Mitigating Bandwidth-Exhaustion Attacks using Congestion Puzzles (PowerPoint presentation)

About This Presentation

Title: Mitigating Bandwidth-Exhaustion Attacks using Congestion Puzzles

Description: Very large number of zombies. Indistinguishable from flash crowd ... 1000 zombies and 500 http clients. Only 20Mbps of the congested link ...

Slides: 22
Provided by: xiaofe

Transcript and Presenter's Notes

1
Mitigating Bandwidth-Exhaustion Attacks using
Congestion Puzzles
  • XiaoFeng Wang (IUB), Mike Reiter (CMU)

2
(No Transcript)
3
(No Transcript)
4
Bandwidth-exhaustion attacks
[Figure: an attacker directs several zombies to flood the victim]
5
Puzzles
[Figure: good guy, bad guys, and a router that issues puzzles]
6
What puzzles cannot do
  • Very large number of zombies
  • Indistinguishable from flash crowd
  • However, puzzle-based incentive engineering makes
    this harder to achieve!

7
Congestion puzzles (CP)
  • Puzzles can mitigate bandwidth-exhaustion attacks
    at the IP layer
  • Puzzles can be used to control congestion flows
  • Puzzles can be built into routers with affordable
    overheads

8
Attack model
  • Adversary cannot
    • tamper with most users' packets
    • eavesdrop on most users' flows
  • Adversary can
    • forge information in their own packets
    • coordinate their attacks perfectly
    • compromise some routers

9
What does a puzzle look like?
10
How CP works
11
Puzzle distribution
12
Puzzle-based rate limiter
  • Basic idea: use computation flow to control bit
    flow
  • Control , where rb is an average
    bit rate (bytes/s), rc is an average
    computation rate (hashes/s) and d is the puzzle
    difficulty
  • Control function , where
    ? is a control ratio (bytes/hash)
  • IP caching: keep a small set of IP buckets and
    update the set with LFU replacement

13
Distributed puzzle mechanism
  • Idea: ask upstream routers to help control
    congestion flows
  • Problem: re-use of puzzle solutions across
    different routing paths

[Figure: distributed puzzle topology with nodes 1 through 6, labelled Ns and s]
14
Costs on routers
  • Computation
    • Idea: the puzzle-based rate limiter (PRL) can estimate rc by
      sampling some puzzle solutions
    • Costs on a modern router could be very low, about
      0.16 of CPU resources in our experiment
  • Memory
    • Idea: use a Bloom filter to store client nonce
      sequences
    • The memory costs could be easily affordable for a
      modern router: only 1.1MB for a router with 2.2M
      packets/s switching capacity
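The puzzle-based rate limiter from slide 12 and the Bloom-filter check on re-used solutions from slides 13 and 14, modelled in a small example added here; this is illustration code, not the paper's or its NS-2 implementation. The puzzle form (SHA-256 with d leading zero bits), the class and function names, and the sample source addresses are assumptions; the control ratio is the slides' bytes-per-hash quantity.

```python
import hashlib

def puzzle_hash(nonce: bytes, x: int) -> int:
    """Assumed puzzle form: SHA-256 over the router's nonce and the client's trial value x."""
    return int.from_bytes(hashlib.sha256(nonce + x.to_bytes(8, "big")).digest(), "big")

def check_solution(nonce: bytes, x: int, d: int) -> bool:
    """Valid when the hash has d leading zero bits, so a solution costs about 2**d hashes."""
    return puzzle_hash(nonce, x) >> (256 - d) == 0

def solve_puzzle(nonce: bytes, d: int) -> int:
    """Client side: brute-force search. The hashes spent here are the 'computation flow'."""
    x = 0
    while not check_solution(nonce, x, d):
        x += 1
    return x

class BloomFilter:
    """Compact set of seen solutions; the slides propose a Bloom filter for client nonces."""
    def __init__(self, m_bits: int = 1 << 16, k: int = 3):
        self.m, self.k, self.bits = m_bits, k, 0
    def _positions(self, item: bytes):
        for i in range(self.k):
            yield int.from_bytes(hashlib.sha256(bytes([i]) + item).digest()[:8], "big") % self.m
    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits |= 1 << p
    def __contains__(self, item: bytes) -> bool:
        return all(self.bits >> p & 1 for p in self._positions(item))

class PuzzleRateLimiter:
    """Router side: bytes are credited in proportion to hashes paid (control ratio, bytes/hash)."""
    def __init__(self, ratio_bytes_per_hash: float, d: int):
        self.ratio, self.d = ratio_bytes_per_hash, d
        self.credit = {}           # per-source byte budget earned by computation
        self.seen = BloomFilter()  # rejects re-used solutions (the distributed-puzzle problem)
    def accept_solution(self, src: str, nonce: bytes, x: int) -> bool:
        key = src.encode() + nonce + x.to_bytes(8, "big")
        if key in self.seen or not check_solution(nonce, x, self.d):
            return False
        self.seen.add(key)
        # one valid solution stands for roughly 2**d hash evaluations of paid work
        self.credit[src] = self.credit.get(src, 0.0) + self.ratio * 2 ** self.d
        return True
    def admit(self, src: str, nbytes: int) -> bool:
        """Forward a packet only if its source has paid enough computation for those bytes."""
        if self.credit.get(src, 0.0) < nbytes:
            return False
        self.credit[src] -= nbytes
        return True
```

With difficulty 8 and a ratio of 4 bytes/hash, one solution buys about 1024 bytes; a replayed solution earns nothing, and a source that has solved no puzzle is dropped.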

15
Security analysis
  • Weighted fairness in bandwidth allocation
    • allocate bandwidth according to the computation
      paid
  • Robustness against thwarted routers

16
Empirical study
  • Experiment settings
    • Use Network Simulator (NS-2)
    • Use a real Internet topology (CAIDA's Skitter map)
    • 1000 zombies and 500 http clients
    • Only 20Mbps on the congested link
    • Realistic simulation of puzzle-solving delay

17
Puzzle difficulty
18
Partial deployment II
19
Conclusions
  • Puzzles could be used to mitigate
    bandwidth-exhaustion attacks
  • Puzzles could be implemented in routers at
    affordable cost
  • Puzzles may encourage Internet users to cooperate
    with victims

20
Future work
  • Further empirical study of CP on PlanetLab
  • Build CP into a network processor

21
Partial deployment I
  • Without IP caching