Slide 1 (TPAC 10/10/2003, chow)
SCOLD: Secure Collective Internet Defense
http://cs.uccs.edu/~scold/
A NISSC Sponsored Project
C. Edward Chow
Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2003 grant.
Slide 2: Outline of the Talk
Network Security Research in UCCS Network Lab
Secure Collective Internet Defense, the Basic Idea
Secure Collective Internet Defense, SCOLDv0.1: a technique based on the Intrusion Tolerance paradigm
SCOLDv0.1 implementation and testbed
Secure DNS update with indirect routing entries
Indirect routing protocol based on IP tunnels
Performance Evaluation of SCOLDv0.1
Conclusion and Future Directions
Slide 3: New UCCS IA Degree/Certificate
Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3). It includes four courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design.
Slide 4: UCCS Network/System Research Lab
Director: Dr. C. Edward Chow
Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
New CS Faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (Two US Patents)
Hekki Julkunen: Dynamic Packet Filter
Chandra Prakash: High Available Linux kernel-based Content Switch
Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; First Responder Wireless Sensor Network
Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
Longhua Li: IXP-based Content Switch
Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
Jianhua Xie (Ph.D.): Secure Storage Networks
Frank Watson: Content Switch for Email Security
Paul Fong: Wireless AODV Routing for sensor networks
Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
David Wikinson: SCOLD: Secure DNS Update
Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI
Research Projects with Local Companies: MCI on Network Restoration/Survivability (Two Patents Awarded). Beta test of Northrop Grumman's MIND enhanced network analysis tool. CASI-Omnipoint on Wireless Antenna Placement Tool.
Slide 5: UCCS Network Lab Setup
Gigabit fiber connection to UCCS backbone
Router/Switch/Firewall/Wireless AP: 8 Routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink switches. Sonicwall Pro 300 Firewall*, 8 VPN gateways*, 8 Intel 7112 SSL accelerators*, 4 7820 XML directors*. Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both 802.11a and 802.11b cards). Intel IXP12EB network processor evaluation board.
Servers: Two Dell PowerEdge Servers*, 4 Cache appliances*.
Workstations/PCs: 8 Dell PCs (3 GHz*-500 MHz); 12 HP PCs (500-233 MHz); 2 laptop PCs with Aironet 350 for mobile wireless.
OS: Linux Red Hat 9.0; Windows XP/2000
* Equipment donated by Intel
Slide 6: DDoS: Distributed Denial of Service Attack
DDoS major victims: Yahoo/Amazon (2000), CERT (5/2001), DNS Root Servers (10/2002)
DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
[Diagram: DDoS attack hierarchy. A Mastermind Intruder controls a Client (Attack Commander), which controls Handlers (Middlemen), each of which controls many Agents (Attackers).]
Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period; most of the victims were home users and small to medium sized organizations.
Slide 7: Where is Cyber-Neighborhood Watch?
When did Neighborhood Watch start? http://www.usaonwatch.org/history.asp
How old is this?
Slide 8: Secure Collective Internet Defense
The Internet "attacks" community seems to be better organized. How about Internet Secure Collective Defense?
Report/exchange virus info and distribute anti-virus: not bad (need to pay Norton or Network Associates)
Report/exchange spam info: not good (spambayes, SpamAssassin, email firewall, remove.org)
Report attack (Have you ever done that? To your admin or the FBI? 303-629-7171, http://www1.ifccfbi.gov/index.asp): not good
IP Traceback: difficult to negotiate even the use of one bit in the IP header
Push back attacks: slow; calling the upstream ISP; hard to find the Intrusion Detection and Isolation Protocol spec!
Form a consortium and help each other during attacks: does not exist!
Slide 9: Intrusion Related Research Areas
Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
Intrusion Detection: Honey pot; Host-based IDS (Tripwire); Anomaly Detection; Misuse Detection
Intrusion Response: Identification/Traceback/Pushback; Intrusion Tolerance
Slide 10: Wouldn't it be Nice to Have Alternate Routes?
[Diagram: the Victim network is reachable through its main gateway R and through alternate gateways R1, R2, R3 (multi-homing). Client networks net-a.com, net-b.com and net-c.com, each with its own DNS server (DNS1, DNS2, DNS3), contain attackers (A) mixed among legitimate clients; DDoS attack traffic and client traffic both arrive through the main gateway.]
How to reroute clients' traffic through R1-R3?
Multi-homing
Slide 11: Secure Collective Defense
Main Idea: Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal: Provide secure alternate routes. Hide the IP addresses of the alternate gateways.
Techniques:
Multiple Path (Indirect) Routing.
Secure DNS extension: how to inform client DNS servers to add the new alternate entries (not your normal DNS name/IP address mapping entry).
Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways. How to partition clients to come in at different proxy servers? This may help identify the attacker!
How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, modify the resolver library.
Slide 12: Implement Alternate Routes
[Diagram: same topology as Slide 10; the Victim network with main gateway R and alternate gateways R1-R3, client networks net-a.com, net-b.com, net-c.com with DNS servers DNS1-DNS3, DDoS attack traffic and client traffic.]
Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide the IP addresses of the alternate gateways?
Slides 13-17: SCOLD
[Diagram, built up over five slides: the Victim network with main gateway R and alternate gateways R1-R3; client networks net-a.com, net-b.com, net-c.com with DNS servers DNS1-DNS3; proxy servers Proxy1-Proxy3 in front of R1-R3; a Reroute Coordinator; attack traffic and client traffic arriving at the victim.]
1. IDS detects the intrusion, blocks attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS.
3. New routes are set up: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4/4a. Attack traffic detected by IDS is blocked by the Firewall.
4b. Client traffic comes in via the alternate routes.
Slide 18: SCOLD Secure DNS Update with New Indirect DNS Entries
New Indirect DNS Entries: (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
The ALT list is a set of alternate proxy servers for indirect routes.
[Diagram: Modified Bind9 servers on the victim and client sides and a Modified Client Resolver Library exchange the new indirect entries; the new protocol between them is the major work.]
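The reroute exchange of Slides 13-17 and the indirect DNS entry of Slide 18, written out as an added example (this is not the SCOLD code, which lived in a modified Bind9 and resolver library). It assumes, since the slides do not give the mechanism, that the Reroute Command is authenticated with a shared-key HMAC and a sequence number, and that the modified resolver partitions clients across the ALT proxies by hashing the client address; the key and the client address are constructed values, the names and addresses in the entry are the ones on the slide.

```python
import hashlib
import hmac
import json

# Constructed demo key. The slides call the update "secure" without naming the
# mechanism, so a shared-key HMAC between coordinator and DNS is this example's assumption.
SHARED_KEY = b"constructed-demo-key"


def _mac(fields):
    """Authentication tag over the Reroute Command fields (assumed mechanism)."""
    payload = json.dumps(fields, separators=(",", ":")).encode()
    return hmac.new(SHARED_KEY, payload, hashlib.sha256).hexdigest()


def format_alt_entry(name, victim_ip, proxies):
    """Indirect DNS entry in the notation used on the slide."""
    return f"({name}, {victim_ip}, ALT {' '.join(proxies)})"


class RerouteCoordinator:
    """Step 2: answers a distress call with an authenticated Reroute Command."""

    def __init__(self, proxy_pool):
        self.proxy_pool = list(proxy_pool)
        self.seq = 0  # sequence number so a captured command cannot be replayed

    def distress_call(self, name, victim_ip):
        self.seq += 1
        fields = [name, victim_ip, self.proxy_pool, self.seq]
        return {"cmd": fields, "mac": _mac(fields)}


class ScoldDns:
    """Modified DNS server holding A records plus the new ALT (indirect) entries."""

    def __init__(self, a_records):
        self.a_records = dict(a_records)
        self.alt_records = {}
        self.last_seq = 0

    def apply_reroute(self, msg):
        """Install an ALT entry; True only for an authentic, fresh command
        that refers to a name and address this server actually serves."""
        name, victim_ip, proxies, seq = msg["cmd"]
        if not hmac.compare_digest(_mac([name, victim_ip, proxies, seq]), msg["mac"]):
            return False  # forged or corrupted command
        if seq <= self.last_seq:
            return False  # replayed command
        if self.a_records.get(name) != victim_ip:
            return False  # does not match the victim we serve
        self.last_seq = seq
        self.alt_records[name] = list(proxies)
        return True

    def resolve(self, name):
        """(direct IP, alternate proxies) as the modified resolver library sees it."""
        return self.a_records.get(name), list(self.alt_records.get(name, []))


def choose_proxy(client_ip, proxies):
    """Modified resolver: partition clients across proxies by hashing the client
    address (assumed rule), so one client always enters through one proxy."""
    if not proxies:
        return None
    digest = hashlib.sha256(client_ip.encode()).digest()
    return proxies[int.from_bytes(digest[:4], "big") % len(proxies)]


def run_scenario():
    """Walks steps 1-4b with the addresses from the slide; returns what each side saw."""
    proxies = ["203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38"]
    coordinator = RerouteCoordinator(proxies)
    dns = ScoldDns({"target.targetnet.com": "133.41.96.71"})

    # Step 1: the victim's IDS sends a distress call; step 2: the coordinator answers.
    cmd = coordinator.distress_call("target.targetnet.com", "133.41.96.71")
    accepted = dns.apply_reroute(cmd)
    replayed = dns.apply_reroute(cmd)  # the same command delivered twice is rejected

    # A command with an attacker-chosen proxy list but no valid tag is rejected.
    forged = {"cmd": [cmd["cmd"][0], cmd["cmd"][1], ["198.51.100.9"], 99], "mac": cmd["mac"]}
    forged_ok = dns.apply_reroute(forged)

    # Steps 3/4b: a legitimate client (constructed address) resolves the name and picks a proxy.
    direct_ip, alternates = dns.resolve("target.targetnet.com")
    proxy = choose_proxy("192.0.2.10", alternates)
    return {
        "accepted": accepted,
        "replayed": replayed,
        "forged": forged_ok,
        "entry": format_alt_entry("target.targetnet.com", direct_ip, alternates),
        "proxy": proxy,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The three rejection paths in apply_reroute are the security-relevant part: without the tag an attacker who can reach the DNS server could point clients at proxies of his own choosing, and without the sequence check a recorded command could be replayed after the victim has recovered and the ALT entry withdrawn.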
Slide 19: SCOLD Indirect Routing
[Diagram: indirect route from the client through a proxy server to an alternate gateway, carried over IP tunnels.]
Slide 20: Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3 hop route)
  No DDoS attack, direct route      0.49 ms
  DDoS attack, direct route         225 ms
  No DDoS attack, indirect route    0.65 ms
  DDoS attack, indirect route       0.65 ms

Table 2: SCOLD FTP/HTTP download Test (from client to target)
            No DDoS, direct    DDoS, direct       No DDoS, indirect   DDoS, indirect
Doc Size    FTP      HTTP      FTP      HTTP      FTP      HTTP       FTP      HTTP
100k        0.11 s   3.8 s     8.6 s    9.1 s     0.14 s   4.6 s      0.14 s   4.6 s
250k        0.28 s   11.3 s    19.5 s   13.3 s    0.31 s   11.6 s     0.31 s   11.6 s
500k        0.65 s   30.8 s    39 s     59 s      0.66 s   31.1 s     0.67 s   31.1 s
1000k       1.16 s   62.5 s    86 s     106 s     1.15 s   59 s       1.15 s   59 s
2000k       2.34 s   121 s     167 s    232 s     2.34 s   122 s      2.34 s   123 s
Slide 21: A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
[Diagram: a Firewall Gateway running as a Linux router with Multi-Level Rate Limiting.
 eth0: IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1
 eth1: IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12
 IDS: snort.conf Flood Preprocessor Threshold; snort.conf Flood Rate Limiter Preprocessor Thresholds; rateif.conf (levels, rate, expiration, port # etc.); ./snort -A UNSOCK; report.c, ./alert, rateif.pl
 Rate limiting levels: Level 4 Open (5 days); Level 3 100 p/s; Level 2 50 p/s; Level 1 Block (2 hrs); Level 0 Block (2 days); Level 1 expires.]
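The multi-level rate limiting state machine sketched on the A2D2 slide, written out as an added example; it is not the A2D2 code, which was Snort preprocessors plus rateif.pl. The slide gives the five levels and their rates or block durations; everything else here is assumed: each IDS alert moves a source one level toward Block, an expired level steps the source back one level toward Open (the slide shows only the "Level 1 expires" transition), the 100 p/s and 50 p/s levels use a constructed 600-second expiration standing in for the values rateif.conf would hold, and the 5-day age-out of Open records is not modelled. The flooding source address is constructed.

```python
DEFAULT_LEVEL = 4  # Open: the state every source starts in

# Levels from the slide, most restrictive first. rate is packets/second allowed
# (0 = block, None = unlimited); duration is how long the level is held before
# it expires one step toward Open. 600 s for levels 2 and 3 is a constructed value.
LEVELS = {
    0: {"name": "Block (2 days)", "rate": 0, "duration": 2 * 24 * 3600},
    1: {"name": "Block (2 hrs)", "rate": 0, "duration": 2 * 3600},
    2: {"name": "50 p/s", "rate": 50, "duration": 600},
    3: {"name": "100 p/s", "rate": 100, "duration": 600},
    4: {"name": "Open (5 days)", "rate": None, "duration": 5 * 24 * 3600},
}


class MultiLevelRateLimiter:
    """Per-source level tracking with expiry, driven by IDS flood alerts."""

    def __init__(self, levels=LEVELS):
        self.levels = levels
        self.state = {}  # src -> {"level", "expires_at", "tokens", "last"}

    def _refresh(self, src, now):
        """Apply any expirations that have passed since the last event for src.
        Expiry is chained from the old deadline, so a source that has been idle
        through several expiry periods steps through each level in turn."""
        st = self.state.setdefault(
            src, {"level": DEFAULT_LEVEL, "expires_at": None, "tokens": 0.0, "last": now})
        while st["expires_at"] is not None and now >= st["expires_at"]:
            st["level"] += 1
            if st["level"] >= DEFAULT_LEVEL:
                st["level"] = DEFAULT_LEVEL
                st["expires_at"] = None
            else:
                st["expires_at"] += self.levels[st["level"]]["duration"]
        return st

    def alert(self, src, now):
        """The flood preprocessor reported src: move it one level toward Block
        and start that level's expiration clock. Returns the new level."""
        st = self._refresh(src, now)
        st["level"] = max(0, st["level"] - 1)
        st["expires_at"] = now + self.levels[st["level"]]["duration"]
        st["tokens"] = 0.0  # no stored burst credit after an alert
        st["last"] = now
        return st["level"]

    def admit(self, src, now, packets=1):
        """How many of `packets` arriving from src at time `now` are let through.
        Rate-limited levels use a token bucket with a one-second burst allowance."""
        st = self._refresh(src, now)
        rate = self.levels[st["level"]]["rate"]
        if rate is None:
            return packets
        if rate == 0:
            return 0
        st["tokens"] = min(rate, st["tokens"] + (now - st["last"]) * rate)
        st["last"] = now
        accepted = int(min(packets, st["tokens"]))
        st["tokens"] -= accepted
        return accepted

    def level_of(self, src, now):
        return self._refresh(src, now)["level"]


def run_scenario():
    """Escalates one flooding source through all levels, then lets the blocks expire."""
    rl = MultiLevelRateLimiter()
    src = "198.51.100.23"  # constructed flooding source
    t = 0.0
    out = {"start": rl.level_of(src, t)}
    out["after_alert1"] = rl.alert(src, t)               # level 3: 100 p/s
    out["burst_at_100ps"] = rl.admit(src, t + 1.0, 150)  # one second of credit: 100 pass
    out["after_alert2"] = rl.alert(src, t + 2.0)         # level 2: 50 p/s
    out["burst_at_50ps"] = rl.admit(src, t + 3.0, 150)   # 50 pass
    out["after_alert3"] = rl.alert(src, t + 4.0)         # level 1: Block (2 hrs)
    out["blocked"] = rl.admit(src, t + 5.0, 10)          # nothing passes
    out["after_alert4"] = rl.alert(src, t + 6.0)         # level 0: Block (2 days)
    two_days = 2 * 24 * 3600
    out["after_2_days"] = rl.level_of(src, t + 6.0 + two_days)             # expires to level 1
    out["after_2_days_2_hrs"] = rl.level_of(src, t + 6.0 + two_days + 7200)  # then to level 2
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Chaining expirations from the previous deadline rather than from the current clock matters for a firewall that only looks at a source when its packets arrive: a source blocked for two days that stays quiet for a week should be back at Open on its next packet, not stuck one level up.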
Slide 22: Future Directions
Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
Recruit sites for wide area network SCOLD experiments. Northrop Grumman, the Air Force Academy's IA Lab, and the University of Texas are initial potential partners. Email me if you would like to be one of the SCOLD beta test sites and a member of the SCOLD consortium.
We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool. The network status information collected and analyzed by MIND can be used for selecting proxy server sites.
Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem.
SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.
SCOLD can be used to provide additional Internet bandwidth dynamically when there is a sudden need for bandwidth and connections. It is not just a security tool.
A company can deploy SCOLD by using its branch offices to provide proxy servers.
Slide 23: Conclusion
Secure Collective Internet Defense needs significant help from the community. There are tremendous research and development opportunities.
SCOLD v0.1 demonstrated DDoS defense via secure DNS updates with new indirect routing entries and IP-tunnel based indirect routing, letting legitimate clients come in through a set of proxy servers and alternate gateways.
It can be used to provide additional Internet bandwidth (nice side effect!). Multiple indirect routes can also be used to improve the performance of Internet connections by using the proxy servers of an organization as connection relay servers.
If you would like to fund this project or commercialize it, let me know.