1 / 25

Tiered Incentives for Integrity Based Queuing

Tiered Incentives for Integrity Based Queuing. Fariba Khan , Carl A. Gunter University of Illinois at Urbana-Champaign. Outline. Problem setting Challenges and existing work Infrastructures for IBQ Queuing Analytic and experimental results. Internet DDoS Attack.

shelly
Télécharger la présentation

Tiered Incentives for Integrity Based Queuing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tiered Incentives for Integrity Based Queuing Fariba Khan, Carl A. Gunter University of Illinois at Urbana-Champaign

  2. Outline • Problem setting • Challenges and existing work • Infrastructures for IBQ • Queuing • Analytic and experimental results

  3. Internet DDoS Attack • Finding the source of an attack is difficult • It is often difficult to detect an attack packet

  4. Internet DDoS Attack • Finding the source of an attack is difficult • It is often difficult to detect an attack packet • Legitimate client has to get through • Could we make it so that the magnitude of the attack packet is less important

  5. Head of line blocking All Eve’s Fair-queuing • Figure she is the good guy and skip the long line? • No? Cannot tell if a packet is from an Alice or Eve • May be give everybody opportunity to send one packet • No one gets to send a million All Alice’s Eve 1 Eve 2 Alice 1 Eve 3 Alice 2 Eve 4 Alice 3

  6. Fair-queue: Head of Line Blocking Eve Alice 1 Alice 2 Alice 3 Alice 4 Alice 5 Alice 6 Alice 7

  7. Performance of Integrity Protection and Fairness ns2 Simulation Setup: Depth 10, 1024 clients/flows, 10Mbps links, 102 attackers, 10 Mbps/attacker, Client bandwidth 0.01 Mbps

  8. Source Address Validation • Ingress Filtering: Neither a complete nor verifiable • IP of a filtered domain can be spoofed • In the same domain • From an unfiltered domain 1-4 1-8 1,2 1-8 1-8 3,4 1 2 1-8 1-8 1-8 1-8 3,4 3,4 1 2 3 4 5 6 7 8 RFC 2827

  9. Motivation • Effectiveness of fair-queuing is dependent on accurate flow classification. • Even with partial authentication legitimate flows can be spoofed by the spoofed origin flows. • As the legitimate flows are choked, an ISP cannot see the benefit of deploying filtering or an advanced protocol. Client: received level of service ∝ participation

  10. Concept: Integrity Based Queuing (IBQ)

  11. Cycle of Network Assurance

  12. Design • Integrity Levels • MAC • Queue

  13. Integrity Levels: Spoofing Index Table • Strict filtering vs Regular filtering: • The address range is divided in smaller subdomains • Spoofing is restricted within that subdomain only • Example • In University of Illinois a host can spoof 511 neighboring addresses within its /23 prefix • Spoofing index = 9 for University of Illinois or AS3 • Spoofing index table for all autonomous systems available for routers BB05

  14. MAC RFC4301, YPS03, YWA05, LLY08, GH09, YL09

  15. Queue Per source high integrity queues =0 Spoofing Index ? >0 Per integrity-block queues Y MAC verified? Low integrity queue N 15

  16. Analytic Results • α >> s >> β • Spoofing index, i • Probability that A and B are in the same domain, p = 1/232 – i • Loss rate,

  17. Experimental Results • 2000 clients, 256 AS, 16-512 attackers • Client rate 64kbps, attacker 64 Mbps Effort = Integrity level = Success

  18. Experimental Results – Example Traffic VoIP • 2000 clients, 256 AS, 16-512 attackers • Client rate 64kbps, attacker 64 Mbps

  19. Experimental Results: Two Attack Styles

  20. Conclusion • Thesis • Using IBQ gives legitimate users an avenue to communicate with a server while the network is under attack. The service they get directly relates to the effort their ISP spent for integrity protection and validation thus incentivizing its investment. • Future Work • Experiment with real DDoS attack data • Overhead Measurement • Use of IBQ for network assurance

  21. Thank You Questions?

  22. Other Work [0] Adaptive Selective Verification: An Efficient Adaptive Countermeasure to Thwart DoS Attacks. S. Khanna, S. S. Venkatesh, O. Fatemieh, F. Khan, and C. A. Gunter. (Submission) IEEE Transactions on Network (ToN). [1] Attribute-Based Messaging: Access Control and Confidentiality. R. Bobba, O. Fatemieh, F. Khan, A. Khan, C. A. Gunter, H. Khurana, and M. Prabhakaran. (First three authors in alphabetic order) IN ACM Transactions on Information and System Security (TISSEC). [2] Adaptive Selective Verification,SanjeevKhanna, Santosh S. Venkatesh, OmidFatemieh, Fariba Khan, and Carl A. Gunter,IEEE Conference on Computer Communications (INFOCOM '08), Phoenix, AZ, April 2008. [3] Using Attribute-Based Access Control to Enable Attribute-Based Messaging,RakeshBobba, OmidFatemieh, Fariba Khan, Carl A. Gunter, and HimanshuKhurana. (First three authors in alphabetic order) IEEE Annual Computer Security Applications Conference (ACSAC '06) , Miami, FL, December 2006. [4] Using Attribute-Based Access Control to Enable Attribute-Based Messaging. Fariba Khan Master's Thesis, University of Illinois, October 2006.

  23. Fairness • 1974: The Internet was designed with an openness • 1989: FQ->active research for congestion control ->RED • 1999: FQ-> again for congestion control -> 40Gbps • 2005: FQ-> active research for DDoS defenses

  24. Related Work Analysis • 1024 hosts • 33 routers • 32 subdomains • Spoofing index: 8 (scaled down for small topology) • Links • 200 Mbps links, 10 ms delay • 5% of channel for request (10 Mbps) • Bottleneck 1Gbps • Comparative to 40-100 Gbps Internet links. • 10% hosts are attackers • Attack bandwidth 100-700 Mbps • 50B request from a client

More Related