 You should worry if you are below this point
 Your projected and optimistically projected grades should be in the grade center soon
  o Projected: your current weighted score / 30 * 100
  o Optimistic: (your current weighted score + 70) / 100
  o Just for your feedback
 Quiz 1 is posted
  o Do it before your lab slot but after this week’s lab lecture
  o Open book, open notes, unlimited time
  o You will do the same version again after your lab – to be posted soon. Better score counts.
 Don’t allow an individual attack machine to use many of a target’s resources
 Requires:
  o Authentication, or
  o Making the sender do special work (puzzles)
 Authentication schemes are often expensive for the receiver
 Existing legitimate senders are largely not set up to do special work
 Can still be overcome with a large enough army of zombies
 Make it hard for anyone but legitimate clients to deliver messages at all
 E.g., keep your machine’s identity obscure
 A possible solution for some potential targets
  o But not for others, like public web servers
 To the extent that the approach relies on secrecy, it’s fragile
  o Some such approaches don’t require secrecy
 As the attacker demands more resources, supply them
 Essentially, never allow resources to be depleted
 Not always possible, usually expensive
 Not clear that the defender can keep ahead of the attacker
 But still a good step against limited attacks
 More advanced versions might use Akamai-like techniques (a large, geographically distributed serving infrastructure that absorbs the load)
 Figure out which machines attacks come from
 Go to those machines (or near them) and stop the attacks
 Tracing is trivial if IP source addresses aren’t spoofed
  o Tracing may be possible even if they are spoofed
 May not have the ability/authority to do anything once you’ve found the attack machines
 Not too helpful if the attacker has a vast supply of machines
 Dropping traffic is the basis for most defensive approaches
 Addresses the core of the problem by limiting the amount of work presented to the target
 Key question is:
  o What do you drop?
 Good solutions drop all (and only) attack traffic
 Less good solutions drop some (or all) of everything
 Filtering drops packets with particular characteristics
  o If you get the characteristics right, you do little collateral damage
  o At odds with the desire to drop all attack traffic
 Rate limiting drops packets on the basis of the amount of traffic
  o Can thus assure the target is not overwhelmed
  o But may drop some good traffic
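The trade-off in the two bullets above, worked on a constructed packet stream (this is an added example, not code from the lecture; the addresses, TTLs, sizes and the 10-packets-per-100 ms limit are all assumptions): a filter whose signature matches exactly the attack drops nothing legitimate, a sloppy signature (packet length only) also drops legitimate ACKs, and a content-blind rate limiter keeps the target under its budget but throws away legitimate packets in proportion to how much of the traffic is attack.

```python
"""Filtering vs. rate limiting on a constructed packet stream (added example)."""
from collections import namedtuple

Packet = namedtuple("Packet", "t_us src ttl length legit")


def constructed_stream():
    """Constructed sample traffic, not a real capture. Times are microseconds
    within one second. Legitimate: 40 data packets and 10 small ACKs from
    10.0.0.0/24, TTL 64. Attack: 160 spoofed 40-byte packets with a fixed,
    unusual TTL of 250 (the bots all sit the same distance away)."""
    legit = [Packet(i * 25_000, f"10.0.0.{i + 1}", 64, 512, True) for i in range(40)]
    acks = [Packet(i * 100_000 + 50_000, f"10.0.0.{i + 1}", 64, 40, True) for i in range(10)]
    attack = [Packet(j * 6_250, f"198.51.100.{j % 254 + 1}", 250, 40, False)
              for j in range(160)]
    return sorted(legit + acks + attack, key=lambda p: p.t_us)  # stable sort


def characteristic_filter(packets, is_attack):
    """Filtering: drop every packet matching the signature predicate `is_attack`."""
    return [p for p in packets if not is_attack(p)]


def window_rate_limit(packets, limit, window_us=100_000):
    """Rate limiting: keep at most `limit` packets per fixed window, whatever
    they contain. Guarantees the target sees <= limit per window."""
    used = {}
    kept = []
    for p in packets:
        w = p.t_us // window_us
        if used.get(w, 0) < limit:
            used[w] = used.get(w, 0) + 1
            kept.append(p)
    return kept


def collateral(packets, kept):
    """Return (legitimate packets dropped, attack packets let through)."""
    legit_total = sum(1 for p in packets if p.legit)
    legit_kept = sum(1 for p in kept if p.legit)
    return legit_total - legit_kept, len(kept) - legit_kept


def compare():
    """Run the three responses and report (legit dropped, attack passed) for each."""
    stream = constructed_stream()
    right_sig = lambda p: p.ttl == 250 and p.length == 40   # exactly the attack
    sloppy_sig = lambda p: p.length == 40                   # also hits legitimate ACKs
    return {
        "filter, right signature": collateral(stream, characteristic_filter(stream, right_sig)),
        "filter, sloppy signature": collateral(stream, characteristic_filter(stream, sloppy_sig)),
        "rate limit 10 pkts/100 ms": collateral(stream, window_rate_limit(stream, 10)),
    }


if __name__ == "__main__":
    for name, (legit_dropped, attack_passed) in compare().items():
        print(f"{name:28s} legit dropped={legit_dropped:3d} attack passed={attack_passed:3d}")
```

The rate limiter never lets more than 100 packets through, so the target survives, but 30 of the 50 legitimate packets go with them; the signature filter loses nothing as long as the signature is right, and the sloppy one shows how fast that guarantee evaporates.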
[Figure: where should the defense be deployed – near the source, in the network core, near the target, or in multiple places?]
Where to deploy            Near target               Near source               In core
Detecting the attack       Easier to detect          May be hard to detect     May be hard to detect
Seeing the traffic         Sees everything           Doesn’t see everything    Sees everything (with sufficient deployment)
Collateral damage          May be hard to prevent    Easier to prevent         May be hard to prevent
Handling attack volume     May be hard to handle     Easier to handle          Easier to handle
 Have a database of attack signatures
 Detect anomalous behavior
  o By measuring some parameters for a long time and setting a baseline
     Detecting when their values are abnormally high
  o By defining which behavior must be obeyed, starting from some protocol specification
 Devise filters that encompass most of the anomalous traffic
 Drop everything but give priority to legitimate-looking traffic
  o It has some parameter values
  o It has certain behavior
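Both detection styles from the bullets above, as an added example (not lecture code; the counters, the mean-plus-three-standard-deviations rule, the SYN-to-completed-handshake ratio and the thresholds are assumptions): a baseline is learned from a quiet training period, a later window is checked against it, and a specification-derived rule (a TCP client that sends SYNs should complete handshakes) is used to turn the alarm into a filter on specific sources.

```python
"""Baseline (statistical) and specification-based anomaly detection over
constructed per-second counters (added example)."""
import statistics


def build_baseline(training_counts, k=3.0):
    """Learn a threshold from a quiet training period: mean + k*stddev."""
    mean = statistics.fmean(training_counts)
    sd = statistics.pstdev(training_counts)
    return mean + k * sd


def volume_anomalies(counts, threshold):
    """Indices of intervals whose value is abnormally high."""
    return [i for i, c in enumerate(counts) if c > threshold]


def handshake_violators(flows, max_ratio=3.0, min_syns=20):
    """Specification-based check: TCP says a client that sends a SYN should finish
    the handshake. flows maps src -> (syns_sent, handshakes_completed)."""
    bad = []
    for src, (syns, done) in flows.items():
        if syns >= min_syns and (done == 0 or syns / done > max_ratio):
            bad.append(src)
    return sorted(bad)


def derive_filter(flows, counts, threshold):
    """Combine both detectors into a drop list: only act on sources when the
    volume detector also fires, so a quiet period never produces drops."""
    if not volume_anomalies(counts, threshold):
        return []
    return handshake_violators(flows)


# Constructed data (not measurements): 60 s of quiet SYN/s counts, then a window
# in which the rate jumps, plus per-source handshake counters for that window.
TRAINING = [12 + (i * 7) % 5 for i in range(60)]            # values 12..16
WINDOW = [13, 15, 14, 120, 140, 16]
FLOWS = {
    "10.0.0.5": (40, 38),        # normal client
    "10.0.0.7": (5, 0),          # too few SYNs to judge
    "198.51.100.2": (50, 10),    # completes 1 in 5: suspicious
    "203.0.113.9": (300, 0),     # never completes: classic SYN flood source
}

if __name__ == "__main__":
    thr = build_baseline(TRAINING)
    print("threshold", round(thr, 2), "anomalous seconds", volume_anomalies(WINDOW, thr))
    print("drop", derive_filter(FLOWS, WINDOW, thr))
```

The baseline here lands a little above 18 SYN/s, so seconds 3 and 4 of the window trip it; the handshake rule then names the two sources to filter while leaving the normal client and the source with too little evidence alone.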
 Need for a distributed response
 Economic and social factors
 Lack of detailed attack information
 Lack of defense system benchmarks
 Difficulty of large-scale testing
 Moving target
 Attacker sends lots of TCP SYN packets
  o Victim replies with a SYN-ACK and allocates space in memory for the half-open connection
  o Attacker never replies
  o Goal is to fill up memory before entries time out and get deleted
 Usually spoofed traffic
  o Otherwise patterns may be used for filtering
  o The OS at the attacker or at the spoofed address may send a RST and free up the memory
 Effective defense against TCP SYN flood
  o Victim encodes connection information and time in the initial sequence number of its SYN-ACK; the client echoes that value (plus one) as the ACK number of its final ACK
  o Must be hard to craft values that get encoded into the same ACK number – use crypto (a keyed hash) for the encoding
  o Memory is only reserved when the final ACK comes
 Only the server must change
  o But TCP options carried in the SYN are not supported (the server keeps no state in which to remember them)
  o And lost SYN-ACKs are not retransmitted (the server has no state from which to resend them)
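The scheme described above, as an added example in code (not kernel or lecture code; the bit layout, the per-minute counter, the MSS table and the secret are assumptions). The server computes the SYN-ACK sequence number from the connection 4-tuple, a coarse time counter and a keyed hash, stores nothing, and on the final ACK recomputes the hash to decide whether to allocate the connection:

```python
"""SYN cookies: stateless encoding of connection state in the SYN-ACK's initial
sequence number (added example modelled on the scheme in the slide; layout and
MSS table are assumptions, not any particular kernel's)."""
import hashlib
import hmac
import time

SECRET = b"per-boot server secret (assumption)"
MSS_TABLE = (536, 1220, 1440, 1460)   # 4 coarse MSS classes -> 2 bits


def current_count():
    """Coarse time counter (one tick per minute), kept to 5 bits in the cookie."""
    return int(time.time() // 60) & 0x1F


def _mac(saddr, daddr, sport, dport, count):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(saddr, daddr, sport, dport, client_mss, count):
    """Server: compute the ISN for the SYN-ACK; nothing is stored.
    32-bit layout: 5 bits count | 2 bits MSS class | 25 bits keyed hash."""
    count &= 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return (count << 27) | (mss_idx << 25) | (_mac(saddr, daddr, sport, dport, count) & 0x1FFFFFF)


def check_cookie(saddr, daddr, sport, dport, ack_num, now_count, max_age=2):
    """Server: validate the final ACK (client echoes ISN+1). Returns the MSS to
    use for the connection, or None if the cookie is stale or forged. Only now
    is memory allocated for the connection."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 25) & 0x3
    age = ((now_count & 0x1F) - count) & 0x1F
    if age > max_age:
        return None                                       # too old (or from the future)
    if (cookie & 0x1FFFFFF) != (_mac(saddr, daddr, sport, dport, count) & 0x1FFFFFF):
        return None                                       # not generated by us for this 4-tuple
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Walk through a legitimate handshake and three bad final ACKs."""
    c, s = ("198.51.100.7", 40000), ("192.0.2.10", 443)
    isn = make_cookie(c[0], s[0], c[1], s[1], 1460, 100)
    ack = (isn + 1) & 0xFFFFFFFF
    return {
        "legit": check_cookie(c[0], s[0], c[1], s[1], ack, 100),
        "next_tick": check_cookie(c[0], s[0], c[1], s[1], ack, 101),
        "stale": check_cookie(c[0], s[0], c[1], s[1], ack, 105),
        "other_src": check_cookie("198.51.100.8", s[0], c[1], s[1], ack, 100),
        "tampered": check_cookie(c[0], s[0], c[1], s[1], ack + 1, 100),
    }


if __name__ == "__main__":
    print(handshake_demo())
```

Note what the layout costs: the client's MSS survives only as a 2-bit class, and any other option in the SYN is gone, which is exactly the limitation in the last two bullets above.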
 Overwhelm routers
  o Create a lot of pps (packets per second)
  o Exhaust CPU
  o Most routers can’t handle a full bandwidth’s load of small packets (the per-packet cost dominates)
 No real solution, must filter packets somehow to reduce router load
 Periodically slam the victim with short, high-volume pulses
  o Leads to congestion drops on clients’ TCP traffic
  o TCP backs off
  o If loss is large, TCP times out and restarts with a window of 1 MSS per RTT
  o Attacker slams again after a few RTTs
 Solution requires TCP protocol changes
  o Tough to implement since clients must be changed
 Generate legitimate application traffic to the victim
  o E.g., DNS requests, Web requests
  o Usually not spoofed
  o If enough bots are used no client appears too aggressive
  o Really hard to filter since both traffic and client behavior seem identical between attackers and legitimate users
 Generate service requests to public servers spoofing the victim’s IP
  o Servers reply back to the victim, overwhelming it
  o Usually done for UDP and ICMP traffic (each spoofed TCP SYN draws back only a small SYN-ACK, so a reflected SYN flood would overwhelm the victim’s CPU only if a huge number of packets is generated)
  o Often takes advantage of an amplification effect – some service requests lead to huge replies; this lets the attacker amplify his attack
 Pushback
 Traceback
 SOS
 Proof-of-work systems

“Controlling high bandwidth aggregates in the network,” Mahajan, Bellovin, Floyd, Paxson, Shenker, ACM CCR, July 2002
 Goal: preferentially drop attack traffic to relieve congestion
 Local ACC (aggregate congestion control): enable core routers to respond to congestion locally by:
  o Profiling traffic dropped by RED
  o Identifying high-bandwidth aggregates
  o Preferentially dropping aggregate traffic to enforce the desired bandwidth limit
 Pushback: a router identifies the upstream neighbors that forward the aggregate traffic to it and requests that they deploy the rate limit
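The local ACC steps and the pushback request, as an added toy model of the algorithm (not the paper’s or any router’s code; the /24 destination aggregate, the “more than half of the dropped bytes” rule, the 90% target utilization and the packet records are assumptions). The router profiles what RED dropped, picks the aggregate responsible, computes the limit that makes the remaining load fit the link, and splits that limit across the upstream interfaces carrying the aggregate:

```python
"""Local ACC and pushback as the slide describes (added example, a toy model
of the algorithm; thresholds and packet records are assumptions)."""
from collections import defaultdict
import ipaddress


def aggregate_of(dst, prefixlen=24):
    """Aggregate = destination prefix (assumption: /24), the usual DDoS aggregate."""
    return str(ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False))


def profile_drops(dropped):
    """Step 1: profile the packets RED dropped, bytes per aggregate."""
    prof = defaultdict(int)
    for p in dropped:
        prof[aggregate_of(p["dst"])] += p["len"]
    return dict(prof)


def high_bandwidth_aggregates(profile, share=0.5):
    """Step 2: aggregates responsible for more than `share` of dropped bytes
    (assumption: one simple threshold)."""
    total = sum(profile.values())
    return sorted(a for a, b in profile.items() if b > share * total)


def rate_limit_for(aggregate, arrivals, link_bps, interval_s, target_util=0.9):
    """Step 3: the limit (bit/s) the aggregate must be held to so that all
    arrivals fit into target_util of the link; other traffic is left alone."""
    bps = lambda pkts: sum(p["len"] for p in pkts) * 8 / interval_s
    excess = bps(arrivals) - target_util * link_bps
    agg_bps = bps([p for p in arrivals if aggregate_of(p["dst"]) == aggregate])
    return agg_bps if excess <= 0 else max(0.0, agg_bps - excess)


def pushback_requests(aggregate, arrivals, limit_bps):
    """Pushback: split the limit among the upstream interfaces that carry the
    aggregate, proportionally to their contribution; each neighbour is asked
    to rate-limit the aggregate to its share."""
    by_if = defaultdict(int)
    for p in arrivals:
        if aggregate_of(p["dst"]) == aggregate:
            by_if[p["in_if"]] += p["len"]
    total = sum(by_if.values())
    return {i: limit_bps * b / total for i, b in sorted(by_if.items())}


def constructed_interval():
    """Constructed one-second interval on a 10 Mbit/s link (not a trace):
    1000 attack packets to 192.0.2.0/24 via eth1/eth2 (12 Mbit/s) and two
    legitimate aggregates (2.4 and 0.4 Mbit/s). RED dropped a sample of each."""
    attack = [{"dst": f"192.0.2.{i % 200 + 1}", "len": 1500, "in_if": "eth1" if i < 600 else "eth2"}
              for i in range(1000)]
    legit_a = [{"dst": f"203.0.113.{i % 50 + 1}", "len": 1000, "in_if": "eth3"} for i in range(300)]
    legit_b = [{"dst": f"198.51.100.{i % 10 + 1}", "len": 500, "in_if": "eth3"} for i in range(100)]
    arrivals = attack + legit_a + legit_b
    dropped = attack[::3] + legit_a[::5] + legit_b[::10]
    return arrivals, dropped


def run(link_bps=10_000_000, interval_s=1.0):
    """Profile -> identify -> limit -> pushback, for one interval."""
    arrivals, dropped = constructed_interval()
    plan = {}
    for agg in high_bandwidth_aggregates(profile_drops(dropped)):
        limit = rate_limit_for(agg, arrivals, link_bps, interval_s)
        plan[agg] = (limit, pushback_requests(agg, arrivals, limit))
    return plan


if __name__ == "__main__":
    for agg, (limit, reqs) in run().items():
        print(f"limit {agg} to {limit / 1e6:.1f} Mbit/s; ask upstream: {reqs}")
```

Only the victim’s aggregate is limited (to 6.2 Mbit/s here), the two legitimate aggregates keep their full rate, and eth1 and eth2 are each asked to enforce their 60%/40% share. The collateral damage the next slide warns about sits inside that one aggregate: legitimate packets to 192.0.2.0/24 are cut along with the attack.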
 Even a few core routers are able to control high-volume attacks
 Separation of traffic aggregates improves the current situation
  o Only traffic for the victim is dropped
  o Drops affect a portion containing the attack traffic
 Likely to successfully control the attack, relieving congestion in the Internet
 Will inflict collateral damage on legitimate traffic
+ Routers can handle high traffic volumes
+ Deployment at a few core routers can affect many traffic flows, due to core topology
+ Simple operation, no overhead for routers
+ Pushback minimizes collateral damage by placing the response close to the sources
– Pushback only works in contiguous deployment
– Collateral damage is inflicted by the response whenever the attack is not clearly separable
– Requires modification of existing core routers

“Practical network support for IP Traceback,” Savage, Wetherall, Karlin, Anderson, ACM SIGCOMM 2000
 Goal: locate the agent machines
 Each packet header may carry a mark, containing:
  o EdgeID (IP addresses of the routers) specifying an edge it has traversed
  o The distance from the edge
 Routers mark packets probabilistically
 If a router detects a half-marked packet (containing only one IP address) it will complete the mark
 Victim under attack reconstructs the path from the marked packets
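The marking and reconstruction described above, as an added simulation (not the paper’s or any router’s code; the five-router topology, two agents, marking probability 0.2 and 2000 packets per agent are assumptions). Each router either starts a fresh edge with probability p, completes a half-marked edge it receives, and otherwise just counts the hop; the victim sorts the collected edges by distance and walks them outward:

```python
"""Edge-sampling probabilistic packet marking and victim-side path
reconstruction, modelled on Savage et al. (added example: a toy simulation of
the algorithm, not router code; topology and marking probability are assumptions)."""
import random

VICTIM = "victim"


def router_mark(mark, router, p, rng):
    """One router's treatment of the (start, end, distance) mark field."""
    if rng.random() < p:
        return (router, None, 0)              # start a new edge here
    start, end, dist = mark
    if start is None:
        return mark                           # unmarked packet: leave it alone
    if dist == 0 and end is None:
        end = router                          # half-marked: complete the edge
    return (start, end, dist + 1)             # always count the hop


def forward(path, p, rng):
    """Send one attack packet over `path` (attacker side first) to the victim."""
    mark = (None, None, 0)
    for router in path:
        mark = router_mark(mark, router, p, rng)
    return mark


def reconstruct(marks):
    """Victim: rebuild the attack tree. In a mark (start, end, d), `end` is d hops
    from the victim and `start` one hop farther; end=None means the victim itself."""
    upstream = {}                             # (node, d) -> routers one hop upstream
    for start, end, dist in marks:
        if start is None:
            continue
        upstream.setdefault((end or VICTIM, dist), set()).add(start)
    paths = []

    def walk(node, dist, path):
        nexts = upstream.get((node, dist))
        if not nexts:
            paths.append(path)
            return
        for n in sorted(nexts):
            walk(n, dist + 1, path + [n])

    walk(VICTIM, 0, [])
    return paths


def simulate(packets_per_agent=2000, p=0.2, seed=1):
    """Two agents, one four hops away and one three hops away, sharing R3->R5.
    Returns the reconstructed paths, victim-side router first."""
    rng = random.Random(seed)
    paths = [["R1", "R2", "R3", "R5"], ["R4", "R3", "R5"]]   # assumed topology
    marks = [forward(path, p, rng) for path in paths for _ in range(packets_per_agent)]
    return reconstruct(marks)


if __name__ == "__main__":
    print(simulate())
```

The edge farthest from the victim is the rarest: it survives only when R1 marks and the three routers after it do not (0.2 × 0.8³ ≈ 10% of packets), which is why reconstruction needs packets in the thousands and why the same scheme struggles once many agents share few marks.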
 Traceback does nothing to stop DDoS attacks
 It only identifies attackers’ true locations
  o Comes to a vicinity of the attacker
 If IP spoofing were not possible in the Internet, traceback would not be necessary
 There are other approaches to filter out spoofed traffic
 Incrementally deployable, a few disjoint routers can provide beneficial information
 Moderate router overhead (packet modification)
 A few thousand packets are needed even for long path reconstruction
 Does not work well for highly distributed attacks
 Path reassembly is computationally demanding and is not 100% accurate:
  o Path information cannot be used for legal purposes
 Routers close to the sources can efficiently block attack traffic, minimizing collateral damage
+ Incrementally deployable
+ Effective for non-distributed attacks and for highly overlapping attack paths
+ Facilitates locating routers close to the sources
– Packet marking incurs overhead at routers, must be performed on the slow path
– Path reassembly is complex and prone to errors
– Reassembly of distributed attack paths is prohibitively expensive

“SOS: Secure Overlay Services,” Keromytis, Misra, Rubenstein, ACM SIGCOMM 2002
 Goal: route only “verified user” traffic to the server, drop everything else
 Clients use an overlay network to reach the server
 Clients are authenticated at the overlay entrance, their packets are routed to proxies
 A small set of proxies are “approved” to reach the server, all other traffic is heavily filtered out
 User first contacts nodes that can check its legitimacy and let it access the overlay – access points
 An overlay node uses the Chord overlay routing protocol to send the user’s packets to a beacon
 Beacon sends packets to a secret servlet
 Secret servlets tunnel packets to the firewall
 Firewall only lets through packets with the IP of a secret servlet
  o Secret servlets’ identities have to be hidden, because their source address is a passport for the realm beyond the firewall
  o Beacons are nodes that know the identity of secret servlets
 If a node fails, other nodes can take its role
 SOS successfully protects communication with a private server:
  o Access points can distinguish legitimate from attack communications
  o Overlay protects the traffic flow
  o Firewall drops attack packets
 Redundancy in the overlay and secrecy of the path to the target provide security against DoS attacks on SOS itself
+ Ensures communication of “verified users” with the victim
+ Resilient to overlay node failure
+ Resilient to DoS on the defense system
– Does not work for public services
– Traffic routed through the overlay travels on a suboptimal path
– Brute force attack on the links leading to the firewall is still possible

“Client puzzles: A cryptographic countermeasure against connection depletion attacks,” Juels, Brainard, NDSS 1999
 Goal: defend against connection depletion attacks
 When under attack:
  o Server distributes small cryptographic puzzles to clients requesting service
  o Clients spend resources to solve the puzzles
  o A correct solution, submitted on time, leads to state allocation and connection establishment
  o Non-validated connection packets are dropped
 Puzzle generation is stateless
 Client cannot reuse puzzle solutions
 Attacker cannot make use of intercepted packets
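The puzzle exchange above, as an added example (not the paper’s construction verbatim and not lecture code: it is reduced to a single hash puzzle, and the secret, counter, nonce and 16-bit difficulty are assumptions). The server derives a secret value from the request with a keyed hash, hands the client that value with its low bits hidden plus the hash of the full value, and later recomputes rather than stores anything; a short-lived set of accepted solutions is what stops reuse:

```python
"""Stateless client puzzles for connection depletion, modelled on the
Juels-Brainard construction (added example; simplified to a single hash
puzzle, with assumed parameters)."""
import hashlib
import hmac
import os


def _preimage(secret, count, client_id, nonce):
    """Server-side secret value x, derived (not stored) from the request."""
    msg = f"{count}|{client_id}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def issue_puzzle(secret, count, client_id, bits, nonce=None):
    """Server, under attack: hand out x with its low `bits` bits hidden plus H(x).
    `count` is a coarse time counter; no state is kept per puzzle."""
    nonce = nonce if nonce is not None else os.urandom(8).hex()
    x = int.from_bytes(_preimage(secret, count, client_id, nonce), "big")
    mask = (1 << bits) - 1
    return {"count": count, "nonce": nonce, "bits": bits,
            "partial": x & ~mask,
            "target": hashlib.sha256(x.to_bytes(32, "big")).digest()}


def solve_puzzle(puzzle):
    """Client: brute-force the hidden bits (2^bits hashes in the worst case)."""
    for guess in range(1 << puzzle["bits"]):
        cand = (puzzle["partial"] | guess).to_bytes(32, "big")
        if hashlib.sha256(cand).digest() == puzzle["target"]:
            return guess
    return None


def verify_solution(secret, now_count, client_id, puzzle, solution, seen, max_age=1):
    """Server: recompute x and compare; reject stale puzzles and replays.
    `seen` is the server's short-lived set of accepted (count, client, nonce)."""
    if not 0 <= now_count - puzzle["count"] <= max_age:
        return False                                     # expired (or not yet valid)
    key = (puzzle["count"], client_id, puzzle["nonce"])
    if key in seen:
        return False                                     # solution replayed
    x = int.from_bytes(_preimage(secret, puzzle["count"], client_id, puzzle["nonce"]), "big")
    if solution != (x & ((1 << puzzle["bits"]) - 1)):
        return False                                     # wrong, or intercepted and forged
    seen.add(key)                                        # connection state allocated only now
    return True


def demo(secret=b"server secret (assumption)", bits=16):
    """One client solves a puzzle; then a replay, another client's reuse of the
    same solution and a late submission are all rejected."""
    client, other = "198.51.100.7:40000", "203.0.113.9:40000"
    seen = set()
    puzzle = issue_puzzle(secret, count=10, client_id=client, bits=bits, nonce="c0ffee")
    sol = solve_puzzle(puzzle)
    return {
        "first": verify_solution(secret, 10, client, puzzle, sol, seen),
        "replay": verify_solution(secret, 10, client, puzzle, sol, seen),
        "reused_by_other": verify_solution(secret, 10, other, puzzle, sol, seen),
        "late": verify_solution(secret, 12, client, puzzle, sol, seen),
    }


if __name__ == "__main__":
    print(demo())
```

The difficulty knob is `bits`: each extra bit doubles the client’s expected work while the server’s cost stays at one HMAC per verification, which is how the server controls its own resource consumption in the next slide. The `seen` set is the only per-connection state, and it is only written after a correct solution.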
 Client puzzles guarantee that each client has spent a certain amount of resources
 Server determines the difficulty of the puzzle according to its resource consumption
  o Effectively the server controls its resource consumption
 Protocol is safe against replay or interception attacks
 Other flooding attacks will still work
+ Forces the attacker to spend resources, protects server resources from depletion
+ Attacker can only generate a certain number of successful connections from one agent machine
+ Low overhead on the server
– Requires client modification
– Will not work against highly distributed attacks
– Will not work against bandwidth consumption attacks (the Defense By Offense paper changes this)