
Slides mostly by Sherif Khattab

Outline
• Denial-of-Service [Gligor, 84]
• DoS Attacks
• Service-level DoS
• Front-ends
• Front-ends (contd.)
• DoS Attacks (1/4)
• DoS Attacks (2/4)
• Our Focus: Service-level Flooding DoS
• The DoS Problem
• State-of-the-art
• Honeypots [Spitzner][Provos]
• Roaming Honeypots [Khattab]
• Main Assumption
• Packet Filtering in firewalls

Denial-of-Service [Gligor, 84]
“A group of otherwise-authorized users of a specific service is said to deny service to another group of otherwise-authorized users if the former group makes the specified service unavailable to the latter group for a period of time which exceeds the intended (and advertised) waiting time”

DoS Attacks
DoS attacks aim at reducing legitimate utilization of network and/or server resources through:
• resource destruction (exploit bugs in the OS)
• resource exhaustion
  • vulnerability exploitation (e.g., SYN attack)
  • brute-force flooding
    • Network-level (e.g., lots of packets as in UDP floods)
    • Service-level (e.g., flash crowds)

Service-level DoS
A large number of attack hosts request service from the victim server at a high rate. For instance,
• download files from an FTP server, or
• get web pages from a WWW server

Front-ends
Front-ends form a tree with the back-ends as its logical root.

Front-ends (contd.)
• Tree level of each front-end depends on its attack tolerance
• Front-ends can be the bottleneck that gets attacked. It usually can withstand a good amount of attack traffic.
• To join the network (or reconfigure), a front-end performs:
  • Parent registration
  • Address registration

DoS Attacks (1/4)
• Legitimate packets consume network resources, such as router buffers and link capacity
• They also consume server resources, such as interrupt processing capacity, operating system structures, processing time, etc.
[Figure: Legitimate Client, Server, Router]

DoS Attacks (2/4)
• Network-level DoS attacks flood network resources
• Service-level DoS attacks exploit vulnerabilities to crash servers
• Service-level DoS attacks flood server resources, so that legitimate clients’ packets will be dropped…

Our Focus: Service-level Flooding DoS
[Figure: taxonomy diagram with the labels DoS Attacks, Resource Destruction, Resource Exhaustion, Brute-force Flooding, Vulnerability Exploitation, Service-level, Network-level]

The DoS Problem
Distinguish attack packets/requests from legitimate packets/requests
• quickly
• accurately (low false positives and false negatives) and
• efficiently (small overhead)
Primary metrics
• Legitimate Response Time
• Legitimate Throughput

State-of-the-art
Network-level
• Prevention: Network-level puzzles
• Detection/Recovery: PacketScore; RED-PD; Heavy-hitter detection; DCAP; Pushback; MOVE; Capabilities; IP Hopping
• Mitigation: Replication; Overlay-based
Service-level
• Prevention: Application-level puzzles; Reservation-based Schemes
• Detection/Recovery: DDoS Shield; Shadow Honeypots; Kill-Bots
• Mitigation: Replication

Honeypots [Spitzner][Provos]
Honeypots are:
• decoy resources to trap attackers
• useful in detecting worm-infected hosts
However, honeypots are
• at fixed locations
• separate from real servers
DoS Attackers can evade honeypots

Roaming Honeypots [Khattab]
In roaming honeypots, the locations of honeypots are:
• continuously changing
• unpredictable to non-compliant attackers
• disguised within servers

Main Assumption
Unique, un-spoofable user identifier (dealing with proxy servers is an open problem)
[Figure: Proxy Server]

Packet Filtering in firewalls
[Figure: Firewall??]
• White-list:
  • allow packets from certain users/IPs.
  • Not Scalable, because list grows with number of users
• Black list:
  • do not allow certain IPs or users.
  • More Scalable: # attackers << #



Pitt CS 2510 - LECTURE NOTES
