Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks
1 Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks
Jerry Chou, Bill Lin (University of California, San Diego)
Subhabrata Sen, Oliver Spatscheck (AT&T Labs-Research)
USENIX Security Symposium, San Jose, USA, July 30, 2008
2 Outline
- Problem
- Approach
- Experimental Results
- Summary
3 Motivation
[Figure: backbone map with nodes Seattle, Sunnyvale, Los Angeles, Chicago, New York, Denver, Indianapolis, Kansas City, Washington, Atlanta, Houston]
- Large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond
- All traffic that shares common route links will suffer collateral damage even if it is not under direct attack
4 Motivation
- Potential for large-scale bandwidth-based DDoS attacks exists
  - e.g. large botnets with more than 100,000 bots exist today that, when combined with the prevalence of high-speed Internet access, can give attackers multiple tens of Gb/s of attack capacity
- Moreover, core networks are oversubscribed (e.g. some core routers in Abilene have more than 30 Gb/s incoming traffic from access networks, but only 20 Gb/s of outgoing capacity to the core)
5 Example Scenario
[Figure: network with nodes Seattle, Sunnyvale, Kansas City, Indianapolis, New York, Houston, Atlanta and 10G links; Seattle/NY: 3 Gb/s, Sunnyvale/NY: 3 Gb/s]
- Suppose under normal conditions
  - Traffic between Seattle/NY + Sunnyvale/NY under 10 Gb/s
6 Example Scenario
[Figure: same network; Seattle/NY: 3 Gb/s, Sunnyvale/NY: 3 Gb/s, Houston/Atlanta: Attack 10 Gb/s]
- Suppose sudden attack between Houston/Atlanta
  - Congested links suffer high rate of packet loss
  - Serious collateral damage on crossfire OD pairs
7 Impact on Collateral Damage
[Figure: two panels, US and Europe]
- OD pairs are classified into 3 types with respect to the attack traffic
  - Attacked: OD pairs with attack traffic
  - Crossfire: OD pairs sharing route links with attack traffic
  - Non-crossfire: OD pairs not sharing route links with attack traffic
- Collateral damage occurs on crossfire OD pairs
- Even a small percentage of attack flows can affect substantial parts of the network
8 Related Works
- Most existing DDoS defense solutions are reactive in nature
- However, large-scale bandwidth-based DDoS attacks can quickly knock out substantial parts of a network before reactive defenses can respond
- Therefore, we need a proactive defense mechanism that works immediately when an attack occurs
9 Related Works (cont'd)
- Router-based defenses like Random Early Drop (RED, RED-PD, etc.) can prevent congestion by dropping packets early before congestion
  - But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade
- Approximate fair dropping schemes aim to provide fair sharing between flows
  - But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers
- Both aggregate-based and flow-based router defense mechanisms can be defeated
10 Previous Solutions (cont'd)
- Router-based defenses like Random Early Drop (RED, RED-PD, etc.) can prevent congestion by dropping packets early before congestion
  - But may drop normal traffic indiscriminately, causing responsive TCP flows to severely degrade
- Approximate fair dropping schemes aim to provide fair sharing between flows
  - But attackers can launch many seemingly legitimate TCP connections with spoofed IP addresses and port numbers
- Both aggregate-based and flow-based router defense mechanisms can be defeated
- In general, defenses based on unauthenticated header information such as IP addresses and port numbers may not be reliable
11 Outline
- Problem
- Approach
- Experimental Results
- Summary
12 Our Solution
- Provide bandwidth isolation between OD pairs, independent of IP spoofing or number of TCP/UDP connections
- We call this method Proactive Surge Protection (PSP) as it aims to proactively limit the damage that can be caused by sudden demand surges, e.g. sudden bandwidth-based DDoS attacks
13 Basic Idea: Bandwidth Isolation
- Meter and tag packets on ingress as HIGH or LOW priority
  - Based on historical traffic demands and network capacity
- Drop LOW packets under congestion inside network
- Proposed mechanism proactively drops attack traffic immediately when attacks occur
[Figure: example network (Seattle, Sunnyvale, Kansas City, Indianapolis, New York, Houston, Atlanta; 10G links) annotated with per-OD-pair limits]
- Seattle/NY: Limit: 3.5 Gb/s, Actual: 3 Gb/s, all admitted as High
- Sunnyvale/NY: Limit: 3.5 Gb/s, Actual: 3 Gb/s, all admitted as High
- Houston/Atlanta: Limit: 3 Gb/s; Actual: 2 Gb/s, all admitted as High; under attack, Actual: 10 Gb/s, High: 3 Gb/s, Low: 7 Gb/s
- Traffic received in NY: Seattle: 3 Gb/s, Sunnyvale: 3 Gb/s
14 Architecture
[Figure: PSP architecture]
- Policy Plane: Traffic Data Collector -> (traffic measurement) -> Bandwidth Allocator -> bandwidth allocation matrix
- Data Plane:
  - Differential Tagging, deployed at network perimeter: arriving packets are tagged as high priority or low priority
  - Preferential Dropping, deployed at network routers: tagged packets are either forwarded or dropped
- Proposed mechanism readily available in modern routers
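
The tagging and dropping steps of slides 13 and 14, as an added example that is not part of the original slides or the authors' code: a fluid (rate-based) model that meters each OD pair against its limit at ingress and serves HIGH before LOW on every link, next to the same attack with no tagging. The limits and rates are the ones on slide 13; the link names, the assumption that all three OD pairs share one 10G link, and the function names are constructed for illustration.

```python
"""Fluid model of PSP ingress tagging and in-network preferential dropping."""


def tag(rate, limit):
    """Ingress meter: traffic up to the OD pair's limit is HIGH, the excess is LOW."""
    high = min(rate, limit)
    return high, rate - high


def carry(capacity, link_order, routes, offered, limits=None):
    """Push every OD pair's traffic through the links in link_order.

    limits=None models a network without PSP: nothing is tagged, so all
    traffic competes at a single priority. Returns {od: delivered Gb/s}.
    """
    flows = {od: list(tag(rate, limits[od])) if limits else [rate, 0.0]
             for od, rate in offered.items()}
    for link in link_order:
        on_link = [od for od in flows if link in routes[od]]
        high = sum(flows[od][0] for od in on_link)
        low = sum(flows[od][1] for od in on_link)
        cap = capacity[link]
        # HIGH is served first; LOW only gets what HIGH leaves over.
        keep_high = min(1.0, cap / high) if high > 0 else 1.0
        keep_low = min(1.0, max(0.0, cap - high) / low) if low > 0 else 1.0
        for od in on_link:
            flows[od][0] *= keep_high
            flows[od][1] *= keep_low
    return {od: high + low for od, (high, low) in flows.items()}


def loss_rates(offered, delivered):
    """Fraction of each OD pair's offered traffic that was dropped."""
    return {od: 1.0 - delivered[od] / offered[od] for od in offered}


# Constructed topology: one shared 10G link, then the link into New York.
CAPACITY = {"KC-IND": 10.0, "IND-NY": 10.0}
LINK_ORDER = ["KC-IND", "IND-NY"]
ROUTES = {
    "Seattle/NY": ["KC-IND", "IND-NY"],
    "Sunnyvale/NY": ["KC-IND", "IND-NY"],
    "Houston/Atlanta": ["KC-IND"],
}
# Rates and limits in Gb/s, taken from slide 13 (Houston/Atlanta under attack).
OFFERED = {"Seattle/NY": 3.0, "Sunnyvale/NY": 3.0, "Houston/Atlanta": 10.0}
LIMITS = {"Seattle/NY": 3.5, "Sunnyvale/NY": 3.5, "Houston/Atlanta": 3.0}

if __name__ == "__main__":
    for label, limits in (("no PSP", None), ("PSP", LIMITS)):
        delivered = carry(CAPACITY, LINK_ORDER, ROUTES, OFFERED, limits)
        for od, loss in loss_rates(OFFERED, delivered).items():
            print(f"{label:7s} {od:16s} delivered {delivered[od]:.3f} Gb/s, loss {loss:.1%}")
```

Because the limit is keyed on the ingress/egress pair rather than on packet headers, spoofed addresses or extra connections inside Houston/Atlanta do not change how much of that OD pair is tagged HIGH.
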
15 Allocation Algorithms
- Aggregate traffic at the core is very smooth and variations are predictable
- Compute a bandwidth allocation matrix for each hour based on historical traffic measurements
  - e.g. allocation at 3pm is computed by traffic measurements during 3-4pm in the past 2 months
[Figure source: Roughan '03, on a Tier-1 US backbone]
16 Allocation Algorithms
- To account for measurement inaccuracies and provide headroom for traffic burstiness, we fully allocate the entire network capacity as a utility max-min fair allocation problem
  - Mean-PSP: based on the mean of traffic demands
  - CDF-PSP: based on the Cumulative Distribution Function (CDF) of traffic demands
- Utility max-min fair allocation
  - Iteratively allocate bandwidth in water-filling manner
  - Each iteration maximizes the common utility of all flows
  - Remove the flows without residual capacity after each iteration
17 Utility Max-min Fair Bandwidth Allocation
[Figure: utility functions (Utility (%) vs. BW) for the flows of a network with nodes A, B, C, and the BW allocation on links AB and BC after the 1st round and the 2nd round]
18 Mean-PSP (Mean-based Max-min)
- Use mean traffic demand as the utility function: $f_{ij}(B_{ij}) = \dfrac{B_{ij}}{\sum d_{ij} / \#\text{measurement}}$
- Iteratively allocate bandwidth in water-filling manner
[Figure: network with nodes A, B, C and 10G links; tables of mean demand and of BW allocation $B_{ij}$ on links AB, BC, CB, BA after the 1st round and the 2nd round]
19 CDF-PSP (CDF-based Max-min)
- Explicitly capture the traffic variance by using a Cumulative Distribution Function (CDF) model as utility functions: $f_{ij}(B_{ij}) = \mathrm{PROB}[d_{ij} \le B_{ij}]$
- Maximizing utility is equivalent to minimizing the drop probabilities for all flows in a max-min fair manner
- E.g. $d_{ij} = (1, 1, 1, 3, 5)$: when allocated 3 units of bandwidth, drop probability is 20%
[Figure: Utility (%) vs. BW for this example]
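
The allocation procedure of slides 16 to 19, as an added example that is not the authors' implementation: one water-filling routine that raises a common utility level until a link fills, freezes the flows on that link, and repeats, run once with the Mean-PSP utility and once with the CDF-PSP utility. The Houston/Atlanta history reuses the slide's sample (1, 1, 1, 3, 5); the topology, the other histories and all function names are constructed. It assumes the empirical (step) CDF and stops a flow at 100% utility.

```python
"""Utility max-min fair (water-filling) allocation for Mean-PSP and CDF-PSP."""
import math


def mean_utility(samples):
    """Mean-PSP: utility = B / mean demand, so the inverse is u * mean."""
    mean = sum(samples) / len(samples)
    return lambda u: u * mean


def cdf_utility(samples):
    """CDF-PSP: utility = PROB[d <= B] on the empirical CDF.

    The inverse returns the smallest observed demand whose CDF reaches u.
    """
    ordered = sorted(samples)

    def inverse(u):
        k = math.ceil(u * len(ordered) - 1e-12)
        return 0.0 if k <= 0 else float(ordered[min(k, len(ordered)) - 1])
    return inverse


def water_fill(capacity, routes, inverse, u_max):
    """Return {od: bandwidth limit}; inverse[od](u) is the bandwidth od needs for utility u."""
    alloc, active = {}, set(routes)

    def overloaded(u):
        """Links that overflow if every active flow is raised to utility u."""
        bad = set()
        for link, cap in capacity.items():
            load = sum(alloc[od] if od in alloc else inverse[od](u)
                       for od, path in routes.items() if link in path)
            if load > cap + 1e-9:
                bad.add(link)
        return bad

    while active:
        lo, hi = 0.0, u_max
        blocked = overloaded(hi)
        if blocked:
            for _ in range(60):            # bisect for the largest feasible utility
                mid = (lo + hi) / 2
                if overloaded(mid):
                    hi = mid
                else:
                    lo = mid
            blocked = overloaded(hi)       # links that bind just above lo
        else:
            lo = hi                        # everyone reaches the maximum utility
        frozen = {od for od in active if not blocked or blocked & set(routes[od])}
        for od in frozen:
            alloc[od] = inverse[od](lo)
        active -= frozen                   # remove flows without residual capacity
    return alloc


def drop_probability(samples, bandwidth):
    """Fraction of historical demand samples that exceed the allocated bandwidth."""
    return sum(1 for d in samples if d > bandwidth) / len(samples)


# Constructed inputs (Gb/s); only the Houston/Atlanta sample comes from slide 19.
CAPACITY = {"KC-IND": 10.0, "IND-NY": 10.0, "IND-ATL": 10.0}
ROUTES = {
    "Seattle/NY": ["KC-IND", "IND-NY"],
    "Sunnyvale/NY": ["KC-IND", "IND-NY"],
    "Houston/Atlanta": ["KC-IND", "IND-ATL"],
    "Indianapolis/Atlanta": ["IND-ATL"],
}
HISTORY = {
    "Seattle/NY": [2.5, 3, 3, 3, 3.5],
    "Sunnyvale/NY": [2.5, 2.5, 3, 3, 3],
    "Houston/Atlanta": [1, 1, 1, 3, 5],
    "Indianapolis/Atlanta": [1, 1, 1, 1, 1],
}
# No flow can exceed the largest link, so this bounds the Mean-PSP utility.
MEAN_U_MAX = max(CAPACITY.values()) / min(sum(s) / len(s) for s in HISTORY.values())


def psp_allocation(make_utility, u_max):
    """Build per-OD utilities from HISTORY and run the water-filling."""
    inverse = {od: make_utility(samples) for od, samples in HISTORY.items()}
    return water_fill(CAPACITY, ROUTES, inverse, u_max)


if __name__ == "__main__":
    for name, alloc in (("Mean-PSP", psp_allocation(mean_utility, MEAN_U_MAX)),
                        ("CDF-PSP", psp_allocation(cdf_utility, 1.0))):
        for od, bw in alloc.items():
            print(f"{name:8s} {od:22s} limit {bw:.2f} Gb/s, "
                  f"historical drop probability {drop_probability(HISTORY[od], bw):.0%}")
```

On this input Mean-PSP leaves the bursty Houston/Atlanta pair with a 40% historical drop probability while the smooth pairs have none; CDF-PSP evens the worst case out at 20%, which is the max-min property slide 19 describes.
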
20 Outline
- Problem
- Approach
- Experimental Results
- Summary
21 Networks
- US Backbone
  - Large tier-1 backbone network in US
  - ~700 nodes, ~2000 links (1.5 Mb/s - 10 Gb/s)
  - 1-minute traffic traces: 07/01/07-09/03/07
- Europe Backbone
  - Large tier-1 backbone network in Europe
  - ~900 nodes, ~3000 links (1.5 Mb/s - 10 Gb/s)
  - 1-minute traffic traces: 07/01/07-09/03/07
22 Evaluation Methodology
- NS2 simulation
- Normal traffic: based on actual traffic demands over a 24-hour period for each backbone
- Attack traffic:
  - US Backbone: highly distributed attack scenario
    - Based on commercial anomaly detection systems
    - From 40% ingress routers to 25% egress routers
  - Europe Backbone: targeted attack scenario
    - Created by synthetic attack flow generator
    - From 40% ingress routers to only 2% egress routers
23 Packet Loss Rate Comparison
[Figure: two panels, US and Europe]
- Both PSP schemes greatly reduced packet loss rates
- Peak hours have higher packet loss rates
24 Relative Loss Rate Comparison
[Figure: two panels, US and Europe]
- PSP reduced packet loss rates by more than 75%
25 Behavior Under Scaled Attacks
- Packet drop rate under attack demand scaled by factor up to 3x
[Figure: two panels, US and Europe]
- Under PSP, the loss remains small throughout the range!
26 Summary of Contributions
- Proactive solution for protecting networks that provides a first line of defense when sudden DDoS attacks occur
- Very effective in protecting network traffic from collateral damage
- Not dependent on unauthenticated header information, thus robust to IP spoofing
- Readily deployable using existing router mechanisms
27 Questions?
Case Study: Instrumenting a Network for NetFlow Security Visualization Tools William Yurcik* Yifan Li SIFT Research Group National Center for Supercomputing Applications (NCSA) University of Illinois at
More informationFuzzy Active Queue Management for Assured Forwarding Traffic in Differentiated Services Network
Fuzzy Active Management for Assured Forwarding Traffic in Differentiated Services Network E.S. Ng, K.K. Phang, T.C. Ling, L.Y. Por Department of Computer Systems & Technology Faculty of Computer Science
More informationWhitepaper. Controlling the Network Edge to Accommodate Increasing Demand
Whitepaper Controlling the Network Edge to Accommodate Increasing Demand February 2007 Introduction A common trend in today s distributed work environment is to centralize applications and the data previously
More informationDenial of Service and Anomaly Detection
Denial of Service and Anomaly Detection Vasilios A. Siris Institute of Computer Science (ICS) FORTH, Crete, Greece vsiris@ics.forth.gr SCAMPI BoF, Zagreb, May 21 2002 Overview! What the problem is and
More informationNetwork Bandwidth Denial of Service (DoS)
Network Bandwidth Denial of Service (DoS) Angelos D. Keromytis Department of Computer Science Columbia University Synonyms Network flooding attack, packet flooding attack, network DoS Related Concepts
More informationRouter Scheduling Configuration Based on the Maximization of Benefit and Carried Best Effort Traffic
Telecommunication Systems 24:2 4, 275 292, 2003 2003 Kluwer Academic Publishers. Manufactured in The Netherlands. Router Scheduling Configuration Based on the Maximization of Benefit and Carried Best Effort
More informationPacket-Marking Scheme for DDoS Attack Prevention
Abstract Packet-Marking Scheme for DDoS Attack Prevention K. Stefanidis and D. N. Serpanos {stefanid, serpanos}@ee.upatras.gr Electrical and Computer Engineering Department University of Patras Patras,
More informationLow-rate TCP-targeted Denial of Service Attack Defense
Low-rate TCP-targeted Denial of Service Attack Defense Johnny Tsao Petros Efstathopoulos University of California, Los Angeles, Computer Science Department Los Angeles, CA E-mail: {johnny5t, pefstath}@cs.ucla.edu
More informationDr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu. DDoS and IP Traceback. Overview
DDoS and IP Traceback Dr. Arjan Durresi Louisiana State University, Baton Rouge, LA 70803 durresi@csc.lsu.edu Louisiana State University DDoS and IP Traceback - 1 Overview Distributed Denial of Service
More informationWhy Congestion Control. Congestion Control and Active Queue Management. Max-Min Fairness. Fairness
Congestion Control and Active Queue Management Congestion Control, Efficiency and Fairness Analysis of TCP Congestion Control A simple TCP throughput formula RED and Active Queue Management How RED wors
More informationOpenFlow Based Load Balancing
OpenFlow Based Load Balancing Hardeep Uppal and Dane Brandon University of Washington CSE561: Networking Project Report Abstract: In today s high-traffic internet, it is often desirable to have multiple
More informationLecture 16: Quality of Service. CSE 123: Computer Networks Stefan Savage
Lecture 16: Quality of Service CSE 123: Computer Networks Stefan Savage Final Next week (trust Blink wrt time/location) Will cover entire class Style similar to midterm I ll post a sample (i.e. old) final
More informationQuality of Service (QoS) EECS 122: Introduction to Computer Networks Resource Management and QoS. What s the Problem?
Quality of Service (QoS) EECS 122: Introduction to Computer Networks Resource Management and QoS The Internet s most contentious subject - Inside vs. Outside the Network (see P&D, pp. 519-520) Computer
More information2004 Networks UK Publishers. Reprinted with permission.
Riikka Susitaival and Samuli Aalto. Adaptive load balancing with OSPF. In Proceedings of the Second International Working Conference on Performance Modelling and Evaluation of Heterogeneous Networks (HET
More informationWharf T&T Limited DDoS Mitigation Service Customer Portal User Guide
Table of Content I. Note... 1 II. Login... 1 III. Real-time, Daily and Monthly Report... 3 Part A: Real-time Report... 3 Part 1: Traffic Details... 4 Part 2: Protocol Details... 5 Part B: Daily Report...
More informationNetwork Management & Monitoring
Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)
More informationEVERYBODY S NETWORK CLOUD
PRIVATE INTERNET WAN PUBLIC CONNECT PARTNERS SERVICE PROVIDER CLOUD EVERYBODY S NETWORK CLOUD THE WIN-WIN WAN MARKET CONTEXT The cloud is the new IT architecture for enterprises. 85% of global IT decision-makers
More information