13 research outputs found

    On Robustness and Countermeasures of Reliable Server Pooling Systems against Denial of Service Attacks

    Abstract. The Reliable Server Pooling (RSerPool) architecture is the IETF's novel approach to standardize a light-weight protocol framework for server redundancy and session failover. It combines ideas from different research areas into a single, resource-efficient and unified architecture. While there have already been a number of contributions on the performance of RSerPool for its main tasks (pool management, load distribution and failover handling), the robustness of the protocol framework has not yet been evaluated against intentional attacks. The first goal of this paper is to provide a robustness analysis. In particular, we would like to outline the attack bandwidth necessary for a significant impact on the service. Furthermore, we present and evaluate our countermeasure approach to significantly reduce the impact of attacks.

    Dependable IMS services - A Performance Analysis of Server Replication and Mid-Session Inter-Domain Handover


    Reliable Server Pooling - Evaluation, Optimisation and Extension of a New IETF Architecture

    The Reliable Server Pooling (RSerPool) architecture currently under standardization by the IETF RSerPool Working Group is an overlay network framework that provides server replication and session failover capabilities to the applications using it. These functionalities as such are not new, but their combination into one generic, application-independent framework is. The initial goal of this thesis is to gain insight into the complex RSerPool mechanisms by performing experimental and simulative proof-of-concept tests. The further goals are to systematically validate the RSerPool architecture and its protocols, to provide improvements and optimizations where necessary, and to propose extensions where useful. Based on these evaluations, recommendations to implementers and users of RSerPool should be provided, giving guidelines for the tuning of system parameters and the appropriate configuration of application scenarios. In particular, it is also a goal to transfer insights, optimizations and extensions of the RSerPool protocols from simulation to reality, and to bring the achievements from research into application by supporting and contributing relevant results to the IETF's ongoing RSerPool standardization process. To achieve the described goals, a prototype implementation as well as a simulation model are designed and realized first. Using a generic application model and appropriate performance metrics, the performance of RSerPool systems in failure-free and server failure scenarios is systematically evaluated in order to identify critical parameter ranges and problematic protocol behaviour. Improvements developed as a result of these performance analyses are evaluated and finally contributed to the standardization process of RSerPool.

    A new security extension for SCTP

    In 2000, the Signaling Transport (SIGTRAN) working group of the IETF defined the Stream Control Transmission Protocol (SCTP) as a new transport protocol. SCTP is a new multi-purpose reliable transport protocol. Due to its various features and easy extensibility it is a valid option not only for already standardised applications but also in many new application scenarios. SCTP has several advantages over TCP and UDP. The analysis of already standardised as well as potential SCTP application scenarios clearly indicates that secure end-to-end transport is one of the crucial requirements for SCTP in the future. Up to now there exist two standardised SCTP security solutions, called TLS over SCTP [37] and SCTP over IPSec [12]. The goal of this thesis was to evaluate existing SCTP security solutions and to find an optimised and efficient security solution. Several drawbacks of the standardised SCTP security solutions identified during the analysis are mainly related to features distinguishing SCTP from TCP and UDP. To avoid these drawbacks, a new security solution for SCTP, called Secure SCTP (S-SCTP), is proposed which integrates the cryptographic functions into SCTP. One main requirement was that S-SCTP should be fully compatible with standard SCTP while additionally providing strong security, i.e. data confidentiality, integrity and authentication. This also means that all features, options and extensions available for standard SCTP have to be supported. Furthermore, S-SCTP should have advantages with respect to performance over all parameter ranges of SCTP and be user-friendly. To specify the S-SCTP protocol extension, several new control messages and new message parameters have been defined. Furthermore, procedures for initialisation, rekeying, and termination of secure sessions have been specified and modelled in SDL. Based on an SCTP implementation available in our group and an open source implementation of TLS, TLS over SCTP and S-SCTP have been implemented. These implementations as well as an SCTP over IPSec configuration were used to carry out comparative performance studies in a lab testbed. These experiments show that the S-SCTP concept achieves its design goals. It supports all features and current extensions of SCTP. Furthermore, it avoids the inefficiencies of the other solutions over a wide range of application scenarios and protocol parameter settings.

    Performance Evaluation and Optimisation of a New Transport Protocol

    The Stream Control Transmission Protocol (SCTP) was developed as the basis for the efficient transport of signalling messages from Signalling System No. 7 (SS7) over IP-based networks. SCTP is a generic, multi-purpose transport protocol that operates in a connection-oriented manner and offers reliable, message-oriented data transfer. It supports multiple independent message streams within one connection as well as flexible delivery mechanisms. In contrast to TCP, SCTP supports multiple network addresses per connection (multihoming), and for this reason SCTP endpoints are reachable over multiple, possibly redundant, network paths. In this dissertation, the behaviour and performance of SCTP were investigated in various scenarios. Suitable tools were developed for this purpose: in a testbed environment, a Unix-based protocol implementation named sctplib was used to investigate the fairness of SCTP when interacting with TCP, as well as the suitability of SCTP for SS7-based signalling transport. An event-driven simulation model of the SCTP data path and of some elements of the control path was created and validated using the results of the testbed investigations. With an extension of this model, load sharing algorithms were investigated. From a network operator's perspective, load sharing is desirable in order to achieve an even distribution of the traffic load and to absorb peak loads in the network. Its efficient support, however, requires considerable protocol modifications to SCTP. In addition to an evaluation of the load sharing algorithms described in the literature, modifications of these algorithms were proposed and likewise evaluated. It was shown that the described modifications lead to an optimisation of the existing load sharing algorithms, both with regard to overall throughput and with regard to the expected message delay.

    Modeling and acceleration of content delivery in world wide web


    Aggregate Server Access Protocol (ASAP)


    Junos OS Security Configuration Guide

    This preface provides the following guidelines for using the Junos OS Security Configuration Guide:
    • J Series and SRX Series Documentation and Release Notes on page xli
    • Objectives on page xlii
    • Audience on page xlii
    • Supported Routing Platforms on page xlii
    • Document Conventions on page xlii
    • Documentation Feedback on page xliv
    • Requesting Technical Support on page xliv
    Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books. Junos OS for SRX Series Services Gateways integrates the world-class network security and routing capabilities of Juniper Networks. Junos OS includes a wide range of packet-based filtering, class-of-service (CoS) classifiers, and traffic-shaping features as well as a rich, extensive set of flow-based security features including policies, screens, network address translation (NAT), and other flow-based services. Traffic that enters and exits the services gateway is processed according to the features you configure, such as packet filters, security policies, and screens. For example, the software can determine:
    • Whether the packet is allowed into the device
    • Which firewall screens to apply to the packet
    • The route the packet takes to reach its destination
    • Which CoS to apply to the packet, if any
    • Whether to apply NAT to translate the packet's IP address
    • Whether the packet requires an Application Layer Gateway (ALG