Slide 1 (Cybersecurity Symposium, 9/19/2003, chow)

C. Edward Chow, Yu Cai, Dave Wilkinson
Department of Computer Science, University of Colorado at Colorado Springs

SCOLD: Secure Collective Internet Defense
http://cs.uccs.edu/~scold/
A NISSC Sponsored Project

Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2002 grant.

Slide 2: Outline of the Talk

Network security related research projects at the UCCS Network/Protocol Research Lab
Secure Collective Internet Defense, the idea. How should we pursue it?
Secure Collective Internet Defense, SCOLD v0.1: a technique based on the Intrusion Tolerance paradigm
SCOLD v0.1 implementation and testbed
  Secure DNS update with indirect routing entries
  Indirect routing protocol based on IP tunnel
Performance evaluation of SCOLD v0.1
Conclusion and future directions

Slide 3: New UCCS IA Degree/Certificate

Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3). It includes four courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design.

Slide 4: UCCS Network/System Research Lab

Director: Dr. C. Edward Chow
Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
New CS faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
  John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (two US patents)
  Hekki Julkunen: Dynamic Packet Filter
  Chandra Prakash: Highly Available Linux kernel-based Content Switch
  Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; Wireless Sensor Network
  Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
  Longhua Li: IXP-based Content Switch
  Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
  Jianhua Xie (Ph.D.): Secure Storage Networks
  Frank Watson: Content Switch for Email Security
  Paul Fong: Wireless AODV Routing for sensor networks
  Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
  David Wilkinson: SCOLD: Secure DNS Update
  Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI

Slide 5: UCCS Network Lab Setup

Gigabit fiber connection to UCCS backbone
Router/Switch/Firewall/Wireless AP:
  8 routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink switches
  Sonicwall Pro 300 firewall*, 8 VPN gateways*, 8 Intel 7112 SSL accelerators*, 4 7820 XML directors*
  Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards)
  Intel IXP12EB network processor evaluation board
Servers: two Dell PowerEdge servers*, 4 cache appliances*
Workstations/PCs: 8 Dell PCs (3GHz*-500MHz); 12 HP PCs (500-233MHz); 2 laptop PCs with Aironet 350 for mobile wireless
OS: Linux Red Hat 9.0; Windows XP/2000

* Equipment donated by Intel

Slide 6: DDoS: Distributed Denial of Service Attack

DDoS victims: Yahoo/Amazon (2000); CERT (5/2001); DNS root servers (10/2002)
DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)

[Figure: DDoS attack hierarchy. A mastermind intruder controls a client (attack commander), which controls handlers (middlemen), each of which controls many agents (attackers).]

Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period. Most of the targets were home users and small to medium sized organizations.

Slide 7: Secure Collective Internet Defense

The Internet "attacks" community seems to be better organized. How about an Internet Secure Collective Defense?

Report/exchange virus info and distribute anti-virus: not bad (need to pay Norton or Network Associates)
Report/exchange spam info: not good (spambayes, SpamAssassin, email firewall, remove.org)
Report attack (to your admin or FBI?): not good
IP Traceback: difficult to negotiate even the use of one bit in the IP header
Push back attacks: slow; call to upstream ISP; hard to find the IDIP spec!
Form a consortium and help each other during attacks: almost non-existent

Slide 8: Intrusion Related Research Areas

Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
Intrusion Detection: Honey pot; Host-based IDS (Tripwire); Anomaly Detection; Misuse Detection
Intrusion Response: Identification/Traceback/Pushback; Intrusion Tolerance

Slide 9: Wouldn't it be Nice to Have Alternate Routes?

[Figure: a victim network with its DNS server (DNS1), client networks net-a.com, net-b.com and net-c.com with their DNS servers (DNS2, DNS3), routers R, and alternate gateways R1, R2, R3. Attack agents (A) send DDoS attack traffic toward the victim's normal gateway while client traffic competes with it.]

How to reroute clients' traffic through R1-R3?
Multi-homing

Slide 10: Secure Collective Defense

Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.

Goal:
  Provide secure alternate routes
  Hide the IP addresses of the alternate gateways

Techniques:
  Multiple Path (Indirect) Routing
  Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
  Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways
  How to partition clients to come in at different proxy servers? This may help identify the attacker!
  How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, modify the resolver library

Slide 11: Implement Alternate Routes

[Figure: the same topology as slide 9 (victim, DNS1-DNS3, net-a.com/net-b.com/net-c.com, routers R, alternate gateways R1-R3, DDoS attack traffic and client traffic).]

Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide the IP addresses of the alternate gateways?

Slides 12 to 16: SCOLD

[Figure, built up step by step over five slides: the topology of slide 9 with proxy servers Proxy1, Proxy2 and Proxy3 placed in front of the alternate gateways R1, R2 and R3, a Reroute Coordinator, and attack traffic vs. client traffic. The steps annotated on the figure:]

1. IDS detects intrusion; blocks attack traffic; sends distress call to Reroute Coordinator.
2. Reroute Coordinator sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS.
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3.
4. Attack traffic detected by IDS, blocked by Firewall.
4a. Attack traffic detected by IDS, blocked by Firewall.
4b. Client traffic comes in via alternate route.

Slide 17: SCOLD Secure DNS Update with New Indirect DNS Entries

New indirect DNS entries:
(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
The ALT list is a set of alternate proxy servers for indirect routes.

Components shown on the figure: Modified Bind9 (two instances), Modified Client Resolve Library.
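As an added illustration of the indirect DNS entry format on slide 17 and the client-partitioning question on slide 10 (example code, not the SCOLD project's modified Bind9 or resolver): a parser for the (name, victim IP, ALT proxies) entry and a toy modified resolver that answers with the direct address until a Reroute Command arrives, then steers each client network to one ALT proxy. The hash-based partition, the resolver API and the sample client addresses are assumptions; the entry text uses the slide's own addresses.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Entry text in the form shown on slide 17 (the addresses are the slide's own).
SAMPLE_ENTRY_TEXT = ("(target.targetnet.com, 133.41.96.71, "
                     "ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)")

@dataclass
class IndirectEntry:
    """SCOLD indirect DNS entry: (name, victim IP, ALT list of proxy servers)."""
    name: str
    victim_ip: str
    alt_proxies: list

def parse_indirect_entry(text):
    """Parse '(name, victim_ip, ALT p1 p2 ...)'; reject malformed entries."""
    name, victim, alt = [p.strip() for p in text.strip().strip("()").split(",", 2)]
    if not alt.startswith("ALT "):
        raise ValueError("indirect entry must carry an ALT proxy list")
    proxies = alt[4:].split()
    if not proxies:
        raise ValueError("ALT list is empty")
    for ip in [victim, *proxies]:
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return IndirectEntry(name, victim, proxies)

def proxy_for(entry, client_ip, prefix=24):
    """Map a client's /prefix network to one ALT proxy (hash partitioning is an
    assumption; the slide only asks how clients should be partitioned)."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    digest = hashlib.sha256(str(net).encode()).digest()
    return entry.alt_proxies[int.from_bytes(digest[:4], "big") % len(entry.alt_proxies)]

class ClientResolver:
    """Modified resolver: serves normal A records until a Reroute Command arrives."""
    def __init__(self, a_records):
        self.a_records = dict(a_records)
        self.indirect = {}
    def reroute_command(self, entry):
        self.indirect[entry.name] = entry  # pushed by the Reroute Coordinator via DNS
    def resolve(self, name, client_ip):
        entry = self.indirect.get(name)
        if entry is None:
            return self.a_records.get(name)  # no attack: direct route
        return proxy_for(entry, client_ip)   # under attack: go in via a proxy
    def suspects(self, name, proxy, client_ips):
        """Clients steered to `proxy`; attack traffic seen there points to one of them."""
        entry = self.indirect[name]
        return [c for c in client_ips if proxy_for(entry, c) == proxy]
```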

Slide 18: SCOLD Indirect Routing

[Figure: SCOLD indirect routing; the only labels recoverable from the diagram are "IP tunnel" on both tunnel legs.]

Slide 19: SCOLD Indirect Routing with Client running SCOLD client daemon

[Figure: same as slide 18, with the client running the SCOLD client daemon; labels recoverable from the diagram: "IP tunnel" on both tunnel legs.]

Performance of SCOLD v0.1Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3 hop route)

Table 2: SCOLD FTP/HTTP download Test (from client to target)

Table 1: Ping Response Time (on 3 hop route)

Table 2: SCOLD FTP/HTTP download Test (from client to target)

No DDoS attack, direct route

DDoS attack, direct route

No DDoS attack, indirect route

with DDoS attack indirect route Doc

Size

FTP HTTP FTP HTTP FTP HTTP FTP HTTP 100k 0.11 s 3.8 s 8.6 s 9.1 s 0.14 s 4.6 s 0.14 s 4.6 s 250k 0.28 s 11.3 s 19.5 s 13.3 s 0.31 s 11.6 s 0.31 s 11.6 s 500k 0.65 s 30.8 s 39 s 59 s 0.66 s 31.1 s 0.67 s 31.1 s 1000k 1.16 s 62.5 s 86 s 106 s 1.15 s 59 s 1.15 s 59 s 2000k 2.34 s 121 s 167 s 232 s 2.34 s 122 s 2.34 s 123 s

No DDoS attack direct route

DDoS attackdirect route

No DDoS attack indirect route

DDoS attack indirect route

0.49 ms 225 ms 0.65 ms 0.65 ms

Slide 21: A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense

[Figure: testbed layout. Firewall Gateway with Multi-Level Rate Limiting, running as a Linux router: eth0 IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12. IDS: Snort started with "./snort -A UNSOCK"; snort.conf sets the Flood Preprocessor threshold and the Flood Rate Limiter Preprocessor thresholds; alerts pass through report.c and ./alert to rateif.pl, which reads rateif.conf (levels, rate, expiration, port # etc.).]

Rate limiting levels shown in the figure:
  Level 4: Open (5 days)
  Level 3: 100 p/s
  Level 2: 50 p/s
  Level 1: Block (2 hrs)
  Level 0: Block (2 days)
  (Level 1 expires)
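An added model of the A2D2 level ladder on slide 21, not the testbed's own rateif.pl: a per-source limiter that steps a source one level down on each Snort flood alert and one level back up when the current level's timer expires, so a mitigation decays instead of staying in place forever. The step-down/step-up policy and the one-hour timers for levels 3 and 2 are assumptions; the level labels and the 2-hour, 2-day and 5-day timers are the slide's.

```python
from dataclasses import dataclass

# The five levels as labelled on the A2D2 slide: (action, packets/s, timer seconds).
# Assumptions, not from the slide: each IDS flood alert moves a source one level
# down; when a level's timer expires the source moves one level back up; the
# unlabelled timers for levels 3 and 2 are set to one hour here.
LADDER = {
    4: ("open", None, 5 * 86400),  # Open (5 days), then the entry is forgotten
    3: ("limit", 100, 3600),       # 100 p/s
    2: ("limit", 50, 3600),        # 50 p/s
    1: ("block", 0, 2 * 3600),     # Block (2 hrs)
    0: ("block", 0, 2 * 86400),    # Block (2 days)
}

@dataclass
class SourceState:
    level: int
    since: float  # time (seconds) the source entered this level

class AdaptiveRateLimiter:
    """Per-source level ladder driven by Snort flood alerts (cf. rateif.pl)."""
    def __init__(self):
        self.sources = {}  # source address -> SourceState
    def _relax(self, src, now):
        """Apply every expiration that has elapsed for src up to `now`."""
        st = self.sources.get(src)
        while st is not None:
            timer = LADDER[st.level][2]
            if now - st.since < timer:
                break
            if st.level == 4:
                del self.sources[src]  # open entry aged out after 5 days
                st = None
            else:
                st = SourceState(st.level + 1, st.since + timer)
                self.sources[src] = st
        return st
    def on_flood_alert(self, src, now):
        """Flood preprocessor threshold crossed for src: step one level down."""
        st = self._relax(src, now)
        level = 4 if st is None else st.level
        self.sources[src] = SourceState(max(level - 1, 0), now)
        return self.sources[src].level
    def policy(self, src, now):
        """(action, packets_per_second) the firewall should apply to src now."""
        st = self._relax(src, now)
        if st is None:
            return ("open", None)
        action, pps, _ = LADDER[st.level]
        return (action, pps)
```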

Slide 22: Future Directions

Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
Recruit sites for wide area network SCOLD experiments. Northrop Grumman, the Air Force Academy's IA Lab, and the University of Texas are initial potential partners. Email me if you would like to be one of the SCOLD beta test sites and a member of the SCOLD consortium.
We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool.
  The network status information collected and analyzed by MIND can be used for selecting proxy server sites.
  Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem.
  SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.

Slide 23: Conclusion

Secure Collective Internet Defense needs significant help from the community. There are tremendous research and development opportunities.
SCOLD v0.1 demonstrated DDoS defense via secure DNS updates with new indirect routing entries and IP-tunnel based indirect routing, letting legitimate clients come in through a set of proxy servers and alternate gateways.
Multiple indirect routes can also be used to improve the performance of Internet connections by using the proxy servers of an organization as connection relay servers.

