Midterm Score Distribution
[Figure: histogram of midterm scores, with a marker annotated "You should worry if you are below this point"]
Midterm Score Distribution
Your projected and optimistically projected grades should be in the grade center soon
  o Projected: your current weighted score / 30 * 100
  o Optimistic: (your current weighted score + 70) / 100
  o Just for your feedback
Quiz 1 is posted
  o Do it before your lab slot but after this week's lab lecture
  o Open book, open notes, unlimited time
  o You will do the same version again after your lab (to be posted soon); the better score counts
More Announcements
Don't allow an individual attack machine to use many of a target's resources
Requires:
  o Authentication, or
  o Making the sender do special work (puzzles)
Authentication schemes are often expensive for the receiver
Existing legitimate senders are largely not set up to do special work
Can still be overcome with a large enough army of zombies: a per-machine limit caps each bot, not the sum of all of them
Resource Limitations
Make it hard for anyone but legitimate clients to deliver messages at all
E.g., keep your machine's identity obscure
  o A possible solution for some potential targets
  o But not for others, like public web servers
To the extent that the approach relies on secrecy, it's fragile
  o Some such approaches don't require secrecy
Hiding From the Attacker
As the attacker demands more resources, supply them
Essentially, never allow resources to be depleted
Not always possible, usually expensive
Not clear that the defender can keep ahead of the attacker
But still a good step against limited attacks
More advanced versions might use Akamai-like techniques (a distributed content delivery network absorbs the load)
Resource Multiplication
Figure out which machines attacks come from
Go to those machines (or near them) and stop the attacks
Tracing is trivial if IP source addresses aren't spoofed
  o Tracing may be possible even if they are spoofed
May not have the ability/authority to do anything once you've found the attack machines
Not too helpful if the attacker has a vast supply of machines
Trace and Stop Attacks
The basis for most defensive approaches
Addresses the core of the problem by limiting the amount of work presented to the target
Key question is:
  o What do you drop?
Good solutions drop all (and only) attack traffic
Less good solutions drop some (or all) of everything
Filtering Attack Streams
Filtering drops packets with particular characteristics
  o If you get the characteristics right, you do little collateral damage
  o At odds with the desire to drop all attack traffic: a signature tight enough to spare legitimate traffic usually misses some attack traffic
Rate limiting drops packets on the basis of the amount of traffic
  o Can thus assure the target is not overwhelmed
  o But may drop some good traffic, since it doesn't distinguish good from bad
Filtering Vs. Rate Limiting
Where Do You Filter?
Near the target? Near the source? In the network core? In multiple places?
[Figure: network diagram showing candidate filtering points labeled "Near target", "Near source", and "In core"]
Near target
  o Easier to detect attack
  o Sees everything
  o May be hard to prevent collateral damage
  o May be hard to handle attack volume
Near source
  o May be hard to detect attack
  o Doesn't see everything
  o Easier to prevent collateral damage
  o Easier to handle attack volume
In core
  o Easier to handle attack volume
  o Sees everything (with sufficient deployment)
  o May be hard to prevent collateral damage
  o May be hard to detect attack
Filtering Location Choices
Have a database of attack signatures
Detect anomalous behavior
  o By measuring some parameters for a long time, setting a baseline, and detecting when their values are abnormally high
  o By defining which behavior must be obeyed, starting from some protocol specification, and flagging traffic that violates it
How Do You Detect Attacks?
Devise filters that encompass most of the anomalous traffic
Or drop everything but give priority to legitimate-looking traffic
  o It has certain parameter values
  o It has certain behavior
How Do You Filter?
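The detection and filtering slides above can be run end to end on a small constructed trace. The following is an added example, not code from the lecture: seconds 0-9 are quiet, from second 10 a flood of 40-byte packets to UDP/53 arrives from the 10.9.0.0/24 prefix (the prefix, addresses and sizes are made up). A baseline of packets per second is learned from the quiet window, the anomalous seconds are flagged, a signature is derived from the traffic that grew most, and three responses are compared by the collateral damage they cause: a tight signature filter, a coarse "drop all port 53" filter, and a plain rate limit at the baseline level.

```python
import random
import statistics
from collections import Counter

ATTACK_PREFIX = "10.9.0."    # constructed: the flood is sourced from this /24
LEGIT_PREFIX = "192.0.2."    # constructed: legitimate clients live here


def build_trace(seed=1):
    """Constructed trace of (time, src_ip, dst_port, size), in arrival order.
    Seconds 0-9 carry only legitimate traffic (40-59 pps, some DNS among web);
    from second 10 on, 400 tiny UDP/53 packets per second from 10.9.0.0/24 join it."""
    rng = random.Random(seed)
    trace = []
    for sec in range(20):
        legit = 40 + (sec * 7) % 20
        for i in range(legit):
            port = 53 if i % 5 == 0 else 443
            size = 60 if port == 53 else 80 + (i * 37) % 900
            trace.append((sec + rng.random(), f"{LEGIT_PREFIX}{i % 20}", port, size))
        if sec >= 10:
            for i in range(400):
                trace.append((sec + rng.random(), f"{ATTACK_PREFIX}{i % 250}", 53, 40))
    trace.sort()
    return trace


def prefix24(ip):
    return ip.rsplit(".", 1)[0] + "."


def pps(trace):
    """Packets per whole second."""
    return Counter(int(t) for t, *_ in trace)


def detect(trace, training_seconds, k=3.0):
    """Baseline anomaly detection: threshold = mean + k*stdev of pps over a quiet
    training window. Returns (threshold, seconds whose rate is abnormally high)."""
    rate = pps(trace)
    sample = [rate[s] for s in training_seconds]
    threshold = statistics.mean(sample) + k * statistics.pstdev(sample)
    return threshold, sorted(s for s, n in rate.items() if n > threshold)


def derive_signature(trace, training_seconds, anomalous_seconds):
    """Pick the (src /24, dst_port, size) tuple whose per-second count grew most
    between the baseline window and the anomalous window."""
    if not anomalous_seconds:
        return None
    base, anom = Counter(), Counter()
    for t, src, port, size in trace:
        key = (prefix24(src), port, size)
        if int(t) in training_seconds:
            base[key] += 1
        elif int(t) in anomalous_seconds:
            anom[key] += 1
    growth = {key: anom[key] / len(anomalous_seconds) - base[key] / len(training_seconds)
              for key in anom}
    return max(growth, key=growth.get)


def signature_filter(trace, sig):
    """Drop only packets matching the derived signature."""
    return [p for p in trace if (prefix24(p[1]), p[2], p[3]) != sig]


def port_filter(trace, port):
    """Coarse filter: drop everything to the attacked port."""
    return [p for p in trace if p[2] != port]


def rate_limit(trace, capacity):
    """Admit at most `capacity` packets per second in arrival order (tail drop);
    good and bad packets are treated alike."""
    admitted, seen = [], Counter()
    for p in trace:
        sec = int(p[0])
        if seen[sec] < capacity:
            seen[sec] += 1
            admitted.append(p)
    return admitted


def damage(trace, kept):
    """(legitimate packets dropped, attack packets dropped), using the constructed
    ground truth that attack traffic comes from ATTACK_PREFIX."""
    total = Counter(p[1].startswith(ATTACK_PREFIX) for p in trace)
    kept_c = Counter(p[1].startswith(ATTACK_PREFIX) for p in kept)
    return total[False] - kept_c[False], total[True] - kept_c[True]


def compare(seed=1):
    trace = build_trace(seed)
    training = set(range(10))
    threshold, bad_secs = detect(trace, training)
    sig = derive_signature(trace, training, set(bad_secs))
    return {
        "threshold": threshold,
        "anomalous_seconds": bad_secs,
        "signature": sig,
        "signature_filter": damage(trace, signature_filter(trace, sig)),
        "port_filter": damage(trace, port_filter(trace, 53)),
        "rate_limit": damage(trace, rate_limit(trace, int(threshold))),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The tight signature drops all 4000 attack packets and no legitimate ones, the port-only filter also drops every legitimate DNS query, and the rate limit protects the target's capacity but discards a large share of the good traffic in every flooded second. The example only works this well because the attack traffic shares a fixed (prefix, port, size) tuple; an attacker who varies those fields pushes the defender toward the coarser filter or the rate limit, which is the trade-off the slides describe.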
Need for a distributed response
Economic and social factors
Lack of detailed attack information
Lack of defense system benchmarks
Difficulty of large-scale testing
Moving target
DDoS Defense Challenges
Attacker sends lots of TCP SYN packets
  o Victim sends a SYN-ACK and allocates space in memory for the half-open connection
  o Attacker never replies
  o Goal is to fill up memory before entries time out and get deleted
Usually spoofed traffic
  o Otherwise patterns may be used for filtering
  o OS at the attacker or spoofed address may send RST and free up memory
TCP SYN Flood
Effective defense against TCP SYN flood
  o Victim encodes connection information and time in the initial sequence number of its SYN-ACK; the client's final ACK echoes it (plus one) in the acknowledgment number
  o Must be hard to craft values that get encoded into the same number: use crypto (a keyed hash over the addresses, ports and time) for the encoding
  o Memory is only reserved when the final ACK comes and the cookie verifies
Only the server must change
  o But TCP options are not supported (only a few bits of MSS survive in the cookie)
  o And lost SYN-ACKs are not repeated (the server keeps no state to retransmit from)
TCP SYN Cookies
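The cookie construction above, as an added example rather than code from the lecture or any real TCP stack: the 32-bit initial sequence number carries a 5-bit time counter, a 3-bit index into a small MSS table, and a 24-bit keyed hash over the 4-tuple and the counter. The layout follows Bernstein's original description in spirit; Linux's bit layout and hash differ. The secret, the MSS table and the "counter ticks once a minute" convention are assumptions of the example.

```python
import hmac
import hashlib
import struct

# MSS values the 3-bit field can name; the index, not the value, rides in the cookie.
# Constructed table for the example; real stacks choose their own.
MSS_TABLE = (536, 1300, 1440, 1460)
MASK32 = 0xFFFFFFFF


def _mac24(secret, src, sport, dst, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time counter."""
    msg = struct.pack("!4s4sHHI", src, dst, sport, dport, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, src, sport, dst, dport, client_mss, counter):
    """ISN for the SYN-ACK: [5 bits counter | 3 bits MSS index | 24 bits MAC].
    `counter` is a coarse clock (assumed: minutes), kept mod 32 on both sides."""
    counter &= 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i               # largest table entry the client can accept
    return ((counter << 27) | (mss_idx << 24)
            | _mac24(secret, src, sport, dst, dport, counter))


def check_cookie(secret, src, sport, dst, dport, ack_num, counter_now, max_age=2):
    """Validate the cookie echoed in the client's final ACK (ack_num == ISN + 1).
    No per-connection state is consulted; everything is recomputed. Returns the
    MSS to use for the new connection, or None if the cookie is stale or forged."""
    cookie = (ack_num - 1) & MASK32
    counter = cookie >> 27
    age = (counter_now - counter) & 0x1F   # 5-bit wraparound: cookies 32 ticks old look fresh
    if age > max_age:
        return None
    expected = _mac24(secret, src, sport, dst, dport, counter).to_bytes(3, "big")
    got = (cookie & 0xFFFFFF).to_bytes(3, "big")
    if not hmac.compare_digest(expected, got):
        return None
    return MSS_TABLE[(cookie >> 24) & 7]


if __name__ == "__main__":
    # Constructed handshake: client 192.0.2.10:40000 -> server 203.0.113.5:80, MSS 1460
    key = b"\x42" * 32
    c, s = bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5])
    isn = make_cookie(key, c, 40000, s, 80, 1460, counter=7)
    print("SYN-ACK seq:", hex(isn))
    print("final ACK accepted, MSS =", check_cookie(key, c, 40000, s, 80, (isn + 1) & MASK32, 7))
    print("replayed from another host:", check_cookie(key, bytes([192, 0, 2, 11]), 40000, s, 80, (isn + 1) & MASK32, 7))
```

Two of the slide's limitations are visible in the code: the only option information that survives is the 3-bit MSS index, and since nothing is stored when the SYN arrives there is nothing to drive a SYN-ACK retransmission. The MAC is what makes forged ACKs expensive; a cookie scheme that used a plain hash without a secret would let the attacker precompute valid final ACKs.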
Overwhelm routers
  o Create a lot of pps (packets per second)
  o Exhaust CPU
  o Most routers can't handle a full bandwidth's load of small packets
No real solution; must filter packets somehow to reduce router load
Small-Packet Floods
Periodically slam the victim with short, high-volume pulses
  o Lead to congestion drops on clients' TCP traffic
  o TCP backs off
  o If loss is large, the sender times out and restarts with a congestion window of 1 MSS
  o Attacker slams again just as the sender recovers, after a few RTTs (the pulses are spaced to match TCP's retransmission timeout), so throughput never builds back up
Solution requires TCP protocol changes
  o Tough to implement since clients must be changed
Shrew Attack
Generate legitimate application traffic to the victim
  o E.g., DNS requests, Web requests
  o Usually not spoofed
  o If enough bots are used, no client appears too aggressive
  o Really hard to filter, since both traffic and client behavior seem identical between attackers and legitimate users
Flash-Crowd Attack
Generate service requests to public servers spoofing the victim's IP
  o Servers reply back to the victim, overwhelming it
  o Usually done with UDP and ICMP traffic (a reflected TCP SYN flood would only overwhelm the CPU, and only if a huge number of packets is generated)
  o Often takes advantage of an amplification effect: some service requests lead to huge replies, which lets the attacker multiply the bandwidth he puts in
Reflector Attack
Sample Research Defenses: Pushback, Traceback, SOS, Proof-of-work systems
Pushback [1]
Goal: Preferentially drop attack traffic to relieve congestion
Local ACC (aggregate-based congestion control): Enable core routers to respond to congestion locally by:
  o Profiling traffic dropped by RED
  o Identifying high-bandwidth aggregates
  o Preferentially dropping aggregate traffic to enforce the desired bandwidth limit
Pushback: A router identifies the upstream neighbors that forward the aggregate traffic to it and requests that they deploy the rate limit
[1] "Controlling High Bandwidth Aggregates in the Network," Mahajan, Bellovin, Floyd, Paxson, Shenker, ACM CCR, July 2002
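The local ACC and pushback steps above, as an added example (not the paper's code; the paper's clustering and limit arithmetic are more elaborate): a sample of RED's dropped packets is clustered by destination /24 to find the aggregate(s) that dominate the drops, the aggregate's rate limit is set so that the total arrival rate fits the link's target rate, and the limit is then split max-min fairly across the upstream interfaces that carry the aggregate, which is the request pushback would send to those neighbors. The traffic volumes, addresses and interface names are constructed.

```python
from collections import Counter, defaultdict
import ipaddress

# Constructed one-second snapshot at a congested router: (dst_ip, bytes, ingress interface).
# 12 MB/s is headed for 203.0.113.0/24 (the victim's prefix), 3 MB/s for everyone else,
# on a link whose target rate is 9.5 MB/s.
ARRIVALS = [
    ("203.0.113.7", 5_000_000, "eth1"), ("203.0.113.7", 3_000_000, "eth1"),
    ("203.0.113.9", 3_000_000, "eth2"), ("203.0.113.7", 1_000_000, "eth3"),
    ("198.51.100.20", 1_000_000, "eth1"), ("198.51.100.21", 1_000_000, "eth2"),
    ("192.0.2.4", 1_000_000, "eth3"),
]
# Constructed sample of what RED dropped in the same second (mostly the victim's prefix).
DROPS = ([("203.0.113.7", 1500, "eth1")] * 300 + [("203.0.113.9", 1500, "eth2")] * 120
         + [("198.51.100.20", 1500, "eth1")] * 25 + [("192.0.2.4", 1500, "eth3")] * 15)


def prefix_of(ip, bits=24):
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def identify_aggregates(drops, bits=24, min_share=0.3):
    """Cluster dropped packets by destination prefix; an aggregate is any prefix
    responsible for at least `min_share` of the dropped bytes."""
    total = sum(nbytes for _, nbytes, _ in drops)
    per_prefix = Counter()
    for dst, nbytes, _ in drops:
        per_prefix[prefix_of(dst, bits)] += nbytes
    return [p for p, b in per_prefix.most_common() if b >= min_share * total]


def maxmin_split(limit, demands):
    """Max-min fair division of `limit` among upstream interfaces: interfaces
    sending less than the fair share keep their rate, the heavy senders share
    what remains equally. This is the per-neighbor limit pushback requests."""
    remaining, alloc, pending = limit, {}, dict(demands)
    while pending:
        fair = remaining / len(pending)
        small = {i: d for i, d in pending.items() if d <= fair}
        if not small:
            for i in pending:
                alloc[i] = fair
            break
        for i, d in small.items():
            alloc[i] = d
            remaining -= d
            del pending[i]
    return alloc


def local_acc(arrivals, drops, target_rate, bits=24):
    """Local ACC: find the congestion-causing aggregates, set each one's limit so the
    link's total arrival rate fits `target_rate`, and split the limit upstream."""
    rate, per_iface = Counter(), defaultdict(Counter)
    for dst, nbytes, iface in arrivals:
        p = prefix_of(dst, bits)
        rate[p] += nbytes
        per_iface[p][iface] += nbytes
    aggregates = identify_aggregates(drops, bits)
    agg_rate = sum(rate[a] for a in aggregates)
    other = sum(rate.values()) - agg_rate
    budget = max(target_rate - other, 0)          # bandwidth left for the aggregates
    plan = {}
    for a in aggregates:
        limit = budget * rate[a] / agg_rate        # pro-rata among flagged aggregates
        plan[a] = {"arrival_rate": rate[a], "limit": limit,
                   "upstream": maxmin_split(limit, per_iface[a])}
    return plan


if __name__ == "__main__":
    for prefix, p in local_acc(ARRIVALS, DROPS, target_rate=9_500_000).items():
        print(prefix, "arriving at", p["arrival_rate"], "limited to", p["limit"])
        for iface, share in p["upstream"].items():
            print("  ask neighbor on", iface, "to send at most", share)
```

With the constructed numbers the victim prefix is limited to 6.5 MB/s: eth3 already sends less than its fair share and keeps its 1 MB/s, while eth1 and eth2 are each asked to cap the aggregate at 2.75 MB/s. Note what the example does not do: the aggregate is the whole destination prefix, so legitimate traffic to the victim inside that prefix is rate-limited along with the attack, which is exactly the collateral damage the slides attribute to pushback.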
Can it Work?
Even a few core routers are able to control high-volume attacks
Separation of traffic aggregates improves the current situation
  o Only traffic for the victim is dropped
  o Drops affect a portion containing the attack traffic
Likely to successfully control the attack, relieving congestion in the Internet
Will inflict collateral damage on legitimate traffic headed for the victim
Advantages and Limitations
+ Routers can handle high traffic volumes
+ Deployment at a few core routers can affect many traffic flows, due to core topology
+ Simple operation, little overhead for routers
+ Pushback minimizes collateral damage by placing the response close to the sources
- Pushback only works in contiguous deployment
- Collateral damage is inflicted by the response whenever the attack is not clearly separable
- Requires modification of existing core routers
Traceback [1]
Goal: locate the agent machines
Each packet header may carry a mark containing:
  o EdgeID (the IP addresses of two adjacent routers) specifying an edge it has traversed
  o The distance from that edge
Routers mark packets probabilistically
If a router detects a half-marked packet (containing only one IP address), it will complete the mark
The victim under attack reconstructs the path from the marked packets
[1] "Practical Network Support for IP Traceback," Savage, Wetherall, Karlin, Anderson, ACM SIGCOMM 2000
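The edge-sampling scheme above, simulated as an added example (not the paper's code): each router starts a new mark with probability p, otherwise completes a half-marked edge and increments the distance, and the victim rebuilds the attack tree from the collected (start, end, distance) triples. The marks are carried whole here rather than fragmented into the 16-bit IP identification field as the paper does, and the topology with routers R1-R7 and two attackers is constructed.

```python
import random

P_MARK = 0.04   # marking probability; the paper suggests values around 1/25


def route_packet(path, rng, p=P_MARK):
    """Forward one packet along `path` (attacker side first, victim's neighbor last).
    Returns the (start, end, distance) mark the victim sees, or None if no router
    sampled this packet. Only the most recent sampling router's edge survives."""
    mark = None
    for router in path:
        if rng.random() < p:
            mark = [router, None, 0]           # begin a fresh edge at this router
        elif mark is not None:
            if mark[2] == 0 and mark[1] is None:
                mark[1] = router               # complete the half-marked edge
            mark[2] += 1                       # one hop further from the edge
    return tuple(mark) if mark else None


def reconstruct(marks):
    """Victim side. A mark (s, e, d) with d >= 1 says e is d hops away and s is
    e's upstream neighbor; (s, None, 0) says s is adjacent to the victim.
    Returns {router: next hop toward the victim}."""
    downstream = {}
    for s, e, d in set(marks):
        if d == 0:
            downstream[s] = "victim"
        elif e is not None:
            downstream[s] = e
    return downstream


def attack_paths(downstream):
    """Walk from every leaf (a router nobody is upstream of) down to the victim."""
    leaves = set(downstream) - set(downstream.values())
    paths = []
    for leaf in sorted(leaves):
        path, node = [], leaf
        while node != "victim":
            path.append(node)
            node = downstream[node]
        paths.append(path)
    return paths


def simulate(paths, packets_per_attacker=2000, seed=7):
    """Send packets from each attacker, collect the marks, reconstruct the tree."""
    rng = random.Random(seed)
    marks = []
    for path in paths:
        for _ in range(packets_per_attacker):
            m = route_packet(path, rng)
            if m is not None:
                marks.append(m)
    return attack_paths(reconstruct(marks))


def packets_needed(path, seed=7, p=P_MARK):
    """How many packets from one attacker until every edge on its path has been seen."""
    rng = random.Random(seed)
    seen, n = set(), 0
    while len(seen) < len(path):
        n += 1
        m = route_packet(path, rng, p)
        if m is not None:
            seen.add((m[0], m[1]))
    return n


# Constructed topology: two attackers whose routes merge at R4 before reaching the victim.
ATTACK_PATHS = [
    ["R1", "R2", "R3", "R4", "R5"],
    ["R6", "R7", "R4", "R5"],
]

if __name__ == "__main__":
    for path in simulate(ATTACK_PATHS):
        print(" -> ".join(path), "-> victim")
    print("packets until the 5-hop path was complete:", packets_needed(ATTACK_PATHS[0]))
```

The farthest edge is the hard one: a mark started at R1 survives to the victim only if none of the four routers after it samples the packet, so with p = 0.04 roughly one packet in thirty carries it, which is why the slides say a few thousand packets are needed for long paths. The reconstruction here is clean because the marks are whole and no attacker forges them; with fragmented marks and many attackers the victim must also match fragments across packets, and that is where the cost and the error rate the later slides mention come from.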
Traceback and IP Spoofing
Traceback does nothing to stop DDoS attacks
It only identifies attackers' true locations
  o Comes to the vicinity of the attacker
If IP spoofing were not possible in the Internet, traceback would not be necessary
There are other approaches to filter out spoofed traffic
Can it Work?
Incrementally deployable: a few disjoint routers can provide beneficial information
Moderate router overhead (packet modification)
A few thousand packets are needed even for long path reconstruction
Does not work well for highly distributed attacks
Path reassembly is computationally demanding and is not 100% accurate
  o Path information cannot be used for legal purposes
Routers close to the sources can efficiently block attack traffic, minimizing collateral damage
Advantages and Limitations
+ Incrementally deployable
+ Effective for non-distributed attacks and for highly overlapping attack paths
+ Facilitates locating routers close to the sources
- Packet marking incurs overhead at routers and must be performed on the slow path
- Path reassembly is complex and prone to errors
- Reassembly of distributed attack paths is prohibitively expensive
SOS [1]
Goal: route only "verified user" traffic to the server, drop everything else
Clients use an overlay network to reach the server
Clients are authenticated at the overlay entrance; their packets are routed to proxies
A small set of proxies is "approved" to reach the server; all other traffic is heavily filtered out
[1] "SOS: Secure Overlay Services," Keromytis, Misra, Rubenstein, ACM SIGCOMM 2002
SOS
User first contacts nodes that can check its legitimacy and let it access the overlay (access points)
An overlay node uses the Chord overlay routing protocol to send the user's packets to a beacon
Beacon sends packets to a secret servlet
Secret servlets tunnel packets to the firewall
Firewall only lets through packets with the IP of a secret servlet
  o A secret servlet's identity has to be hidden, because its source address is a passport for the realm beyond the firewall
  o Beacons are nodes that know the identity of secret servlets
If a node fails, other nodes can take its role
Can It Work?
SOS successfully protects communication with a private server:
  o Access points can distinguish legitimate from attack communications
  o Overlay protects the traffic flow
  o Firewall drops attack packets
Redundancy in the overlay and secrecy of the path to the target provide security against DoS attacks on SOS itself
Advantages And Limitations
+ Ensures communication of "verified users" with the victim
+ Resilient to overlay node failure
+ Resilient to DoS on the defense system
- Does not work for a public service
- Traffic routed through the overlay travels on a suboptimal path
- Brute-force attack on the links leading to the firewall is still possible
Client Puzzles [1]
Goal: defend against connection depletion attacks
When under attack:
  o Server distributes small cryptographic puzzles to clients requesting service
  o Clients spend resources to solve the puzzles
  o A correct solution, submitted on time, leads to state allocation and connection establishment
  o Non-validated connection packets are dropped
Puzzle generation is stateless
Client cannot reuse puzzle solutions
Attacker cannot make use of intercepted packets
[1] "Client Puzzles: A Cryptographic Countermeasure Against Connection Depletion Attacks," Juels, Brainard, NDSS 1999
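A puzzle protocol with the three properties listed above, as an added example in the style of Juels and Brainard (not their code; their message formats and parameter choices differ): the server derives the puzzle's hidden value from a secret, the requesting client's identity and the current time period, so it stores nothing and verifies by recomputation; the client brute-forces the k hidden bits; a solution is bound to one client and one period, so it cannot be reused or replayed by someone who intercepted it. The secret, identity format and difficulty policy are assumptions of the example.

```python
import hashlib
import hmac

PERIOD_SECONDS = 30   # assumed: how long one puzzle period lasts


def _preimage(secret, client_id, period):
    """Server-side secret value x for this (client, period); recomputable at will."""
    return hmac.new(secret, f"{client_id}|{period}".encode(), hashlib.sha256).digest()


def choose_difficulty(load, base_k=8, max_k=20):
    """Assumed policy: harder puzzles as the server's resource usage (0..1) grows."""
    return min(max_k, base_k + int(load * 12))


def make_puzzle(secret, client_id, period, k):
    """Puzzle = sha256(x) plus x with its low k bits zeroed. Nothing is stored."""
    x = _preimage(secret, client_id, period)
    partial = (int.from_bytes(x, "big") >> k) << k
    return {"client_id": client_id, "period": period, "k": k,
            "partial": partial.to_bytes(32, "big"),
            "target": hashlib.sha256(x).digest()}


def solve_puzzle(puzzle):
    """Client side: try the 2^k candidates (2^(k-1) hashes on average).
    Returns (solution, hashes computed) or (None, hashes computed)."""
    base = int.from_bytes(puzzle["partial"], "big")
    for attempts, cand in enumerate(range(1 << puzzle["k"]), start=1):
        y = (base | cand).to_bytes(32, "big")
        if hashlib.sha256(y).digest() == puzzle["target"]:
            return y, attempts
    return None, 1 << puzzle["k"]


def verify_solution(secret, client_id, period, solution, now_period, max_age=1):
    """Server side, stateless: reject stale periods, then recompute x and compare.
    A solution to another client's puzzle, or to a different period, fails here."""
    if not 0 <= now_period - period <= max_age:
        return False
    return hmac.compare_digest(_preimage(secret, client_id, period), solution)


if __name__ == "__main__":
    import time
    key = b"\x07" * 32                      # constructed server secret
    client = "192.0.2.10:40000"             # constructed client identity
    period = int(time.time()) // PERIOD_SECONDS
    puzzle = make_puzzle(key, client, period, choose_difficulty(load=0.5))
    solution, work = solve_puzzle(puzzle)
    print("solved after", work, "hashes; accepted:",
          verify_solution(key, client, period, solution, now_period=period))
```

The server's cost per request is two HMAC/hash computations regardless of k, while the client's cost doubles with every extra bit, which is how the server "controls its resource consumption". The limitation the slides note is also visible: nothing in this exchange costs the attacker bandwidth, so a flood that never asks for a puzzle at all is untouched.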
Can It Work?
Client puzzles guarantee that each client has spent a certain amount of resources
Server determines the difficulty of the puzzle according to its resource consumption
  o Effectively the server controls its resource consumption
Protocol is safe against replay or interception attacks
Other flooding attacks will still work
Advantages And Limitations
+ Forces the attacker to spend resources, protects server resources from depletion
+ Attacker can only generate a certain number of successful connections from one agent machine
+ Low overhead on the server
- Requires client modification
- Will not work against highly distributed attacks
- Will not work against bandwidth consumption attacks (the later "DDoS Defense by Offense" paper, which has good clients send more to crowd out attackers, changes this)