cse cse 123123 computer computer...

39
CSE CSE 123 123 Computer Computer Networking Networking Fall 2009 Fall 2009 Network security Network security NAT, Firewalls, NAT, Firewalls, DDoS DDoS Geoff Voelker Geoff Voelker

Upload: others

Post on 27-Sep-2020

30 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

CSE CSE 123123Computer Computer NetworkingNetworking

Fall 2009Fall 2009Network securityNetwork security

NAT, Firewalls, NAT, Firewalls, DDoSDDoS

Geoff Voelker Geoff Voelker

Page 2: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Network securityNetwork securityNetwork securityNetwork security The Internet is not always a friendly place The Internet is not always a friendly place In fact, hosts on the Internet are under

constant attack How to deal with this is a large topic

Take CSE127 in the Spring!p g Today: a look at a few network layer issues

Address translation Firewalls Denial-of-service

Page 3: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

NATs and FirewallsNATs and FirewallsNATs and FirewallsNATs and Firewalls Problem: Protecting or isolating one part of the g g p

network from other parts In particular: protect your network from global Internet

Need to filter or otherwise limit network traffic How to configure this information? How to configure this information?

Questions: What information do you use to filter? Where do you do the filtering?

Page 4: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Kinds of FirewallsKinds of FirewallsKinds of FirewallsKinds of Firewalls Personal firewalls

Run at the end hosts e.g. Norton, Windows, etc. Benefit: has more application/user specific informationpp p

Network Address Translators Rewrites packet address information

Filter Based Operates by filtering based on packet headers

Proxy based Operates at the level of the application e.g. Web proxy e g eb p o y

Page 5: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Network Address TranslationNetwork Address TranslationNetwork Address TranslationNetwork Address Translation Idea: Break the invariant that IP addresses are Idea: Break the invariant that IP addresses are

globally unique10.0.1.15

Internet171.69.210.246

NAT10.0.1.13

10.0.1.1210 0 1 14

NAT Port

10.0.1.14 10.0.1.14

Page 6: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Typical NAT BehaviorTypical NAT BehaviorTypical NAT BehaviorTypical NAT Behavior NAT maintains a table of the form: NAT maintains a table of the form:

<client IP> <client port> <NAT ID> Outgoing packets (on non-NAT port):g g p ( p )

Look for client IP address, client port in the mapping table

If found, replace client port with previously allocated NAT ID (same size as PORT #)

If not found allocate a new unique NAT ID and If not found, allocate a new unique NAT ID and replace source port with NAT ID

Replace source address with NAT address

Page 7: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

NAT Behavior NAT Behavior NAT Behavior NAT Behavior Incoming Packets (on NAT port) Incoming Packets (on NAT port)

Look up destination port number as NAT ID in port mapping table

If found, replace destination address and port with client entries from the mapping table If not found the packet is not for us and should be If not found, the packet is not for us and should be rejected

Table entries expire after 2-3 minutes to allow them to be garbage collected

Page 8: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Benefits of NATBenefits of NATBenefits of NATBenefits of NAT Only allows connections to the outside that are y

established from inside. Hosts from outside can only contact internal hosts that appear

in the mapping table and they’re only added when theyin the mapping table, and they re only added when they establish the connection

Some NATs support firewall-like configurability

Don’t need as large an external address space (i.e. 10 machines can share 1 IP address) (i.e. 10 machines can share 1 IP address)

Page 9: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Drawbacks of NATDrawbacks of NATDrawbacks of NATDrawbacks of NAT Rewriting IP addresses isn’t always easy:g y y

Must also look for IP addresses in data stream and rewrite them (may have to be protocol-aware)Potentially changes sequence number information Potentially changes sequence number information

» E.g., Addresses listed as text in FTP sessionpublic address is 128.124.127.245 (16 bytes of text), private is 10 1 1 1 (9 bytes of text)private is 10.1.1.1 (9 bytes of text)

Must validate/recalculate protocol checksums May not work with all protocolsy p

E.g., streaming media protocols» Common for client to invoke server and server to open

new connection back to cliente co ect o bac to c e t Clients may have to be aware that NAT translation

is going on

Page 10: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

FirewallsFirewallsFirewallsFirewalls Break the invariant that all IP address/ports Break the invariant that all IP address/ports

are equally reachable from anywhere Idea: classify traffic and say “yes” or “no”y y y

Packet Filter BasedO t b filt i b d k t h d Operates by filtering based on packet headers

Network Proxy based Operates at the level of the application e.g. HTTP web proxy

Page 11: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Packet Filtering Packet Filtering FirewallsFirewallsPacket Filtering Packet Filtering FirewallsFirewalls Packet filtering firewalls can take advantage of the g g

following information from network and transport layer headers: Source, Destination, Source Port, Destination Port Flags (e.g. ACK)

Some firewalls keep state about open TCP Some firewalls keep state about open TCP connections Allows conditional filtering rules of the form “if internal

machine has established the TCP connection permit inboundmachine has established the TCP connection, permit inbound reply packets”

Best practice: default deny and only enable ports for necessary servicesnecessary services

Page 12: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Filter ExampleFilter ExampleFilter ExampleFilter ExampleAction ourhost port theirhost port commentbl k * * BAD * t t d h tblock * * BAD * untrusted hostallow mailhst 25 * * allow our SMTP portApply rules from top to bottom with assumed default entry:

Action ourhost port theirhost port commentblock * * * * default

Bad entry intended to allow connections to SMTP from inside:

Action ourhost port theirhost port commentallow * * * 25 connect to their SMTPThis allows all connections from port 25, but an outside machinecan run anything on its port 25!

Page 13: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

ProxyProxy--based Firewallsbased FirewallsProxyProxy--based Firewallsbased Firewalls

Fi llLocalWebExternal

Cli t

Firewall

Web Proxy

External TCP/HTTP connection

Internal TCP/HTTP connection

Proxy acts like both a client and a server.

ServerClient Proxyconnection connection

y Able to filter using application-level info

For example, permit some URLs to be visible outside and prevent others from being visibleprevent others from being visible.

Block sites based on site content

Page 14: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Benefits of FirewallsBenefits of FirewallsBenefits of FirewallsBenefits of Firewalls Increased security for internal hosts Increased security for internal hosts Reduced amount of effort required to counter

break ins (small number of devices to (configure)

Possible added convenience of operation pwithin firewall (with some risk)

Page 15: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Drawbacks of firewallsDrawbacks of firewallsDrawbacks of firewallsDrawbacks of firewalls Costs:

Hardware/software purchase and maintenance Administrative setup and training, and ongoing administrative

costs and trouble-shootingcosts and trouble shooting Single-point of failure on network, added management

complexity

F l f it False sense of security Limited language (IP addresses, ports) so doesn’t protect

against malware in Web pages, flash, e-mail, etc. Inside vs outside model is fragile (once an internal host is

compromised firewall does no good)» What about wireless laptops?

Page 16: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

DenialDenial--ofof--serviceserviceDenialDenial--ofof--serviceservice Attack against availability – shut down target siteg y g Two kinds of attacks:

Logic vulnerabilities: exploit bugs to cause crashPi f D th L d» e.g. Ping-of-Death, Land

» Fix via filtering and patching Resource consumption: overwhelm with spurious requests

» e.g. SYN flood, Smurf, bandwidth overflow» Much tougher to fix…

Distributed denial-of-service attacks (DDOS)( ) Lots of hosts attack a victim at once Typically many hosts under centralized control (botnet)

Page 17: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Consequent: Victim Consequent: Victim sufferssuffersConsequent: Victim Consequent: Victim sufferssuffers Server CPU/Memory resourcesy

Consumes connection state (e.g. SYN flood) Time to evaluate messages (interrupt livelock)

» Some messages take “slow path” (e g invalid ACK)» Some messages take slow path (e.g. invalid ACK) Can cause new connections to be dropped and existing

connections to time-out

Network resources Many routers packet-per-second limited FIFO queuing Many routers packet-per-second limited, FIFO queuing If attack is greater than forwarding capacity, good data will be

dropped

Page 18: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Aside: UCSD analysis of Aside: UCSD analysis of DoSDoSAside: UCSD analysis of Aside: UCSD analysis of DoSDoS

Simple question: how prevalent are denial-of-service attacks?denial-of-service attacks?

In 2001 lots of anecdotal answers/rumorsIn 2001, lots of anecdotal answers/rumors

Page 19: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Quantitative data?Quantitative data?Quantitative data?Quantitative data? Isn’t available (i.e. no one knows)( )

Inherently hard to acquire Few content or service providers collect such data If they do, its usually considered sensitive

Infeasible to collect at Internet scale How to monitor enough to the Internet to obtain a

representative sample?representative sample?

Page 20: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

A good estimate:A good estimate:[Moore Voelker Savage01][Moore Voelker Savage01][Moore, Voelker, Savage01][Moore, Voelker, Savage01]

Backscatter analysis New technique for estimating global denial-of-

service activityservice activity

First data describing Internet-wide DoS activity First data describing Internet-wide DoS activity ~4,000 attacks per week (> 12,000 over 3 weeks) Instantaneous loads above 600k pps (packets per

second) Characterization of attacks and victims

Page 21: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Key ideaKey ideaKey ideaKey idea

Flooding-style DoS attacks e.g. SYN flood – lots of TCP SYN packets; designed

to consume connection state at receiverto consume connection state at receiver Attackers spoof source address randomly

No requirement to have correct source address! No requirement to have correct source address! Hides identity of attacking host

Victims, in turn, respond to attack packets Unsolicited responses (backscatter) equally

distributed across IP address spaceR i d b k i id f Received backscatter is evidence of an attacker elsewhere

Page 22: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Random IP spoofing produces Random IP spoofing produces random backscatterrandom backscatterrandom backscatterrandom backscatter

SYN+ACK backscatter

BVB C VD V

SYN packets VB

AttackerVictimV

Attacker

AttackBackscatterBackscatter

CD

Page 23: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Backscatter analysisBackscatter analysisBackscatter analysisBackscatter analysis

Monitor block of n IP addresses Expected # of backscatter packets given an

attack of m packets:

nmE(X)

Extrapolated attack rate R’ is a function of

322E(X)

Extrapolated attack rate R is a function of measured backscatter rate R:

RR322'n

RR '

Page 24: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Attacks over timeAttacks over timeAttacks over timeAttacks over time

December 4, 2009 CSE 127 -- Lecture 14 – Network Security II 24

Page 25: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Example 1: Periodic attack Example 1: Periodic attack (1hr per 24hrs)(1hr per 24hrs)(1hr per 24hrs)(1hr per 24hrs)

December 4, 2009 CSE 127 -- Lecture 14 – Network Security II 25

Page 26: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Example 2: Punctuated Example 2: Punctuated attack (1min interval)attack (1min interval)attack (1min interval)attack (1min interval)

Page 27: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Attack duration distributionAttack duration distributionAttack duration distributionAttack duration distribution

Page 28: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Attack rate distributionAttack rate distributionAttack rate distributionAttack rate distribution

December 4, 2009 CSE 127 -- Lecture 14 – Network Security II 28

Page 29: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Victim characterization Victim characterization by DNS nameby DNS nameby DNS nameby DNS name

Entire spectrum of commercial businesses Entire spectrum of commercial businesses Yahoo, CNN, Amazon, etc and many smaller biz

Evidence that minor DoS attacks used for personal vendettas 10-20% of attacks to home machines A few very large attacks against broadband A few very large attacks against broadband Many reverse mappings clearly compromised

(e.g. is.on.the.net.illegal.ly and the feds cant secure their shellz ca)the.feds.cant.secure.their.shellz.ca)

5% of attack target infrastructure Routers (e.g. core2-core1-oc48.paol.above.net)( g p ) Name servers (e.g. ns4.reliablehosting.com)

Page 30: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Victim breakdown by Victim breakdown by TLDTLD(top level domain)(top level domain)(top level domain)(top level domain)

35

30

35

Week 1

20

25

f Atta

cks Week 2

Week 3

10

15

Perc

ent o

f

5

10

December 4, 2009 CSE 127 -- Lecture 14 – Network Security II 30

0unknown net com ro br org edu ca de uk

Top-Level Domain

Page 31: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

DenialDenial--ofof--Service Prevalence Service Prevalence SummarySummarySummarySummary

Lots of attacks – some very largey g >12,000 attacks against >5,000 targets in a week Most < 1,000 pps, but some over 600,000 pps

E i t ti l t t Everyone is a potential target Targets not dominated by any TLD or 2nd-level

domain» Targets include large e-commerce sites, mid-

sized business, ISPs, government, universities and end-usersand end users

Something weird is happening in Romania New attack “styles”

December 4, 2009 CSE 127 -- Lecture 14 – Network Security II31

Punctuated/periodic attacks Attacks against infrastructure targets & broadband

Page 32: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

What to do?What to do?What to do?What to do? Defenses against address spoofing Defenses against address spoofing Filtering based on attack features or IP

address Make attacker do work

Those marked with * are used in real products vs hypothetical academic ideass ypot et ca acade c deas

Page 33: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Address spoofingAddress spoofingAddress spoofingAddress spoofing Filter packets with incorrect source addresses [*]

Network egress: filter packets on a link whose source addresses are not reached using the link as the next hop

Network ingress: filter packets whose source address are not in the routing table at allin the routing table at all

SYN Cookies [*] Issue: allocating per TCP session state is expensive

(that’s why the SYN flood attack works)( y ) Delay allocation of state until remote host commits to three-

way handshake Send back SYN/ACK packet without allocating state on

server; server’s initial sequence number (ISN) encodes aserver; server s initial sequence number (ISN) encodes a secret “cookie” that is function of src,dst,srcport,dstport and time.

Allocate state only when client sends ACK to server’s SYN/ACK ( i ki t lid t )SYN/ACK (using cookie to validate)

Page 34: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Address spoofing(2)Address spoofing(2)Address spoofing(2)Address spoofing(2) Puzzles

Don’t commit state until client has don’t a bunch of “work” for you (i.e. solved computationally tough problem)

Server provides puzzle to client» Hardness can be determined by load

Client must solve puzzle (easy to verify by server) to allocate state

Tricky: if validation isn’t free, bad guy can sent lots of invalid puzzle solutions to server

CAPTCHAs (reverse turing test) Put graphical puzzle in response packet Make user solve graphical puzzle before committing state

Page 35: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Address spoofing(3)Address spoofing(3)Address spoofing(3)Address spoofing(3) TTL filtering [*] TTL filtering [ ]

From a given host the TTL is decremented by a certain number of hops (based on network topology)

Standard IP implementations set the initial packet TTL value to a small set of values (32 64 128TTL value to a small set of values (32, 64, 128, 255) [can normalize because Internet diameter is mostly < 32]

Thus, keep track of TTLs for each source network and if attack starts, filter packets whose TTLs are inconsistentinconsistent

Page 36: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Address spoofing(4)Address spoofing(4)Address spoofing(4)Address spoofing(4) Traceback

Router support for tracking packets back to their sourceProbabilistic packet marking [Savage00 etc] Probabilistic packet marking [Savage00, etc]

» With some probability p, a router encodes the identity of the link the packet will traverse. Victim uses these packet “marks” to reconstruct path back to victimmarks to reconstruct path back to victim

Packet logging [Snoeren01, etc]» Routers hash packet header and store in database

Vi ti i t b t h th th ’ i» Victim queries router about whether they’ve seen a given packet and if so, from where… repeat

Main issue: then what?

Page 37: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Packet filteringPacket filteringPacket filteringPacket filtering Idea, if there is a common feature to the packet (i.e. , p (

“Die, you loser” in the TCP data) then look for those packets and drop them [*]If f t i t th t t fi d t dd “ d” If no feature exists then try to find way to add a “good” feature E.g. ask user to solve CAPTCHAs and if they do re-direct

them to special port/IP; then filter packets not going to that special port/IP

Instead of dropping packets, can simply rate-limit s ead o d opp g pac e s, ca s p y a epackets that are suspicious [*]

Page 38: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

Buy more resourcesBuy more resourcesBuy more resourcesBuy more resources Buy more bandwidth, but more servers Buy more bandwidth, but more servers Large content distribution networks (e.g.

Akamai) can handle very large attacks [*]) y g [ ] Each attacker gets diverted to local Akamai

server Total bandwidth Akamai can handle is the product

of the bandwidth to all Akamai servers Akamai has weather attacks in excess of 10GB

I h f th t? $$$ Issue: who pays for that? $$$

Page 39: CSE CSE 123123 Computer Computer NetworkingNetworkingcseweb.ucsd.edu/classes/fa09/cse123/123f09_Lec15.pdf · CSE CSE 123123 Computer Computer NetworkingNetworking Fall 2009 Network

SummarySummarySummarySummary Network address translation hides internal Network address translation hides internal

structure of network from outside Firewall limits which packets will be delivered p

to a host DDoS, some of the toughest problems to solve, g p

Network service model allows unsolicited requests Bad guys can leverage large # of resources No simple fix