1

.

SOS: Secure Overlay Service (+Mayday)

A. D. Keromytis, V. Misra, D. RunbensteinColumbia University

Presented by Yingfei Dong

2

Motivations

Goal: Proactively Prevent DOS attacks to allow legitimate users to communicate with a critical target DOS attacks try to stop the communication The target is difficult to replicate

– e.g., high security or dynamic contents Legitimate users are mobile ( IP addresses are not fixed )

Motivation Applications: Emergency Response Teams (ERTs) Phone Networks are easy to be crashed FBI/Police/Fire dept contacts with a center database

Bank users / stock brokers access their accountsOn-line transactions

Application Requirements– Protect private communications on top of public

networks– Authenticated Mobile Users

3

Denial Of Service (DOS) Attacks

DOS Select a target to degrade its performance Generate “high volume” traffic to the target

– Use up network resources bandwidth, buffers* Packet flooding: for a 10Mbps-link, 830 1500-byte packets

– Overload CPU with security-checking or kernel resources

* Security Handshaking* TCP SYN flooding: holding all TCP control blocks* Force to a server fork many processes

SOS is not for general DOS attacks Not for global traffic analysis A number of authenticated users to communicate with a

selected target on a public network

4

Related Work

Participation Global Routers changes

Local filters atend-systems or routers

Detect/Prevent Spoofing

Router-based filtering,Ingress filtering

IP traceback

Identify/shutdown ongoing attacks

IP pushbackRate-limiting

Pattern matching and filtering

Proactively Prevent attacks

IPsec (in each step) SOS

Less implementation costs

More Secure

5

Players in SOS

Target Node / Server protected by SOS from DOS Fixed IP address, non-duplicable

Legitimate User Authenticated Users communicate with the

target Mobile IP address

Attacker Try to stop users to communicate with the target Limited Capability: not draging down core

routers

6

Basic Idea

Why DOS is effective? many-to-one Solution: hiding paths to the target through a large-

scale distributed filter Difficult to do because

– The Internet is an open architecture and will keep open– IP spoofing is easy and Ingress filters are not broadly

deployed, … Idea: Forwarding secure packets on a virtual overlay

network on top of the Internet– Secure packets are forwarded between overlay

nodes– Using a larger number of overlay nodes– Overlay network adapts to attacks quickly

Attackers must attack many nodes to be successful !

7

SOS Functionalities

Goals Allow legitimate users to communicate with

target Prevent packets from illegitimate attackers to

reach the target

Ideal Solution No changes required in intermediate routers No high-cost security checking near/at the

target

Assumptions Attackers have a limited number of resources Attackers cannot drag down core routers

– Does NOT solve the general DoS problem

8

Method 1: Source-Address Filtering

Routers near the target do simple filtering based on source IP addresses Only packets from legitimate nodes can reach the

target Packets from other sources

are dropped Fast Light-weight authenticator Routers are difficult to hack

Problems Attackers obtain an account on a legitimate node Attackers spoof packets with a legitimate src IP Legitimate users are mobile and don’t have fixed

IPs

9

Method 2: Filters + Proxy Servers

Idea: A proxy server between a legitimate user and the

target The proxy only forwards authenticated packets Only packets from the proxy can reach the target

Problems Once attackers know the IP of a proxy, x.x.x.x

they can spoof packets with x.x.x.x and reach the target

Attackers directly attack on the proxy to drag it down

10

Method 3: Filters + Secret Proxy Servers

Hiding the identity (IP address) of a proxy to prevent IP spoofing or attacks aiming at a proxy Secret Servlet is a hidden proxy is chosen by the

target A filter only allows packets whose source address

matches n Ns, a set of nodes selected

Only the target, secret servelets, and other few trusted nodes know the IP address of secret servlets

Attacker is not sure which node is a proxy for the target

11

Method 4: Filter + Secret Proxy + Overlay Routing + SOAP

Question: How to forward packets to a Secret Servlet without knowing its IP address?

Virtual Overlay Network Each node is an end host Only some nodes how to reach a proxy (Servlet) Indirect Assumption: large number of nodes

attackers couldn’t monitor all overlay nodes Service Overlay Access Points (SOAP’s)

Everyone knows a set of SOAP’s An SOAP is an entry node to the overlay network Receive and verify traffic via IPSec/TLS A large number of SOAPs as a distributed firewall

User SOAP across overlay Secret Servlet Target

12

Overlay Routing: SOAP Servlet Target

A Path from a SOAP to a Servlet must be hard to find

Random Walk: O(N/Ns) time, N is total # of overlay nodes, Ns is the # of

Servlet

Chord: O( log N )

A path must be resilient to attacks, fast recovery

13

Dynamic Hash Table (DHT)

Examples: Chord, CAN, PASTRY, Tapestry, …

Chord A distributed protocol with N homogenous overlay

nodes Each node has a node identifier Each object has an object key Distribute all object keys to N nodes:

the object with key T is mapped to node B, if H(T) = B,where object T is managed by node B

Chord Property: To find key T from any node to B is O(logN)

steps

14

A Beacon Connects a SOAP and a Servlet

An object key in SOS is the IP address of a target

Beacon B for IP address T is an overly node with an identifier B = H(T) Secret Servlet S finds Beacon B by B = H(T),

andtells it to forward packets with DST T from B to S SOAP A also finds Beacon B by B = H(T), and

forwards secure packets with DST T to B

Multiple hash functions produce different Beacons, i.e., different paths to the target.

15

Routing Summary

Target T randomly selects Secret Servlet S Secret Servlet S informs Beacon B to forward packets with DST

T to S SOAP A forwards authenticated packets with DST T to B

Overlay nodes are known to the public but their roles are secret Communications between overlay nodes are

secure/authenticated Packets are authenticated by SOAP before the overlay

16

Against the DoS attacks

Redundancy in SOS Every overlay node can be SOAP, Beacon or Servlet A target can select multiple Servlets Multiple beacons can be used by using different hashes Many SOAP’s

User SOAP Beacon Servlet Target

Attacks on an overlay nodeChord self-heals by removing the node from Chord

Attacks on all SOAP’s, otherwise an alternative SOAP exists Attacks on all Beacons: remove the nodes and change hash

functions Attacks on all Servlets

The target can real-time change the set of Servlets Target is protected by filters

17

Static Attack Analysis

N nodes in the overlay For a given target T

S is the number of Servlets B is the number of Beacons A is the number of SOAPs

Static Attacks: attackers randomly shutdown M out of N nodes

Pstatic = P(N, M, S, B, A) = P{stop communications with T}

P(n,b,c) = P{set of b nodes chosen randomly from set of n nodes, and set of b nodes contains set of c nodes} c

n

cb

bn

cbcn

C

C

C

CcbnP

),,(

18

Successfully Attack all Servlets or all Beacons or all SOAPs

Number of nodes attacked

Pstatic = P(N, M, S, B, A)= 1 – (1-P(N,M,S))(1-P(N,M,B))(1-P(N,M,A))

Prob Of Attack Success

19

Dynamic Attacks

Attack/Repair Battle The Overlay removes attacked nodes, taking

time TR

Attackers shifts attacking traffic from removed nodes to active nodes, taking time TA

Assume TR and TA are exponential distributed R.V., modeled as a birth-death process

Attacking rate Repairing rate Attack Load Ratio = /

20

Centralized Attacks and Centralized Recovery M/M/1/K

• 1000 nodes, 10 SOAP, 10 Beacons, 10 Servlets

• If repairing is faster then attacking, SOS can survive under large scale attacks

23

Distributed Attacks and Distributed Recovery, M/M///K

24

Conclusions

SOS protects a target from DOS Only legitimate traffic will reach the target

Approach Ingress Filtering Hidden Proxies Self-healing overlay networks to defeat attacks

Preliminary Analysis Static Attacks Dynamic Attacks

25

Mayday

Goal: protect critical servers Components

A Server: centralized resource A Filter Ring: around the server to protect it

– Edge routers of a domain An Overlay network

– An Overlay node can be * an ingress point of the overlay network (SOAP)* an egress point from the overlay network to

the filter ring (Servlet)* a forwarding node of the overlay network

A Client is authenticated by an overlay node but not trusted

26

Mayday Architecture

27

Generalizing the Idea of SOS

Packet Authenticators at a filter (mostly in IP header) Egress Sources IP Address (SOS) Server Destination Port: 1 to 65,536, large search

space Server Destination Address: 1 out of N reserved IP

addresses, (like VPN shield) Application-defined: ok with firewall, not core routers

Overlay routing schemes Proximity Routing: proxies close to client, filter is

known Singly-Indirect Routing: egress address is known Double-Indirect Routing (SOS) Random Walk Mix Routing: each node only know next step

28

Summary

SOS provides formal analysis Mayday discusses potential practical solutions

Discussion of Advanced attacking approaches

Questions: Long Delay in overlay routing Trust of overlay nodes Repair Speed v.s. Attacking Rate