On the Effectiveness of
Route-Based Packet Filtering for
Distributed DoS Attack Prevention
in Power-Law Internets
WANG Jiamian
kfc315@gmail.com
May 17, 2013
About the paper
1. problem solved
2. approach
3. metric and evaluation
First of all...
• SIGCOMM '01, typical SIGCOMM-style
• The formalizing steps are, to some degree, subtle and hard to fully understand
• So, patience and deeper thinking are preferred
Part 1: problem solved
Background
DoS attack
• DoS is a pressing problem on the Internet
• When the attack is distributed, the impact can be proportionally severe
• Susceptibility to DoS is an intrinsic problem of any service provisioning system
Background
Two complementary problems
• Preventing DoS
  • identification of the attackers / traffic
  • if compromised, track back the attackers' ids
• Proactive prevention of spoofed IP packets from reaching their destination
• Reactive source identification of spoofed IP flows
Part 2: approach
Route-based detection and discarding of spoofed IP packets
Simple idea
• Uses routing information to determine if a packet arriving at a router is valid with respect to its inscribed source/destination addresses
• If a single router...
• If all AS's perform filtering...
• Like setting up road blocks to apprehend bank robbers
Route-based detection and discarding of spoofed IP packets
Simple idea illustrated
• A host of one AS attempting a DoS attack targeted at a server residing in another AS
• by using a forged source IP belonging to a third AS
Route-based detection and discarding of spoofed IP packets
Simple idea illustrated
• If the filtering AS knows the route topology, then it will recognize that a packet carrying that source address and bound for that destination would never enter through the link it actually arrived on
• So the source address must be spoofed
• Spoofed packets are discarded at the filtering AS, protecting the destination
Route-based detection and discarding of spoofed IP packets
Advantages and imprecisions
• The filter only needs to inspect the source IP address to determine that no packet "from" that source can legitimately arrive over the link in question
• The model is somewhat imprecise:
  • There are multiple edges between ASes
  • Different paths
  • Ignoring in-domain routing
Route-based detection and discarding of spoofed IP packets
Single deployment achieves little
• However, if the attacking host sits in an AS whose packets toward the victim never cross the filtering link, again using a forged source IP belonging to some other AS
• Then the single filter can do nothing
Route-based detection and discarding of spoofed IP packets
Objectives
i) Maximize proactive filtering of spoofed IP packets
ii) If some bogus packets do get through, minimize the number of sites that could have sent the packets (for IP traceback)
iii) Achieve i) and ii) while minimizing the number of sites at which route-based filtering is carried out
iv) In tandem with iii), find the optimum sites where filtering is to be performed
Maximal and semi-maximal filters
Formalization
• Undirected graph $G = (V, E)$: Internet AS topology
• $L(u, v)$: all loop-free paths from $u$ to $v$
• $R(u, v) \subseteq L(u, v)$: computed routes
• $M(s, t)$: an IP packet with source address $s$ and destination address $t$
• If $|R(s, t)| > 1$: multiple paths
Maximal and semi-maximal filters
Formalization
• For a link $e = (u, v) \in E$, a map function $F_e : V^2 \to \{0, 1\}$
  • $F_e(s, t) = 0$: $M(s, t)$ arriving over $e$ is forwarded
  • $F_e(s, t) = 1$: $M(s, t)$ arriving over $e$ is discarded
• Call $F_e$ a route-based packet filter with respect to $R$ if $F_e(s, t) = 0$ for every $e \in R(s, t)$
• Here $e \in R(s, t)$ denotes that link $e$ is on some path belonging to $R(s, t)$
Maximal and semi-maximal filters
Maximal filters
• A route-based filter $F_e$ is maximal if it satisfies
  $F_e(s, t) = 0$ if and only if $\exists f \in R(s, t)$ such that $e \in f$
• Thus a maximal route-based filter can filter all spoofed IP traffic, without affecting routing of non-spoofed IP packets determined by $R$
Maximal and semi-maximal filters
Maximal filters
• But computing a maximal route-based filter requires in general $O(n^2)$ space, $n = |V|$, which is unacceptable
Maximal and semi-maximal filters
Semi-maximal filters
• A semi-maximal filter is a maximal filter which uses only the source IP address to perform filtering
• i.e. $\hat{F}_e : V^2 \to \{0, 1\}$ depends on $s$ alone, and $\hat{F}_e$ is a projection of $F_e$:
  $\hat{F}_e(s, t) = 0$ if $e \in R(s, v)$ for some $v \in V$; $1$ otherwise
• A semi-maximal filter requires linear space
Performance Measures for DPF
Notations
• $T \subseteq V$: nodes where filtering is performed
• $|T| / |V|$: coverage ratio
Performance Measures for DPF
Two key performance metrics
• proactive
  • the fraction of AS's from which no spoofed IP packet can reach its target wherever it may be
  • denoted by $\Phi_2(1)$
• reactive
  • the fraction of AS's which upon receiving a spoofed IP packet can localize its true source within $\tau$ sites
  • denoted by $\Psi_1(\tau)$
Performance Measures for DPF
Two more high-level performance measures
• $S_{a,t}$: the set of nodes that an attacker at AS $a$ can use as spoofed source IP addresses to reach $t$ without being discarded by filters in $T$
  • i.e. defined from the attacker's perspective
• $C_{s,t}$: the set of nodes that could have sent a packet $M(s, t)$ with spoofed source IP address $s$ and destination address $t$ which didn't get filtered on its way
  • i.e. defined from the victim's perspective
Performance Measures for DPF
Illustration
• Without route-based filtering, an attacker residing at AS 1 and targeting AS 9 can disguise himself with IP addresses belonging to AS 0 ~ 8
• i.e. $S_{1,9} = \{0, 1, \cdots, 8\}$
Performance Measures for DPF
Illustration
• With route-based filtering at one site (the filter marked F in the figure), AS 6, 7, 8 are no more spoofable
• i.e. $S_{1,9} = \{0, 1, \cdots, 5\}$
Performance Measures for DPF
Illustration
• With route-based filtering at a second site F as well, AS 0, 3, 4, 5 are no more spoofable either
• i.e. $S_{1,9} = \{1, 2\}$
Performance Measures for DPF
Proactive filtering measures
• $\Phi_2(\tau) = \dfrac{|\{a : \forall t \in V,\ |S_{a,t}| \le \tau\}|}{n}$
• $\Phi_2(1)$ then measures the fraction of attack sites from which sending spoofed IP packets targeted at other AS's is futile
• $\Phi_1(\tau) = \dfrac{|\{t : \forall a \in V,\ |S_{a,t}| \le \tau\}|}{n}$
Performance Measures for DPF
Reactive filtering measure
• $\Psi_1(\tau) = \dfrac{|\{t : \forall s \in V,\ |C_{s,t}| \le \tau\}|}{n}$
• e.g. $\Psi_1(5)$ represents the fraction of AS's which, when attacked with an arbitrary spoofed IP packet, can resolve the attack location to within 5 possible attack sites
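The filter definition and the measures from the preceding slides, worked through on a constructed six-AS tree topology. This is an added example, not code from the paper or these slides; it assumes single-path shortest routes ($|R(s, t)| = 1$), that an AS in $T$ filters every packet crossing any of its links in the direction of traversal, and the function names `phi2` / `psi1` for $\Phi_2$ / $\Psi_1$.

```python
from collections import deque

# Constructed toy AS topology (not from the paper): AS 0 is a hub, ASes 1 and
# 2 are mid-tier providers and 3, 4, 5 are leaf ASes.
#        4 - 1 - 0 - 2 - 5
#                |
#                3
EDGES = [(0, 1), (0, 2), (0, 3), (1, 4), (2, 5)]

def build_adjacency(edges):
    adj = {}
    for u, v in edges:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def compute_routes(adj):
    """R(s, t) as one shortest path per pair (|R(s, t)| = 1, ties broken by BFS
    visit order), stored as the directed links (from, to) a packet traverses."""
    routes = {}
    for s in adj:
        parent, queue = {s: None}, deque([s])
        while queue:
            u = queue.popleft()
            for v in sorted(adj[u]):
                if v not in parent:
                    parent[v] = u
                    queue.append(v)
        for t in adj:
            path, node = [], t
            while parent[node] is not None:
                path.append((parent[node], node))
                node = parent[node]
            routes[(s, t)] = path[::-1]
    return routes

def semi_maximal_filters(routes, T):
    """Semi-maximal filter table for each directed link touching an AS in T:
    allowed[e] = {s : e lies on R(s, v) for some v}. F_e(s, t) = 0 (forward)
    iff s in allowed[e], else 1 (discard). Keyed by the source only, so O(n)
    per link instead of the O(n^2) (s, t) table a maximal filter needs."""
    allowed = {}
    for (s, _t), path in routes.items():
        for u, v in path:
            if u in T or v in T:
                allowed.setdefault((u, v), set()).add(s)
    return allowed

def discarded(routes, allowed, T, a, s, t):
    """True if M(s, t) injected by attacker AS a (so it travels along R(a, t))
    is dropped by a filter in T somewhere on the way."""
    return any((u in T or v in T) and s not in allowed.get((u, v), ())
               for u, v in routes[(a, t)])

def S_set(nodes, routes, allowed, T, a, t):
    """S_{a,t}: source addresses attacker a can spoof toward t unfiltered."""
    return frozenset(s for s in nodes if not discarded(routes, allowed, T, a, s, t))

def C_set(nodes, routes, allowed, T, s, t):
    """C_{s,t}: ASes that could have originated an unfiltered M(s, t)."""
    return frozenset(a for a in nodes
                     if a != t and not discarded(routes, allowed, T, a, s, t))

def phi2(nodes, routes, allowed, T, tau):
    """Proactive: fraction of ASes a with |S_{a,t}| <= tau for every target
    t != a. phi2(1) is the fraction of ASes from which spoofing is futile."""
    ok = [a for a in nodes
          if all(len(S_set(nodes, routes, allowed, T, a, t)) <= tau
                 for t in nodes if t != a)]
    return len(ok) / len(nodes)

def psi1(nodes, routes, allowed, T, tau):
    """Reactive: fraction of targets t that can localize any spoofed M(s, t)
    to at most tau candidate origins."""
    ok = [t for t in nodes
          if all(len(C_set(nodes, routes, allowed, T, s, t)) <= tau
                 for s in nodes)]
    return len(ok) / len(nodes)

def evaluate(edges, T, tau):
    """Evaluate the distributed filter <G, T, R>: coverage, phi2(1), psi1(tau)."""
    adj = build_adjacency(edges)
    nodes, T = sorted(adj), set(T)
    routes = compute_routes(adj)
    allowed = semi_maximal_filters(routes, T)
    return {"coverage": len(T) / len(nodes),
            "phi2_1": phi2(nodes, routes, allowed, T, 1),
            "psi1_tau": psi1(nodes, routes, allowed, T, tau)}

if __name__ == "__main__":
    # No filtering, the hub alone, and the vertex cover {0, 1, 2} of this tree.
    for T in (set(), {0}, {0, 1, 2}):
        print(sorted(T), evaluate(EDGES, T, 4))
```

With filters at the cover {0, 1, 2} every leaf AS loses the ability to spoof (phi2(1) = 0.5) and every victim can narrow an unfiltered spoofed packet down to at most 4 origin ASes (psi1(4) = 1.0); the hubs themselves remain able to spoof because their outgoing links legitimately carry many sources.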
Part 3: metric and evaluation
Performance evaluation
Overview
• Formally, a route-based (semi-)maximal distributed filter $F$ is a triple $F = \langle G, T, R \rangle$
  • $G = (V, E)$ is the AS graph
  • $T \subseteq V$ is where the route-based filter is performed
  • $R$ is the routing algorithm
• Evaluating the effectiveness of $F$ with respect to the proactive and reactive performance measures
  • i.e. the dependence on $G$, $T$, $R$
Performance evaluation
Set-up
• Tool set
• Dataset
  • 1997–1999 Internet AS topologies taken from NLANR, i.e. power-law network topology
  • Artificial Internet topologies
Performance evaluation
Set-up
• How to choose the $|T|$ nodes?
• How about sampling from $V$ uniformly at random until the target coverage size is reached?
• Power-law graphs have "centers", so finding a vertex cover (VC) may achieve a small coverage ratio
Performance evaluation
Determining $T$
• Finding a minimum VC in a graph is an NP-complete (NP-C) problem
• Use two approximation algorithms to find small VCs; the smaller VC found by the two algorithms is $T$
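A concrete version of the placement step described above, as an added example (not the authors' code). The slides do not name the two approximation algorithms, so this assumes a degree-greedy heuristic and the maximal-matching 2-approximation, keeps the smaller cover as $T$, and runs on a constructed seven-AS graph.

```python
# Constructed toy AS topology (not from the paper): AS 0 and AS 1 are hubs,
# with a customer cycle 1-4-5 and a chain 0-2-6.
EDGES = [(0, 1), (0, 2), (0, 3), (1, 4), (1, 5), (2, 6), (4, 5)]

def degree_greedy_cover(edges):
    """Repeatedly pick the highest-degree vertex of the remaining graph (lowest
    id on ties) and delete its edges; the hubs of a power-law graph go first."""
    remaining, cover = set(edges), set()
    while remaining:
        degree = {}
        for u, v in remaining:
            degree[u] = degree.get(u, 0) + 1
            degree[v] = degree.get(v, 0) + 1
        best = min(degree, key=lambda x: (-degree[x], x))
        cover.add(best)
        remaining = {e for e in remaining if best not in e}
    return cover

def matching_cover(edges):
    """Classic 2-approximation: both endpoints of every edge of a greedily
    built maximal matching."""
    cover = set()
    for u, v in edges:
        if u not in cover and v not in cover:
            cover.update((u, v))
    return cover

def is_vertex_cover(edges, cover):
    return all(u in cover or v in cover for u, v in edges)

def choose_filter_sites(edges):
    """T = the smaller of the two covers; also returns the coverage ratio |T|/|V|."""
    candidates = [degree_greedy_cover(edges), matching_cover(edges)]
    if not all(is_vertex_cover(edges, c) for c in candidates):
        raise ValueError("approximation returned a non-cover")
    T = min(candidates, key=len)
    nodes = {x for e in edges for x in e}
    return T, len(T) / len(nodes)

if __name__ == "__main__":
    T, ratio = choose_filter_sites(EDGES)
    print("filter sites T =", sorted(T), "coverage ratio =", ratio)
```

On this graph the degree-greedy cover {0, 1, 2, 4} beats the matching cover of size 6 and is in fact optimal, so filtering at 4 of the 7 ASes covers every link.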
Proactive filtering and DDoS
• $\Phi_2(1)$ measures the fraction of attack sites from which sending spoofed IP packets targeted at other AS's is futile
• Thus it is an upper bound on the distributedness of DDoS attacks: at most a $1 - \Phi_2(1)$ fraction of AS's can still originate spoofed packets
Reactive filtering effect
• $\Psi_1(\tau)$ represents the fraction of AS's which, when attacked with an arbitrary spoofed IP packet, can resolve the attack location to within $\tau$ possible attack sites
Maximal vs. semi-maximal filters
• Compared on $\Psi_1(\tau)$ and $\Phi_2(1)$
References
• This paper: Park, K., & Lee, H. (2001). On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. In Proceedings of SIGCOMM '01: the 2001 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications. ACM. doi:10.1145/383059.383061
• Wikipedia, "vertex cover", http://en.wikipedia.org/wiki/Vertex_cover
Thank you.

Presentation of "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets" by Jammy
