Proactive Defenses Against DDoS and Worm Attacks: Harnessing the Power of Power-Law Topology for Scalable Network Security
Kihong Park (PI), Hyojeong Kim, Ali Selcuk, Bhagya Bethala, Humayun Khan, Wonjun Lee
Network Systems Lab, Department of Computer Sciences, Purdue University
Internet Power-Law Topology: “A few are connected to many, many are connected to a few.”
→ facilitates strategic & economic filter deployment
Objective
Proactive protection: Prevent attacks from imparting harm in the first place
Reactive protection: Respond, attribute, and contain new and non-preventable attacks
→ new approach: distributed packet filtering (DPF) → proactive & reactive filtering
DDoS Attack Protection
→ DPF: route-based filtering (“unde venis?”, i.e. “where do you come from?”)
→ NLANR (1997-2002), CAIDA, RIPE, USC/ISI, UMich Internet AS measurement data
[Figure: AS topology with victim, attackers, and filters marked; legend low / med / high; panels “Without DPF” and “With DPF”]
→ 4% deployment achieves significant protection: containment & traceback
Worm Attack Protection
→ DPF: content-based filtering
[Figure: infection dynamics versus filter density, showing the percolation threshold / critical filter density]
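The route-based DPF check described above, as an added illustration that is not code from the poster or from the Purdue DPF simulator: a small hand-built AS graph with one hub stands in for a power-law topology, hop-count shortest paths stand in for BGP routes, and a filter at a node keeps, for each incoming link, the set of source ASes whose route to some destination legitimately enters over that link (the source-address-only form of the filter). A packet whose claimed source is not in that set fails the “unde venis?” check and is dropped. The topology, node numbers, and function names are all constructed for this example.

```python
"""Route-based distributed packet filtering (DPF) on a constructed AS graph.

Added example; not the poster's own code. Assumptions: BFS shortest paths
stand in for BGP routes, and a filter table at node v records, per
in-neighbour u, the sources whose route to some destination uses link u->v.
"""
from collections import deque

# Constructed toy topology: node 0 is the hub ("a few connected to many"),
# the remaining nodes have few links. Undirected adjacency lists.
TOPOLOGY = {
    0: [1, 2, 3, 4],
    1: [0, 5],
    2: [0, 6],
    3: [0],
    4: [0, 7],
    5: [1],
    6: [2],
    7: [4],
}


def shortest_paths(graph, src):
    """BFS from src; returns a parent map describing the route tree."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for w in graph[u]:
            if w not in parent:
                parent[w] = u
                queue.append(w)
    return parent


def route(graph, src, dst):
    """Hop-by-hop route from src to dst as a list of nodes (src first)."""
    parent = shortest_paths(graph, src)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def build_filter_tables(graph, filter_nodes):
    """Filter tables for the deployed nodes.

    tables[v][u] is the set of source ASes that can legitimately arrive
    at v over the link from u, derived from the routes of every
    (source, destination) pair in the graph.
    """
    tables = {v: {u: set() for u in graph[v]} for v in filter_nodes}
    for s in graph:
        for d in graph:
            if s == d:
                continue
            path = route(graph, s, d)
            for i in range(1, len(path)):
                u, v = path[i - 1], path[i]
                if v in tables:
                    tables[v][u].add(s)
    return tables


def accept(tables, node, in_neighbour, src):
    """The "unde venis?" decision at node for a packet claiming source src
    that arrived over the link from in_neighbour. Nodes without a filter
    forward everything."""
    if node not in tables:
        return True
    return src in tables[node][in_neighbour]


def spoofable_sources(graph, tables, attacker, victim):
    """Source addresses an attacker can forge that still reach the victim.

    Routing is destination-based, so the forged source does not change the
    path; every filter on the attacker->victim route gets to inspect it.
    """
    path = route(graph, attacker, victim)
    reachable = set()
    for s in graph:
        if all(accept(tables, path[i], path[i - 1], s)
               for i in range(1, len(path))):
            reachable.add(s)
    return reachable


if __name__ == "__main__":
    hub_only = build_filter_tables(TOPOLOGY, {0})
    hub_and_1 = build_filter_tables(TOPOLOGY, {0, 1})
    print("route 5->6:", route(TOPOLOGY, 5, 6))
    print("forgeable at 6 from 5, filter at hub:", spoofable_sources(TOPOLOGY, hub_only, 5, 6))
    print("forgeable at 6 from 5, filters at 0 and 1:", spoofable_sources(TOPOLOGY, hub_and_1, 5, 6))
```

With a filter only at the hub, an attacker at leaf 5 targeting node 6 can still forge the address of its upstream node 1, because both 1 and 5 legitimately enter the hub over the same link; adding a filter at node 1 shrinks the spoofable set to the attacker's own address, which is what makes surviving attack traffic traceable. The hub is the natural first deployment point because its links carry the routes of many sources, which is the topological effect the poster relies on.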
Tools: Large-Scale Simulation & Prototype System Building
Dynamic DPF Simulator: Parallel Network Simulation
→ workstation cluster
[Figure: simulator architecture. Configuration via Meta-DML (Topology, Protocol Stack, Attack Configuration, Network Partition) and DML; simulated protocol stack of Applications, Socket API, TCP/UDP, IP, and Link Layer with DPF Lookup and BGP DPF Update; DaSSF kernel over MPI; sources {attackers, traffic generators, fault generators, …} with CBR, Poisson, self-similar, MMPP, and file-transfer traffic]
_ 12,500+ node networks
_ Failure model
_ Power-law partitioning
_ System measurement
_ Meta-DML configuration
_ Trace-driven visualization
Network Processor Prototyping
Intel IXP1200 Network Processor
_ 7-node IXP1200 NP testbed
_ DPF implementation & evaluation
_ Teja development environment