Slide 1: Preventing Internet Denial-of-Service with Capabilities
Tom Anderson, David Wetherall (Univ. of Washington); Timothy Roscoe (Intel Research at Berkeley)
Anupam Chanda, Khaled Elmeleegy. Comp 629. 6/20/2016

Slide 2: Paper Summary
- An approach to prevent DoS attacks
- Nodes obtain "permission to send" (a capability) from the destination
- Verification points enforce the capabilities
- Suitable for incremental deployment

Slide 3: Overview
- Motivation
- Related work
- Proposed solution
- Conclusion

Slide 4: Motivation
- DoS: flooding of a limited resource
  - CPU/memory on hosts, routers, firewalls
- Anomaly detection
- Automated response, often a shutdown
- New applications are likely to look anomalous
- "Normal" traffic could be an attack
  - Code Red worm: infected hosts send packets that look legitimate

Slide 5: Related Work

Slide 6: Source Address Filtering
- At network ingress and egress points
- Prevents spoofing attacks
- However...
  - Addresses with the same network prefix can still be spoofed
  - Attacks often consist of legitimate packets, e.g. from hosts infected by a virus

Slide 7: IP Traceback
- Traces the source of the attack
- Detection rather than prevention
- Can do post-mortem traceback
- Marking of IP packets

Slide 8: IP Traceback (contd.)
[Figure: attack topology with nodes A1, A2, A3 reaching victim V through routers R1 to R6]

Slide 9: Pushback
- Pushback daemon
  - Monitors the traffic pattern
  - Rules to indicate a DoS attack
  - Communicates with upstream routers (pushback)
  - Upstream routers drop packets

Slide 10: Anomaly Detection
- Rule-based or statistical techniques
  - Classify traffic as friendly/malicious
- Malicious traffic detection
  - Install network filters
  - Emails to network administrators
- Legitimate applications may trigger alerts
  - Application-level, end-to-end decision making is required
Slide 11: Overlay Filtering
- Traffic rerouted through special nodes
- Traffic passed through an overlay
  - Sophisticated analysis and filtering
- Adds a secret to the packets
  - Downstream routers check for the secret
- Similar to capability-based filtering, which adds nonce tokens in the capabilities

Slide 12: Proposed Solution

Slide 13: System's components
- Request To Send (RTS) server
  - Used by sources to get tokens to send (capabilities)
- Verification Points (VP)
  - Perform access control by verifying that a valid token is present in the packet
- VPs are coupled with RTS servers, both co-located with BGP speakers

Slide 14: Obtaining permission to send
- Autonomous Systems (AS) advertise that they want their inbound traffic filtered
  - Augment the BGP advertisement
  - Give the address of their RTS server
- Any AS along the way may add its RTS server to the BGP advertisement
- The source can discover a chain of RTS servers through which it can send its request

Slide 15: Token Generation and passing
- Destination generates a hash chain
  - 64-bit one-way hash values h1, h2, ..., hk, where each value is the hash of the previous one (hk = hash(hk-1))
- Destination sends hk back to the source through the RTS servers
- RTS servers and VPs remember the token and associate it with the flow

Slide 16: Sending with capabilities
- A token (capability) allows the source to send n packets in t seconds
- Source includes the token in its packets
- VPs along the path validate the token
  - If the token is found and still valid, increment its usage count and forward
  - Else drop the packet

Slide 17: Acquiring new capabilities (in band)
- Could explicitly request a new token
  - Bad performance (overhead of another RTS round trip)
- Instead, the destination sends hk-1 (the new capability) after receiving nearly n packets
- Source switches to hk-1 for the next n packets
- VPs switch to hk-1
  - They verify hk-1 against the hash chain: hk = hash(hk-1); because the hash is one-way, a party that only saw hk cannot produce hk-1, so only the destination can issue the renewal

Slide 18: Security issues
- RTS servers control the rate of RTS packets to destinations
- RTS servers are protected against floods
  - Only accessed by nodes in the same AS or by other RTS servers
- Tokens are difficult to guess
  - If you can sniff the token, you can disrupt the communication anyway

Slide 19: Conclusions
- Explicit authorization scheme to address DoS
- The paper argued that, besides solving the DoS problem, the scheme is:
  - Feasible
  - Incrementally deployable
- No experiments, so no sense of the added overhead

Slide 20: Questions?
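Added worked example (not from the paper or from the presenters' slides): the capability lifecycle of slides 15 to 17 as a small Python simulation. The destination builds a hash chain h1..hk and hands out hk first; a verification point enforces "n packets in t seconds" per token; the in-band renewal hk-1 is accepted only if hash(hk-1) equals the installed token. The paper fixes no concrete hash function, packet format or flow key, so SHA-256 truncated to 64 bits, the (source, destination) flow key, the RENEW_MARGIN constant and all addresses and parameters below are assumptions.

```python
"""Hash-chain capabilities (after Anderson, Wetherall, Roscoe): destination
issues hk, verification points (VPs) enforce n packets in t seconds per token,
and renewal is checked with hk == h(hk-1). Added example; names are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOKEN_BYTES = 8      # the slides specify 64-bit hash values
RENEW_MARGIN = 1     # "nearly n": reveal the next value this many packets early (assumed)

Flow = Tuple[str, str]   # (source, destination); the paper's flow key is an assumption here


def h(x: bytes) -> bytes:
    """One-way function; SHA-256 truncated to 64 bits is an assumption, not the paper's choice."""
    return hashlib.sha256(x).digest()[:TOKEN_BYTES]


def make_chain(k: int, seed: Optional[bytes] = None) -> List[bytes]:
    """Return [h1, ..., hk] with h_{i+1} = h(h_i); h1 is a secret only the destination knows."""
    chain = [seed if seed is not None else secrets.token_bytes(TOKEN_BYTES)]
    for _ in range(k - 1):
        chain.append(h(chain[-1]))
    return chain


class Destination:
    """Issues capabilities from the top of the chain (hk first) and reveals hk-1 in band."""

    def __init__(self, k: int, n: int, t: float, seed: Optional[bytes] = None):
        self.chain, self.n, self.t = make_chain(k, seed), n, t
        self.idx = k - 1            # index of the value currently in use (hk)
        self.received = 0           # packets received under the current token

    def grant(self) -> Tuple[bytes, int, float]:
        """Initial capability, returned to the source through the RTS chain: (hk, n, t)."""
        return self.chain[self.idx], self.n, self.t

    def on_packet(self) -> Optional[bytes]:
        """After nearly n packets, reveal the next chain value (hk-1, then hk-2, ...)."""
        self.received += 1
        if self.received >= self.n - RENEW_MARGIN and self.idx > 0:
            self.idx -= 1
            self.received = 0
            return self.chain[self.idx]
        return None                 # nothing due yet, or the chain is exhausted


@dataclass
class Cap:
    token: bytes
    n: int
    t: float
    used: int = 0
    installed: float = 0.0


class VerificationPoint:
    """Per-flow table: the token seen in the RTS reply, its usage count and window start."""

    def __init__(self) -> None:
        self.caps: Dict[Flow, Cap] = {}

    def install(self, flow: Flow, token: bytes, n: int, t: float, now: float) -> None:
        self.caps[flow] = Cap(token, n, t, 0, now)

    def verify(self, flow: Flow, token: bytes, now: float) -> bool:
        """Forward only if the packet carries the installed token and the budget is unspent."""
        cap = self.caps.get(flow)
        if cap is None or not hmac.compare_digest(cap.token, token):
            return False            # no capability for this flow or wrong token: drop
        if now - cap.installed > cap.t or cap.used >= cap.n:
            return False            # window expired or n packets already forwarded: drop
        cap.used += 1
        return True

    def renew(self, flow: Flow, candidate: bytes, now: float) -> bool:
        """Switch to hk-1 only if it hashes to the current token; a forged value cannot pass."""
        cap = self.caps.get(flow)
        if cap is None or not hmac.compare_digest(h(candidate), cap.token):
            return False
        cap.token, cap.used, cap.installed = candidate, 0, now
        return True


def simulate(n: int = 4, t: float = 10.0, k: int = 3, seed: bytes = b"\x01" * 8) -> dict:
    """Drive one source through a VP to a destination with constructed parameters."""
    dst, vp = Destination(k, n, t, seed), VerificationPoint()
    flow: Flow = ("10.0.0.1", "192.0.2.10")          # constructed addresses
    tok, n_, t_ = dst.grant()                        # RTS reply carries hk
    vp.install(flow, tok, n_, t_, now=0.0)
    r = {"guess_dropped": not vp.verify(flow, bytes(TOKEN_BYTES), 0.0)}   # guessed token
    first = tok
    accepted = dropped = renewals = 0
    for i in range(12):                              # source sends 12 packets
        now = 0.1 * i
        if not vp.verify(flow, tok, now):
            dropped += 1
            continue
        accepted += 1
        new = dst.on_packet()                        # destination piggybacks hk-1 when due
        if new is not None and vp.renew(flow, new, now):
            renewals += 1
            tok = new                                # source switches for the next n packets
    r.update(accepted=accepted, dropped=dropped, renewals=renewals)
    r["forged_renewal_rejected"] = not vp.renew(flow, bytes(TOKEN_BYTES), 1.2)
    r["old_token_rejected"] = not vp.verify(flow, first, 1.2)   # hk is stale after the switch
    vp2 = VerificationPoint()                        # fresh VP to show the t-second window alone
    vp2.install(flow, first, n, t, 0.0)
    r["expired_rejected"] = vp2.verify(flow, first, t) and not vp2.verify(flow, first, t + 1.0)
    return r


if __name__ == "__main__":
    print(simulate())
```

Running the file prints the outcome dictionary: with n = 4 and a chain of length 3 the VP forwards 10 packets, performs two hash-chain renewals (h3 to h2, h2 to h1) and then drops the remaining packets because the chain is exhausted; a fresh chain would require the explicit RTS request that slide 17 calls expensive. Two design choices not settled by the slides: the VP rejects the previous token immediately after a switch (a deployment might allow a short grace period for in-flight packets), and it rejects a renewal that skips a chain value (h1 offered while h3 is installed), since only a value one hash step below the current token passes the check.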