Date posted: 22-Dec-2015
Cybersecurity Symposium 9/19/2003 chow
Slide 1: SCOLD: Secure Collective Internet Defense
http://cs.uccs.edu/~scold/
A NISSC Sponsored Project
C. Edward Chow, Yu Cai, Dave Wilkinson
Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2002 grant.
Slide 2: Outline of the Talk
- Network security related research projects at the UCCS Network/Protocol Research Lab
- Secure Collective Internet Defense, the idea. How should we pursue it?
- Secure Collective Internet Defense, SCOLD v0.1: a technique based on the Intrusion Tolerance paradigm
- SCOLD v0.1 implementation and testbed: secure DNS update with indirect routing entries; indirect routing protocol based on IP tunnels
- Performance evaluation of SCOLD v0.1
- Conclusion and future directions
Slide 3: New UCCS IA Degree/Certificate
- Master of Engineering Degree in Information Assurance
- Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3). It includes four courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design
Slide 4: UCCS Network/System Research Lab
Director: Dr. C. Edward Chow
Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
New CS faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
- John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (two US patents)
- Hekki Julkunen: Dynamic Packet Filter
- Chandra Prakash: High Available Linux kernel-based Content Switch
- Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; Wireless Sensor Network
- Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
- Longhua Li: IXP-based Content Switch
- Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
- Jianhua Xie (Ph.D.): Secure Storage Networks
- Frank Watson: Content Switch for Email Security
- Paul Fong: Wireless AODV Routing for sensor networks
- Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
- David Wilkinson: SCOLD: Secure DNS Update
- Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI
Slide 5: UCCS Network Lab Setup
- Gigabit fiber connection to the UCCS backbone
- Router/Switch/Firewall/Wireless AP: 8 routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink switches; Sonicwall Pro 300 firewall*, 8 VPN gateways*, 8 Intel 7112 SSL accelerators*, 4 7820 XML directors*; Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards); Intel IXP12EB network processor evaluation board
- Servers: two Dell PowerEdge servers*, 4 cache appliances*
- Workstations/PCs: 8 Dell PCs (3 GHz* to 500 MHz); 12 HP PCs (500 to 233 MHz); 2 laptop PCs with Aironet 350 for mobile wireless
- OS: Linux Red Hat 9.0; Windows XP/2000
* Equipment donated by Intel
Slide 6: DDoS: Distributed Denial of Service Attack
DDoS victims: Yahoo/Amazon (2000), CERT (5/2001), DNS root servers (10/2002)
DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
[Figure: attack hierarchy. Mastermind/Intruder -> Client (Attack Commander) -> Handlers (Middlemen) -> Agents (Attackers)]
Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period; most of the targets are home users and small to medium sized organizations.
Slide 7: Secure Collective Internet Defense
The Internet "attacks" community seems to be better organized. How about Internet Secure Collective Defense?
- Report/exchange virus info and distribute anti-virus: not bad (need to pay Norton or Network Associates)
- Report/exchange spam info: not good (spambayes, SpamAssassin, email firewall, remove.org)
- Report attack (to your admin or FBI?): not good
- IP Traceback: difficult to negotiate even the use of one bit in the IP header
- Push back attacks: slow (call to upstream ISP), hard to find the IDIP spec!
- Form a consortium and help each other during attacks: almost non-existent
Slide 8: Intrusion Related Research Areas
- Intrusion Prevention: general security policy; ingress/egress filtering
- Intrusion Detection: honey pot; host-based IDS (Tripwire); anomaly detection; misuse detection
- Intrusion Response: identification/traceback/pushback; intrusion tolerance
Slide 9: Wouldn't it be Nice to Have Alternate Routes?
[Figure: client networks net-a.com, net-b.com, net-c.com, each with its DNS server (DNS1, DNS2, DNS3) and clients A; the victim behind its gateway R and its DNS, with alternate gateways R1, R2, R3; DDoS attack traffic and client traffic both arrive through R]
How to reroute client traffic through R1-R3? Multi-homing.
Slide 10: Secure Collective Defense
Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal: provide secure alternate routes; hide the IP addresses of the alternate gateways.
Techniques:
- Multiple path (indirect) routing
- Secure DNS extension: how to inform client DNS servers to add the alternate new entries (not your normal DNS name/IP address mapping entry)
- Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways. How to partition clients to come in at different proxy servers? This may help identify the attacker!
- How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, modify the resolver library
Slide 11: Implement Alternate Routes
[Figure: same topology as slide 9 (net-a.com, net-b.com, net-c.com with DNS1-DNS3 and clients A; victim behind gateway R; alternate gateways R1, R2, R3; DDoS attack traffic and client traffic)]
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?
Slides 12-16: SCOLD
[Figure, built up step by step over the slide 9 topology: proxy servers Proxy1, Proxy2, Proxy3 in front of alternate gateways R1, R2, R3; a Reroute Coordinator; the victim's DNS; attack traffic and client traffic]
1. IDS detects intrusion, blocks attack traffic, sends distress call to Reroute Coordinator.
2. Reroute Coordinator sends Reroute Command with (DNS name, IP addr. of victim, proxy server(s)) to DNS.
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3.
4. Attack traffic detected by IDS, blocked by firewall.
4a. Attack traffic detected by IDS, blocked by firewall.
4b. Client traffic comes in via alternate route.
Slide 17: SCOLD Secure DNS Update with New Indirect DNS Entries
New indirect DNS entries, for example:
(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
The ALT list is a set of alternate proxy servers for indirect routes.
[Figure: modified Bind9 on the DNS servers; modified client resolver library on the clients]
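The reroute command of slides 12-16 and the ALT entry of this slide, modeled end to end in Python as an added example (this is not SCOLD's modified Bind9 or resolver library). Beyond what the slides state, it assumes that the Reroute Coordinator and the victim's DNS server share a secret key, that each command is authenticated with an HMAC-SHA256 tag, and that a sequence number rejects replayed commands; the class and function names, the demo key and the wire format are the example's own.

```python
"""Toy model of the SCOLD secure DNS update with indirect (ALT) entries.

Added example, not the project's code. Assumptions (not from the slides):
  - the Reroute Coordinator and the DNS server share a secret key and
    authenticate reroute commands with an HMAC-SHA256 tag;
  - each command carries a sequence number so a replayed command is rejected.
"""
import hashlib
import hmac
import ipaddress
import json

# Constructed shared key for the demo only; a deployment provisions its own.
SHARED_KEY = b"scold-demo-key-do-not-use"


def parse_indirect_entry(text):
    """Parse the slide's entry format:
    (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 ...)
    Returns (name, victim_ip, [alternate proxies]); every address is validated.
    """
    body = text.strip().strip("()")
    name, victim, alt = [p.strip() for p in body.split(",", 2)]
    if not alt.startswith("ALT "):
        raise ValueError("missing ALT marker")
    proxies = alt[4:].split()
    ipaddress.ip_address(victim)          # raises on a malformed address
    for proxy in proxies:
        ipaddress.ip_address(proxy)
    return name, victim, proxies


class RerouteCoordinator:
    """Step 2 on the slides: sends (DNS name, victim IP, proxy servers) to DNS."""

    def __init__(self, key):
        self.key = key
        self.seq = 0

    def reroute_command(self, name, victim_ip, proxies):
        self.seq += 1
        cmd = {"seq": self.seq, "name": name, "victim": victim_ip, "alt": list(proxies)}
        wire = json.dumps(cmd, sort_keys=True).encode()
        tag = hmac.new(self.key, wire, hashlib.sha256).hexdigest()
        return wire, tag


class IndirectDNS:
    """Stand-in for the modified Bind9: A records plus ALT (proxy) records."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.a = {}
        self.alt = {}

    def apply_reroute(self, wire, tag):
        expected = hmac.new(self.key, wire, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                  # forged or corrupted command
        cmd = json.loads(wire)
        if cmd["seq"] <= self.last_seq:
            return False                  # replay of an old command
        self.last_seq = cmd["seq"]
        self.a[cmd["name"]] = cmd["victim"]
        self.alt[cmd["name"]] = cmd["alt"]
        return True

    def lookup(self, name):
        return self.a.get(name), self.alt.get(name, [])


def resolve_route(dns, name):
    """Modified client resolver: use an indirect route through a proxy when ALT exists."""
    victim, proxies = dns.lookup(name)
    if victim is None:
        return None
    if proxies:
        return {"target": victim, "via": proxies[0], "alternates": proxies[1:]}
    return {"target": victim, "via": None, "alternates": []}


if __name__ == "__main__":
    entry = "(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)"
    name, victim, proxies = parse_indirect_entry(entry)
    coordinator, dns = RerouteCoordinator(SHARED_KEY), IndirectDNS(SHARED_KEY)
    wire, tag = coordinator.reroute_command(name, victim, proxies)
    print("update accepted:", dns.apply_reroute(wire, tag))
    print("replay accepted:", dns.apply_reroute(wire, tag))
    print("client route:", resolve_route(dns, name))
```

The two rejections in `apply_reroute` are the point of calling the update "secure": an unauthenticated reroute command would let anyone redirect a site's clients to proxies of their choosing, and a replayed one would re-install stale proxies after the victim has moved on.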
Slide 18: SCOLD Indirect Routing
[Figure: indirect routing over IP tunnels]
Slide 19: SCOLD Indirect Routing with Client running SCOLD client daemon
[Figure: indirect routing over IP tunnels]
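IP-in-IP encapsulation, the mechanism behind the IP tunnels in the figures of slides 18 and 19, written out in Python as an added example (this is not SCOLD's tunnel code, which relies on the Linux kernel's IP tunnel). The proxy address 203.55.57.102 and the victim address 133.41.96.71 are the slide 17 example addresses; the client address 10.0.0.5, the alternate gateway address 192.0.2.1 and the payload are constructed placeholders.

```python
"""IP-in-IP (IP protocol 4) encapsulation as an ipip tunnel performs it.

Added example, not SCOLD's code. It shows what the proxy does on the wire:
wrap the client's packet, addressed to the victim's public IP, inside an
outer packet addressed to the alternate gateway, and what the gateway checks
before unwrapping it.
"""
import socket
import struct

IPPROTO_IPIP = 4


def checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64, ident=0):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    length = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(packet):
    """Return (src, dst, proto, payload); raise ValueError on a bad header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad header checksum")
    length = struct.unpack("!H", packet[2:4])[0]
    if length > len(packet) or length < ihl:
        raise ValueError("bad total length")     # truncated or oversized
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    dst = socket.inet_ntoa(packet[16:20])
    return src, dst, proto, packet[ihl:length]


def encapsulate(inner, tunnel_src, tunnel_dst):
    """Proxy side: wrap a whole IP packet in an outer IPv4 header, protocol 4."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner)


def decapsulate(outer, expected_tunnel_src):
    """Alternate-gateway side: strip the outer header, but only for packets
    that really are IP-in-IP and come from the proxy this tunnel was set up with."""
    src, _dst, proto, payload = parse_ipv4(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    if src != expected_tunnel_src:
        raise ValueError("tunnel packet from unexpected endpoint")
    return payload


if __name__ == "__main__":
    # Constructed client packet for the victim, relayed by the proxy to R1.
    inner = build_ipv4("10.0.0.5", "133.41.96.71", 6, b"client request")
    outer = encapsulate(inner, "203.55.57.102", "192.0.2.1")
    print("outer:", parse_ipv4(outer)[:3])
    print("inner:", parse_ipv4(decapsulate(outer, "203.55.57.102"))[:3])
```

The source check in `decapsulate` matters for SCOLD's goal of hiding the alternate gateways: a gateway that accepted IP-in-IP from any address would let a sender who learned its IP deliver traffic straight to the victim, bypassing the proxies and their IDS.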
Slide 20: Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3 hop route)
No DDoS attack, direct route      0.49 ms
DDoS attack, direct route         225 ms
No DDoS attack, indirect route    0.65 ms
DDoS attack, indirect route       0.65 ms

Table 2: SCOLD FTP/HTTP download test (from client to target)
Doc     No DDoS, direct     DDoS, direct        No DDoS, indirect   DDoS, indirect
size    FTP      HTTP       FTP      HTTP       FTP      HTTP       FTP      HTTP
100k    0.11 s   3.8 s      8.6 s    9.1 s      0.14 s   4.6 s      0.14 s   4.6 s
250k    0.28 s   11.3 s     19.5 s   13.3 s     0.31 s   11.6 s     0.31 s   11.6 s
500k    0.65 s   30.8 s     39 s     59 s       0.66 s   31.1 s     0.67 s   31.1 s
1000k   1.16 s   62.5 s     86 s     106 s      1.15 s   59 s       1.15 s   59 s
2000k   2.34 s   121 s      167 s    232 s      2.34 s   122 s      2.34 s   123 s
Slide 21: A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
[Figure: testbed layout]
- Firewall gateway with multi-level rate limiting, as Linux router. eth0: IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1. eth1: IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12.
- IDS: Snort started as ./snort -A UNSOCK; snort.conf sets the flood preprocessor threshold and the flood rate limiter preprocessor thresholds; report.c/alert feeds rateif.pl; rateif.conf sets levels, rate, expiration, port # etc.
- Rate limiting levels: Level 4 Open (5 days); Level 3 100 p/s; Level 2 50 p/s; Level 1 Block (2 hrs); Level 0 Block (2 days). Level 1 expires.
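The multi-level rate limiting of this slide as a small Python state machine, an added example rather than A2D2's rateif.pl. The level table (open, 100 p/s, 50 p/s, block 2 hrs, block 2 days, level 4 kept for 5 days) is taken from the slide; the alert line format, the rule that each flood alert demotes a source by one level and an expired level steps it back up by one, and the one-hour expirations of levels 3 and 2 are the example's own assumptions, as are the sample alert lines.

```python
"""Multi-level adaptive rate limiter in the style of the A2D2 slide.

Added example, not A2D2's code. The level table follows the slide; the alert
line format, the demote-on-alert / promote-on-expiry rule and the expirations
of levels 3 and 2 are constructed assumptions (rateif.conf would hold them).
"""
import re

DAY, HOUR = 86400, 3600
# level -> (action, packets per second allowed, seconds until the level expires)
LEVELS = {
    4: ("open", None, 5 * DAY),
    3: ("limit", 100, 1 * HOUR),   # expiration assumed, not on the slide
    2: ("limit", 50, 1 * HOUR),    # expiration assumed, not on the slide
    1: ("block", 0, 2 * HOUR),
    0: ("block", 0, 2 * DAY),
}

# Constructed alert shape, loosely modeled on a Snort preprocessor alert.
ALERT_RE = re.compile(r"spp_flood: flood detected from (\d+\.\d+\.\d+\.\d+)")


def parse_alert(line):
    """Return the flooding source address from an alert line, or None."""
    match = ALERT_RE.search(line)
    return match.group(1) if match else None


class MultiLevelRateLimiter:
    def __init__(self):
        self.state = {}   # src -> [level, time the level was entered]

    def _current(self, src, now):
        """Apply expirations: an expired limit/block steps up one level; an
        expired level 4 record is forgotten entirely."""
        if src not in self.state:
            return 4
        level, since = self.state[src]
        while level < 4 and now - since >= LEVELS[level][2]:
            since += LEVELS[level][2]
            level += 1
        if level == 4 and now - since >= LEVELS[4][2]:
            del self.state[src]
            return 4
        self.state[src] = [level, since]
        return level

    def on_alert(self, src, now):
        """Each IDS flood alert demotes the source one level (tighter limit)."""
        level = max(0, self._current(src, now) - 1)
        self.state[src] = [level, now]
        return level

    def policy(self, src, now):
        """(level, action, packets-per-second) to enforce for src right now."""
        level = self._current(src, now)
        action, rate, _ttl = LEVELS[level]
        return level, action, rate


def process_alerts(limiter, lines, now):
    """Feed a batch of alert lines observed at time `now`; return src -> level."""
    result = {}
    for line in lines:
        src = parse_alert(line)
        if src is not None:
            result[src] = limiter.on_alert(src, now)
    return result


if __name__ == "__main__":
    # Constructed alert lines, not real Snort output.
    lines = [
        "[**] [1:0:0] spp_flood: flood detected from 10.1.2.3 [**]",
        "[**] [1:0:0] spp_flood: flood detected from 10.1.2.3 [**]",
        "[**] [1:0:0] spp_flood: flood detected from 10.7.7.7 [**]",
    ]
    limiter = MultiLevelRateLimiter()
    print(process_alerts(limiter, lines, now=0))
    print(limiter.policy("10.1.2.3", 0), limiter.policy("10.1.2.3", 2 * HOUR))
```

The gradual demotion is what makes the scheme "adaptive": a source that trips the flood threshold once is throttled rather than cut off, so a legitimate client caught in a burst recovers after the level expires, while a persistent flooder ends up at level 0 for two days.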
Slide 22: Future Directions
- Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
- Recruit sites for wide area network SCOLD experiments. Northrop Grumman, Air Force Academy's IA Lab, and University of Texas are initial potential partners. Email me if you would like to be part of the SCOLD beta test sites and members of the SCOLD consortium.
- We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool. The network status information collected and analyzed by MIND can be used for selecting proxy server sites. Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem. SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.
Slide 23: Conclusion
- Secure Collective Internet Defense needs significant help from the community. Tremendous research and development opportunities.
- SCOLD v0.1 demonstrated DDoS defense via secure DNS updates with new indirect routing entries and IP-tunnel based indirect routing, letting legitimate clients come in through a set of proxy servers and alternate gateways.
- Multiple indirect routes can also be used for improving the performance of Internet connections by using the proxy servers of an organization as connection relay servers.