On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets
|
|
- Jacob Kelley
- 6 years ago
- Views:
Transcription
1 Kihong Park Heejo Lee On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets SIGCOMM'01 Presented by WeeSan Lee 10/28/2004
2 Outline Background Proactive Prevention vs Reactive Source ID Route-based Distributed Packet Filtering Performance Measures for DPF Performance Results Conclusion Pros & Cons Future Work 2
3 Outline Background Proactive Prevention vs Reactive Source ID Route-based Distributed Packet Filtering Performance Measures for DPF Performance Results Conclusion Pros & Cons Future Work 3
4 Background DoS Denial of Service Forge the source IP address Consume resources Processes (eg. Ping of Death) Network bandwidth (eg. Ping flood) Network connections (eg. SYN flood) Services becomes unavailable Impact QoS DDoS Distributed DoS From more than one host More severe impact 4
5 Outline Background Proactive Prevention vs Reactive Source ID Route-based Distributed Packet Filtering Performance Measures for DPF Performance Results Conclusion Pros & Cons Future Work 5
6 Proactive Prevention & Reactive Source ID Proactive Prevention Deploy filters Challenge: on which ASes? eg. vertex cover Reactive Source ID Locate the attackers Shut them down Catch the attackers Challenge: within small # of ASes, eg. 5 6
7 Outline Background Proactive Prevention vs Reactive Source ID Route-based Distributed Packet Filtering Performance Measures for DPF Performance Results Conclusion Pros & Cons Future Work 7
8 Route-based Distributed Packet Filtering AS7 forges AS2 address to attack AS4 AS6 filters attacked packets What if AS7 forges AS8 to attack AS4? 8
9 Route-based Distributed Packet Filtering (cont) AS1 attacks AS9 Filter on AS8, no spoof from AS6 & 7 Filter on AS8+AS3, no spoof from AS3-AS7 Single filter Distributed filter 9
10 Outline Background Proactive Prevention vs Reactive Source ID Route-based Distributed Packet Filtering Performance Measures for DPF Performance Results Conclusion Pros & Cons Future Work 10
11 Performance Measures for DPF Proactive Filtering Measures : the fraction of AS's that are immune from DoS attack. Perfect proactive, ie. ~1 when coverage ratio ~1 : the fraction of attack sites that is impossible to send spoofed IP packets to other ASes due to filtering. If, it means 90% of ASes can't be used to spoof IP packets. 11
12 Performance Measures for DPF (cont) Reactive Filtering Measure (AS Traceback) For example, means the fraction of attacked ASes that can traceback the attack location to within 5 possible attack ASes. 12
13 Outline Background Proactive Prevention vs Reactive Source ID Route-based Distributed Packet Filtering Performance Measures for DPF Performance Results Conclusion Pros & Cons Future Work 13
14 Performance Results Proactive Filtering Effect achieves 88% during Only 12% ASes left for attackers to spoof IP 14
15 Performance Results (cont) Reactive Filtering Effect (AS Traceback) Every attack can be traceback'd within 5 ASes Even increase the ASes by some factor c 15
16 Performance Results (cont) Maximal Filters vs Semi-maximal Filters Maximal filters use both src and dst Semi-maximal filters use only src Not much difference! 16
17 Performance Results (cont) Impact of Network Topology Random, Inet and Brite, and VC remains invariant over
18 Performance Results (cont) Random Topology Although VC, Reactive Filtering 18
19 Performance Results (cont) Inet Topology Generator VC ~50% larger, Inet performs better than Random 19
20 Performance Results (cont) Brite Topology Generator PC = 0, spatial proximity only PC = 1, power law on node degree distribution PC = 2, hybrid 20
21 Performance Results (cont) Brite Topology Generator Perform worst than Inet 21
22 Performance Results (cont) Ingress Filtering Protect itself from DoS, allow DoS within the AS Without Ingress Filtering Reactive Filtering increases to 20, ie. Proactive Filtering drops ~20% 22
23 Performance Results (cont) Multi-path Routing # of paths, Reactive and Proactive Filtering 23
24 Conclusion Deploy DPF on 18% of ASes, 88% of ASes are impossible to be used for DDoS Identify other DDoS within 5 ASes Filter performance depends on AS topology Vertex Cover Multi-path Routing Ingress Filtering is important as well Imply Inet is better than Brite? 24
25 Pros & Cons Scalable DDoS prevention architecture Systematic way to measure its performance Topology generators comparison Just a theory source reachability is not avail. in BGP Source ID in 5 ASes doesn't mean much Too many definitions & GRE words 25
26 Future Work Efficient implementation Costs associated with deployment & overhead 26
Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering. Heejo Lee
CERIAS Security Seminar Jan. 17, 2001 Distributed Denial-of-Service Attack Prevention using Route-Based Distributed Packet Filtering Heejo Lee heejo@cerias.purdue.edu Network Systems Lab and CERIAS This
More informationOverview of Sensor Network Routing Protocols. WeeSan Lee 11/1/04
Overview of Sensor Network Routing Protocols WeeSan Lee weesan@cs.ucr.edu 11/1/04 Outline Background Data-centric Protocols Flooding & Gossiping SPIN Directed Diffusion Rumor Routing Hierarchical Protocols
More informationSDN-based Network Obfuscation. Roland Meier PhD Student ETH Zürich
SDN-based Network Obfuscation Roland Meier PhD Student ETH Zürich This Talk This thesis vs. existing solutions Alice Bob source: Alice destination: Bob Hi Bob, Hi Bob, Payload encryption ǾǼōĦ
More informationDistributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by
More informationInterdomain Routing Design for MobilityFirst
Interdomain Routing Design for MobilityFirst October 6, 2011 Z. Morley Mao, University of Michigan In collaboration with Mike Reiter s group 1 Interdomain routing design requirements Mobility support Network
More informationNetwork Policy Enforcement
CHAPTER 6 Baseline network policy enforcement is primarily concerned with ensuring that traffic entering a network conforms to the network policy, including the IP address range and traffic types. Anomalous
More informationSecurity+ Guide to Network Security Fundamentals, Fourth Edition. Network Attacks Denial of service Attacks
Security+ Guide to Network Security Fundamentals, Fourth Edition Network Attacks Denial of service Attacks Introduction: What is DoS? DoS attack is an attempt (malicious or selfish) by an attacker to cause
More informationPERFORMANCE EVALUATION OF ROUTE-BASED DISTRIBUTED PACKET FILTERING FOR DDOS PREVENTION IN LARGE-SCALE NETWORKS. A Thesis. Submitted to the Faculty
PERFORMANCE EVALUATION OF ROUTE-BASED DISTRIBUTED PACKET FILTERING FOR DDOS PREVENTION IN LARGE-SCALE NETWORKS A Thesis Submitted to the Faculty of Purdue University by HyoJeong Kim In Partial Fulfillment
More informationBootstrapping evolvability for inter-domain routing with D-BGP. Raja Sambasivan David Tran-Lam, Aditya Akella, Peter Steenkiste
Bootstrapping evolvability for inter-domain routing with D-BGP Raja Sambasivan David Tran-Lam, Aditya Akella, Peter Steenkiste This talk in one slide Q What evolvability features needed in any inter-domain
More informationDetection of Spoofing Attacks Using Intrusive Filters For DDoS
IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.10, October 2008 339 Detection of Spoofing Attacks Using Intrusive Filters For DDoS V.Shyamaladevi Asst.Prof.Dept of IT KSRCT
More informationA Survey on Different IP Traceback Techniques for finding The Location of Spoofers Amruta Kokate, Prof.Pramod Patil
www.ijecs.in International Journal Of Engineering And Computer Science ISSN: 2319-7242 Volume 4 Issue 12 Dec 2015, Page No. 15132-15135 A Survey on Different IP Traceback Techniques for finding The Location
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationCSE Computer Security (Fall 2006)
CSE 543 - Computer Security (Fall 2006) Lecture 18 - Network Security November 7, 2006 URL: http://www.cse.psu.edu/~tjaeger/cse543-f06/ 1 Denial of Service Intentional prevention of access to valued resource
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationTo Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets. Xiaowei Yang Duke Unversity
To Filter or to Authorize: Network-Layer DoS Defense against Multimillion-node Botnets Xiaowei Yang Duke Unversity Denial of Service (DoS) flooding attacks Send packet floods to a targeted victim Exhaust
More informationOn the State of the Inter-domain and Intra-domain Routing Security
On the State of the Inter-domain and Intra-domain Routing Security Mingwei Zhang April 19, 2016 Mingwei Zhang Internet Routing Security 1 / 54 Section Internet Routing Security Background Internet Routing
More informationMitigating IP Spoofing by Validating BGP Routes Updates
IJCSNS International Journal of Computer Science and Network Security, VOL.9 No.5, May 2009 7 Mitigating IP Spoofing by Validating BGP Routes Updates Junaid Israr, Mouhcine Guennoun, and Hussein T. Mouftah
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action
More informationSurvey of Several IP Traceback Mechanisms and Path Reconstruction
Available online at www.worldscientificnews.com WSN 40 (2016) 12-22 EISSN 2392-2192 Survey of Several IP Traceback Mechanisms and Path Reconstruction Dr. M. Newlin Rajkumar 1,a, R. Amsarani 2,b, M. U.
More informationIllegitimate Source IP Addresses At Internet Exchange Points
Illegitimate Source IP Addresses At Internet Exchange Points @ DENOG8, Darmstadt Franziska Lichtblau, Florian Streibelt, Philipp Richter, Anja Feldmann 23.11.2016 Internet Network Architectures, TU Berlin
More informationDDOS Attack Prevention Technique in Cloud
DDOS Attack Prevention Technique in Cloud Priyanka Dembla, Chander Diwaker CSE Department, U.I.E.T Kurukshetra University Kurukshetra, Haryana, India Email: priyankadembla05@gmail.com Abstract Cloud computing
More informationLecture 10. Denial of Service Attacks (cont d) Thursday 24/12/2015
Lecture 10 Denial of Service Attacks (cont d) Thursday 24/12/2015 Agenda DoS Attacks (cont d) TCP DoS attacks DNS DoS attacks DoS via route hijacking DoS at higher layers Mobile Platform Security Models
More informationBGP Security. Kevin s Attic for Security Research
Kevin s Attic for Security Research kevinkoo001@gmail.com Table 1. BGP Operation (1): Concept & Topology 2. BGP Operation (2): Message Exchange, Format and Path Decision Algorithm 3. Potential Attacks
More informationUnicast Reverse Path Forwarding Loose Mode
The feature creates a new option for Unicast Reverse Path Forwarding (Unicast RPF), providing a scalable anti-spoofing mechanism suitable for use in multihome network scenarios. This mechanism is especially
More informationAn Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network
An Authentication Based Source Address Spoofing Prevention Method Deployed in IPv6 Edge Network Lizhong Xie, Jun Bi, and Jianpin Wu Network Research Center, Tsinghua University, Beijing, 100084, China
More informationControlling IP Spoofing Through Inter-Domain Packet Filters
Controlling IP Spoofing Through Inter-Domain Packet Filters Zhenhai Duan, Member, IEEE, Xin Yuan, Member, IEEE, and Jaideep Chandrashekar, Member, IEEE Abstract The Distributed Denial of Services (DDoS)
More informationDesign and development of the reactive BGP peering in softwaredefined routing exchanges
Design and development of the reactive BGP peering in softwaredefined routing exchanges LECTURER: HAO-PING LIU ADVISOR: CHU-SING YANG (Email: alen6516@gmail.com) 1 Introduction Traditional network devices
More informationDenial of Service (DoS) attacks and countermeasures
Dipartimento di Informatica Università di Roma La Sapienza Denial of Service (DoS) attacks and countermeasures Definitions of DoS and DDoS attacks Denial of Service (DoS) attacks and countermeasures A
More informationINTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY
Gayatri Chavan,, 2013; Volume 1(8): 832-841 T INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK RECTIFIED PROBABILISTIC PACKET MARKING
More informationAnalysis. Group 5 Mohammad Ahmad Ryadh Almuaili
Analysis Group 5 Mohammad Ahmad Ryadh Almuaili Outline Introduction Previous Work Approaches Design & Implementation Results Conclusion References WHAT IS DDoS? DDoS: Distributed denial of service attack
More informationA10 DDOS PROTECTION CLOUD
DATA SHEET A10 DDOS PROTECTION CLOUD A10 Networks provides full spectrum DDoS defenses. This includes multi-vector protection from attacks of any type to ensure the availability of enterprise business
More informationInternational Journal of Scientific & Engineering Research, Volume 7, Issue 12, December ISSN
International Journal of Scientific & Engineering Research, Volume 7, Issue 12, December-2016 360 A Review: Denial of Service and Distributed Denial of Service attack Sandeep Kaur Department of Computer
More informationFirewalls and NAT. Firewalls. firewall isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others.
Firews and NAT 1 Firews By conventional definition, a firew is a partition made of fireproof material designed to prevent the spread of fire from one part of a building to another. firew isolates organization
More informationChapter 7. Denial of Service Attacks
Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),
More informationAS Connectedness Based on Multiple Vantage Points and the Resulting Topologies
AS Connectedness Based on Multiple Vantage Points and the Resulting Topologies Steven Fisher University of Nevada, Reno CS 765 Steven Fisher (UNR) CS 765 CS 765 1 / 28 Table of Contents 1 Introduction
More informationDDoS and Traceback 1
DDoS and Traceback 1 Denial-of-Service (DoS) Attacks (via Resource/bandwidth consumption) malicious server legitimate Tecniche di Sicurezza dei Sistemi 2 TCP Handshake client SYN seq=x server SYN seq=y,
More informationIP Spoof Prevented Technique to Prevent IP Spoofed Attack
Available ONLINE www.visualsoftindia.com/vsrd/vsrdindex.html VSRD-TNTJ, Vol. I (3), 2010, 173-177 S H O R T C O M M U N I C A T I O N IP Spoof Prevented Technique to Prevent IP Spoofed Attack 1 Rajiv Ranjan*,
More informationSingle Packet IP Traceback in AS-level Partial Deployment Scenario
Single Packet IP Traceback in AS-level Partial Deployment Scenario Chao Gong, Trinh Le, Turgay Korkmaz, Kamil Sarac Department of Computer Science, University of Texas at San Antonio 69 North Loop 64 West,
More informationComputer Science Department University of California, Los Angeles. Problem Current countermeasures Our model Simulation & conclusions
Jiejun Kong, Mansoor Mirza,, James Shu,, Christian Yoedhana, Mario Gerla, Songwu Lu Computer Science Department University of California, Los Angeles Problem Current countermeasures Our model Simulation
More informationPIX-IE An SDN-based Programmable Internet exchange
PIX-IE An SDN-based Programmable Internet exchange Kazuya Okada The University of Tokyo/WIDE Project/NSPIXP Project okada@ecc.u-tokyo.ac.jp Internet2 1 Our Background Operating an academic IX (DIX-IE)
More informationA DoS-Resistant IP Traceback Approach. Bao-Tung Wang, Henning Schulzrinne IRT, Columbia University Friday, September 12, 2003
A DoS-Resistant I Traceback Approach Bao-Tung Wang, Henning Schulzrinne IRT, Columbia University Friday, September 12, 2003 Overview Definitions ICM Messages I Traceback Using Messages Evaluations Conclusion
More informationSoftware Systems for Surveying Spoofing Susceptibility
Software Systems for Surveying Spoofing Susceptibility Matthew Luckie, Ken Keys, Ryan Koga, Bradley Huffaker, Robert Beverly, kc claffy https://spoofer.caida.org/ NANOG68, October 18th 2016 www.caida.o
More informationDenial of Service, Traceback and Anonymity
Purdue University Center for Education and Research in Information Assurance and Security Denial of Service, Traceback and Anonymity Clay Shields Assistant Professor of Computer Sciences CERIAS Network
More informationQoS Services with Dynamic Packet State
QoS Services with Dynamic Packet State Ion Stoica Carnegie Mellon University (joint work with Hui Zhang and Scott Shenker) Today s Internet Service: best-effort datagram delivery Architecture: stateless
More informationRouting Support for Wide Area Network Mobility. Z. Morley Mao Associate Professor Computer Science and Engineering University of Michigan
Routing Support for Wide Area Network Mobility Z. Morley Mao Associate Professor Computer Science and Engineering University of Michigan 1 Outline Introduction Inter-AS Mobility Support Intra-AS Mobility
More informationQuery Control Mechanisms for the Zone Routing Protocol (ZRP)
Query Control Mechanisms for the Zone Routing Protocol (ZRP) Zygmunt J. Haas and Marc R. Pearlman Wireless Networks Laboratory Cornell University 9/3/98 SIGCOMM '98 1 Agenda Introduction - Routing in Mobile
More informationThe Protocols that run the Internet
The Protocols that run the Internet Attack types in the Internet Seminarvortrag Sommersemester 2003 Jens Gerken Content Internet Attacks Introduction Network Service Attacks Distributed Denial of Service
More informationUnicast Routing in Mobile Ad Hoc Networks. Dr. Ashikur Rahman CSE 6811: Wireless Ad hoc Networks
Unicast Routing in Mobile Ad Hoc Networks 1 Routing problem 2 Responsibility of a routing protocol Determining an optimal way to find optimal routes Determining a feasible path to a destination based on
More informationData Plane Protection. The googles they do nothing.
Data Plane Protection The googles they do nothing. Types of DoS Single Source. Multiple Sources. Reflection attacks, DoS and DDoS. Spoofed addressing. Can be, ICMP (smurf, POD), SYN, Application attacks.
More informationSDN Applications and Use Cases. Copyright 2015 ITRI
SDN Applications and Use Cases Copyright 20 ITRI Bachelor B Ph.D (IR) (ITRI) Engineer 20 Copyright 20 ITRI 2 Outline SDN Basics SDN Use Cases & Applications Google B WAN NEC VTN OpenDefenseFlow Firewall
More informationDenial of Service. Serguei A. Mokhov SOEN321 - Fall 2004
Denial of Service Serguei A. Mokhov SOEN321 - Fall 2004 Contents DOS overview Distributed DOS Defending against DDOS egress filtering References Goal of an Attacker Reduce of an availability of a system
More informationCheck Point DDoS Protector Simple and Easy Mitigation
Check Point DDoS Protector Simple and Easy Mitigation Jani Ekman janie@checkpoint.com Sales Engineer DDoS Protector 1 (D)DoS Attacks 2 3 4 DDoS Protector Behavioral DoS Protection Summary 2 What is an
More informationNetwork Security. Chapter 0. Attacks and Attack Detection
Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part
More informationRouting protocols in WSN
Routing protocols in WSN 1.1 WSN Routing Scheme Data collected by sensor nodes in a WSN is typically propagated toward a base station (gateway) that links the WSN with other networks where the data can
More informationImma Chargin Mah Lazer
Imma Chargin Mah Lazer How to protect against (D)DoS attacks Oliver Matula omatula@ernw.de #2 Denial of Service (DoS) Outline Why is (D)DoS protection important? Infamous attacks of the past What types
More informationCSE Computer Security
CSE 543 - Computer Security Lecture 22 - Denial of Service November 15, 2007 URL: http://www.cse.psu.edu/~tjaeger/cse543-f07/ 1 Denial of Service Intentional prevention of access to valued resource CPU,
More informationConfiguring Unicast RPF
20 CHAPTER This chapter describes how to configure Unicast Reverse Path Forwarding (Unicast RPF) on NX-OS devices. This chapter includes the following sections: Information About Unicast RPF, page 20-1
More informationA New Perspective in Defending against DDoS
A New Perspective in Defending against DDoS Shigang Chen Randy Chow Department of Computer & Information Science & Engineering University of Florida, Gainesville, FL 326, USA {sgchen, chow}@cise.ufl.edu
More informationConclusions and Future Scope. Chapter 7
Conclusions and Future Scope 1 Chapter 7 Conclusions and Future Scope 7.1 Summary of Experimental Finding The value of network simulator in the communication field is indispensible as they provide support
More informationCOMPUTER NETWORK SECURITY
COMPUTER NETWORK SECURITY Prof. Dr. Hasan Hüseyin BALIK (7 th Week) 7. Denial-of-Service Attacks 7.Outline Denial of Service Attacks Flooding Attacks Distributed Denial of Service Attacks Application Based
More informationA New Mechanism For Approach of IP Spoofers: Passive IP Traceback Using Backscatter Messages
A New Mechanism For Approach of IP Spoofers: Passive IP Traceback Using Backscatter Messages Dharam Pavithra 1, B. Narasimha Swamy 2, Dr.A. Sudhir Babu 3 1 M.Tech (CSE), 2 Sr.Assistant Professor, 3 Professor
More informationMITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK. J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy
MITIGATION OF DENIAL OF SERVICE ATTACK USING ICMP BASED IP TRACKBACK J. Gautam, M. Kasi Nivetha, S. Anitha Sri and P. Madasamy Department of Information Technology, Velammal College of Engineering and
More informationNetwork Security: Network Flooding. Seungwon Shin GSIS, KAIST
Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way
More informationAnalysis of GPS and Zone Based Vehicular Routing on Urban City Roads
Analysis of GPS and Zone Based Vehicular Routing on Urban City Roads Aye Zarchi Minn 1, May Zin Oo 2, Mazliza Othman 3 1,2 Department of Information Technology, Mandalay Technological University, Myanmar
More informationImpact of Hello Interval on Performance of AODV Protocol
Impact of Hello Interval on Performance of AODV Nisha Bhanushali Priyanka Thakkar Prasanna Shete ABSTRACT The multi-hop ad hoc networks are self organizing networks with dynamic topology. The reactive
More informationFortiDDoS Deployment Guide for Cloud Signaling with Verisign OpenHybrid
FortiDDoS Deployment Guide for Cloud Signaling with Verisign OpenHybrid FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com
More informationNetwork Configuration Example
Network Configuration Example Configuring Active Flow Monitoring Version 9 Modified: 2017-01-18 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net All
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. IP-level vulnerabilities
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2014 www.cs.cmu.edu/~prs/15-441-f14 Yes: Creating a secure channel for communication (Part I) Protecting
More informationDefending of IP Spoofing by Ingress Filter in Extended-Inter Domain Packet Key Marking System
I. J. Computer Network and Information Security, 2013, 5, 47-54 Published Online April 2013 in MECS (http://www.mecs-press.org/) DOI: 10.5815/ijcnis.2013.05.06 Defending of IP Spoofing by Ingress Filter
More informationEXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS
EXPERIMENTAL STUDY OF FLOOD TYPE DISTRIBUTED DENIAL-OF- SERVICE ATTACK IN SOFTWARE DEFINED NETWORKING (SDN) BASED ON FLOW BEHAVIORS Andry Putra Fajar and Tito Waluyo Purboyo Faculty of Electrical Engineering,
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationCredit-Based Authorization
Credit-Based Authorization draft-vogt-mipv6-credit-based-authorization Christian Vogt, chvogt@tm.uka.de Jari Arkko, jari.arkko@nomadiclab.com Roland Bless, bless@tm.uka.de Mark Doll, doll@tm.uka.de Tobias
More informationDDoS Testing with XM-2G. Step by Step Guide
DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial
More informationFlashback.. Internet design goals. Security Part One: Attacks and Countermeasures. Why did they leave it out? Security Vulnerabilities
Flashback.. Internet design goals Security Part One: Attacks and Countermeasures 15-441 With slides from: Debabrata Dash,Nick Feamster, Vyas Sekar 15-411: F08 security 1 1. Interconnection 2. Failure resilience
More informationRealizing a Source Authentic Internet
Realizing a Source Authentic Internet Toby Ehrenkranz 1, Jun Li 1, and Patrick McDaniel 2 1 Department of Computer and Information Science University of Oregon Eugene, OR 97403 USA tehrenkr,lijun@cs.uoregon.edu
More informationARDA Program: P2INGS (Proactive And Predictive Information Assurance For Next Generation Systems)
ARDA Program: P2INGS (Proactive And Predictive Information Assurance For Next Generation Systems) Abhrajit Ghosh Sudha Ramesh Scott Alexander, Giovanni DiCrescenzo PI: Rajesh Talpade CEWAS background DETER
More informationSecurity Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest (Cisco ASR 920)
Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Everest 16.5.1 (Cisco ASR 920) First Published: 2017-05-06 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San
More informationChapter 3 Part 2 Switching and Bridging. Networking CS 3470, Section 1
Chapter 3 Part 2 Switching and Bridging Networking CS 3470, Section 1 Refresher We can use switching technologies to interconnect links to form a large network What is a hub? What is a switch? What is
More informationGLOBAL INTERNET ROUTING FORENSICS Validation of BGP Paths using ICMP Traceback
Chapter 14 GLOBAL INTERNET ROUTING FORENSICS Validation of BGP Paths using ICMP Traceback Eunjong Kim, Dan Massey and Indrajit Ray Abstract The Border Gateway Protocol (BGP), the Internet's global routing
More informationLive Demo: Top Deployed SD-WAN Use Cases
#FutureWAN Live Demo: Top Deployed SD-WAN Use Cases David Klebanov @DavidKlebanov david@viptela.com Demonstration Topology and Customer Journey Internet Palo Alto Firewall Hub 1 Snort IDS Cloud From MPLS
More informationDefending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Paper by Rocky K C Chang, The Hong Kong Polytechnic University Published in the October 2002 issue of IEEE Communications
More informationSecurity Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series)
Security Configuration Guide: Unicast Reverse Path Forwarding, Cisco IOS XE Fuji 16.7.x (NCS 4200 Series) First Published: 2017-12-24 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San
More informationSun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1
Sun Mgt Bonus Lab 2: Zone and DoS Protection on Palo Alto Networks Firewalls 1 Overview Denial of Service (DoS) and Distributed Denial of Service (DDoS) types of attack are attempts to disrupt network
More informationDistributed Denial of Service
Distributed Denial of Service John Ioannidis ji@research.att.com AT&T Labs Research Joint work with Steve Bellovin, Matt Blaze (AT&T), Sally Floyd, Vern Paxson, Scott Shenker (ICIR), Ratul Mahajan (University
More informationProceedings of the 9th USENIX Security Symposium
USENIX Association Proceedings of the 9th USENIX Security Symposium Denver, Colorado, USA August 14 17, 2000 THE ADVANCED COMPUTING SYSTEMS ASSOCIATION 2000 by The USENIX Association All Rights Reserved
More informationPeer-to-peer systems and overlay networks
Complex Adaptive Systems C.d.L. Informatica Università di Bologna Peer-to-peer systems and overlay networks Fabio Picconi Dipartimento di Scienze dell Informazione 1 Outline Introduction to P2P systems
More informationTowards a Robust Protocol Stack for Diverse Wireless Networks Arun Venkataramani
Towards a Robust Protocol Stack for Diverse Wireless Networks Arun Venkataramani (in collaboration with Ming Li, Devesh Agrawal, Deepak Ganesan, Aruna Balasubramanian, Brian Levine, Xiaozheng Tie at UMass
More informationDefeating Reflector Based Denial-of-Service Attacks using Single Packet Filters
Defeating Reflector Based Denial-of-Service Attacks using Single Packet Filters Ashok Singh Sairam ashok@iitp.ac.in Dept. of Computer Science and Engineering Indian Institute of Technology Patna Late Ashish
More informationDDoS Defense Mechanisms for IXP Infrastructures
DDoS Defense Mechanisms for IXP Infrastructures Tim Dijkhuizen Lennart van Gijtenbeek Supervisor: Stavros Konstantaras (AMS-IX) SNE: Research Project II 03-07-2018 Introduction Distributed Denial of Service
More informationData Sheet. DPtech Anti-DDoS Series. Overview. Series
Data Sheet DPtech Anti-DDoS Series DPtech Anti-DDoS Series Overview DoS (Denial of Service) leverage various service requests to exhaust victims system resources, causing the victim to deny service to
More informationDefenses against Wormhole Attack
Defenses against Wormhole Attack Presented by: Kadhim Hayawi, ID: 20364216 COURSE PRESENTATION FOR ECE750 - INTELLIGENT SENSORS AND SENSOR NETWORKS Prof. Otman A. Basir Outline Introduction Packet Leashes
More informationThe Internet is not always a friendly place In fact, hosts on the Internet are under constant attack How to deal with this is a large topic
CSE 123 Computer Networking Fall 2009 Network security NAT, Firewalls, DDoS Geoff Voelker Network security The Internet is not always a friendly place In fact, hosts on the Internet are under constant
More informationData Plane Monitoring in Segment Routing Networks Faisal Iqbal Cisco Systems Clayton Hassen Bell Canada
Data Plane Monitoring in Segment Routing Networks Faisal Iqbal Cisco Systems (faiqbal@cisco.com) Clayton Hassen Bell Canada (clayton.hassen@bell.ca) Reference Topology & Conventions SR control plane is
More informationSpoofer Location Detection Using Passive Ip Trace back
Spoofer Location Detection Using Passive Ip Trace back 1. PALDE SUDHA JYOTHI 2. ARAVA NAGASRI 1.Pg Scholar, Department Of ECE, Annamacharya Institute Of Technology And Sciences,Piglipur, Batasingaram(V),
More informationCollective responsibility for security and resilience of the global routing system
Collective responsibility for security and resilience of the global routing system Phil Roberts roberts@isoc.org Andrei Robachevsky www.internetsociety.org Let us look at the problem
More informationPart I. Wireless Communication
1 Part I. Wireless Communication 1.5 Topologies of cellular and ad-hoc networks 2 Introduction Cellular telephony has forever changed the way people communicate with one another. Cellular networks enable
More informationAPT: A Practical Transit-Mapping Service Overview and Comparisons
APT: A Practical Transit-Mapping Service Overview and Comparisons draft-jen-apt Dan Jen, Michael Meisel, Dan Massey, Lan Wang, Beichuan Zhang, and Lixia Zhang The Big Picture APT is similar to LISP at
More informationSENSS: Software-defined Security Service
SENSS: Software-defined Security Service Minlan Yu University of Southern California Joint work with Abdulla Alwabel, Ying Zhang, Jelena Mirkovic 1 Growing DDoS Attacks Average monthly size of DDoS attacks
More informationAparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India
Capturing the Origins of IP Spoofers Using Passive IP Traceback Aparna Rani Dept. of Computer Network Engineering Poojya Doddappa Appa College of Engineering Kalaburagi, Karnataka, India aparna.goura@gmail.com
More informationChapter 10: Denial-of-Services
Chapter 10: Denial-of-Services Technology Brief This chapter, "Denial-of-Service" is focused on DoS and Distributed Denial-of-Service (DDOS) attacks. This chapter will cover understanding of different
More information