1 / 1

Adaptive DoS Defense

Selective Verification. A. S. Adaptive DoS Defense. Attacker. seclab.uiuc.edu. Omid Fatemieh, Fariba Khan, Michael B. Greenwald, Carl A. Gunter, Sanjeev Khanna, Jose Messeguer, and Santosh Venkantesh. C. Legitimate Client. A. S. A gets reduced channel. S makes channels lossy.

abia
Télécharger la présentation

Adaptive DoS Defense

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Selective Verification A S Adaptive DoS Defense Attacker seclab.uiuc.edu Omid Fatemieh, Fariba Khan, Michael B. Greenwald, Carl A. Gunter, Sanjeev Khanna, Jose Messeguer, and Santosh Venkantesh C Legitimate Client A S A gets reduced channel S makes channels lossy Denial of Service Protection • Defense mechanism questions: • When should they be triggered? • What is the desired level of strictness? • How should the parameters be set to achieve the desired level of strictness? • What are the trade-offs? • Two possibilities for mechanisms: • Protection is intrinsic or has no cost (e.g. IPSec, Syn Cookies) • Protection has costs (e.g. Client Puzzles, Filtering Schemes) • Need to control trade-offs • Need adaptation strategy C L adds redundancy Classification from Adaptation Perspective Network –based Filtering Target-based Filtering Capabilities Proof-of-work Adaptive Selective Verification Selective Verification Trade-offs • Server capacity: s REQ/sec • Clients’ rate: r ≤ s/2c; c ≥ 1 • Attackers’ rate up to s2a; (c ≥ 3 lg a) • Client: Set j=0 • Send 2jREQ messages to server • If no ACK in T time units, j=j+1 • If j ≤ a+c go to step 2, else exit • Server: Every T seconds choose uniformly at random sT pkts from receiving buffer; Discard remaining pkts • Omniscient case: Clients and server have global knowledge about attack • Summary of analysis results: Client’s chance of success is equal to, and bandwidth consumption is O(a/c) times, the omniscient case • Mitigate DoS attacks that target computationally expensive protocols • Intelligently trade bandwidth resources for CPU resources • Idea: process only a random subset of requests. Ask clients to send n duplicates for each request. • Adapting n • Cost(n) = CCPU * processed requests + CBW * incoming requests • Goal: At regular intervals, determine n such that Cost(n) is minimized: • Bandwidth limitations • Elevator rise but soft landing Research Directions 1. Better understand the inherent trade-offs in DoS defense solutions 2. Use the adaptation-aware DoS classification and trade-off analyses to propose for each category: 2.1. Procedures that, with minimal change, can be applied to existing approaches to make them adaptive 2.2. Design guidelines that would help the introduction of next generation protocols with adaptation in mind Sponsored by ONR, NSF and MacArthur Foundation Information Trust Institute University of Illinois at Urbana-Champaign www.iti.uiuc.edu

More Related