
Panel: Current Research on Stopping Unwanted Traffic



  1. Panel: Current Research on Stopping Unwanted Traffic Vern Paxson, Stefan Savage, Helen J. Wang IAB Workshop on Unwanted Traffic March 10, 2006

  2. Unwanted Traffic
  • From the end-host perspective
    • (D)DoS on a service
    • Exploit traffic attacking end-host vulnerabilities
    • Botnet traffic
    • Undesirable application data, e.g., spam
  • From the network perspective
    • Unwanted traffic to end systems, plus
    • Attacks on the network service
      • Flooding a link
    • Attacks on network operations
      • E.g., BGP prefix spoofing/hijacking, router compromise

  3. The Economy behind Unwanted Traffic
  • Stefan to fill in
  • Botnet/software-flaw economy

  4. General Approaches
  • Stop the known bad
  • Uncover the new bad
  • Filter as close to the attack source as possible
  • Increase the cost of unwanted traffic
    • The cost of the solution should be less than the cost of the DoS it prevents [Simon et al 06]

  5. End-Host: DDoS on a Service
  • Challenge: DDoS and flash crowds are hard to distinguish
  • Detect and eliminate zombie requests
    • CAPTCHA
    • Pi
    • Botz-4-Sale (NSDI 2005)
    • BINDER (USENIX 2005)
  • Same solution as for a flash crowd
    • Akamai

  6. End-Host: Exploit Traffic
  • Network intrusion detection systems
    • Bro, Snort
  • Fast attack signature generation
    • EarlyBird (OSDI 04), Autograph (USENIX Security 04)
  • Vulnerability-driven filtering
    • Shield (SIGCOMM 04), BrowserShield (06, under submission)
  • Detecting new vulnerabilities
    • TaintCheck (NDSS 05), Minos, Vigilante (SOSP 05), HoneyMonkey (NDSS 06)
  • Automatic response to fast-spreading worms
    • TaintCheck, Vigilante
  • Reduce the attack surface
    • Off by default! (HotNets 05), separate client/server address spaces (Handley et al., FDNA 04)
  • Undermining the attacks on end hosts
    • StackGuard, ASLR, ISR, program shepherding (USENIX Security 02), control-flow integrity
  • Attack traffic analysis
    • Backscatter, Internet background radiation, Witty worm analysis
  • Honeyfarms
    • RolePlayer, Potemkin, vGround
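The "fast attack signature generation" bullet above is the only one on this slide whose mechanism can be shown in a few dozen lines. The following is an added illustration, not code from the panel or from the EarlyBird authors, of the content-sifting idea EarlyBird is built on: fingerprint every fixed-length window of every payload, count how often each fingerprint recurs (prevalence), and count how many distinct sources and destinations carry it (address dispersion). Content that scores high on both is worm-like; content that is merely popular (one server answering many clients) is not. The window size, the thresholds, the addresses and the payloads are all constructed for this example.

```python
"""EarlyBird-style content sifting over a constructed packet trace.

Added illustration of the two tests behind EarlyBird-style signature
generation: prevalence (the same bytes keep recurring) and address
dispersion (they travel between many distinct sources and many distinct
destinations).  Window size and thresholds are assumptions sized for the
toy trace, not the values a real deployment would use.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field

WINDOW = 8           # bytes per fingerprinted substring (assumption)
PREVALENCE_MIN = 4   # packets carrying the content before it is "prevalent" (assumption)
DISPERSION_MIN = 3   # distinct sources AND distinct destinations required (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass
class ContentStats:
    count: int = 0                                   # packets carrying this content
    sources: set = field(default_factory=set)        # distinct senders
    destinations: set = field(default_factory=set)   # distinct receivers


def sift(packets, window=WINDOW):
    """Fingerprint every window-length substring of every payload and
    accumulate prevalence and dispersion per fingerprint.  `sample` maps a
    fingerprint back to the bytes it stands for, kept only for readability."""
    stats = defaultdict(ContentStats)
    sample = {}
    for pkt in packets:
        seen = set()   # count each fingerprint once per packet
        for i in range(len(pkt.payload) - window + 1):
            chunk = pkt.payload[i:i + window]
            fp = hashlib.blake2b(chunk, digest_size=8).digest()
            if fp in seen:
                continue
            seen.add(fp)
            s = stats[fp]
            s.count += 1
            s.sources.add(pkt.src)
            s.destinations.add(pkt.dst)
            sample.setdefault(fp, chunk)
    return stats, sample


def suspicious_content(packets, window=WINDOW,
                       prevalence_min=PREVALENCE_MIN, dispersion_min=DISPERSION_MIN):
    """Return the substrings that are both prevalent and dispersed."""
    stats, sample = sift(packets, window)
    return [sample[fp] for fp, s in stats.items()
            if s.count >= prevalence_min
            and len(s.sources) >= dispersion_min
            and len(s.destinations) >= dispersion_min]


def flagged_spans(payload, flagged, window=WINDOW):
    """Merge flagged windows back into maximal runs of one payload, i.e. the
    candidate signature as it would be reported for that packet."""
    spans, start, end = [], None, 0
    for i in range(len(payload) - window + 1):
        if payload[i:i + window] in flagged:
            if start is None:
                start = i
            end = i + window
        elif start is not None:
            spans.append(payload[start:end])
            start = None
    if start is not None:
        spans.append(payload[start:end])
    return spans


# Constructed trace: an invented worm payload fanning out from many infected
# hosts to many victims, one popular server answering many clients with the
# same page, and unrelated flows whose content is unique per flow.
WORM_PAYLOAD = b"\x90\x90\x90\x90CONSTRUCTED-WORM-PAYLOAD\x90\x90\x90\x90"
PAGE = b"HTTP/1.1 200 OK\r\n\r\n<html>hello</html>"


def constructed_trace():
    pkts = [Packet(f"10.1.{i}.2", f"192.0.2.{i}", WORM_PAYLOAD) for i in range(6)]
    pkts += [Packet("198.51.100.80", f"10.2.0.{i}", PAGE) for i in range(6)]
    pkts += [Packet(f"10.3.0.{i}", f"203.0.113.{i}",
                    hashlib.sha256(b"flow-%d" % i).digest()) for i in range(6)]
    return pkts


if __name__ == "__main__":
    hits = suspicious_content(constructed_trace())
    for span in flagged_spans(WORM_PAYLOAD, set(hits)):
        print("candidate signature:", span)
```

The dispersion test is what separates the worm from the popular page: both payloads recur six times, but the page has a single source. In live traffic the same two tests also fire on protocol boilerplate that every client sends to every server, which is why a deployed sifter needs a whitelist of known-common content on top of the thresholds.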

  7. End-Host: Spam
  • New e-mail client
  • Spam filtering
  • …

  8. End-Host: Outgoing Attack Traffic
  • BINDER
  • Vern to fill out

  9. Network: Unwanted Traffic from End Systems
  • Infer application-unwanted traffic:
    • Packet Symmetry (HotNets 05)
  • Applications need to be DoS-aware
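The Packet Symmetry bullet is the one inference technique on this slide, so here is an added illustration of its core idea, not the paper's code: a normal conversation sends and receives packets in roughly equal numbers, while a host flooding a victim transmits far more than it ever gets back. The edge keeps per-host transmit and receive counters, scores each host by the log of its tx/rx ratio, and caps what an asymmetric host may send next window relative to what it received. The bound, the activity floor, the window and the flow records are assumptions made for the example.

```python
"""Packet-symmetry check over constructed per-host packet counters.

Added illustration of the idea behind Packet Symmetry (Kreibich et al.,
HotNets 2005), not the paper's code.  The bound MAX_LOG_RATIO, the floor
MIN_TX and the flow records below are assumptions for this example.
"""
import math
from collections import defaultdict

MAX_LOG_RATIO = 2.0   # assumption: ln(tx/rx) above this is treated as a flood (ratio ~7.4)
MIN_TX = 100          # assumption: ignore hosts that sent too little to judge


def host_counters(flows):
    """flows: iterable of (src, dst, packets) records for one window.
    Returns per-host transmitted and received packet totals."""
    tx, rx = defaultdict(int), defaultdict(int)
    for src, dst, n in flows:
        tx[src] += n
        rx[dst] += n
    return tx, rx


def log_ratio(tx, rx):
    """Smoothed ln(tx/rx) so a host that received nothing still gets a score."""
    return math.log((tx + 1) / (rx + 1))


def asymmetric_hosts(flows, max_log_ratio=MAX_LOG_RATIO, min_tx=MIN_TX):
    """Map each host whose sending is too one-sided to its asymmetry score."""
    tx, rx = host_counters(flows)
    return {h: log_ratio(tx[h], rx[h]) for h in tx
            if tx[h] >= min_tx and log_ratio(tx[h], rx[h]) > max_log_ratio}


def allowed_tx(rx, max_log_ratio=MAX_LOG_RATIO):
    """Largest packet count a host may send next window without exceeding the
    bound, given what it received this window: the enforcement side of
    symmetry, a send budget that only grows when the peer answers."""
    return int(math.exp(max_log_ratio) * (rx + 1)) - 1


# Constructed flow records (src, dst, packets) as an edge router would see
# them in one window: a web client, a DNS exchange, a flood, and a host
# with a few unanswered packets.
FLOWS = [
    ("10.0.0.5", "198.51.100.80", 120), ("198.51.100.80", "10.0.0.5", 150),
    ("10.0.0.9", "198.51.100.53", 40), ("198.51.100.53", "10.0.0.9", 40),
    ("10.0.0.66", "192.0.2.1", 5000), ("192.0.2.1", "10.0.0.66", 3),
    ("10.0.0.7", "203.0.113.9", 30),
]

if __name__ == "__main__":
    _, rx = host_counters(FLOWS)
    for host, score in asymmetric_hosts(FLOWS).items():
        print(f"{host}: ln(tx/rx)={score:.2f}, next-window budget={allowed_tx(rx[host])}")
```

Only 10.0.0.66 is flagged with the defaults; lowering the activity floor also catches 10.0.0.7, whose thirty unanswered packets are equally asymmetric but too few to act on. Legitimately one-directional traffic (a UDP media stream, for instance) looks the same to this counter, so the bound has to be set per deployment rather than taken from this toy.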

  10. Network: Bandwidth Attacks
  • First goal: defeat low-cost DDoS attacks, where a single compromised machine sends many DoS messages
  • Deadlock (Greenhalgh et al., SRUTI 05)
    • No source-address spoofing, because there is no filtering mechanism that would make it necessary
    • Little deployment of ingress filtering, because there is no source-address spoofing
    • No automated filtering, because attacks could spoof source addresses to bypass it
  • Greenhalgh et al., SRUTI 05
    • Server-net filtering mechanism using routing/tunneling, assuming no source spoofing
  • Internet Accountability (Simon et al. 06, under submission)
    • Ingress filtering among "good" ISPs; other traffic is marked with an "evil" bit and gets worse treatment during peak traffic
  • Filtering infrastructure

  11. Network: Bandwidth Attacks
  • IP traceback
  • IP pushback
  • New capability infrastructure for the Internet:
    • SIFF (Oakland 04), Yang et al., SIGCOMM 05

  12. Network: Attacks on Operations
  • Securing BGP
    • SPV (SIGCOMM 04)

  13. Acknowledgement • This slide deck benefited from discussions with Adam M. Costello, Sharad Agarwal, and Dan Simon.
