Panel: Current Research on Stopping Unwanted Traffic

1
Panel: Current Research on Stopping Unwanted Traffic
  • Vern Paxson, Stefan Savage, Helen J. Wang
  • IAB Workshop on Unwanted Traffic
  • March 10, 2006

2
Unwanted Traffic
  • From the end host perspective
      • (D)DoS on a service
      • Exploit traffic attacking end host vulnerabilities
      • Botnet traffic
      • Undesirable application data, e.g., spam
  • From the network perspective
      • Unwanted traffic to end systems
      • Attacks on the network service
          • Flooding a link
      • Attacks on network operations
          • E.g., BGP prefix spoofing/hijacking, router compromise

3
The Economy behind Unwanted Traffic
  • Stefan to fill in
  • Botnet/software-flaw economy

4
General Approaches
  • Stop the known bad
  • Uncover the new bad
  • Filtering as close to the attack source as
    possible
  • Increase the cost of unwanted
  • The cost of the solution should be less than the cost of DoS (Simon et al 06)

5
End-Host: DDoS on a Service
  • Challenge: DDoS and flash crowd hard to distinguish
  • Detect and eliminate zombie requests
      • CAPTCHA
      • Pi
      • Botz-4-Sale (NSDI 2005)
      • BINDER (Usenix 2005)
  • Same solution as flash crowd
      • Akamai

6
End-Host: Exploit Traffic
  • Network intrusion detection systems
      • Bro, Snort
  • Fast attack signature generation
      • EarlyBird (OSDI 04), AutoGraph (Usenix Security 04)
  • Vulnerability-driven filtering
      • Shield (SIGCOMM 04), BrowserShield (06 under submission)
  • Detecting new vulnerabilities
      • TaintCheck (NDSS 04), Minos, Vigilante (SOSP 05), HoneyMonkey (NDSS 06)
  • Automatic response to fast-spreading worms
      • TaintCheck, Vigilante
  • Reduce the attack surface
      • Off by default! (HotNets 05), separate client/server address space (Handley, et al FDNA 04)
  • Undermining the attacks on end hosts
      • StackGuard, ASLR, ISR, program shepherding (Usenix Security 02), control flow integrity
  • Attack traffic analysis
      • Backscatter, Internet background radiation, Witty worm analysis
  • Honeyfarm
      • Roleplayer, Potemkin, vGround

7
End-Host: Spam
  • New e-mail client
  • Spam filtering

8
End-Host: Outgoing Attack Traffic
  • BINDER
  • Vern to fill out

9
Network: Unwanted Traffic from End Systems
  • Infer application-unwanted traffic
  • Packet Symmetry (HotNets 05)
  • Applications need to be DoS-aware

10
Network: Bandwidth Attacks
  • First goal: defeat low-cost DDoS attacks where a single compromised machine sends many DoS messages
  • Deadlock (Greenhalgh, et al SRUTI 05)
      • No source address spoofing because of no filtering mechanism
      • Little deployment of ingress filtering because of no source address spoofing
      • No automated filtering because attacks could spoof source addresses to bypass it
  • Greenhalgh et al (SRUTI 05)
      • Server-net filtering mechanism using routing/tunneling, assuming no source spoofing
  • Internet Accountability (Simon et al 06 under submission)
      • Ingress filtering among good ISPs; others' traffic marked with an evil bit and given worse treatment during peak traffic
  • Filtering infrastructure

11
Network: Bandwidth Attacks
  • IP traceback
  • IP pushback
  • New capability infrastructure to the Internet
      • SIFF (Oakland 04), Yang et al (SIGCOMM 05)

12
Network: Attacks on Operations
  • Securing BGP
      • SPV (SIGCOMM 04)

13
Acknowledgement
  • This slide deck benefited from discussions with
    Adam M. Costello, Sharad Agarwal, and Dan Simon.