Presenter: Chen Chih-Ming 96/12/27. Outline Background Problem Definition State of Art ...
PORTCULLIS: PROTECTING CONNECTION SETUP
FROM DENIAL-OF-CAPABILITY ATTACKS
Presenter: Chen Chih-Ming
96/12/27
Outline
○ Background
○ Problem Definition
○ State of Art
○ Portcullis Architecture
○ Designs
○ Potential Attacks
○ Evaluation
○ Discussion
○ Conclusion
Background
○ DoS
○ Protected by Capability-based System
○ Capability-based System
○ DoC
○ Flood request channel!
Problem Definition
Guarantee successfully transmitting
State of Art
○ Identity-Based Fairness
  ○ Per-Source Fairness
  ○ Per-Path Fairness (TVA)
  ○ Per-Destination Fairness
○ Proof-of-Work Schemes
  ○ Per-Bandwidth Fairness (Speak up)
  ○ Per-Computation Fairness
Portcullis Architecture
○ Authenticity
○ Availability
○ Freshness
○ Efficiency
○ Granularity
Design
Design – cont.
p = H(x || r || h_i || dest IP || l)
○ r: 64-bit random value chosen by the client
○ h_i: seed from DNS
○ dest IP: destination IP
○ l: puzzle level; find x such that the last l bits of p are all zero
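The puzzle defined on the Design slide, as an added example that is not code from the slides or from the Portcullis authors. It assumes H is SHA-1 (the slides list SHA-1 hash rates but do not name H), an illustrative byte encoding of the fields, and constructed sample values for r, h_i and the destination IP.

```python
import hashlib
import ipaddress
import itertools

# Constructed sample values (assumptions, not taken from the slides).
R = bytes.fromhex("0123456789abcdef")      # r: 64-bit client nonce
SEED = b"constructed-seed-epoch-1"         # h_i: seed published via DNS
DEST = "192.0.2.10"                        # destination IP (TEST-NET-1)
LEVEL = 16                                 # l: puzzle level

def puzzle_hash(x, r, h_i, dest_ip, level):
    """p = H(x || r || h_i || dest IP || l), returned as an integer."""
    msg = (x.to_bytes(8, "big") + r + h_i
           + ipaddress.IPv4Address(dest_ip).packed + bytes([level]))
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def verify(x, r, h_i, dest_ip, level):
    """Router-side check: one hash, then test the last `level` bits of p."""
    if len(r) != 8 or not 0 < level <= 160:
        return False
    return puzzle_hash(x, r, h_i, dest_ip, level) & ((1 << level) - 1) == 0

def solve(r, h_i, dest_ip, level):
    """Client-side brute force; expected cost is about 2**level hashes."""
    for attempts, x in enumerate(itertools.count(), start=1):
        if verify(x, r, h_i, dest_ip, level):
            return x, attempts

def demo():
    x, attempts = solve(R, SEED, DEST, LEVEL)
    return {
        "attempts": attempts,
        "solution_ok": verify(x, R, SEED, DEST, LEVEL),
        # Same x reused toward another destination: dest IP is hashed in.
        "other_dest": verify(x, R, SEED, "192.0.2.11", LEVEL),
        # Same x replayed after the seed rotates: h_i is hashed in.
        "stale_seed": verify(x, R, b"constructed-seed-epoch-2", DEST, LEVEL),
        # Same x presented with a higher claimed level: l is hashed in.
        "higher_level": verify(x, R, SEED, DEST, LEVEL + 4),
    }

if __name__ == "__main__":
    print(demo())
```

Verification costs the router a single hash regardless of level, while the solver's work doubles with each extra level.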
Theoretical Result
Assume attackers have bounded resources
○ Equal computation power
○ M = number of malicious machines
Result
○ Legitimate clients succeed in time O(M)
○ For any routing policy, the time needed for capability setup is O(M)
Potential Attacks
○ Sharing Puzzle Solutions
  ○ Attack different link
  ○ Still cannot flood bottleneck
○ Timing Amplification
  ○ High-level puzzles need more time.
  ○ Low-level puzzles can pass through.
Evaluation
○ Internet Scale Simulation
○ Portcullis Attacker Strategies
○ Comparative Simulations
○ Partial Deployment
Evaluation – cont.
Internet Scale Simulation
○ CAIDA Skitter probe result
  ○ Router-level topology
○ Victim uses a single link to connect to the Internet
○ No bandwidth measurement
  ○ Senders have 1/10 the bw of the receiver (200 Mbps)
  ○ Others have 10x the bw of the receiver
○ Request packet is 1000 bits
○ Request channel occupies 5% of bw
○ Clients are placed randomly
○ Equal computational resources
Evaluation – cont.
Portcullis Attacker Strategies
Evaluation – cont.
Comparative Simulations
○ IP to ASN: map router to AS for TVA
Evaluation – cont.
Partial Deployment
○ Victim’s ISP upgrades router.
Discussion
○ Asymmetric computation power
  ○ Memory-bound function, 3x~5x
○ Puzzle Inflation
  ○ Not exhausted
  ○ Exhausted by high-level packets
  ○ Exhausted by mixture packets

Platform            SHA-1 hashes/min   Normalized
Nokia 6620          25k                1
Nokia N70           36k                1.33
Sharp Zaurus PDA    56k                2.24
Xeon 3.2GHz PC      956k               38.24
Conclusion
Portcullis can make capability-based systems more robust against DoC.
Comment
○ Partial deployment is a strong advantage.
○ Computing power varies dramatically from platform to platform.
Bye