Max Robinson, Jelena Mirkovic, Dr. Peter Reiher - PowerPoint PPT Presentation
Provided by: JelenaM1

DefCOM
Defensive Cooperative Overlay Mesh
Max Robinson, Jelena Mirkovic,
Dr. Peter Reiher
Motivation
  • Distributed denial-of-service attacks require a distributed solution.
  • Detection is more effective closer to the victim network.
  • Response is more selective closer to the source.
  • Good coverage with a few deployment points in the intermediate network.
Idea
  • Combine diverse defense systems for cooperative response.
Additional benefits
  • Wide deployment is achieved by accommodating legacy systems.
  • Defense nodes can specialize in those functions they can do best.
  • Through communication, the strengths of specialists can address challenges for other nodes.

[Figure: network diagram in which several attackers and clients send traffic toward a single victim.]
Distributed Peer-to-Peer Network for DDoS Defense
  • All nodes in the peer network cooperate to give preferential service to legitimate traffic and constrain the attack by:
      • Deploying secure packet stamping: each node defines its own legitimate and monitored stamp. Classifier nodes mark legitimate packets with legitimate stamps and the rest of the traffic with monitored stamps. Core nodes rewrite these stamps. Any unmarked packets reaching a core node are stamped as monitored if they pass the rate-limit.
      • Serving packets in three service levels: a core node apportions its bandwidth first to packets bearing legitimate stamps, then to packets bearing monitored stamps, and any leftover to unstamped traffic.
  • DefCOM is a peer-to-peer network of defense nodes that exchange information and services to perform cooperative DDoS defense.
  • Three types of nodes:
      • Alert generator nodes detect the attack and alert the rest of the peer network.
      • Core nodes perform simple rate-limiting.
      • Classifier nodes differentiate between legitimate traffic and attack traffic, forward legitimate packets and severely rate-limit attack packets.

[Figure: attackers and clients send traffic through classifier and core nodes toward the victims; alert generators next to the victims signal "Attack detected!".]
Alert generators detect the attack and send alerts to all peers in the network. Nodes forward alerts to their neighbors, yet avoid cycles. Nodes stamp the packets that they forward to the victim. When a node detects a packet carrying its neighbor's stamp, this neighbor becomes the node's child. The node sends a parent message to its children.
[Figure: the same topology after the alert; the rate limit of N Bps at the root of the traffic tree is divided into N/2 Bps limits for each of its two children.]
Nodes with parents/children form a traffic tree.
Nodes on the tree cooperate to stop the attack.
Rate-limits are propagated from the root to the
leaves. Parents divide their rate-limits among
their children.
Classifiers block attack traffic and forward
traffic bearing legitimate stamps. Core nodes
overwrite these stamps, and mark any unstamped
traffic with monitored stamps. Each node
dedicates bandwidth first to legitimate, then to
monitored, and last to unstamped traffic.
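As an added example that is not part of the original slides, the following Python models the two mechanisms described above: rate-limit propagation down the traffic tree (each parent splits its limit evenly among its children, N into N/2 and N/2) and a core node's three-level service with stamp rewriting. Node names, the packet tuples and the byte budget are constructed for the example; DefCOM's real stamps and messages are not reproduced.

```python
from collections import deque

# Service levels in the order a core node hands out bandwidth
LEGIT, MONITORED, UNSTAMPED = "legitimate", "monitored", None
PRIORITY = {LEGIT: 0, MONITORED: 1, UNSTAMPED: 2}

def propagate_rate_limits(tree, root, root_limit):
    """Push the root's rate-limit down the traffic tree.  Each parent splits
    its own limit evenly among its children (N -> N/2, N/2 in the figure).
    `tree` maps a node id to the list of its children; leaves may be absent."""
    limits = {root: root_limit}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        children = tree.get(node, [])
        for child in children:
            limits[child] = limits[node] / len(children)
            queue.append(child)
    return limits

def core_forward(node_id, packets, budget):
    """One interval of a core node's forwarding decision.
    packets: (size_bytes, stamp_level, stamping_node) tuples; stamp_level is
    LEGIT, MONITORED or UNSTAMPED.  Bandwidth goes first to legitimate-stamped
    packets, then monitored, then unstamped; whatever does not fit is dropped.
    Forwarded packets leave under this node's own stamp: legitimate stays
    legitimate, monitored and unstamped traffic become monitored."""
    forwarded, remaining = [], budget
    # sorted() is stable, so arrival order is kept within each service level
    for size, level, _stamper in sorted(packets, key=lambda p: PRIORITY[p[1]]):
        if size > remaining:
            continue  # no bandwidth left at this level: drop the packet
        remaining -= size
        forwarded.append((size, LEGIT if level == LEGIT else MONITORED, node_id))
    return forwarded, remaining

# Constructed sample: traffic arriving at core node "core1" in one interval.
SAMPLE = [
    (500, UNSTAMPED, None),           # raw traffic, no upstream DefCOM node
    (400, LEGIT, "classifier1"),      # client packet vetted by a classifier
    (600, MONITORED, "classifier1"),  # unclassified traffic from the same peer
    (300, LEGIT, "classifier2"),
    (700, UNSTAMPED, None),
]
def demo():
    """Constructed tree: victim -> core1, core2; core1 -> classifier1, classifier2."""
    tree = {"victim": ["core1", "core2"], "core1": ["classifier1", "classifier2"]}
    limits = propagate_rate_limits(tree, "victim", 1000)
    return limits, core_forward("core1", SAMPLE, limits["core1"] * 3)
```

With the sample input, `demo()` forwards both legitimate packets and the monitored one under core1's stamp and drops both unstamped packets, which is the ordering the slides describe.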