Presentation of "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets" by Jammy
for Next-Generation Internet Class
Presentation of "On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets" by Jammy
1. On the Effectiveness of
Route-Based Packet Filtering for
Distributed DoS Attack Prevention
in Power-Law Internets
WANG Jiamian
kfc315@gmail.com
May 17, 2013
2. About the paper
On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets
1 problem solved
2 approach
3 metric and evaluation
3. First of all...
• SIGCOMM ’01, typical SIGCOMM-style
• The formalizing steps are, to some degree, subtle and hard to fully understand
• So, patience and deeper thinking are preferred
4. On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets
1 problem solved
5. Background
DoS attack
• DoS is a pressing problem on the Internet
• When the attack is distributed, the impact can be proportionally severe
• Susceptibility to DoS is an intrinsic problem of any service provisioning system
6. Background
Two complementary problems
• Preventing DoS
• identification of the attackers / traffic
• if compromised, track back the attackers’ ids
• Proactive prevention of spoofed IP packets from reaching their destination
• Reactive source identification of spoofed IP flows
7. On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets
2 approach
8. Route-based detection and discarding of spoofed IP packet
Simple idea
• Uses routing information to determine if a packet arriving at a router is valid with respect to its inscribed source/destination addresses
• If a single router...
• If all AS’s perform filtering...
• Like setting up road blocks to apprehend bank robbers
9. Route-based detection and discarding of spoofed IP packet
Simple idea illustrated
• Host of attempting a DoS attack targeted at a server residing in
• by using a forged source IP belonging to
10. Route-based detection and discarding of spoofed IP packet
Simple idea illustrated
• If knows the route topology, then it will recognize that a packet from to would not enter through link ( , )
• So the source address must be spoofed
• Spoofed packets are discarded at , protecting
11. Route-based detection and discarding of spoofed IP packet
Advantages and imprecisions
• only needs to inspect the source IP address to determine that no packet “from ” can arrive at link ( , )
• The model is somewhat imprecise:
• There are multiple edges between ASes
• Different paths
• Ignoring in-domain routing
12. Route-based detection and discarding of spoofed IP packet
Single deployment achieves little
• However, if host of attempting a DoS attack targeted at a server residing in
• by using a forged source IP belonging to
• Then can do nothing
13. Route-based detection and discarding of spoofed IP packet
Objectives
i) Maximize proactive filtering of spoofed IP packets
ii) If some bogus packets do get through, minimize the number of sites that could have sent the packets (for IP traceback)
iii) Achieve i) and ii) while minimizing the number of sites at which route-based filtering is carried out
iv) in tandem with iii), find the optimum sites where filtering is to be performed
14. Maximal and semi-maximal filters
Formalization
• Undirected graph $G = (V, E)$: Internet AS topology
• $L(u, v)$: all loop-free paths from $u$ to $v$
• $R(u, v) \subseteq L(u, v)$: computed routes
• $M(s, t)$: an IP packet with source $s$ and destination $t$
• If $|R(s, t)| > 1$: multiple paths
15. Maximal and semi-maximal filters
Formalization
• $F_e : V^2 \to \{0, 1\}$, map function for link $e = (u, v) \in E$: $F_e(s, t) = 0$ means $M(s, t)$ arriving on $e$ is forwarded, $F_e(s, t) = 1$ means it is discarded
• Call $F_e$ a route-based packet filter with respect to $R$ if $F_e(s, t) = 0$ for $e \in R(s, t)$
• here $e \in R(s, t)$ denotes that link $e$ is on some path belonging to $R(s, t)$
16. Maximal and semi-maximal filters
Maximal filters
• A route-based filter $F_e$ is maximal if it satisfies $F_e(s, t) = 0$ if and only if $e \in f$ for some $f \in R(s, t)$
• Thus a maximal route-based filter can filter all spoofed IP traffic, without affecting routing of non-spoofed IP packets determined by $R$
17. Maximal and semi-maximal filters
Maximal filters
• But computing a maximal route-based filter requires in general $O(n^2)$ space, $n = |V|$, which is unacceptable
18. Maximal and semi-maximal filters
Semi-maximal filters
• A semi-maximal filter is a maximal filter which uses only the source IP address to perform filtering
• i.e. $F_e : V^2 \to \{0, 1\}$ still, but this $F_e$ is a projection of the maximal $F_e$ onto the source address: $F_e(s, t) = 0$ if $e \in R(s, v)$ for some $v \in V$, $1$ otherwise
• A semi-maximal filter requires linear space
19. Performance Measures for DPF
Notations
• $T \subseteq V$: nodes where filtering is performed
• coverage ratio $= |T|/|V|$
• Two key performance metrics
• proactive: the fraction of AS’s from which no spoofed IP packet can reach its target wherever it may be, denoted by $\Phi_2(1)$
• reactive: the fraction of AS’s which upon receiving a spoofed IP packet can localize its true source within $\tau$ sites, denoted by $\Psi_1(\tau)$
20. Performance Measures for DPF
Two key performance metrics
• proactive
• the fraction of AS’s from which no spoofed IP packet can reach its target wherever it may be
• denoted by $\Phi_2(1)$
• reactive
• the fraction of AS’s which upon receiving a spoofed IP packet can localize its true source within $\tau$ sites
• denoted by $\Psi_1(\tau)$
21. Performance Measures for DPF
Two more high-level performance measures
• $S_{a,t}$: the set of nodes that an attacker at AS $a$ can use as spoofed source IP addresses to reach $t$ without being discarded by filters in $T$
• i.e. defined from the attacker’s perspective
• $C_{s,t}$: the set of nodes that could have sent a packet $M(s, t)$ with spoofed source IP address $s$ and destination address $t$ which didn’t get filtered on its way
• i.e. defined from the victim’s perspective
22. Performance Measures for DPF
Illustration
• Without route-based filtering, an attacker residing at AS 1 can disguise himself with IP addresses belonging to ASes 0 ~ 8 when attacking AS 9
• i.e. $S_{1,9} = \{0, 1, \cdots, 8\}$
23. Performance Measures for DPF
Illustration
• With route-based filtering at one site (F in the figure), ASes 6 ~ 8 are no more spoofable
• i.e. $S_{1,9} = \{0, 1, \cdots, 5\}$
24. Performance Measures for DPF
Illustration
• With route-based filtering at two sites (F, F in the figure), ASes 0 and 3 ~ 5 are no more spoofable either
• i.e. $S_{1,9} = \{1, 2\}$
25. Performance Measures for DPF
Proactive filtering measures
• $\Phi_1(\tau) = \frac{|\{t : \forall a \in V,\ |S_{a,t}| \le \tau\}|}{n}$, $\Phi_2(\tau) = \frac{|\{a : \forall t \in V,\ |S_{a,t}| \le \tau\}|}{n}$, with $n = |V|$
• $\Phi_2(1)$ then measures the fraction of attack sites from which sending spoofed IP packets targeted at other AS’s is futile
26. Performance Measures for DPF
Reactive filtering measure
• $\Psi_1(\tau) = \frac{|\{t : \forall s \in V,\ |C_{s,t}| \le \tau\}|}{n}$
• e.g. $\Psi_1(5)$ represents the fraction of AS’s which when attacked with an arbitrary spoofed IP packet, can resolve the attack location to within 5 possible attack sites
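The filter and measure definitions of slides 14 to 26, carried through on a small topology as an added example (not the slides' or the paper's code; the toy graph, the single-path BFS routing and the assumption that a filtering AS checks only packets arriving on its incoming links are mine):

```python
# Added example (not the slides' or the paper's code): constructed toy AS graph, BFS
# single-path routes R, semi-maximal filters at ASes in T, brute-force S_{a,t}, Phi_2, Psi_1.
# Assumed: AS v in T checks packets arriving on link (u, v) in travel direction only.
from collections import deque

def bfs_routes(adj):
    """R(u, v): one BFS shortest path per ordered pair (single-path routing)."""
    routes = {}
    for src in adj:
        parent, q = {src: None}, deque([src])
        while q:
            u = q.popleft()
            for w in adj[u]:
                if w not in parent:
                    parent[w] = u
                    q.append(w)
        for dst in adj:  # walk parent pointers back from dst to src
            path = [dst]
            while parent[path[-1]] is not None:
                path.append(parent[path[-1]])
            routes[(src, dst)] = path[::-1]
    return routes

def semi_maximal_filters(routes, T):
    """allowed[(u, v)] = {s : link (u, v) lies on R(s, x) for some x}, for v in T."""
    allowed = {}
    for (s, _), path in routes.items():
        for u, v in zip(path, path[1:]):
            if v in T:
                allowed.setdefault((u, v), set()).add(s)
    return allowed

def spoofable(routes, allowed, T, nodes, a, t):
    """S_{a,t}: sources s that M(s, t) sent from a can carry along R(a, t) unfiltered."""
    hops = list(zip(routes[(a, t)], routes[(a, t)][1:]))
    return {s for s in nodes if all(v not in T or s in allowed.get((u, v), ()) for u, v in hops)}

def measures(adj, T, tau):
    """(Phi_2(tau), Psi_1(tau)) for semi-maximal filters deployed at the ASes in T."""
    nodes, routes = list(adj), bfs_routes(adj)
    allowed = semi_maximal_filters(routes, T)
    S = {(a, t): spoofable(routes, allowed, T, nodes, a, t) for a in nodes for t in nodes if a != t}
    # C_{s,t} = {a : s in S_{a,t}}: candidate true origins of an unfiltered M(s, t)
    C = {(s, t): {a for a in nodes if a != t and s in S[(a, t)]} for s in nodes for t in nodes}
    phi2 = sum(all(len(S[(a, t)]) <= tau for t in nodes if t != a) for a in nodes) / len(nodes)
    psi1 = sum(all(len(C[(s, t)]) <= tau for s in nodes) for t in nodes) / len(nodes)
    return phi2, psi1

# Constructed tree-shaped topology: hub AS 0 with three stub subtrees behind it.
ADJ = {0: [1, 2, 3], 1: [0, 4, 5], 2: [0, 6], 3: [0, 7], 4: [1], 5: [1], 6: [2], 7: [3]}
```

On this tree $\Phi_2(1)$ stays at 0.5 even with $T = V$, because a semi-maximal filter sees only the source address and an AS can still inscribe the addresses of the stub ASes routed through it; that residual spoofability is what the reactive measure $\Psi_1(\tau)$ bounds.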
27. On the Effectiveness of Route-Based Packet Filtering for Distributed DoS Attack Prevention in Power-Law Internets
3 metric and evaluation
28. Performance evaluation
Overview
• Formally, a route-based (semi)maximal distributed filter $F$ is a triple $F = \langle G, T, R \rangle$
• $G = (V, E)$ is the AS graph
• $T \subseteq V$: where the route-based filter is performed
• $R$ is the routing algorithm
• Evaluating the effectiveness of $F$ with respect to the proactive and reactive performance measures
• i.e. the dependence on $G, T, R$
29. Performance evaluation
Set-up
• Tool set
• Dataset
• 1997–1999 Internet AS topologies taken from NLANR
• i.e. power-law network topology
• Artificial Internet topologies
30. Performance evaluation
Set-up
• How to choose $|T|$ nodes?
• How about sampling from $V$ uniformly at random until the target coverage size is reached?
• Power-law graphs have “centers”, so finding a vertex cover (VC) may achieve a small coverage ratio
31. Performance evaluation
Determining $T$
• Finding a minimal VC in a graph is an NP-complete problem
• Use two approximation algorithms to find small VCs, and the minimum VC found by the two algorithms is $T$
32. Proactive filtering and DDoS
• $\Phi_2(1)$ measures the fraction of attack sites from which sending spoofed IP packets targeted at other AS’s is futile
• Thus it is an upper bound on the distributedness of DDoS attacks
33. Reactive filtering effect
• $\Psi_1(\tau)$ represents the fraction of AS’s which when attacked with an arbitrary spoofed IP packet, can resolve the attack location to within $\tau$ possible attack sites
35. References
• This paper: Park, K., & Lee, H. (2001). On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets. In SIGCOMM ’01: Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications. ACM. doi:10.1145/383059.383061
• Wikipedia, “vertex cover”, http://en.wikipedia.org/wiki/Vertex_cover