1 SENSS Security Service for the Internet Jelena Mirkovic (USC/ISI), Minlan Yu (USC), Ying Zhang (HP Labs), Sivaram Ramanathan (USC)
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
1
SENSSSecurityServicefortheInternet
JelenaMirkovic(USC/ISI),Minlan Yu(USC),YingZhang(HPLabs),Sivaram Ramanathan (USC)
DDoS Attacks:LargeandPowerful
• DDoS attacksareincreasinginvolumeandfrequency(newrecord1.2Tbps)
• Disproportionatepowerinhandsofattacker– Attacksthatbringdownlarge,wellprovisionedvictimsoftenwieldedbyasinglepersonorsmallgroup(Spamhouse,Dyn,OVHandKrebs)
– Nospecialexperienceorcircumstance– Cheapforattacker,veryexpensiveforthevictim
• Enabledbylarge,distributedbotnets– Nosingleentity(centralizedordistributed)canwithstandthis,distributeddefensesamust
2
Oursolution:SENSS
3
• Fullysoftwaresolution– easytodeploy• EnablesanyISPtoofferautomated servicesfor
DDoS diagnosisandmitigation- Naturallydistributed,secure,robusttomisbehavior- WorkswithexistingISPinfrastructure(SDN,Flowspec,Netflow)
• VictimqueriesitsownISPorremoteISPs- Aboutitsinboundtraffic,routestoitsprefixes- Thishelpsdetectbestpointsformitigation
• VictimasksselectISPsto:- Filtersomeofitsinboundtraffic(victimspecifiesheadersignature)
- Demotearoutethatmaycontainabottleneck
SENSSModules
4
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
ST
client
clientserver
server
server
server
detector
detectorproxyblacklist aggregator
4
SENSSAPIsatISPs
• ExposedasWebservices– Leverageexistingfunctionalitiesforrobustness(replication),
security(HTTPS),charging(e-commerce)
• Messageauthentication:Proofofauthorityforaprefix– E.g.,RPKI,aDBofknowncustomers,prefixesandpublickeys
• TLSforcommunicationsecurity
5
Type Fields Action/ReplyTrafficquery Flow,dir,obs_time Listof<tag,dir,volume>
Trafficfilter/allow Flow,dir,tag,duration Deployfilter/allowactions
Routequery Prefix List ofbestpathstoprefix
Routedemote Prefix,segment,duration Demoterouteswithgivensegment
HowCanYouHelp?• Deployapassivemodule:
– Detector– learnhowoftenyouexperienceDDoS orparticipateinit
– Blacklistaggregator– getourfeedofsuspiciousprefixes• Deployanactivemodule:
– Server– automatefilterruledeploymentinmultipleswitches– Client+Detector– leverageyourISP’sDDoS solutionandtriggeritautomatically
• Lookingfor:– Experiencesfromtrenches,whatdoyoudonowforDoS?– One-timefeedbackonneeds,deployability,concerns– 1h/monthongoingfeedbackfromopsworld– Sitestopilotoursolutions
6
http://steel.isi.edu/Projects/SENSS/
Jelena Mirkovic Minlan Yu Ying Zhang SivaramRamanathan
Related Documents
![pages.shanti.virginia.edupages.shanti.virginia.edu/engagedlearning/files/2011/05/Types-of...êO!NêS le pe]êlunooue senss! uo peseq letlffiO( e svaepms .saouauadxa ê0!rues 01 'S6U!PUlJ](https://static.cupdf.com/doc/110x72/5e1f24ec90d708349f509ceb/pages-ons-le-pelunooue-senss-uo-peseq-letlffio-e-svaepms-saouauadxa-0rues.jpg)
