Maximizing the Availability of Distributed Software Services. Peter Clutterbuck


Maximizing the Availability of Distributed Software Services
by Peter Clutterbuck
Bachelor of Science (Maths and Computing), (CQU Australia) 1990
Graduate Diploma in Information Technology, (CQU Australia) 1993
Master of Science (Computing), (QUT Australia) 1996
Thesis submitted in accordance with the regulations for the Degree of Doctor of Philosophy
Information Security Research Centre, Faculty of Information Technology, Queensland University of Technology
2 November, 2005

Keywords

Availability, denial of service, wait time, replication, cluster, distributed service, trust, authentication, redirection, dispatching, scheduling, filtering, option.

Abstract

In a commercial Internet environment, the quality of service experienced by a user is critical to competitive advantage and business survivability. The availability and response time of a distributed software service are central components of the overall quality of service provided to users. Traditionally, availability is a measure of service down time: it measures the probability that the service will be live and is expressed in terms of failure occurrence and repair or recovery time. Response time is a measure of the time taken from when the service request is made to when service provision occurs for the user. Deteriorating response time is also a valuable indicator of denial of service attacks, which continue to pose a significant threat to service availability. The concept of the service cluster is increasingly being deployed to improve service availability and response time. Cluster processor replication increases service availability. Cluster dispatching of service requests across the replicated cluster processors increases service scalability and therefore improves response time.

This thesis commences with a review of the research and current technology in the area of distributed software service availability. The review aims to identify any deficiencies within that area and propose critical features that mitigate those deficiencies. The three critical features proposed relate to user wait time, cluster dispatching, and the trust-based filtering of service requests. The user wait time proposal is that the availability of a distributed service should reflect both the liveness probability level and the probabilistic user access time of the service. The cluster dispatching proposal is that dispatching processing overhead is a function of the number of Internet Protocol (IP) datagrams/Transmission Control Protocol (TCP) segments that are received by the dispatcher in respect of each service request. Consequently the number of IP datagrams/TCP segments should be minimised, ideally so that for each incoming service request there is one IP datagram/TCP segment. The trust-based filtering proposal is that the level of trust in respect of each service request should be identified by the service, as this is critical in mitigating distributed denial of service attacks and therefore in maximising the availability of the service.

A conceptual availability model which supports the three critical features within an Internet clustered service environment is then described. The conceptual model proposes an expanded availability definition and then describes the realization of this definition via additional capabilities positioned within the Transport layer of the Internet communication environment. The additional capabilities of this model also facilitate the minimization of cluster dispatcher processing load and the identification by the cluster dispatcher of request trust level. The model is then implemented within the Linux kernel. The implementation involves the addition of several options to the existing TCP specification and also the addition of several functions to the existing Socket API. The implementation is subsequently evaluated in a dispatcher-based clustered service environment.

Contents

Keywords ii
Abstract iii
List of Figures vii
Declaration ix
Previously Published Material x
Acknowledgements xi

Chapter 1 Availability: A Literature Review
  1.1 Introduction
  1.2 Availability and Reliability
  1.3 Service Clustering
    1.3.1 Availability via Clustering
    1.3.2 Scalability via Clustering
  1.4 Availability and Denial of Service
    Kernel Based Denial of Service Protection
    Distributed Denial of Service
  1.5 Critical Features
    User Wait Time
    Server Side Dispatching
    Trust
  1.6 Conclusion

Chapter 2 An Availability Maximising Model
  2.1 Introduction
  Distributed Service Infrastructure
    Internet Service, Cluster, Management Agents and Cluster Policies
    Naming Service, Network Infrastructure, Process Interface
    Service Request, Service Provision and Processing Type
  Infrastructure Deficiencies
    A Limiting Availability Definition
    Non-Optimal Dispatcher Load
    Service Request Validation
  Research Solutions
    An Extended Definition
    Decreasing Cluster Dispatcher Load
    Trust Based Filtering
  Detailed Design
    Wait-Time Objects
    Redirect Objects
    Trust-Based Filter Objects
  Conclusion

Chapter 3 Evaluation: Experimental Methodology
  3.1 Introduction
  Network Infrastructure Overview
  Experimental Methodology: Deployment of Prototype Infrastructure
    Extended User-API
    IPSec and FreeS/WAN
  The Test Application and its Interaction with the Prototype Infrastructure
    Cluster Dispatcher Application Design
    Cluster Processing Application Design
    Key Requesting Client Application Design
  Evaluation Criteria
  Conclusion

Chapter 4 Model Implementation: Protocol Level
  4.1 Overview
  Existing TCP Specification
    TCP Core Operations
    TCP Options
    TCP State Information
    TCP Interfaces
  TCP Protocol Changes
    Cluster Initialization
      Cluster Dispatcher Initialization
      Cluster Processing Node Initialization
    Service Request Processing: Client-Dispatcher
    Service Request Processing: Client-Cluster Node
    Service Request Processing: Cluster Node-Dispatcher Update of Wait Time
    Trust Based Service Request Filtering
  Conclusion

Chapter 5 Model Implementation: Linux Kernel and Socket API
  5.1 Introduction
  Linux Networking Overview
  Linux System Calls
  Connection Initialization and Passive Opening
    Event 1 Socket Initialization
    Event 2 Port Binding
    Event 3 Cluster Dispatcher Passive Opening
    Event 4 Cluster Node Passive Opening
  Client Connection with Cluster Dispatcher
    Event 5 Client Connect Call
    Event 6 Cluster Dispatcher Receipt of SYN Segment
    Event 7 Client Receipt of Redirecting SYN+ACK Segment
  Client Connection with Cluster Node
    Event 8 Client Sending Redirected SYN
    Event 9 Cluster Node Receives Redirected SYN
    Event 10 Client Receives Cluster Node's SYN+ACK
    Event 11 Node Receives Client's ACK
  5.7 Update Wait Time: Cluster Node to Dispatcher
    Event 12 Node Calculates Updated Processing Time
    Event 13 Cluster Dispatcher Receives Node Updated Wait Time
  Trust Based Filtering
  Conclusion

Chapter 6 Experimental Results
  6.1 Introduction
  Minimised Wait Times and Performance
    Minimised Wait Time Testing
    Operating System Kernel Performance
    Packet Count Performance
  Denial of Service Resilience
    LVS/TUN DoS Protection Algorithm
    TCP Redirection DoS Protection
    DoS Protection Algorithm and Timing Comparison
  API Usability
    Standard Client-Server API Usage
    Research Client-Server API Usage
    Cluster Dispatcher Research API Usage
    Cluster Processing Node Research API Usage
    API Compatibility
  Evaluation Summary and Limitations
  Conclusion

Chapter 7 Conclusion
  7.1 Introduction
  A Summary: Chapters 1 to
  Evaluation Results and Research Conclusions
  Future Directions
    Server Processing Paradigm
    Valid Initial Sequence Number Computation
    Interoperability Constraints
  Final Comments

Bibliography

Appendices
  Appendix A Linux Network Programming (TCP) Description
  Appendix B TCP Options

List of Figures

1.1 Replicated Service Availability Management
1.2 Network Load Balancing
1.3 Virtual Server via NAT
1.4 Virtual Server via IP Tunnelling (LVS/TUN)
The Maximum Waiting Time Concept
The Dispatcher-Based Cluster Paradigm: An Overview
The Dispatcher-Based Cluster Paradigm: A Detailed View
Process Interface Concept
The Internet TCP/IP Communication Model
Service Provision and Service Provision Commencement
Dispatching via IP Tunnelling Example
State Information
LVS/TUN Layers Involved with Dispatcher Processing
Distributed Denial of Service Vulnerability
Model Processing Overview
Wait-Time Objects Initialisations
Wait-Time Objects Cyclical Processing Actions
Redirect Objects Processing Actions
Initialisation Phase: Trust-Based Filter Object
Filtering Phase: Trust-Based Filtering Object
Network Infrastructure Overview
Protocol Layering in RFC
TCP State Transition Diagram
TCP Options
TCP State Information
Send Sequence Number State
Receive Sequence Number State
Wait Time Option Prepared by Client
Wait Time Option Prepared by Cluster Dispatcher
Redirection Option Prepared by Cluster Dispatcher
Wait Time Update Option Prepared by Cluster Node
TCP Event Overview
The Linux Network Layer Structure
Four Tier User-Level Library Function Design
Two Tier Library-Kernel Function Design
Function Call Hierarchy for socket( )
Socket Data Structure Architecture
Sock Struct and Selected Members
Function Call Hierarchy for bind( )
TCP Bind Bucket Tables
Bind Data Structures
Function Call Hierarchy for sys_listen_and_send_redirect( )
The Listen Queue
Function Call Hierarchy for listen_and_receive_redirect( )
5.14 The SYN Queue Data Structures
Function Call Hierarchy for connect_with_wait_time( )
Wait Time Option Design
ESTABLISHED and BIND Tables
Function Hierarchy for SYN Processing by Dispatcher's TCP
Dispatcher TCP's Wait Time Option
Dispatcher TCP's Redirection Option
Function Hierarchy for SYN+ACK+Options Processing
Function Hierarchy for Sending (Redirected) SYN
Function Hierarchy for Processing Incoming (Redirected) SYN
Function Hierarchy for Processing Incoming SYN+ACK
Function Hierarchy for Processing Incoming ACK
The Accept Queue
Function Hierarchy following update_wait_time( )
Update Wait Time Option
Function Hierarchy for Processing Incoming Wait Time Update
Function Hierarchy following trust_filter( )
Software/Hardware Infrastructure
Maximum Client Wait Times
Timing Comparison via select( ) and readtsc
API Call Duration
Packet Count Statistics for Redirection TCP and IP Tunnelling
Dispatcher Event Count: LVS/TUN Dispatching
Dispatcher Event Count: TCP Redirection Dispatching
Denial of Service Protection Summary
API Categories and Member Functions
Standard Socket API Usage
Client Research API Usage
Cluster Dispatcher API Usage
Cluster Processing Node Research API Usage
Interoperability of Research and Standard Components
Summarised Test Results

Declaration

The work contained in this thesis has not been previously submitted for a degree or diploma at any higher education institution. To the best of my knowledge and belief, the thesis contains no material previously published or written by another person except where due reference is made.

Signed: Date:

Previously Published Material

The following papers have been published or presented, and contain material based on the content of the thesis.

[1] Peter Clutterbuck and George Mohay. Increased Availability for Networked Software Services. Australasian Journal of Information Systems, Volume 7, number 2, pages May. This publication relates to material from Chapters 1 and 2 of the thesis.

[2] Peter Clutterbuck and George Mohay. Measuring Distributed Software Service Availability and Response Time via the Socket API and TCP Options. Proceedings of the International Conference on Internet Computing (IC 02), Volume 3, pages CSREA Press USA, June. This publication relates to material from Chapters 2, 4, and 5 of the thesis.

[3] Peter Clutterbuck and George Mohay. Internet Service Cluster Dispatching via a TCP Redirection Option. Proceedings of the International Conference on Internet Computing (IC 03), Volume 1, pages CSREA Press USA, June. This publication relates to material from Chapters 2, 4, and 5 of the thesis.

[4] Peter Clutterbuck and George Mohay. Increased Availability and Scalability for Clustered Services via the Wait Time Calculation, Trust Based Filtering and Redirection of TCP Connection Requests. Proceedings of the IEEE TENCON Conference, Volume 1, pages IEEE October. This publication relates to material from Chapters 4, 5, and 6 of the thesis.

Acknowledgements

I would like to thank my principal supervisor Professor George Mohay. I am very grateful to Professor Mohay for his guidance, support and patience over the past several years. He has greatly assisted me in all areas of the research process. I wish to express my thanks to my associate supervisor Professor Mark Looi. I wish to also acknowledge the help and support I received during the initial stages of this research from the Distributed Systems Technology Centre (QUT). In particular I would like to thank Dr. Tim Redhead, Dean Povey and Simon Gibson. These three people made me feel very much part of their team and were very supportive in many important areas. My final acknowledgement is to my wife Ricki. I greatly valued and appreciated her encouragement and support during all stages of this research. Thank you very much.

Chapter 1 Availability: A Literature Review

1.1 Introduction

The research described within this thesis has the central aim of maximising the availability of a distributed software service. Availability, confidentiality, and integrity are listed consistently [18], [20], [27] as the three major deliverables of computing security research. Of these, [27] describes availability as the most difficult. [20] states that this difficulty has been caused by the temporal dimension that is associated with the availability challenge. The research described within this thesis focuses upon the following three specific research goals:

- The availability of a distributed software service should reflect both the liveness probability level and the probabilistic user access time of the software service.
- The dispatcher processing overhead is a function of the number of IP datagrams/TCP segments that are received or sent by the dispatcher in respect of each service request. Consequently the number of datagrams/TCP segments should be minimized, ideally so that for each incoming service request there is one IP datagram/TCP segment.
- The level of trust in respect of each service request received by the service cluster should be identified, as this is critical in mitigating distributed denial of service attacks and therefore in maximising the availability of a distributed software service.

The remainder of this chapter describes the detailed derivation and meaning of these three research goals. The derivation and meaning of these three goals require the analysis of the major research themes that constitute the existing body of availability theory, together with the identification of the critical feature(s) within each major research theme. Each critical feature is then analysed in terms of its necessity and sufficiency as a core part of a complete availability theory. This analysis facilitates a progress check of where the established availability research has reached, and where future research may proceed most productively. Indeed this progress check ultimately points to the three research goals underpinning this research.

The remainder of this chapter will unfold as follows. Section 1.2 discusses how availability is closely linked with reliability, and how both concepts are subsets of dependable computing. Section 1.3 describes how current availability assurance strategies are primarily based on countering any single point of failure within the software service. Consequently, availability requires service replication, and this is facilitated via the concept of service clustering. Section 1.4 analyses how research into denial of service, a significant threat to software service availability, has developed historically along two main streams. Initial denial of service research focused upon solution strategies placed within the operating system kernel and in some cases other operating system (driver) modules. Later denial of service research recognised that network software services were increasingly vulnerable to denial of service attacks mounted from remote machines. This later research, now known as distributed denial of service research, recognises that no single denial of service solution strategy exists, and that any practical level of protection must be based on several cooperating solution strategies that are located architecturally within the software service, within the operating system kernel/operating system driver modules, and also at strategic points across the network itself. Section 1.5 describes the critical features of each of the three major availability themes. These critical features in turn produce the three research goals that have been listed at the commencement of this chapter. Section 1.6 concludes the chapter and points to the content of Chapter 2.

1.2 Availability and Reliability

A very early examination of software availability theory is contained within [1]. This description begins by describing reliability and availability as important performance measures for the quality of a system. Availability is introduced as a function applicable to a system that tolerates shutdown times caused by either planned or unplanned outages. The availability function, A(t), is defined as the probability that the system is operating at time t. In contrast, the reliability function R(t) is the probability that the system has operated over the interval 0 to t. The most important items for consideration are how frequently the system goes down and for how long it stays down. An important parameter that characterizes this down time is the mean time to (or between) failures (MTTF). In the general case Markov modelling is used to analyse system availability and derive the required probabilities. An important difference between A(t) and R(t) is their steady-state behaviour. As t becomes large, all reliability functions approach zero, whereas availability functions reach some steady-state value. As an example, if MTTF is 10^4 hours (a little over 1 year), and the mean repair time is 100 hours (about 4 days), then a steady-state availability probability of 0.99 is produced.

Similar availability metrics are surveyed in [2]. Reliability is the conditional probability, at a given confidence level, that a system will perform its intended function properly without failure and satisfy specified performance requirements during a given time interval [0, t] when used in the manner and for the purpose intended while operating under the specified application and environment stress levels. Instantaneous availability, A(t), is the probability that a system is performing properly at time t and is equal to reliability for a system that does not tolerate shutdowns of any type. Steady state availability is the probability that a system will be operational at any random point of time and is expressed as the expected fraction of time a system is operational during the period it is required to be operational.

More recently availability is defined in [3] as one of several reliability metrics. Reliability is described as the most important dynamic characteristic of almost all software systems. Informally, the reliability of a software system is a measure of how well users think it provides the services that they require. More formally, reliability is usually defined as the probability of failure-free operation for a specified time in a specified environment for a specified purpose. In the main, software reliability metrics have evolved from hardware reliability metrics. Metrics used for software reliability specification are as follows:

POFOD: The probability of failure on demand. This is a measure of the likelihood that the system will fail when a service request is made. For example, a POFOD of 0.001 means that 1 out of 1000 service requests may fail. POFOD is most relevant within safety-critical systems.

ROCOF: The rate of failure occurrence. This is a measure of the frequency with which unexpected behaviour is likely to occur. For example, a ROCOF of 2/100 means that 2 failures are likely to occur in each 100 time units. ROCOF is most relevant to operating systems and transaction processing systems.

MTTF: The mean time to failure. This is a measurement of the time between observed system failures. For example, an MTTF of 500 means that 1 failure can be expected every 500 time units. It is the reciprocal of ROCOF if the system is not being changed. MTTF is most relevant to systems with long transaction processing times.

AVAIL: Availability is a measure of how likely the system is to be available for use. For example, an availability of 0.998 means that in every 1000 time units, the system is likely to be available for 998 of these. Availability is most relevant to continuously running systems.

Availability is the metric with which users or system operators are mostly concerned. Availability is the complement of down-time and as such takes into account the elapsed repair or restart time when a system failure occurs. If repair or restart time is brief, it is possible to have acceptable availability within a system that displays low reliability as measured by metrics such as ROCOF or MTTF.

Strategies for achieving high levels of availability are discussed in [4]. The concept of downtime is essential in defining and achieving availability. Downtime is described as follows: "if a user cannot get his job done on time, the system is down." This strict definition is required because the system is provided for users to work in an efficient and timely way. When circumstances prevent a user from achieving this goal, the system is down. Causes of downtime include people factors, planned outages, environmental problems, hardware difficulties and software failures (server software and network software).

1.3 Service Clustering

The clustered internet service concept takes the single service process of the traditional service architecture, and replicates this process to form a cluster or group of service processes. The cluster concept increases service availability and scalability by providing fault tolerance and greater processing power via hardware redundancy and software replication. The cluster concept is comprehensively treated in [5]. This section will firstly describe how availability is increased by clustering, and then describe how scalability is added on to enhance the availability management model.
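Before turning to clustering, the quantities defined in Section 1.2 (A(t), R(t), MTTF and the POFOD/ROCOF/MTTF/AVAIL metrics) carried through numerically, as an added example that is not part of the thesis. It assumes the standard two-state (up/down) Markov model with constant failure rate 1/MTTF and constant repair rate 1/MTTR, one instance of the Markov modelling the text refers to; the thesis itself does not give this closed form.

```python
import math

# Added example: reliability and availability quantities from Section 1.2.
# Assumed model (not taken from the thesis): constant failure rate lam = 1/MTTF
# and constant repair rate mu = 1/MTTR, i.e. a two-state up/down Markov chain.


def reliability(t, mttf):
    """R(t): probability of no failure over [0, t] under a constant failure rate."""
    return math.exp(-t / mttf)


def instantaneous_availability(t, mttf, mttr):
    """A(t): probability the system is up at time t, starting in the up state.

    Two-state Markov solution: A(t) = mu/(lam+mu) + lam/(lam+mu) * exp(-(lam+mu) t).
    The exponential term is the transient; what remains is the steady-state value.
    """
    lam, mu = 1.0 / mttf, 1.0 / mttr
    return mu / (lam + mu) + (lam / (lam + mu)) * math.exp(-(lam + mu) * t)


def steady_state_availability(mttf, mttr):
    """Limit of A(t) as t grows: MTTF / (MTTF + MTTR), the text's 0.99 example."""
    return mttf / (mttf + mttr)


def pofod(failures, requests):
    """Probability of failure on demand: failed requests over total requests."""
    return failures / requests


def rocof(failures, time_units):
    """Rate of occurrence of failure: failures per time unit."""
    return failures / time_units


def mttf_from_rocof(rate):
    """MTTF is the reciprocal of ROCOF for a system that is not being changed."""
    return 1.0 / rate


def availability_from_uptime(up_units, total_units):
    """AVAIL: fraction of the observation period during which the system was usable."""
    return up_units / total_units


def thesis_example():
    """The text's worked case: MTTF = 10^4 hours, mean repair time = 100 hours."""
    mttf, mttr = 1e4, 100.0
    return {
        "steady_state": steady_state_availability(mttf, mttr),        # about 0.99
        "A_at_10000h": instantaneous_availability(1e4, mttf, mttr),  # transient gone
        "R_at_10000h": reliability(1e4, mttf),                        # e^-1, still falling
        "R_at_100000h": reliability(1e5, mttf),                       # e^-10, near zero
    }


if __name__ == "__main__":
    for name, value in thesis_example().items():
        print(f"{name}: {value:.6f}")
```

R(t) keeps falling toward zero while A(t) settles at MTTF/(MTTF+MTTR), which is the steady-state difference the text describes.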

1.3.1 Availability via Clustering

The increased availability provided by a clustered service is based upon the replicated service availability management that has been described in [6], [7], [8], [9], [10], [11], and [12]. Replicated service availability, as it is presented in [7], is illustrated in Figure 1.1. [7] assumes an asynchronous distributed system consisting of multiple host machines or nodes linked together into an arbitrary network topology. This service hosting network in turn has some arbitrary link with the service user community. The primary entities within the model include the distributed service, a service group, an availability policy, and a management service. The distributed service is characterised by its state, type and operational implementation. A service group is a collection of replicated operational implementations (i.e., processes). The service group consists of a single primary implementation and several backup implementations. A service group may comprise only those nodes capable of speedy communication with all nodes within the group. Group membership is dynamic. An availability policy is a tuple (replication, synchronization). Replication defines the number of service backup implementations maintained within the distributed system. Synchronization defines the mapping of updates from the primary state to the backup state. Close synchronization describes one to one updating across all group members, whilst loose synchronization describes less frequent updating across the group. A management service is the system entity that implements the availability policy of the distributed service. A management service is implemented as a group of cooperating management agents. The management agent groups maintain consistent state information. A management agent is located within each node hosting a member of the service group. A management agent may be constituted as part of the service member implementation or as a standalone process that is separate from the service member implementation (process).

[Figure 1.1 Replicated Service Availability Management: the general user community reaches, via a service network gateway and an arbitrary service network, a network service / service group (replication of 1 backup) made up of a service primary process and a service secondary process, each on its own service hosting operating system and node, with management service agents and state updating (close synchronization) between the two]

The model manages distributed service availability by ensuring that operational primary and backup implementations exist within the distributed system at all times. Each primary and backup implementation, depending on the level of synchronization specified within the availability policy, possesses uniform service state information.

The only threat to model viability is total, simultaneous failure of all nodes. The model makes no distinction between network level communication faults, hardware or operating system faults at a node level, or service implementation (process) failure. A group member isolated or extinguished for any reason is removed from the group until the isolation is resolved. When group reconfigurations occur for any failure reason, the management service across the newly formed group selects a replacement primary server, and then creates an additional backup on a suitable host node within the distributed system.

1.3.2 Scalability via Clustering

Whilst the availability management model described above provides hardware and software fault tolerance, it does not fully provide the scalability required for distributed services that process large and variable volumes of work. This is because secondary group members in the availability management model are utilised as failover backups and not for routine processing. This design choice reflects how that model viewed availability as a service liveness issue only. The cluster concept allows the addition of increased scalability to the availability management model by introducing load balancing strategies so that all replicated group members routinely participate in processing. These load balancing strategies therefore form a central issue in clustering. Load balancing strategies display a four-way taxonomy [14]: client side, server side Domain Name Service (DNS) Round-Robin, server side filtering, and server side dispatching.

Developments in client side load balancing include Berkeley's Smart Client [13]. The Smart Client requires that the internet service provide an applet running on the client side. The applet makes requests to the cluster to collect load information on all servers, and then chooses a server based on that information. The applet tries other servers within the cluster if it finds the initially selected server has failed. The Smart Client, as with other client side load balancing approaches, is not client-transparent and consequently requires modification of client applications. The client side approach also displays the potential to increase network traffic because of the extra cluster probing that is involved.

DNS Round-Robin (DNS RR or DNS aliasing) is used by a significant number of Web servers to distribute load across the Web servers cooperating to provide the service [13]. DNS support for load balancing is described in [14]. A single logical hostname for the service is mapped onto multiple IP addresses. Each IP address represents a processing member of the service cluster. When a client resolves a hostname, alternative IP addresses are provided in a round-robin fashion. [13] outlines two major problems with DNS Round-Robin load balancing. Firstly, the randomized load balancing of DNS RR will not work as well for requests demonstrating wide variance in processing time (e.g., some web requests may pull many pages from a site, and others may pull only one or very few). Secondly, DNS RR cannot account for geographic load balancing since DNS does not possess knowledge of client location or server capabilities. [15] also describes the unreliability of DNS RR: when a server node fails, the appropriate change in IP mapping will take time to propagate through DNS. The change must be made within the appropriate DNS zone file(s). The delay is further exacerbated by the heavy use of caching name servers within DNS. Therefore client resolution requests will continue for some time to have the failed IP address returned to them.

Load balancing by server side filtering is the strategy underpinning Microsoft Network Load Balancing [16]. This clustering technology is included in the Windows Advanced Server and Datacenter Server operating systems. Network Load Balancing is described with reference to Figure 1.2. Figure 1.2 shows four Network Load Balancing (NLB) hosts, or cluster members, supported by optional shared storage. The clustered service is assigned a primary IP address which is advertised to the user community via DNS. The clustered service consists of a maximum of thirty-two cluster members. Each cluster member is assigned a unique host priority in the range 1 to 32, where lower numbers denote higher priorities. The cluster member with the highest host priority (i.e., lowest numeric value) is called the default host. The essence of NLB is that service requests are filtered and not dispatched. This means that all incoming service requests are received by all cluster members at the device driver level: there is no front end host receiving all requests and dispatching/routing each request to the most appropriate cluster member.

[Figure 1.2 Network Load Balancing (NLB): Internet/Intranet, router/gateway and hub feeding the Network Load Balancing hosts (cluster members), maximum of 32]

All service requests to the cluster arrive (via the hub) at each host and are then passed to the Network Load Balancing Driver, which is positioned on each host between the LAN device driver and TCP/IP. The Network Load Balancing Driver on each host performs a statistical mapping to determine which host should handle the request. This mapping uses a randomization function that calculates a host priority based on the client's IP address, port number, and other state information. The Network Load Balancing Driver then passes the accepted service requests to TCP/IP and discards the remaining requests. The NLB literature states that filtering delivers higher network throughput than dispatcher-based solutions. Whilst NLB requires no dedicated hardware, it can only be implemented on an Ethernet or FDDI LAN, and indeed only on a single segment of a LAN. No wide area deployment of the cluster members is possible. NLB does not monitor the detailed workload of the software services comprising the cluster. The NLB literature states that where client connections produce widely varying loads on the server, Network Load Balancing's load balancing algorithm is less effective. NLB's architecture takes advantage of the cluster subnet's hub to simultaneously deliver all incoming network traffic to each and every cluster host. The NLB literature states that if the client-side network connections to the switch are significantly faster than the server-side connections, incoming traffic can occupy a prohibitively large portion of the server-side bandwidth. The NLB literature also states that NLB does not manage any incoming IP traffic other than TCP traffic, User Datagram Protocol (UDP) traffic, and Generic Routing Encapsulation (GRE) traffic (as part of PPTP traffic) for specified ports. It does not filter IGMP, ARP, the Internet Control Message Protocol (ICMP), or other IP protocols. All such traffic is passed unchanged to the TCP/IP protocol software on all of the hosts within the cluster. As a result, the cluster can generate duplicate responses from certain point-to-point TCP/IP programs (such as ping) when the cluster IP address is used. This appears to suggest a vulnerability whereby an NLB cluster may be used to amplify the impact of a Smurf attack [71] on another network. The Smurf attack occurs when an attacker sends spoofed ICMP ECHO packets to the address of the amplifying network. The source address of the packets is forged to make it appear as if the victim system has initiated the request.

Server-side dispatching is the load balancing strategy within the Linux Virtual Server architecture (LVS) [15]. Linux Virtual Server is implemented (for Internet services) in two main ways: via Network Address Translation (LVS/NAT) and via IP tunnelling (LVS/TUN). Virtual Server via NAT is illustrated in Figure 1.3.

[Figure 1.3 Virtual Server via NAT: a user on the Internet/Intranet, the virtual IP address on the load balancing Linux box, a switch/hub, and Real Servers 1, 2 and 3 on a private network]

The operation of Linux Virtual Server via NAT is as follows. When a user accesses the service provided by the server cluster, the request packet destined for the virtual IP address (the external IP address for the load balancer) arrives at the load balancer.
The load balancer examines the packet's destination address and port number. If they are matched for a virtual service according to the virtual server rule table, a real server is chosen from the cluster by a scheduling algorithm, and the connection is added into the hash table which records all established connections. Then, the destination address and port of the packet are rewritten to those of the chosen server, and the packet is forwarded to the server. When further incoming packets belonging to this connection arrive at the load balancer (from the user), these packets are also rewritten and forwarded to the chosen server. When reply packets come back (from the chosen server), the load balancer rewrites the source address and port of the packets to those of the virtual service. The major disadvantage of this dispatching approach is a lack of scalability due to the time taken by the load balancer in rewriting both the incoming and outgoing packets. [15] reports that the time taken by a Pentium machine to rewrite a packet of average length 536 bytes is around 60µs. [15] reports that the maximum throughput of the tested Pentium load balancer is 8.93 MBytes/s and that it can schedule 22 real servers if the average throughput of the real servers is 400 Kbytes/s. A second disadvantage of the NAT approach is that the cluster machines must be deployed within a private network. Private IP addresses must be used for the cluster members (address space , to , and to ).

Server-side dispatching via IP tunnelling (LVS/TUN) is also used as a load balancing strategy within the Linux Virtual Server architecture. IP tunnelling is a technique that allows IP datagrams for one IP address to be wrapped and redirected to another IP address. The original IP datagram is wrapped (encapsulated) inside another IP datagram. The Linux Virtual Server architecture via IP tunnelling is illustrated in Figure 1.4.

[Figure 1.4: Virtual Server via IP Tunnelling (LVS/TUN). Requests from the user on the Internet/intranet reach the virtual IP address of the load balancing Linux box and are carried over IP tunnels, through a switch/hub, to Real Server 1, Real Server 2 and Real Server 3 on a private network; replies go directly to the user.]

The workflow for virtual server via IP tunnelling is as follows. The user directs the request to the virtual IP address of the cluster. The request is received by the load balancer, which then proceeds to establish which of the cluster servers should action the request. The IP datagram containing the service request is then wrapped in another IP datagram, and sent to the selected server.
The selected server unwraps the IP datagram (thereby obtaining the details of the original connection request TCP and IP headers), actions the request, and sends the service results directly to the user. This is the central difference between the NAT and IP tunnelling load balancing strategies. Under NAT, traffic into the cluster and traffic out of the cluster all goes through the load balancer. There is substantial overhead in processing the bidirectional traffic. Under IP tunnelling, traffic into the cluster comes via the load balancer; however, all reply traffic is sent directly by the processing server to the user. This produces a substantial saving in the processing load of the load balancer. Consequently [15] states that the LVS/TUN load balancer can handle huge amounts of requests; it may schedule over 100 real servers and won't be the bottleneck of the system.

1.4 Availability and Denial of Service

Denial of service (DoS) is defined in [58] as an inhibition of service: the attacker prevents a server from providing a service. Denial of service poses the same threat as an infinite delay. In [59] a denial of service attack is characterized by an explicit attempt to prevent the legitimate use of a service. DoS protection has been a long term fundamental goal within the security research community. Unfortunately DoS has also proven to be a non-static problem and has quickly evolved with the growth of computer networks. Distributed denial of service (DDoS) is the current manifestation in today's distributed systems of the original Denial of Service challenge [17]. [59] describes DDoS as being the deployment of multiple attacking entities to attain the DoS goal. It is also clear that denial of service attacks have increased significantly with the explosive growth of Internet computing. In 1983 Gligor reported in [18] that "In the past ten years more than fifty distinct examples of denial of service have been presented in the literature." By 2001 [19] reported measurements by CAIDA/UCSD (the Cooperative Association for Internet Data Analysis) that detected more than 12,000 attacks against more than 5,000 victims during a three week study in February of that year. [20] states that 38% of security professionals surveyed declared that their sites had been the object of at least one DoS attack in the previous year. [21] describes in 2000 "the largest malicious assault in the history of the Net", involving DoS attacks against corporate web sites including CNN, etrade, ZDNet, and Datak. This section will present denial of service research as it has developed along two paths. The first path will describe what is termed kernel based denial of service protection.
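Returning briefly to the two Linux Virtual Server workflows described above (NAT and IP tunnelling), the following model is an added example written for this page, not code from the LVS project: it keeps the rule table, the scheduler and the connection hash table of the load balancer, rewrites or wraps packets as the text describes, and counts how many packets the balancer has to touch under each mode. The addresses, the Packet layout, the round-robin scheduler and the assumption that each real server holds the virtual IP on its tunnel interface are my own.

```python
# Added example (not LVS code): a minimal model of LVS/NAT and LVS/TUN dispatching.
# Addresses, the Packet layout and the round-robin scheduler are assumptions.
from dataclasses import dataclass, replace
from itertools import cycle
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""
    inner: Optional["Packet"] = None      # set when this packet is an IP-in-IP wrapper (LVS/TUN)


ConnKey = Tuple[str, int, str, int]       # (src, sport, dst, dport)


class LoadBalancer:
    """The 'Load Balancing Linux Box': rule table, scheduler and connection hash table."""

    def __init__(self, vip: str, services: Set[Tuple[str, int]],
                 real_servers: List[str], mode: str) -> None:
        if mode not in ("nat", "tun"):
            raise ValueError("mode must be 'nat' or 'tun'")
        self.vip = vip
        self.services = services                  # virtual server rule table: (vip, port)
        self.mode = mode
        self.scheduler = cycle(real_servers)      # round-robin scheduling (assumed)
        self.connections: Dict[ConnKey, str] = {}  # hash table of established connections
        self.work = 0                             # packets the balancer had to rewrite or wrap

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.connections:
            if (pkt.dst, pkt.dport) not in self.services:
                return None                       # no virtual service matches: not dispatched
            self.connections[key] = next(self.scheduler)   # new connection: schedule a server
        server = self.connections[key]            # later packets follow the hash table entry
        self.work += 1
        if self.mode == "nat":
            return replace(pkt, dst=server)       # destination rewritten to the chosen server
        # LVS/TUN: the original datagram is wrapped unchanged inside another datagram
        return Packet(src=self.vip, sport=0, dst=server, dport=0, inner=pkt)

    def outbound(self, reply: Packet) -> Packet:
        """Reply path through the balancer; it only exists under NAT."""
        if self.mode != "nat":
            raise RuntimeError("LVS/TUN replies never traverse the load balancer")
        self.work += 1
        return replace(reply, src=self.vip)       # source rewritten back to the virtual service


def real_server_reply(server: str, vip: str, pkt: Packet) -> Packet:
    """A real server actions the request and builds the reply."""
    if pkt.inner is not None:                     # LVS/TUN: unwrap to recover the original headers
        req = pkt.inner
        # The VIP is configured on the server's tunnel interface (assumption), so the
        # server answers the user directly with the virtual address as source.
        return Packet(src=vip, sport=req.dport, dst=req.src, dport=req.sport,
                      payload="reply:" + req.payload)
    # NAT: the reply carries the server's private address; the balancer rewrites it later
    return Packet(src=server, sport=pkt.dport, dst=pkt.src, dport=pkt.sport,
                  payload="reply:" + pkt.payload)


VIP = "192.0.2.10"                                 # constructed virtual IP address
REAL_SERVERS = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]  # constructed private network


def run_exchange(mode: str, users: List[str]) -> Tuple[List[str], List[str], int]:
    """Each user sends a request and one follow-up packet to VIP:80 and gets a reply.
    Returns (real server chosen per user, reply source address as each user sees it,
    number of packets the load balancer processed)."""
    lb = LoadBalancer(VIP, {(VIP, 80)}, REAL_SERVERS, mode)
    chosen, reply_sources = [], []
    for i, user in enumerate(users):
        req = Packet(src=user, sport=40000 + i, dst=VIP, dport=80, payload="GET /")
        first = lb.inbound(req)
        second = lb.inbound(replace(req, payload="GET / (continued)"))
        assert first is not None and second is not None
        server = first.dst
        assert second.dst == server               # same connection, same real server
        chosen.append(server)
        reply = real_server_reply(server, VIP, first)
        if mode == "nat":
            reply = lb.outbound(reply)            # NAT replies must return via the balancer
        reply_sources.append(reply.src)
    return chosen, reply_sources, lb.work


if __name__ == "__main__":
    for m in ("nat", "tun"):
        print(m, run_exchange(m, ["198.51.100.1", "198.51.100.2", "198.51.100.3"]))
```

For the same three users the balancer handles nine packets under NAT but six under tunnelling, which is the processing saving the text attributes to LVS/TUN.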
This protection has almost entirely consisted of resource access control solutions that are implemented within the operating system kernel/operating system (driver) modules. The second path will describe the research focus on distributed denial of service (DDoS) protection. This will show that the nature of DDoS renders the traditional operating system kernel based access control model inadequate for DDoS protection, and that a much more network oriented and multi-party collaborative approach must be taken in solving the challenge. Indeed the description of DDoS research will show clearly that in overall terms denial of service remains a significant security challenge that requires a variety of mitigation controls. The detailed taxonomy of denial of service attack strategies and defences provided in [60] describes over thirty protection mechanisms that are deployed within the victim's network, the intermediate network(s), and also the source network. It must be stressed that the denial of service mitigation control that will be suggested in this chapter (and more fully defined in subsequent chapters) is one further control mechanism designed to work in concert with all other accepted controls.

Operating System Kernel Based Denial of Service Protection

Operating system kernel based denial of service (DoS) theory was initially developed in [18], and subsequently expanded in [22], [23], [24], [25], [26], [27], [28], [29] and [63]. The central thread through all of this research is that DoS protection should be positioned within a trusted computing base and should consist of resource/service access monitoring and control functions that aim to enforce some form of service wait

Load Balancing for Microsoft Office Communication Server 2007 Release 2 Load Balancing for Microsoft Office Communication Server 2007 Release 2 A Dell and F5 Networks Technical White Paper End-to-End Solutions Team Dell Product Group Enterprise Dell/F5 Partner Team F5 Networks

More information

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski

Denial of Service attacks: analysis and countermeasures. Marek Ostaszewski Denial of Service attacks: analysis and countermeasures Marek Ostaszewski DoS - Introduction Denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended

More information

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

More information

Firewalls Overview and Best Practices. White Paper

Firewalls Overview and Best Practices. White Paper Firewalls Overview and Best Practices White Paper Copyright Decipher Information Systems, 2005. All rights reserved. The information in this publication is furnished for information use only, does not

More information

Transport and Network Layer

Transport and Network Layer Transport and Network Layer 1 Introduction Responsible for moving messages from end-to-end in a network Closely tied together TCP/IP: most commonly used protocol o Used in Internet o Compatible with a

More information

Operating System Concepts. Operating System 資 訊 工 程 學 系 袁 賢 銘 老 師

Operating System Concepts. Operating System 資 訊 工 程 學 系 袁 賢 銘 老 師 Lecture 7: Distributed Operating Systems A Distributed System 7.2 Resource sharing Motivation sharing and printing files at remote sites processing information in a distributed database using remote specialized

More information

Distributed Systems: Concepts and Design

Distributed Systems: Concepts and Design Distributed Systems: Concepts and Design Edition 3 By George Coulouris, Jean Dollimore and Tim Kindberg Addison-Wesley, Pearson Education 2001. Chapter 2 Exercise Solutions 2.1 Describe and illustrate

More information

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong

Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application. Author: Fung, King Pong Dissertation Title: SOCKS5-based Firewall Support For UDP-based Application Author: Fung, King Pong MSc in Information Technology The Hong Kong Polytechnic University June 1999 i Abstract Abstract of dissertation

More information

UNCLASSIFIED. BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23)

UNCLASSIFIED. BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23) BlackBerry Enterprise Server Isolation in a Microsoft Exchange Environment (ITSG-23) March 2007 This page intentionally left blank. March 2007 Foreword The BlackBerry Enterprise Server Isolation in a Microsoft

More information

(Refer Slide Time: 02:17)

(Refer Slide Time: 02:17) Internet Technology Prof. Indranil Sengupta Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No #06 IP Subnetting and Addressing (Not audible: (00:46)) Now,

More information

ICMP Protocol and Its Security

ICMP Protocol and Its Security Lecture Notes (Syracuse University) ICMP Protocol and Its Security: 1 ICMP Protocol and Its Security 1 ICMP Protocol (Internet Control Message Protocol Motivation Purpose IP may fail to deliver datagrams

More information

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005. Lecturer: Kartik Krishnan Lecture 1-3

SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005. Lecturer: Kartik Krishnan Lecture 1-3 SFWR 4C03: Computer Networks & Computer Security Jan 3-7, 2005 Lecturer: Kartik Krishnan Lecture 1-3 Communications and Computer Networks The fundamental purpose of a communication network is the exchange

More information

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services

What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services Firewalls What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Auditing and

More information

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family

Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family Intel Ethernet Switch Load Balancing System Design Using Advanced Features in Intel Ethernet Switch Family White Paper June, 2008 Legal INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL

More information

Survey on DDoS Attack Detection and Prevention in Cloud

Survey on DDoS Attack Detection and Prevention in Cloud Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform

More information

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a "traditional" NAT? Un article de Le wiki des TPs RSM.

Load Balancing. Final Network Exam LSNAT. Sommaire. How works a traditional NAT? Un article de Le wiki des TPs RSM. Load Balancing Un article de Le wiki des TPs RSM. PC Final Network Exam Sommaire 1 LSNAT 1.1 Deployement of LSNAT in a globally unique address space (LS-NAT) 1.2 Operation of LSNAT in conjunction with

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Implementation, Simulation of Linux Virtual Server in ns-2

Implementation, Simulation of Linux Virtual Server in ns-2 Implementation, Simulation of Linux Virtual Server in ns-2 CMPT 885 Special Topics: High Performance Networks Project Final Report Yuzhuang Hu yhu1@cs.sfu.ca ABSTRACT LVS(Linux Virtual Server) provides

More information

IP - The Internet Protocol

IP - The Internet Protocol Orientation IP - The Internet Protocol IP (Internet Protocol) is a Network Layer Protocol. IP s current version is Version 4 (IPv4). It is specified in RFC 891. TCP UDP Transport Layer ICMP IP IGMP Network

More information