Capturing DDoS Traffic Footprints on the Internet


Research on pathfinding techniques for detecting and mitigating Distributed Denial of Service (DDoS) attacks. The study involves analyzing traffic footprints, identifying attack sources, and exploring filtering capabilities to enhance network security against DDoS threats.

  • DDoS attacks
  • Internet security
  • Traffic analysis
  • Network defense
  • Pathfinding

Uploaded on Feb 18, 2025



Presentation Transcript


  1. PathFinder: Capturing DDoS Traffic Footprints on the Internet. Lumin Shi, Mingwei Zhang, Jun Li, and Peter Reiher. IFIP Networking 2018, May 14, 2018.

  2. Many defenses depend on filtering traffic. DDoS attacks: but where should the filtering happen? [Figure: a topology of ASes.]

  3. One Obvious Constraint. Filtering big attacks must be more distributed. [Figure: a topology of ASes; by the time the traffic converges near the victim, "here it's too late".]

  4. Another Obvious Constraint. You can't filter traffic if it isn't there! But where is it? [Figure: a topology of ASes with the attack paths marked: "now you have choices".]

  5. PathFinder. PathFinder points out these choices: the ASes that are sending traffic towards you, telling you where filtering might work. It uses existing router capabilities, is effective in partial deployment, and offers options trading off cost against the level of detail in the information.

  6. The Basic Approach. 1. The client asks PathFinder to locate traffic paths. 2. PathFinder queries participating ASes. 3. They report to PathFinder on the traffic to the target that they observe. 4. PathFinder sends an aggregate report to the client.

  7. Building AS Reports. 1. The AS gets reports from its egress routers about traffic to the victim. 2. It uses those reports to build a summary report to send to PathFinder. Here's where a lot of careful design was required.

  8. PathFinder Operation Modes. Source-agnostic: I only care about whether you're carrying traffic going to me. Source-aware: I also need to know where it's coming from (and maybe how much).

  9. Why Does Mode Matter? Source-agnostic mode is easy: we just need to mark if we see traffic to a victim. Source-aware is harder: we need to keep track of source addresses (at least prefixes), and maybe volume per address/prefix.

  10. Considering Our Case. [Figure: a participating AS seeing traffic from source 1.2.3.4 and from another source 5.6.7.8.] Source-agnostic: "Yes, I see traffic to you." DONE! Source-aware: what if there aren't two source addresses? What if there are two million? We need a scalable method to record and report that information.

  11. The PFTrie Structure. A form of prefix tree, used to store the source IP addresses that a participating PathFinder node has seen: compactly, without wasting space for what you haven't seen, while still being able to extract the full set you have seen. The position in the tree is the address.

  12. A PFTrie in Action. We've already stored address X.111. Now we see address X.101, so we have to store that. We don't have a node for the 0 yet, so put it in. We also don't have a node for the final 1 yet, so put that in as well. Now we have a record that we saw X.101. [Figure: a trie rooted at X with the branches 1-1-1 and 1-0-1.]

  13. Optimizing the PFTrie. We've seen both X.100 and X.101, so the PFTrie has a node for both. Replace them with a single node marked as representing both. Another optimization: only store prefixes, not entire addresses. [Figure: the trie for X.100 and X.101 before and after the two leaves are merged into one node.]
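As an added illustration (not code from the PathFinder paper or its authors), a small Python PFTrie covering slides 11 to 13: addresses and prefixes are inserted bit by bit, two fully-seen sibling leaves collapse into their parent as on slide 13, and the full set of prefixes can be extracted for the client as slide 11 requires. The node layout and method names are my own assumptions.

```python
import ipaddress


class PFTrie:
    """Added PFTrie illustration (not the paper's code): trie of seen source prefixes."""

    def __init__(self):
        # node = [child_for_bit_0, child_for_bit_1, full]; full means this
        # whole prefix has been seen, so nothing below it needs storing.
        self.root = [None, None, False]

    def insert(self, prefix):
        """Record an address ("1.2.3.4") or prefix ("10.0.0.0/8") as seen."""
        net = ipaddress.ip_network(prefix, strict=False)
        bits = format(int(net.network_address), "032b")[:net.prefixlen]
        self._insert(self.root, bits)

    def _insert(self, node, bits):
        if node[2]:
            return                    # already covered by a shorter prefix
        if not bits:
            node[0] = node[1] = None  # this prefix subsumes anything below
            node[2] = True
            return
        b = int(bits[0])
        if node[b] is None:
            node[b] = [None, None, False]
        self._insert(node[b], bits[1:])
        # Slide 13 optimization: both children fully seen -> one node for the
        # shorter prefix (X.100 and X.101 collapse into X.10).
        if node[0] and node[1] and node[0][2] and node[1][2]:
            node[0] = node[1] = None
            node[2] = True

    def prefixes(self):
        # Extract the full set of seen prefixes, as the client needs them.
        out = []
        self._walk(self.root, "", out)
        return out

    def _walk(self, node, path, out):
        if node[2]:
            addr = int(path.ljust(32, "0"), 2)
            out.append(str(ipaddress.ip_network((addr, len(path)))))
            return
        for b in (0, 1):
            if node[b] is not None:
                self._walk(node[b], path + str(b), out)

    def node_count(self):
        count = lambda n: 1 + sum(count(c) for c in n[:2] if c)
        return count(self.root)
```

node_count() makes the space saving visible: two adjacent /32s cost 34 nodes before the merge and 32 after, and a whole /8 seen once costs only 8 nodes below the shared path.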

  14. Why Not Bloom Filters? They would be smaller than PFTries, but they're harder to traverse: the client needs to know what addresses were seen, and Bloom filters would need to be queried for each address. Alternatively we could infer filtering locations, but that is not helpful with spoofing or asymmetric routing.

  15. Some Performance Results. Simulated 100,000-bot attack, 25 Mbps per bot. Spoofed packets 50% likely to be filtered; asymmetric routing 30% likely. Without PathFinder, filters placed by inference. [Figure: effectiveness versus number of filters for no PathFinder, PathFinder in source-agnostic mode, and PathFinder in source-aware mode.] PathFinder: 90% effective with 500 filters. No PathFinder: 90% effective with 3500 filters.

  16. Conclusions. PathFinder assists DDoS defenses in choosing the most effective locations. PathFinder uses existing router features. PathFinder is more effective and cheaper than previous approaches. PathFinder might be useful for other purposes.
