tva a dos limiting network architecture n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
TVA: A DoS-limiting Network Architecture PowerPoint Presentation
Download Presentation
TVA: A DoS-limiting Network Architecture

Loading in 2 Seconds...

play fullscreen
1 / 30

TVA: A DoS-limiting Network Architecture - PowerPoint PPT Presentation


  • 72 Views
  • Uploaded on

TVA: A DoS-limiting Network Architecture. Xiaowei Yang (UC Irvine) David Wetherall (Univ. of Washington) Thomas Anderson (Univ. of Washington). DoS is not even close to be solved. Address validation is insufficient (botnets) Traceback is too little too late (detection only)

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'TVA: A DoS-limiting Network Architecture' - robert-barr


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
tva a dos limiting network architecture

TVA: A DoS-limiting Network Architecture

Xiaowei Yang (UC Irvine)

David Wetherall (Univ. of Washington)

Thomas Anderson (Univ. of Washington)

dos is not even close to be solved
DoS is not even close to be solved
  • Address validation is insufficient (botnets)
  • Traceback is too little too late (detection only)
  • Pushback lacks discrimination (imprecise)
  • Secure overlay filtering requires offline authenticators (public servers)

capabilities are a promising approach
Capabilities are a promising approach
  • Destination control
    • The destinations know better.
  • Network filtering based on explicit and unforgeable packet state, i.e., capabilities
    • Only the network can shed load before the damage has been made.
  • Anderson et al. [Anderson03], Yarr et al. [Yarr04]
sketch of the capability approach
Sketch of the capability approach
  • Source requests permission to send.
  • Destination authorizes source for limited transfer, e.g, 32KB in 10 secs
    • A capability is the proof of a destination’s authorization.
  • Source places capabilities on packets and sends them.
  • Network filters packets based on capabilities.

cap

capabilities alone do not effectively limit dos
Capabilities alone do not effectively limit DoS
  • Goal: minimize the damage of the arbitrary behavior of k attacking hosts.
    • Non-goal: make DoS impossible
  • Problems
    • Request or authorized packet floods
    • Added functionality in a router’s forwarding path
    • Authorization policies
    • Deployment
  • TVA addresses all of the above.
challenges
Challenges
  • Counter a broad range of attacks, including request and authorized packet floods
  • Router processing with bounded state and computation
  • Effective authorization policies
  • Incrementally deployable
request packet floods
Request packet floods
  • Request packets do not carry capabilities.
counter request packet floods i
Counter request packet floods (I)
  • Rate-limit request packets

cap

cap

cap

counter request packet floods ii
Counter request packet floods (II)
  • Rate-limit request packets
  • Routers insert path identifier tags [Yarr03].
  • Fair queue requests using the most recent tags.

1

2

Per path-id queues

1

1

counter authorized packet floods

cap

Counter authorized packet floods
  • Per-destination queues
  • TVA bounds the number of queues.

cap

cap

cap

cap

cap

challenges1
Challenges
  • Counter a broad range of attacks, including request packet floods and authorized packet floods
  • Router processing with bounded state and computation
  • Effective authorization policies
tva s implementation of capabilities

cap2

cap1

TVA’s implementation of capabilities
  • Routers stamp pre-capabilities on request packets
    • (timestamp, hash(src, dst, key, timestamp)
  • Destinations return fine-grained capabilities
    • (N, T, timestamp, hash(pre-cap, N, T))
    • send N bytes in the next T seconds, e.g. 32KB in 10 seconds

pre2

pre1

validating fine grained capabilities

data

cap2

cap1

Validating fine-grained capabilities

N, T, timestamp, hash(pre-cap, N, T)

  • A router verifies that the hash value is correct.
  • Checks for expiration: timestamp + T · now
  • Checks for byte bound: sent + pkt_len · N

bounded computation
Bounded computation
  • The main computation overhead is hash validation.
  • On a Pentium Xeon 3.2GHz PC
    • Stamping pre-capabilities takes 460ns
    • Validating capabilities takes 1486ns
bounded state

data

cap2

cap1

Bounded state
  • Create a slot if a capability sends faster than N/T.
  • For a link with a fixed capacity C, there are at most C/(N/T) flows
  •  Number of slots is bounded by C / (N/T)

N, T, timestamp, hash(pre-cap, N, T)

sent + pkt_len · N

worst case byte bound is 2n in t seconds
Worst case byte bound is 2N in T seconds

bytes · N

  • If a slot expires, it indicates that a capability sends slower than N/T.

TTL

average rate · N/T

average rate · N/T

bytes · N

t5

t4

t2

t1

t3

t · T

T

0

a slot is expired

a slot is created

bounded number of queues
Bounded number of queues

Queue on most recent tags

  • Tag space bounds the number of request queues.
  • Number of destination queues is bounded by C/R

requests

path-identifier queue

regular packets

per-destination queue

Y

Validate capability

N

legacy packets

low priority queue

Keeps a queue if a destination receives faster than a threshold rate R

challenges2
Challenges
  • Counter a broad range of attacks, including request packet floods and authorized packet floods
  • Router processing with bounded state and computation
  • Effective authorization policies
simple policies can be effective
Simple policies can be effective
  • Fine-grained capabilities tolerate authorization mistakes.
  • Client policy
    • Authorize requests that match outgoing ones
  • Public server policy
    • Authorize all initial requests
    • Stop misbehaving senders
    • A server has control over its incoming traffic when overload occurs.
overview of different schemes
Overview of different schemes
  • SIFF [Yarr04]
    • request and legacy traffic have the same priority
    • authorized traffic has a higher priority
    • time-limited capabilities
  • Pushback [Mahajan01, Ioannidis02]
    • Network controlled filtering
  • Legacy Internet
    • best-effort
ns 2 simulation setup

Ns-2 Simulation Setup

10 legitimate users

  • Scale down topology to speed up simulations
  • Two metrics:
    • The transfer time of a fixed-length file (20KB)
    • Fraction of completed transfers

destination

1Mb

10Mb

colluder

bottleneck

1Mb

1-100 attackers

tva is able to limit legacy packet floods

SIFF

Internet

Internet

pushback

pushback

TVA

TVA

SIFF

TVA is able to limit legacy packet floods
conclusion
Conclusion
  • Key contribution
    • a comprehensive and practical capability system for the first time.
  • We made TVA practical in three aspects
    • Counter a broad range of attacks
    • Bounded state and computation
    • Simple and effective authorization policies
  • Coming next
    • Testbed implementation
      • Request rate limit, queuing scheme
    • Robust service differentiation
      • Traffic with different priority
types of queues inside a tva router
Types of Queues inside a TVA-router
  • TVA bounds the number of queues.

requests

path-identifier queue

regular packets

per-destination queue

Y

Validate capability

N

legacy packets

low priority queue

tva s implementation of capabilities1

data

cap2

cap2

cap1

cap1

TVA’s implementation of capabilities
  • Routers stamp pre-capabilities on request packets
    • (timestamp, hash(src, dst, key, timestamp)
  • Destinations return fine-grained capabilities
    • (N, T, timestamp, hash(pre-cap, N, T))
    • send N bytes in the next T seconds, e.g. 32KB in 10 seconds

pre2

pre1