Research Defenses
•
•
•
•
•
•
Pushback
Traceback
SOS
Proof-of-work systems
Human behavior modeling
SENSS
Pushback
1
1”Controlling
high bandwidth aggregates in the network,”
Mahajan, Bellovin, Floyd, Paxson, Shenker, ACM CCR, July 2002
• Goal: Preferentially drop attack traffic to relieve
congestion
• Local ACC: Enable core routers to respond to
congestion locally by:
–
–
–
Profiling traffic dropped by RED
Identifying high-bandwidth aggregates
Preferentially dropping aggregate traffic to enforce
desired bandwidth limit
• Pushback: A router identifies the upstream
neighbors that forward the aggregate traffic to it,
requests that they deploy rate-limit
Can it Work?
• Even a few core routers are able to control highvolume attacks
• Separation of traffic aggregates improves current
situation
–
–
Only traffic for the victim is dropped
Drops affect a portion containing the attack traffic
• Likely to successfully control the attack, relieving
congestion in the Internet
• Will inflict collateral damage on legitimate traffic
Advantages and Limitations
+ Routers can handle high traffic volumes
+ Deployment at a few core routers can affect
many traffic flows, due to core topology
+ Simple operation, no overhead for routers
+ Pushback minimizes collateral damage by placing
response close to the sources
– Pushback only works in contiguous deployment
– Collateral damage is inflicted by response, whenever
attack is not clearly separable
– Requires modification of existing core routers
4
Traceback
1
1“Practical
network support for IP Traceback,” Savage, Wetherall, Karlin, Anderson,
ACM SIGCOMM 2000
• Goal: locate the agent machines
• Each packet header may carry a mark, containing:
–
–
EdgeID (IP addresses of the routers) specifying an edge it has
traversed
The distance from the edge
• Routers mark packets probabilistically
• If a router detects half-marked packet (containing only
one IP address) it will complete the mark
• Victim under attack reconstructs the path from the
marked packets
Traceback and IP Spoofing
• Traceback does nothing to stop DDoS attacks
• It only identifies attackers’ true locations
–
Comes to a vicinity of attacker
• If IP spoofing were not possible in the Internet,
traceback would not be necessary
• There are other approaches to filter out spoofed traffic
Can it Work?
• Incrementally deployable, a few disjoint routers can
provide beneficial information
• Moderate router overhead (packet modification)
• A few thousand packets are needed even for long path
reconstruction
• Does not work well for highly distributed attacks
• Path reassembly is computationally demanding, and is
not 100% accurate:
–
–
Path information cannot be used for legal purposes
Routers close to the sources can efficiently block attack traffic,
minimizing collateral damage
Advantages and Limitations
+ Incrementally deployable
+ Effective for non-distributed attacks and for highly
overlapping attack paths
+ Facilitates locating routers close to the sources
– Packet marking incurs overhead at routers, must
be performed at slow path
– Path reassembly is complex and prone to errors
– Reassembly of distributed attack paths is
prohibitively expensive
SOS
1“
1
SOS: Secure Overlay Services,” Keromytis, Misra, Rubensteain, ACM SIGCOMM 2002
• Goal: route only “verified user” traffic to the server,
drop everything else
• Clients use overlay network to reach the server
• Clients are authenticated at the overlay entrance, their
packets are routed to proxies
• Small set of proxies are “approved” to reach the server,
all other traffic is heavily filtered out
9
SOS
• User first contacts nodes that can check its legitimacy
and let him access the overlay – access points
• An overlay node uses Chord overlay routing
protocol to send user’s packets to a beacon
• Beacon sends packets to a secret servlet
• Secret servlets tunnel packets to the firewall
• Firewall only lets through packets with an IP
of a secret servlet
–
–
Secret servlet’s identity has to be hidden, because
their source address is a passport for the realm
beyond the firewall
Beacons are nodes that know the identity of secret servlets
• If a node fails, other nodes can take its role
10
Can It Work?
• SOS successfully protects communication with a
private server:
–
–
–
Access points can distinguish legitimate from attack
communications
Overlay protects traffic flow
Firewall drops attack packets
• Redundancy in the overlay and secrecy of the
path to the target provide security against DoS
attacks on SOS
11
Advantages And Limitations
+ Ensures communication of “verified user”
with the victim
+ Resilient to overlay node failure
+ Resilient to DoS on the defense system
– Does not work for public service
– Traffic routed through the overlay travels on
suboptimal path
– Brute force attack on links leading to the firewall still
possible
12
Client Puzzles
1
1“Client
puzzles: A cryptographic countermeasure against connection depletion attacks,”
Juels, Brainard, NDSS 1999
• Goal: defend against connection depletion attacks
• When under attack:
– Server distributes small cryptographic puzzles to
clients requesting service
– Clients spend resources to solve the puzzles
– Correct solution, submitted on time, leads to state
allocation and connection establishment
– Non-validated connection packets are dropped
• Puzzle generation is stateless
• Client cannot reuse puzzle solutions
• Attacker cannot make use of intercepted packets
13
Can It Work?
• Client puzzles guarantee that each client has spent a
certain amount of resources
• Server determines the difficulty of the puzzle
according to its resource consumption
– Effectively server controls its resource consumption
• Protocol is safe against replay or interception attacks
• Other flooding attacks will still work
14
Advantages And Limitations
+ Forces the attacker to spend resources, protects
server resources from depletion
+ Attacker can only generate a certain number of
successful connections from one agent machine
+ Low overhead on server
– Requires client modification
– Will not work against highly distributed attacks
– Will not work against bandwidth consumption
attacks (Defense By Offense paper changes this)
15
Human Behavior Modeling
1“Modeling
1
Human Behavior for Defense Against Flash Crowd Attacks”, Oikonomou, Mirkovic 2009.
• Goal: defend against flash-crowd attacks on Web
servers
• Model human behavior along three dimensions
– Dynamics of interaction with server (trained)
•
–
Semantics of interaction with server (trained)
•
–
Detect aggressive clients as attackers
Detect clients that browse unpopular content or use
unpopular paths as attackers
Processing of visual and textual cues
•
Detect clients that click on invisible or uninteresting
links as attackers
16
Can It Work?
• Attackers can bypass detection if they
– Act non-aggressively
– Use each bot for just a few requests, then replace it
• But this forces attacker to use many bots
– Tens to hundreds of thousands
– Beyond reach of most attackers
• Other flooding attacks will still work
17
Advantages And Limitations
+
+
–
–
–
–
Transparent to users
Low false positives and false negatives
Requires server modification
Server must store data about each client
Will not work against other flooding attacks
May not protect services where humans do not
generate traffic, e.g., DNS
18
SENSS: Security as a Service
1“Software-Defined
1
Security Service”, Yu, Zhang, Mirkovic, Alwabel, 2014.
• Goal: enable victim networks to request monitoring
and traffic/route control from remote network
• ISPs already support this through human channels
–
Software-Defined Networking (SDN) enables automated
support
Networks can only ask about their prefixes
–
ISPs can charge for service
–
19
Can It Work?
• Attackers cannot forge queries or replies
• Misbehaving ISPs cannot do anything worse than they
can today
• Small deployment (50-200 core networks) can protect
a large number of victims
• Attacks handled:
–
–
–
–
–
DDoS-with-signature
DDoS-without-signature (spoofed traffic)
Crossfire DDoS
Route blackholing
Route diversion
20
Advantages And Limitations
+
+
+
–
–
–
Easily supported by today’s router capabilities
Can handle a variety of attacks
Good economic model
Requires inter-network collaboration
Requires deployment at Internet core
Requires minor changes at routers
21
Related documents
Distributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS)
Document
Document
No Slide Title
No Slide Title
Secure Group Communications in Wireless Sensor Networks
Secure Group Communications in Wireless Sensor Networks
Presentation_Sharmistha_Roy
Presentation_Sharmistha_Roy
Forms of Network Attacks
Forms of Network Attacks
True/False: - UC Davis Computer Science
True/False: - UC Davis Computer Science
True/False: • When a client browser requests a web page and the
True/False: • When a client browser requests a web page and the
Malicious code, Mobile Code and Denial of Service attacks
Malicious code, Mobile Code and Denial of Service attacks
Building Survivable Systems based on Intrusion Detection and
Building Survivable Systems based on Intrusion Detection and
Detecting service violation in Internet and Mobile ad hoc networks
Detecting service violation in Internet and Mobile ad hoc networks
MPV2
MPV2
The Internet and Security
The Internet and Security
Subnetting
Subnetting
CS 494/594 Computer and Network Security - UTK-EECS
CS 494/594 Computer and Network Security - UTK-EECS
IIDPS: An Internal Intrusion Detection and
IIDPS: An Internal Intrusion Detection and
Supraventricular Tachycardia (SVT)
Supraventricular Tachycardia (SVT)
The Need for Security
The Need for Security
heart attack - Meridian Kinesiology
heart attack - Meridian Kinesiology
Attacks and Mitigations
Attacks and Mitigations
Network Support for IP Traceback - David Wetherall
Network Support for IP Traceback - David Wetherall
lecture6
lecture6