Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Page 1: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Sarah Jelinek
University Of Colorado, Colo. Spgs.
[email protected]

Spring Semester 2003, CS691 Project

Page 2: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Project Goals

• Ultimate goal of project
  – To make anti-DDoS technology more robust

• Relationship to other projects
  – Enhancements of existing A2D2 architecture to incorporate IDIP and Alternate Proxy Servers

• High-level timing goals
  – Research and new architecture, now
  – Project completion planned for 9/03

Page 3: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Description - A2D2

• Developed by Angela Cearns, UCCS Masters Thesis
• DDoS Intrusion Detection and Response
• Uses freeware as main detection component
• Modifications made to effect better response

FOR MORE INFO...

http://cs.uccs.edu/~chow/pub/master/acearns/doc/angThesis-final.pdf

Page 4: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2, cont..

Page 5: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2, cont..

• Strengths
  – Uses open source components
  – Portable
  – Configurable

• Weaknesses
  – Host Based
  – Local Network response
  – No attempt made to actively trace intruder
  – Possible bottleneck at firewall
  – Static thresholds

Page 6: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 Technology

• New technology being used
  – Intrusion Detection and Isolation Protocol (IDIP)
  – Alternate Proxy Servers

• Standards being adopted
  – IDIP
    • Will work with other IDIP enabled Intrusion Detection Networks
  – Service Location Protocol (SLP)
    • Allows discovery of registered IDIP Nodes

Page 7: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 What It Solves

• Host Based
  – Now a dynamic, network wide solution
    • Will work with other IDIP enabled Intrusion Detection Networks utilizing CITRA

• Active Tracing of Intruder
  – SLP is used to discover other network IDIP services

Page 8: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 What It Solves, cont..

• Local Response
  – SLP used for location of alternate proxy servers for more global response

• Firewall Bottleneck
  – Response Coordination Centralized

Page 9: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 & IDIP

• IDIP
  – Developed by Boeing and NAI Labs
  – Supports real-time tracking and containment of DDoS attacks
  – Three layers:
    • Application Layer
    • Message Layer
    • Discovery Coordinator

Page 10: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 - Discovery Coordinator

• IDIP Discovery Coordinator
  – Bulk of the work done here
  – Network wide response coordinator
  – Will notify clients and client DNS of alternate routes available
  – Standardized language used for messages and topology (CISL)
  – Local attack response still active if down

Page 11: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

IDIP Nodes

[Figure: IDIP node diagram. Nodes shown: Intrusion Detection Systems, Routers, Firewalls, a Server, a Client, and a Network Manager acting as the Discovery Coordinator.]

FOR MORE INFO...

http://zen.ece.ohiou.edu/~inbounds/DOCS/reldocs/IDIP_Architecture.doc

Page 12: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 Proposed Architecture

Page 13: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Alternate Routes

FOR MORE INFO...

http://cs.uccs.edu/%7Echow/research/security/uccsSecurityResearch.ppt

[Figure: "Implement Alternate Routes" (Security Research, 1/10/2003, chow, slide 22). Diagram of a Victim network with its DNS server (DNS1); attacking hosts (A) spread across net-a.com, net-b.com and net-c.com, served by DNS2 and DNS3; routers R1, R2 and R3; and Alternate Gateways. DDoS attack traffic and client traffic are drawn as separate flows.]

Need to inform Clients or Client DNS servers!

But how to tell which Clients are not compromised?

How to hide IP addresses of Alternate Gateways?

Page 14: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Alternate Routes, cont..

[Figure: "Possible Solution for Alternate Routes" (Security Research, 1/10/2003, chow, slide 23). Same topology as the previous slide, with Proxy1, Proxy2 and Proxy3 added in front of routers R1, R2 and R3. The Victim sends a distress call; a Reroute command carrying the DNS/IP address of the proxy and of the Victim is sent out; attack messages arriving via R2 are blocked by the IDS; a new route via Proxy3 to R3 is established.]

Page 15: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 & SLP -> Alternate Routes

[Figure: A2D2-2 version of the alternate-routes diagram. The Victim's local network runs an A2D2-2 Network IDS with a local IDS response; the A2D2-2 IDIP Discovery Coordinator (DC) uses SLP for discovery of and communication with IDIP Nodes at routers R1, R2 and R3 and at Proxy1, Proxy2 and Proxy3; attack messages are blocked and traced back by the IDS; a new route via Proxy3 to R3 is established.]
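The reroute exchange drawn on the "Possible Solution for Alternate Routes" and "A2D2-2 & SLP" slides, as an added example that is not part of the original slides and is not A2D2-2, IDIP, CISL or SLP code. It is an offline simulation: the message classes (DistressCall, RerouteCommand), the SLPRegistry stand-in, the service-type names "idip-proxy" and "idip-router", the first-healthy-proxy selection rule and all addresses are constructed assumptions. It also covers the "Local attack response still active if down" bullet from the Discovery Coordinator slide by running the same traffic with the coordinator unreachable.

```python
"""Added example, constructed for this page (not code from the A2D2-2 project): an offline
simulation of the alternate-route response on the "Possible Solution for Alternate Routes"
and "A2D2-2 & SLP" slides. Message names, fields and SLPRegistry are stand-ins, not the
real IDIP message layer, CISL or SLP wire formats."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class IDIPNode:              # a router hosting an IDIP node (constructed stand-in)
    name: str
    healthy: bool = True


@dataclass
class Proxy:                 # an alternate proxy server registered as an IDIP node
    name: str
    ip: str
    gateway: str             # alternate gateway router behind the proxy, hidden from clients
    healthy: bool = True


@dataclass
class DistressCall:          # victim -> coordinator
    victim: str              # victim's DNS name
    attack_sources: list     # source IPs the local IDS traced


@dataclass
class RerouteCommand:        # coordinator -> client DNS: victim name plus proxy IP
    victim: str
    proxy_ip: str


class SLPRegistry:
    """Stand-in for SLP discovery of registered IDIP nodes, keyed by service type."""
    def __init__(self):
        self.services = {}

    def register(self, service_type, node):
        self.services.setdefault(service_type, []).append(node)

    def find(self, service_type):
        return [n for n in self.services.get(service_type, []) if n.healthy]


class DiscoveryCoordinator:
    """Network-wide response coordinator (the IDIP Discovery Coordinator role)."""
    def __init__(self, registry, client_dns_servers):
        self.registry = registry
        self.client_dns_servers = client_dns_servers  # each is a dict: name -> IP record
        self.router_blocks = {}  # router name -> set of source IPs it was told to block

    def handle_distress(self, call):
        proxies = self.registry.find("idip-proxy")
        if not proxies:
            return None          # no healthy proxy discovered: nothing to reroute to
        proxy = proxies[0]       # selection policy is not specified on the slides
        cmd = RerouteCommand(victim=call.victim, proxy_ip=proxy.ip)
        for dns in self.client_dns_servers:
            dns[cmd.victim] = cmd.proxy_ip  # clients now resolve the victim name to the proxy
        for router in self.registry.find("idip-router"):
            self.router_blocks.setdefault(router.name, set()).update(call.attack_sources)
        return {"proxy": proxy.name, "gateway": proxy.gateway, "blocks": self.router_blocks}


class LocalIDS:
    """Victim-side A2D2-2 network IDS: local response first, then the distress call."""
    def __init__(self, victim, coordinator=None, threshold=100):
        self.victim = victim
        self.coordinator = coordinator  # None models an unreachable coordinator
        self.threshold = threshold
        self.blocked = set()

    def observe(self, packets):
        """packets: iterable of (src_ip, dst_name); returns the coordinator's response or None."""
        counts = Counter(src for src, dst in packets if dst == self.victim)
        offenders = sorted(src for src, n in counts.items() if n > self.threshold)
        self.blocked.update(offenders)  # local response always applies
        if not offenders or self.coordinator is None:
            return None                 # coordinator down: local response stands alone
        return self.coordinator.handle_distress(DistressCall(self.victim, offenders))


def simulate(dc_available=True):
    """Run the exchange on constructed traffic; returns (ids, client_dns, dc_response)."""
    registry = SLPRegistry()
    registry.register("idip-proxy", Proxy("Proxy1", "192.0.2.10", "R1", healthy=False))
    registry.register("idip-proxy", Proxy("Proxy3", "192.0.2.30", "R3"))
    for name in ("R1", "R2", "R3"):
        registry.register("idip-router", IDIPNode(name))
    client_dns = [{"victim.example": "198.51.100.1"} for _ in range(2)]
    dc = DiscoveryCoordinator(registry, client_dns) if dc_available else None
    ids = LocalIDS("victim.example", dc, threshold=50)
    # Constructed traffic (RFC 5737 test addresses): two flooding hosts, one ordinary client
    packets = ([("203.0.113.7", "victim.example")] * 200
               + [("203.0.113.9", "victim.example")] * 120
               + [("198.51.100.77", "victim.example")] * 5)
    return ids, client_dns, ids.observe(packets)
```

Two design points follow the slides' open questions: the reroute command carries only the proxy's address, so the alternate gateway behind it stays hidden from clients, but the coordinator pushes the new record to every client DNS server it knows, which is exactly the unresolved "which clients are not compromised?" problem from the previous slide. With `simulate(dc_available=False)` the offending sources are still blocked locally while no DNS record changes, the behaviour the Discovery Coordinator slide describes for a coordinator that is down.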

Page 16: Autonomous Anti-DDoS Network V2.0 (A2D2-2)

A2D2-2 Futures

• IDIP Redundant/Cooperative Discovery Coordinators
• Discovery Coordinator Response Optimization Enhancements
• Updates To Snort
• Secure DNS (already started?)
