Slides mostly by Sherif Khattab

Denial-of-Service [Gligor, 84]

"A group of otherwise-authorized users of a specific service is said to deny service to another group of otherwise-authorized users if the former group makes the specified service unavailable to the latter group for a period of time which exceeds the intended (and advertised) waiting time"

DoS Attacks

DoS attacks aim at reducing legitimate utilization of network and/or server resources through:
• resource destruction (exploit bugs in the OS)
• resource exhaustion
  • vulnerability exploitation (e.g., SYN attack)
  • brute-force flooding
    • Network-level (e.g., lots of packets, as in UDP floods)
    • Service-level (e.g., flash crowds)

Service-level DoS

A large number of attack hosts request service from the victim server at a high rate. For instance,
• download files from an FTP server, or
• get web pages from a WWW server

Front-ends

Front-ends form a tree with the back-ends as its logical root.

Front-ends (contd.)

• Tree level of each front-end depends on its attack tolerance
• Front-ends can be the bottleneck that gets attacked.
It usually can withstand a good amount of attack traffic.
• To join the network (or reconfigure), a front-end performs:
  • Parent registration
  • Address registration

DoS Attacks (1/4)

[Figure: legitimate client → router → server]
Legitimate packets consume network resources, such as router buffers and link capacity. They also consume server resources, such as interrupt processing capacity, operating system structures, processing time, etc.

DoS Attacks (2/4)

• Network-level DoS attacks flood network resources
• Service-level DoS attacks exploit vulnerabilities to crash servers
• Service-level DoS attacks flood server resources, so that legitimate clients' packets will be dropped…

Our Focus: Service-level Flooding DoS

[Taxonomy diagram]
DoS Attacks
├── Resource Destruction
└── Resource Exhaustion
    ├── Vulnerability Exploitation
    └── Brute-force Flooding
        ├── Network-level
        └── Service-level (our focus)

The DoS Problem

Distinguish attack packets/requests from legitimate packets/requests
• quickly,
• accurately (low false positives and false negatives), and
• efficiently (small overhead)
Primary metrics
• Legitimate Response Time
• Legitimate Throughput

State-of-the-art

                Prevention                    Detection/Recovery                          Mitigation
Network-level   Network-level puzzles         PacketScore; RED-PD; Heavy-hitter           Replication; Overlay-based
                                              detection; DCAP; Pushback; MOVE;
                                              Capabilities; IP Hopping
Service-level   Application-level puzzles;    DDoS Shield; Shadow Honeypots; Kill-Bots    Replication
                Reservation-based schemes

Honeypots [Spitzner][Provos]

Honeypots are:
• decoy resources to trap attackers
• useful in detecting worm-infected hosts
However, honeypots are
• at fixed locations
• separate from real servers
DoS attackers can evade honeypots

Roaming Honeypots [Khattab]

In roaming honeypots, the locations of honeypots
are:
• continuously changing
• unpredictable to non-compliant attackers
• disguised within servers

Main Assumption

Unique, un-spoofable user identifier (dealing with proxy servers is an open problem)
[Figure: clients reaching the server through a proxy server; firewall]

Packet Filtering in firewalls

• White-list: allow packets from certain users/IPs.
  • Not scalable, because the list grows with the number of users
• Black list: do not allow certain IPs or users.
  • More scalable: # attackers << #
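Worked example (added here; it is not part of the slides and not Khattab's implementation): a small Python simulation that ties the last few slides together. It runs a service-level flood against N replicated servers, measures the slides' primary metric (legitimate throughput) with and without a roaming-honeypot defense, and shows why the resulting black list stays small: it grows with the number of attackers caught, not with the number of users. Everything in it is constructed for illustration: the server count, the per-epoch capacity, the HMAC-based choice of decoys (my own simplification of how compliant clients could agree on the roaming schedule), and the client identifiers, which are assumed to be unique and un-spoofable exactly as the main-assumption slide requires.

```python
"""Constructed simulation (not from the slides) of a service-level flooding DoS
against N replicated servers, defended by roaming honeypots plus a black-list
filter in front of the real servers.

Assumptions made only for this example:
  * k of the N servers act as decoys in each epoch; the decoy set is derived from
    a secret shared with compliant clients via HMAC-SHA256 over the epoch number;
  * every client carries a unique, un-spoofable identifier, so a decoy hit can be
    attributed to exactly one sender;
  * each real server serves at most CAPACITY requests per epoch, FIFO, and drops
    the rest (this is the resource being flooded).
"""
import hashlib
import hmac
import random
from collections import defaultdict

N_SERVERS = 8        # replicated servers; decoys are disguised among them
K_DECOYS = 2         # how many act as honeypots in a given epoch
CAPACITY = 10        # requests a real server can serve per epoch
SECRET = b"example-shared-secret"   # constructed; compliant clients know it


def decoy_set(secret: bytes, epoch: int, n: int = N_SERVERS, k: int = K_DECOYS) -> set:
    """Keyed, unpredictable choice of this epoch's honeypot servers.

    Anyone holding `secret` can compute the set and avoid it; an attacker
    without it sees k decoys "roaming" over the n servers every epoch."""
    chosen, ctr = set(), 0
    while len(chosen) < k:
        tag = hmac.new(secret, f"{epoch}:{ctr}".encode(), hashlib.sha256).digest()
        chosen.add(int.from_bytes(tag[:4], "big") % n)
        ctr += 1
    return chosen


def simulate(n_epochs=5, n_legit=20, legit_rate=2, n_attackers=10,
             attack_rate=20, defended=True, seed=7) -> dict:
    """Run the flood and return legitimate throughput (the slides' primary
    metric) together with the detection outcome."""
    rng = random.Random(seed)
    blacklist = set()            # grows with #attackers caught, not with #users
    legit_sent = legit_served = false_positives = 0
    for epoch in range(n_epochs):
        decoys = decoy_set(SECRET, epoch) if defended else set()
        real = [s for s in range(N_SERVERS) if s not in decoys]
        queue = defaultdict(list)  # server -> ids of clients whose requests arrived
        # Compliant clients compute the decoy set and never send to it.
        for c in range(n_legit):
            for _ in range(legit_rate):
                queue[rng.choice(real)].append(f"legit-{c}")
                legit_sent += 1
        # Attackers cannot predict the decoys, so they spray every server.
        for a in range(n_attackers):
            for _ in range(attack_rate):
                queue[rng.randrange(N_SERVERS)].append(f"attacker-{a}")
        # A decoy serves nothing; whoever reaches it is identified and black-listed.
        for s in decoys:
            for cid in queue[s]:
                if cid.startswith("legit-"):
                    false_positives += 1
                blacklist.add(cid)
        # Real servers: the front filter drops black-listed senders, then FIFO
        # service up to CAPACITY; everything beyond that is dropped.
        for s in real:
            admitted = [cid for cid in queue[s] if cid not in blacklist]
            rng.shuffle(admitted)      # arrival order is not under our control
            legit_served += sum(cid.startswith("legit-") for cid in admitted[:CAPACITY])
    return {
        "legit_throughput": legit_served / legit_sent,
        "false_positives": false_positives,
        "blacklisted": blacklist,
    }


if __name__ == "__main__":
    for defended in (False, True):
        r = simulate(defended=defended)
        print(f"defended={defended}: legit throughput={r['legit_throughput']:.2f}, "
              f"false positives={r['false_positives']}, "
              f"black-listed senders={len(r['blacklisted'])}")
```

Two things to read off the run. First, the compliant clients are never black-listed, because they compute the decoy set themselves and simply avoid it; the "accurately" requirement of the DoS Problem slide is met with zero false positives, and detection is "quick" in proportion to how hard an attacker floods: each attack request lands on a decoy with probability k/N, so a high-rate flooder is caught within its first few requests while a low-rate sender survives longer but also does little damage. Second, the caveat from the main-assumption slide shows up directly in the code: if many users sat behind one proxy and shared an identifier, a single non-compliant host behind it would get the whole proxy black-listed, which is the open problem the slide refers to.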