Network Security: Network Flooding. Seungwon Shin GSIS, KAIST
|
|
- Virginia Verity Simpson
- 8 years ago
- Views:
Transcription
1 Network Security: Network Flooding Seungwon Shin GSIS, KAIST
2 Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples
3 SYN-cookies Background In a TCP 3-way handshake a client sends a TCP SYN packet with its own random sequence number: SEQ-C a server sends back to a TCP SYN/ACK packet with its own random sequence number: SEQ-S when the server received a TCP ACK packet, it should check Key point whether its acknowledge number is SEQ-S + 1 a server should remember SEQ-S for each client for a client A for a client B state should be maintained reason why a TCP SYN flooding attack is feasible: state explosion
4 SYN-cookies Idea stateless management of TCP connection trials scenario when a server receives a TCP SYN packet, the server should answer with a TCP SYN/ACK packet At this time, how to choose the sequence number for a TCP SYN/ACK packet a number based on client information SEQ-S = hash(src IP, SRC PORT, DST IP, DST PORT, SEQ-C) when the server receives a TCP ACK packet with its acknowledge number (AN) NO state!!!! if (AN - 1) == hash(src IP, SRC PORT, DST IP, DST PORT, (SEQ-C)) OK, it is a valid packet, make a TCP session
5 SYN-cookies Server No state maintained Cookie is an unforgeable token SYN C SYN S, ACK C (Seq# = Cookie) ACK S (Cookie+1) Client
6 Prolexic Idea Prolexic use a proxy only forward a successfully established TCP sessions Idea: only forward established TCP connections to site Lots-of-SYNs Lots-of-SYN/ACKs Few ACKs Prolexic Proxy Forward to site Web site Prolexic capacity: 20Gb/sec link can handle SYN/sec 19
7 CAPCHAs Idea connections trials from human or bots? mitigate application level DDoS attacks Case study Killbot paper Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds (MIT), NSDI 2005 During attack, generate CAPCHA to differentiate human from bots present one CAPCHA per source IP address
8 Ingress/Egress Filtering Idea attackers commonly use spoofed IP addresses they can generate huge amount of fake source IP addresses 1. Ingress filtering (RFC 2827, 2000) how to filter spoofed IP addresses ISP checks whether a packet has a valid source IP address Big problem: DDoS with spoofed source IPs Question: how to find packet origin? ISP Internet Ingress filtering policy: ISP only forwards packets with legitimate source IP. (see also SAVE protocol)
9 Ingress Filtering Feasibility? Implementation problems Ingress filtering based on global trust Can you trust ISP A? ALL ISPs must do this. Egress filtering routers should check all outgoing packets Can you implement this function with low cost? Requires global trust.! If 10% of ISPs do not implement no defense Another non-solution: enforce source IP at peer AS R 1 R 2 R 3 R 4 dest Source AS Transit AS Dest AS Can transit AS validate packet source IP? No
10 Research Work
11 dfence: Transparent Network-based Denial of Service Mitigation People Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang University of Texas at Austin Published at NSDI, 2007
12 dfence Principle Transparency No software modifications to end-hosts or routers In-Network defense Filter attack traffic before it gets close to server Shared on-demand infrastructure Multiplex defense resources to protect multiple customers No performance penalty during peace time Stateful mitigation Necessary for effective defenses against a broad range of DoS attacks
13 dfence Overview Apply stateful filtering Other Customer Networks Internet Service Provider Attack Detected Distributed Set of Middleboxes Only Good traffic Customer Network under protection
14 dfence Server Verify cookie & establish state SYN S, ACK C (Seq# = Value S ) ACK S (Value S +1) Middlebox No State Maintained SYN C Acknowledgement # translation SYN S, ACK C (Seq# = Cookie) Window = 0 Sequence # translation SYN S, ACK C (Seq# = Cookie) Re-open window SYN C Choke client ACK S (Cookie+1) Un-choke client ACK S (Cookie+1) Client
15 Anomaly Based Detection Approach find normal network profile detect abnormal network patterns e.g., CPD - change point detection Change-point monitoring for the detection of DoS attacks, TDSC, 2004 CUSUM (cumulative sum) with x(n) process S(0) = 0 S(n+1) = max (0, S(n) + x(n) - w) what if S(n) exceeds some threshold value?
16 Capability Based Mitigation Idea propose a new network architecture servers can specify what packets they want How to client requests capability in SYN packet server responds with capability Key points router only forward request packet, and packets with valid capability
17 Capability Based Mitigation Capability based defense Capabilities can be revoked if source is attacking blocks attacks Capabilities packets can close be revoked to source if source is attacking! Blocks attack packets close to source R 1 R 2 R 3 R 4 dest Source AS Transit AS Dest AS Attack packets dropped 56
18 Jump to SDN
19 Background First, we need to talk about traditional network devices Consist of two main components Control plane (path) decision module (e.g., routing) Data plane (path) packet forwarding module Network Switch Control Plane Data Plane
20 The Ossified Network Feature) Feature) millions of lines of code Opera&ng) System) Specialized*Packet* Forwarding*Hardware* 5400 RFC billions of gates Hardware tightly coupled Many complex functions baked into the infrastructure OSPF, BGP, multicast, differentiated services, Traffic Engineering, NAT, firewalls, MPLS, redundant layers, An industry with a mainframe-mentality, reluctant to change
21 Problem of Legacy Network Too complicated control plane is implemented with complicated S/W and ASIC Closed platform vendor specific Hard to modify (nearly impossible) hard to add new functionalities New proposal: Software Defined Networking separate the control plane from the data plane provide a standardized way to control the data plane
22 Figure 1 depicts a logical view of the SDN architecture. Network intelligence Software Defined Networking (SDN) Three layer Application layer infrastructure to be abstracted for applications and network services, which can treat the network as a logical or virtual entity. is (logically) centralized in software-based SDN controllers, which maintain a global view of the network. As a result, the network appears to the applications and policy engines as a single, logical switch. With SDN, enterprises and carriers gain vendor-independent control over the entire network from a single logical point, which greatly simplifies the network design and operation. SDN also greatly simplifies the network devices themselves, since they no longer need to understand and process thousands of protocol standards but merely accept instructions from the SDN controllers. Application part of control layer Implement logic for flow control FIGURE 1 Software-Defined Network Architecture APPLICATION LAYER Business Applications Control layer (Controller) Kernel part of control layer CONTROL LAYER API SDN Control Software API API Network Services Run applications to control network flows INFRASTRUCTURE LAYER OpenFlow Control Data Plane interface (e.g., OpenFlow) Network Device Network Device Network Device Infrastructure layer Network Device Network Device Data plane Network switch or router from Open Networking Foundation Perhaps most importantly, network operators and administrators can programmatically configure this simplified network abstraction rather than having to hand-code tens of thousands of lines of configuration scattered among thousands of devices. In addition, leveraging the SDN controller s centralized intelligence, IT can alter network behavior in real-time and deploy new applications and network services in a matter of hours or days,
23 SDN Operation L2 Forwarding Controller connect to B Host A deliver packet Switch A -> B: Forward Host B
24 SDN Actions Way of handling network packets OpenFlow case Forward Drop Set modify a packet header e.g., DST IP > DST IP
25 Load Balancing Load Balancing Controller connect to C Host C Host A Switch connect to C Host B A -> C: Forward B -> C: DST IP = D B -> D: Forward Host D Clone
26 Firewall Main operation drop packets based on security policies Administrator DROP Attacker Firewall Switch Server
27 Firewall example scenario tenant 1 Attacker tenant 4 tenant 2 tenant 3
28 Firewall Possible solution distributed firewall tenant 1 Attacker tenant 4 tenant 2 tenant 3
29 Firewall with SDN Drop packets based on security policies at network devices Firewall Controller Administrator DROP Attacker A Firewall Switch Server S A -> S: Drop
30 Distributed Firewall with SDN Firewall tenant 1 Controller Attacker DROP DROP tenant 4 tenant 2 tenant 3
dfence: Transparent Network-based Denial of Service Mitigation
dfence: Transparent Network-based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang Department of Computer Sciences, The University of Texas USENIX NSDI
More informationFRESCO: Modular Composable Security Services for So;ware- Defined Networks
FRESCO: Modular Composable Security Services for So;ware- Defined Networks Seungwon Shin, Phil Porras, Vinod Yegneswaran, MarIn Fong, Guofei Gu, and Mabry Tyson SUCCESS LAB, Texas A&M and SRI Interna7onal
More informationAn Introduction to Software-Defined Networking (SDN) Zhang Fu
An Introduction to Software-Defined Networking (SDN) Zhang Fu Roadmap Reviewing traditional networking Examples for motivating SDN Enabling networking as developing softwares SDN architecture SDN components
More informationTowards Autonomic DDoS Mitigation using Software Defined Networking
Towards Autonomic DDoS Mitigation using Software Defined Networking Authors: Rishikesh Sahay, Gregory Blanc, Zonghua Zhang, Hervé Debar NDSS Workshop on Security of Emerging Networking Technologies (SENT
More informationA1.1.1.11.1.1.2 1.1.1.3S B
CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security
More informationdfence: Transparent Network-based Denial of Service Mitigation
dfence: Transparent Network-based Denial of Service Mitigation Ajay Mahimkar, Jasraj Dange, Vitaly Shmatikov, Harrick Vin, Yin Zhang Department of Computer Sciences, The University of Texas at Austin {mahimkar,jasraj,shmat,vin,yzhang}@cs.utexas.edu
More informationContent Distribution Networks (CDN)
229 Content Distribution Networks (CDNs) A content distribution network can be viewed as a global web replication. main idea: each replica is located in a different geographic area, rather then in the
More informationFirewalls P+S Linux Router & Firewall 2013
Firewalls P+S Linux Router & Firewall 2013 Firewall Techniques What is a firewall? A firewall is a hardware or software device which is configured to permit, deny, or proxy data through a computer network
More informationHow To Block A Ddos Attack On A Network With A Firewall
A Prolexic White Paper Firewalls: Limitations When Applied to DDoS Protection Introduction Firewalls are often used to restrict certain protocols during normal network situations and when Distributed Denial
More informationWHITE PAPER. FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems
WHITE PAPER FortiGate DoS Protection Block Malicious Traffic Before It Affects Critical Applications and Systems Abstract: Denial of Service (DoS) attacks have been a part of the internet landscape for
More informationUsing SYN Flood Protection in SonicOS Enhanced
SonicOS Using SYN Flood Protection in SonicOS Enhanced Introduction This TechNote will describe SYN Flood protection can be activated on SonicWALL security appliance to protect internal networks. It will
More informationRadware s Attack Mitigation Solution On-line Business Protection
Radware s Attack Mitigation Solution On-line Business Protection Table of Contents Attack Mitigation Layers of Defense... 3 Network-Based DDoS Protections... 3 Application Based DoS/DDoS Protection...
More informationLineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks
LineSwitch: Efficiently Managing Switch Flow in Software-Defined Networking while Effectively Tackling DoS Attacks Moreno Ambrosin, Mauro Conti, Fabio De Gaspari, University of Padua, Italy {surname}@math.unipd.it
More informationVirtualization, SDN and NFV
Virtualization, SDN and NFV HOW DO THEY FIT TOGETHER? Traditional networks lack the flexibility to keep pace with dynamic computing and storage needs of today s data centers. In order to implement changes,
More informationMulti-layer switch hardware commutation across various layers. Mario Baldi. Politecnico di Torino. http://staff.polito.it/mario.
Multi-layer switch hardware commutation across various layers Mario Baldi Politecnico di Torino http://staff.polito.it/mario.baldi Based on chapter 10 of: M. Baldi, P. Nicoletti, Switched LAN, McGraw-Hill,
More informationChapter 11 Cloud Application Development
Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How
More informationGetting to know OpenFlow. Nick Rutherford Mariano Vallés {nicholas,mariano}@ac.upc.edu
Getting to know OpenFlow Nick Rutherford Mariano Vallés {nicholas,mariano}@ac.upc.edu OpenFlow Switching 1. A way to run experiments in the networks we use everyday. A pragmatic compromise Allow researchers
More informationDos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS)
Dos & DDoS Attack Signatures (note supplied by Steve Tonkovich of CAPTUS NETWORKS) Signature based IDS systems use these fingerprints to verify that an attack is taking place. The problem with this method
More informationFlow processing and the rise of the middle.
Flow processing and the rise of the middle. Mark Handley, UCL With acknowledgments to Michio Honda, Laurent Mathy, Costin Raiciu, Olivier Bonaventure, and Felipe Huici. Part 1 Today s Internet Protocol
More informationDDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT
DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad
More informationINTRODUCTION TO FIREWALL SECURITY
INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ
More informationDDoS Protection Technology White Paper
DDoS Protection Technology White Paper Keywords: DDoS attack, DDoS protection, traffic learning, threshold adjustment, detection and protection Abstract: This white paper describes the classification of
More informationSoftware Defined Networking A quantum leap for Devops?
Software Defined Networking A quantum leap for Devops? TNG Technology Consulting GmbH, http://www.tngtech.com/ Networking is bottleneck in today s devops Agile software development and devops is increasing
More informationFirewalls. Ahmad Almulhem March 10, 2012
Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2
More informationCS 356 Lecture 16 Denial of Service. Spring 2013
CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter
More informationEnabling Practical SDN Security Applications with OFX (The OpenFlow extension Framework)
Enabling Practical SDN Security Applications with OFX (The OpenFlow extension Framework) John Sonchack, Adam J. Aviv, Eric Keller, and Jonathan M. Smith Outline Introduction Overview of OFX Using OFX Benchmarks
More informationFirewalls. Chapter 3
Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border
More informationStrategies to Protect Against Distributed Denial of Service (DD
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
More informationDefending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial
Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks
More informationNetwork Security. Chapter 3. Cornelius Diekmann. Version: October 21, 2015. Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik
Network Security Chapter 3 Cornelius Diekmann Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik Version: October 21, 2015 IN2101, WS 15/16, Network Security 1 Security Policies and
More informationSOFTWARE-DEFINED NETWORKING AND OPENFLOW
SOFTWARE-DEFINED NETWORKING AND OPENFLOW Freddie Örnebjär TREX Workshop 2012 2012 Brocade Communications Systems, Inc. 2012/09/14 Software-Defined Networking (SDN): Fundamental Control
More informationSoftware Defined Networking
Software Defined Networking Stefano Giordano Dipartimento di Ingegneria dell Informazione Università di Pisa 3D Reference model of ISDN Hourglass reference model of a TCP/IP network Network Ossification
More informationNetwork Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Part I: Attack Prevention Network Security Chapter 9 Attack prevention, detection and response Part Part I:
More informationBest Practices Guide: Vyatta Firewall. SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013
Best Practices Guide: Vyatta Firewall SOFTWARE-BASED NETWORKING & SECURITY FROM VYATTA February 2013 INTRODUCTION Vyatta Network OS is a software-based networking and security solution that delivers advanced
More informationBrocade SDN/OpenFlow. Norival Figueira Office of the CTO. January 9, 2015 2014/2015 BROCADE COMMUNICATIONS SYSTEMS, INC. ALL RIGHTS RESERVED.
Brocade SDN/OpenFlow Norival Figueira Office of the CTO January 9, 2015 2014/2015 BROCADE COMMUNICATIONS SYSTEMS, INC. ALL RIGHTS RESERVED. 1 Legal Disclaimer All or some of the products detailed in this
More informationDistributed Denial of Service (DDoS)
Distributed Denial of Service (DDoS) Defending against Flooding-Based DDoS Attacks: A Tutorial Rocky K. C. Chang Presented by Adwait Belsare (adwait@wpi.edu) Suvesh Pratapa (suveshp@wpi.edu) Modified by
More informationIntroduction TELE 301. Routers. Firewalls
Introduction TELE 301 Lecture 21: s Zhiyi Huang Computer Science University of Otago Discernment of Routers, s, Gateways Placement of such devices Elementary firewalls Stateful firewalls and connection
More informationTesting Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES
Testing Software Defined Network (SDN) For Data Center and Cloud VERYX TECHNOLOGIES Table of Contents Introduction... 1 SDN - An Overview... 2 SDN: Solution Layers and its Key Requirements to be validated...
More informationDenial of Service Attacks and Countermeasures. Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS)
Denial of Service Attacks and Countermeasures Extreme Networks, Inc. All rights reserved. ExtremeXOS Implementing Advanced Security (EIAS) Student Objectives Upon successful completion of this module,
More informationFirewalls and Intrusion Detection
Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall
More informationSDN AND SECURITY: Why Take Over the Hosts When You Can Take Over the Network
SDN AND SECURITY: Why Take Over the s When You Can Take Over the Network SESSION ID: TECH0R03 Robert M. Hinden Check Point Fellow Check Point Software What are the SDN Security Challenges? Vulnerability
More informationSecuring Local Area Network with OpenFlow
Securing Local Area Network with OpenFlow Master s Thesis Presentation Fahad B. H. Chowdhury Supervisor: Professor Jukka Manner Advisor: Timo Kiravuo Department of Communications and Networking Aalto University
More informationInternet Ideal: Simple Network Model
Middleboxes Reading: Ch. 8.4 Internet Ideal: Simple Network Model Globally unique identifiers Each node has a unique, fixed IP address reachable from everyone and everywhere Simple packet forwarding Network
More informationCS5008: Internet Computing
CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is
More informationDenial of Service Attacks
2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,
More informationSOFTWARE DEFINED NETWORKS REALITY CHECK. DENOG5, Darmstadt, 14/11/2013 Carsten Michel
SOFTWARE DEFINED NETWORKS REALITY CHECK DENOG5, Darmstadt, 14/11/2013 Carsten Michel Software Defined Networks (SDN)! Why Software Defined Networking? There s a hype in the industry!! Dispelling some myths
More informationChapter 8 Security Pt 2
Chapter 8 Security Pt 2 IC322 Fall 2014 Computer Networking: A Top Down Approach 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012 All material copyright 1996-2012 J.F Kurose and K.W. Ross,
More informationLayer 4-7 Server Load Balancing. Security, High-Availability and Scalability of Web and Application Servers
Layer 4-7 Server Load Balancing Security, High-Availability and Scalability of Web and Application Servers Foundry Overview Mission: World Headquarters San Jose, California Performance, High Availability,
More informationCloud Networking Disruption with Software Defined Network Virtualization. Ali Khayam
Cloud Networking Disruption with Software Defined Network Virtualization Ali Khayam In the next one hour Let s discuss two disruptive new paradigms in the world of networking: Network Virtualization Software
More informationRestorable Logical Topology using Cross-Layer Optimization
פרויקטים בתקשורת מחשבים - 236340 - סמסטר אביב 2016 Restorable Logical Topology using Cross-Layer Optimization Abstract: Today s communication networks consist of routers and optical switches in a logical
More informationsoftware networking Jithesh TJ, Santhosh Karipur QuEST Global
software defined networking Software Defined Networking is an emerging trend in the networking and communication industry and it promises to deliver enormous benefits, from reduced costs to more efficient
More informationSDN/Virtualization and Cloud Computing
SDN/Virtualization and Cloud Computing Agenda Software Define Network (SDN) Virtualization Cloud Computing Software Defined Network (SDN) What is SDN? Traditional Network and Limitations Traditional Computer
More informationShould the IETF do anything about DDoS attacks? Mark Handley
Should the IETF do anything about DDoS attacks? Mark Handley The Problem The Internet architecture was designed to delivery packets to the destination efficiently. Even if the destination does not want
More informationSoftware Defined Networks
Software Defined Networks Dr. Uttam Ghosh, CDAC, Bangalore uttamg@cdac.in Outline Networking Planes OpenFlow Software Defined Network (SDN) SDN Origin What is SDN? SDN Architecture SDN Operation Why We
More informationIntroducing FortiDDoS. Mar, 2013
Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline
More informationFederal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks
Threat Paper Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Federal Computer Incident Response Center 7 th and D Streets S.W. Room 5060 Washington,
More informationAcquia Cloud Edge Protect Powered by CloudFlare
Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....
More informationCS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24
Introduction to Computer Networks Lecture24 Network security (continued) Key distribution Secure Shell Overview Authentication Practical issues Firewalls Denial of Service Attacks Definition Examples Key
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationConfiguring IP Load Sharing in AOS Quick Configuration Guide
Configuring IP Load Sharing in AOS Quick Configuration Guide ADTRAN Operating System (AOS) includes IP Load Sharing for balancing outbound IP traffic across multiple interfaces. This feature can be used
More informationNetwork Security Demonstration - Snort based IDS Integration -
Network Security Demonstration - Snort based IDS Integration - Hyuk Lim (hlim@gist.ac.kr) with TJ Ha, CW Jeong, J Narantuya, JW Kim Wireless Communications and Networking Lab School of Information and
More informationCloudFlare advanced DDoS protection
CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationOpenDaylight Project Proposal Dynamic Flow Management
OpenDaylight Project Proposal Dynamic Flow Management Ram (Ramki) Krishnan, Varma Bhupatiraju et al. (Brocade Communications) Sriganesh Kini et al. (Ericsson) Debo~ Dutta, Yathiraj Udupi (Cisco) 1 Table
More informationSoftware-Defined Networking for the Data Center. Dr. Peer Hasselmeyer NEC Laboratories Europe
Software-Defined Networking for the Data Center Dr. Peer Hasselmeyer NEC Laboratories Europe NW Technology Can t Cope with Current Needs We still use old technology... but we just pimp it To make it suitable
More information1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?
Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against
More information642 523 Securing Networks with PIX and ASA
642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall
More informationDistributed Denial of Service Attacks defenses and OpenFlow:
Aalto University School of Science Degree Programme in Computer Science and Engineering Alvaro Garcia de la Villa Distributed Denial of Service Attacks defenses and OpenFlow: Implementing denial-of-service
More informationAvailability Digest. www.availabilitydigest.com. Prolexic a DDoS Mitigation Service Provider April 2013
the Availability Digest Prolexic a DDoS Mitigation Service Provider April 2013 Prolexic (www.prolexic.com) is a firm that focuses solely on mitigating Distributed Denial of Service (DDoS) attacks. Headquartered
More informationLeveraging SDN and NFV in the WAN
Leveraging SDN and NFV in the WAN Introduction Software Defined Networking (SDN) and Network Functions Virtualization (NFV) are two of the key components of the overall movement towards software defined
More informationCSE331: Introduction to Networks and Security. Lecture 12 Fall 2006
CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on
More informationA Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC. September 18, 2014.
A Presentation at DGI 2014 Government Cloud Computing and Data Center Conference & Expo, Washington, DC September 18, 2014 Charles Sun www.linkedin.com/in/charlessun @CharlesSun_ 1 What is SDN? Benefits
More informationHow To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address
Inter-provider Coordination for Real-Time Tracebacks Kathleen M. Moriarty 2 June 2003 This work was sponsored by the Air Force Contract number F19628-00-C-002. Opinions, interpretations, conclusions, and
More informationSoftware Defined Networking
Software Defined Networking Richard T. B. Ma School of Computing National University of Singapore Material from: Scott Shenker (UC Berkeley), Nick McKeown (Stanford), Jennifer Rexford (Princeton) CS 4226:
More informationTDC s perspective on DDoS threats
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
More informationWedge Networks: Transparent Service Insertion in SDNs Using OpenFlow
Wedge Networks: EXECUTIVE SUMMARY In this paper, we will describe a novel way to insert Wedge Network s multiple content security services (such as Anti-Virus, Anti-Spam, Web Filtering, Data Loss Prevention,
More informationChapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall
Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure
More informationCIT 480: Securing Computer Systems. Firewalls
CIT 480: Securing Computer Systems Firewalls Topics 1. What is a firewall? 2. Types of Firewalls 1. Packet filters (stateless) 2. Stateful firewalls 3. Proxy servers 4. Application layer firewalls 3. Configuring
More informationFirewalls. CS461/ECE422 Spring 2012
Firewalls CS461/ECE422 Spring 2012 Reading Material Text chapter 9 Firewalls and Internet Security: Repelling the Wily Hacker, Cheswick, Bellovin, and Rubin. Firewall Goal Insert a"er the fact security
More informationSerro Solutions Enables Managed Security Service Providers to Optimize Networking Performance and Cost
Serro Solutions Enables Managed Security Service Providers to Optimize Networking Performance and Cost Serro s SDN Controller automates Internet connections on a global scale to migrate traffic to lower
More informationLoad Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.
Load Balancing Un article de Le wiki des TPs RSM. PC Final Network Exam Sommaire 1 LSNAT 1.1 Deployement of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with
More informationFirewalls. Basic Firewall Concept. Why firewalls? Firewall goals. Two Separable Topics. Firewall Design & Architecture Issues
CS 155 May 20, 2004 Firewalls Basic Firewall Concept Separate local area net from internet Firewall John Mitchell Credit: some text, illustrations from Simon Cooper Router All packets between LAN and internet
More informationV-ISA Reputation Mechanism, Enabling Precise Defense against New DDoS Attacks
Enabling Precise Defense against New DDoS Attacks 1 Key Points: DDoS attacks are more prone to targeting the application layer. Traditional attack detection and defensive measures fail to defend against
More informationDISTRIBUTED DENIAL OF SERVICE OBSERVATIONS
: DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s
More informationNetwork Services in the SDN Data Center
Network Services in the SDN Center SDN as a Network Service Enablement Platform Whitepaper SHARE THIS WHITEPAPER Executive Summary While interest about OpenFlow and SDN has increased throughout the tech
More informationFirewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)
s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware
More informationSafeguards Against Denial of Service Attacks for IP Phones
W H I T E P A P E R Denial of Service (DoS) attacks on computers and infrastructure communications systems have been reported for a number of years, but the accelerated deployment of Voice over IP (VoIP)
More informationOpen Source Network: Software-Defined Networking (SDN) and OpenFlow
Open Source Network: Software-Defined Networking (SDN) and OpenFlow Insop Song, Ericsson LinuxCon North America, Aug. 2012, San Diego CA Objectives Overview of OpenFlow Overview of Software Defined Networking
More informationVIEWABILL. Cloud Security and Operational Architecture. featuring RUBY ON RAILS
VIEWABILL Cloud Security and Operational Architecture featuring RUBY ON RAILS VAB_CloudSecurity V1 : May 2014 Overview The Viewabill.com cloud is a highly-secure, scalable and redundant solution that enables
More informationGame-based Analysis of Denial-of- Service Prevention Protocols. Ajay Mahimkar Class Project: CS 395T
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T Overview Introduction to DDoS Attacks Current DDoS Defense Strategies Client Puzzle Protocols for DoS
More informationDDoS attacks in CESNET2
DDoS attacks in CESNET2 Ondřej Caletka 15th March 2016 Ondřej Caletka (CESNET) DDoS attacks in CESNET2 15th March 2016 1 / 22 About CESNET association of legal entities, est. 1996 public and state universities
More informationDoS/DDoS Attacks and Protection on VoIP/UC
DoS/DDoS Attacks and Protection on VoIP/UC Presented by: Sipera Systems Agenda What are DoS and DDoS Attacks? VoIP/UC is different Impact of DoS attacks on VoIP Protection techniques 2 UC Security Requirements
More information20-CS-6053-00X Network Security Spring, 2014. An Introduction To. Network Security. Week 1. January 7
20-CS-6053-00X Network Security Spring, 2014 An Introduction To Network Security Week 1 January 7 Attacks Criminal: fraud, scams, destruction; IP, ID, brand theft Privacy: surveillance, databases, traffic
More informationA TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS
ICTACT JOURNAL ON COMMUNICATION TECHNOLOGY, JUNE 2010, ISSUE: 02 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS S.Seetha 1 and P.Raviraj 2 Department of
More informationMiddleboxes. Firewalls. Internet Ideal: Simple Network Model. Internet Reality. Middleboxes. Firewalls. Globally unique idenpfiers
Ideal: Simple Network Model Middleboxes Jennifer Rexford COS 461: Computer Networks Lectures: MW 10-10:50am in Architecture N101 hgp://www.cs.princeton.edu/courses/archive/spr12/cos461/ Globally unique
More informationWhite Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation
White Paper Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation Table of Contents Introduction... 3 Common DDoS Mitigation Measures...
More informationMalice Aforethought [D]DoS on Today's Internet
Malice Aforethought [D]DoS on Today's Internet Henry Duwe and Sam Mussmann http://bit.ly/cs538-ddos What is DoS? "A denial of service (DoS) attack aims to deny access by legitimate users to shared services
More informationDefinition of firewall
Internet Firewalls Definitions: firewall, policy, router, gateway, proxy NAT: Network Address Translation Source NAT, Destination NAT, Port forwarding NAT firewall compromise via UPnP/IGD Packet filtering
More informationWhite Paper. SDN 101: An Introduction to Software Defined Networking. citrix.com
SDN 101: An Introduction to Software Defined Networking citrix.com Over the last year, the hottest topics in networking have been software defined networking (SDN) and Network ization (NV). There is, however,
More information