Bao-Tung Wang, Henning Schulzrinne, IRT, Columbia University, Friday, September 12, 2003

Overview
- Definitions
- ICMP Caddie Messages
- IP Traceback Using Caddie Messages
- Evaluations
- Conclusion

Introduction
- DoS (Denial-of-Service)
- DDoS (Distributed DoS) Attacks: Direct DDoS, Reflective DDoS
- IP Traceback
[Figures: Direct DDoS Attack and Reflective DDoS Attack, showing the Attacker, Masters (Handlers), Slaves (Daemons) and the Victim.]
Proposed Solutions

DoS Attacks
- Targets: Network Connectivity, Network Bandwidth, Network Infrastructure
- Attacks: Packet Flooding, Packet Dropping
- Solutions: System Tuning, IP Traceback, Packet Filtering
IP traceback approaches compared by overhead (categories on the slide: Link Testing, Router Inference, Logging, Overlaying, In-Band Marking, Out-of-Band ICMP Messaging)
(A/B indicates the overhead in the network is A and that at the destination is B)

Category                      Scheme        Storage Overhead   Computation Overhead
Link Testing                  -             Low/Low            Low/Low
Logging                       SPIE          Very High/Low      Fair/Low
Overlaying                    CenterTrack   Low/Low            Low/Low
In-Band Marking               PPM           None/Very High     Low/Very High
In-Band Marking               AAM           Low/High           Low/High
Out-of-Band ICMP Messaging    iTrace        None/High          Low/Very High
Out-of-Band ICMP Messaging    ID-iTrace     High/Fair          Low/High
Out-of-Band ICMP Messaging    iCaddie       Low/Low            Low/Fair
[Figure: Caddie message generation and propagation. Routers act as Caddie Propagators on the path to the Attack Victim/Tracer; the initiating router contains a Caddie Selector and a Caddie Generator. Legend: B = the ball packet, C = the Caddie message, P = regular packets, taken from the input port (input queue).]

Caddie initiator steps:
1. Trigger ball packet selection
2. Select a ball packet
3. Extract the ball packet
4. Update the Caddie timer
5. Copy the ball packet header
6. Trigger Caddie generation
7. Generate a session key (optional)
8. Inject Caddie message in the front of output port

Caddie propagator steps:
1. Receive an ICMP Caddie message in an input port
2. Update the Caddie timer
3. Generate a session key (optional)
4. Update and inject Caddie message into an output port
A Caddie Message

Header fields: TYPE, CODE, DIGEST, SOURCE, DESTINATION, SECURITY
Per-router block (shown twice on the slide, one block per router on the path): ROUTER ID, PREVIOUS ROUTER ID, NEXT HOP ROUTER ID, TTL, TIMESTAMP, HMAC
Trailer: CHECKSUM

[Figure: TIMESTAMP timeline showing session keys Kt-1 and Kt over Time, with Caddie messages C1 through C9.]
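The message layout and the initiator/propagator steps above, as an added illustration that is not code from the original slides: the initiator binds the DIGEST to the copied ball-packet header, each propagator appends its ROUTER ID / PREVIOUS ROUTER ID / NEXT HOP ROUTER ID / TTL / TIMESTAMP block under an HMAC with its session key, and the victim/tracer verifies the HMACs and the hop chain before accepting the path. The field serialisation, the router names and keys, and the tracer's out-of-band access to the session keys are assumptions.

```python
import hashlib
import hmac

# Constructed sample: header of the "ball" packet the Caddie initiator selects.
BALL_PACKET_HEADER = b"src=10.0.0.5 dst=192.0.2.10 proto=udp id=0x1f2a"

# Assumed per-router session keys for the current time period (names are hypothetical).
ROUTER_KEYS = {"R1": b"key-R1-t", "R2": b"key-R2-t", "R3": b"key-R3-t"}


def entry_bytes(digest, router, prev, nxt, ttl, ts):
    # Serialisation of one per-router block is an assumption, not the slide's wire format.
    return f"{digest}|{router}|{prev}|{nxt}|{ttl}|{ts}".encode()


def propagate(msg, router, prev, nxt, ttl, ts):
    # Caddie propagator: append own block, authenticated by an HMAC under its session key.
    tag = hmac.new(ROUTER_KEYS[router], entry_bytes(msg["digest"], router, prev, nxt, ttl, ts),
                   hashlib.sha256).hexdigest()
    msg["entries"].append({"router": router, "prev": prev, "next": nxt,
                           "ttl": ttl, "ts": ts, "hmac": tag})


def initiate_caddie(ball_header, router, nxt, ttl, ts):
    # Caddie initiator: DIGEST binds the message to the copied ball-packet header.
    digest = hashlib.sha256(ball_header).hexdigest()
    msg = {"type": "ICMP-Caddie", "digest": digest, "entries": []}
    propagate(msg, router, "NONE", nxt, ttl, ts)
    return msg


def trace_path(msg, attack_packet_header, keys):
    # Victim/tracer: the message must match a received attack packet, every HMAC must
    # verify, and each block's NEXT HOP / PREVIOUS ROUTER ID must chain to its neighbour.
    if hashlib.sha256(attack_packet_header).hexdigest() != msg["digest"]:
        return None
    path = []
    for i, e in enumerate(msg["entries"]):
        key = keys.get(e["router"])
        if key is None:
            return None  # unknown router: cannot authenticate this block
        expected = hmac.new(key, entry_bytes(msg["digest"], e["router"], e["prev"], e["next"],
                                             e["ttl"], e["ts"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["hmac"]):
            return None  # forged or modified block
        if i > 0 and (e["prev"] != path[-1] or msg["entries"][i - 1]["next"] != e["router"]):
            return None  # hop chain broken
        path.append(e["router"])
    return path
```

A message whose DIGEST does not match any packet the victim received, or whose blocks fail the HMAC or chain checks, yields no path rather than a partially trusted one.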
IP Traceback

IP Traceback for Direct DDoS
[Figure: the Attacker, Attack Agents and the Victim connected through Caddie Initiators (CI) and Caddie Propagators (CP).]

IP Traceback (Cont.)

IP Traceback for Reflective DDoS
[Figure: Attack Agents and Attack Reflectors connected through Caddie Initiators (CI) and Caddie Propagators (CP).]
Evaluations
- Incremental Deployment
- Scalability

[Figure: paths from The Source through Routers, some of them Regular Routers and others deployed as Caddie Initiator Routers or Caddie Propagators, to the Attack Victim/Tracer.]
Evaluations (Cont.)

Workload Distribution
- Local networks
- ISP

Evaluations (Cont.)
- Security: HMACs
- Robustness: False positives
- Political Issues: ISPs cooperation, Privacy

Evaluations (Cont.)
- Bandwidth Overhead: Number of attack packets required; Number of ICMP messages generated
- Storage Overhead: In the network; At the victim
- Computational Overhead: In the network; At the victim
Conclusion
- Effective
- Secure
- DoS-Resistant
Q&A
Thank You Very Much