SCOLD: Secure Collective Internet Defense (http://cs.uccs.edu/scold/) - PowerPoint PPT Presentation

Description: ... a NISSC Summer 2002 grant. 2. Globecom2004. chow. Outline ... RON network, MIT. Detour project, U of Washington. Westwood project, UCLA. mTCP project, Princeton ...
Slides: 31

Transcript and Presenter's Notes

1
SCOLD: Secure Collective Internet Defense
http://cs.uccs.edu/scold/
C. Edward Chow, Yu Cai, Ganesh Godavari
Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2002 grant.
2
Outline of the Talk
  • Secure Collective Internet Defense, the idea.
    How should we pursue it?
  • Secure Collective Internet Defense, SCOLD v0.1: a
    technique based on the Intrusion Tolerance paradigm
  • SCOLD v0.1 implementation and testbed
  • Secure DNS update with indirect routing entries
  • Indirect routing protocol based on IP tunnel
  • Performance evaluation of SCOLD v0.1
  • SCOLD v0.2 multipath connection
  • Conclusion and Future Directions

3
DDoS: Distributed Denial of Service Attack
Research by Moore et al. of University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period; most of the victims are home, small to medium sized organizations.
DDoS victims: Yahoo/Amazon 2000; CERT 5/2001; DNS Root Servers 10/2002 (4 up, 7 crippled, 80 Mbps); Akamai DDNS 5/2004.
DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN).
4
DDoS Attack on Akamai?
  • So today an outage of some sort at Akamai's
    distributed DNS service brought down access to
    some major sites from various parts of the world,
    including Google, Yahoo, and Microsoft. Pretty
    quickly, as evidenced by this slashdot thread, the
    questions over how the days of "no single point
    of failure" are over started to pop up. Akamai
    problems. Quiet, well kinda quiet, day on the
    Internet. --- Diego Doval, CTO of Clevercactus
  • Update (Mon. May 24th 9 am EST, 1300 UTC, 1500
    CEST)
  • It appears that websites that use Akamai's
    distribution system are currently not reachable.
    Security related web sites affected are
    symantec.com and trendmicro.com. Virus updates
    may fail as a result. Further details are
    currently not available and updates will be
    posted here as they become available. Thanks to
    Vidar Wilkens for alerting us of this problem.
    --- infoworld 7/4/2004

5
Secure Collective Internet Defense
  • The Internet attack community seems to be better
    organized.
  • How about Internet Secure Collective Defense?
  • Report/exchange virus info and distribute
    anti-virus: not bad (need to pay Norton or
    Network Associates)
  • Report/exchange spam info: not good (SpamBayes,
    SpamAssassin, email firewall, remove.org)
  • Report attack (to your admin or the FBI?): not good
  • IP Traceback: difficult to negotiate even the
    use of one bit in the IP header
  • Push back attack: slow call to the upstream ISP;
    hard to find the IDIP spec!
  • Form a consortium and help each other during
    attacks: almost non-existent

6
An Enterprise Cyber-Defense System
7
Intrusion Related Research Areas
  • Intrusion Prevention
    • General Security Policy
    • Ingress/Egress Filtering
  • Intrusion Detection
    • Honey pot
    • Host-based IDS (Tripwire)
    • Anomaly Detection
    • Misuse Detection
  • Intrusion Response
    • Identification/Traceback/Pushback
    • Intrusion Tolerance

8
Secure Collective Defense
  • Main Idea: Explore secure alternate paths for
    clients to come in; utilize geographically
    separated proxy servers.
  • Goals
    • Provide secure alternate routes
    • Hide IP addresses of alternate gateways
  • Techniques
    • Multiple Path (Indirect) Routing
    • Secure DNS extension: how to inform client DNS
      servers to add alternate new entries (not your
      normal DNS name/IP address mapping entry).
    • Utilize a consortium of proxy servers with IDS
      that hides the IP address of alternate gateways.
    • How to partition clients to come in at different
      proxy servers? May help identify the attacker!
    • How do clients use the new DNS entries and route
      traffic through the proxy server? Use the SOCKS
      protocol, modify the resolver library.

9
Wouldn't it be Nice to Have Alternate Routes?
Figure: three client networks (net-a.com, net-b.com, net-c.com), each with its DNS server (DNS1-DNS3) and router, reaching the victim through gateways R1-R3; compromised agents (A) send DDoS attack traffic alongside legitimate client traffic. Question posed on the slide: How to reroute clients' traffic through R1-R3? Multi-homing.
10
Possible Solution for Alternate Routes
Figure: client networks net-a.com, net-b.mil and net-c.mil (DNS1-DNS3) with Proxy1-Proxy3 placed in front of gateways R1-R3; a new route runs via Proxy3 to R3 while attack messages are blocked at R2. The victim sends a distress call, and a reroute command carrying the DNS/IP addresses of the proxy and the victim is sent out.
11
SCOLD
Figure: the same topology (net-a/b/c.com, DNS1-DNS3, Proxy1-Proxy3, gateways R1-R3, the victim) with a Reroute Coordinator added. Step 1: the IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator. Legend: attack traffic, client traffic, victim.
12
SCOLD
Figure: same topology. Step 1: the IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator. Step 2: the Reroute Coordinator sends a Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to the client DNS servers.
13
SCOLD
Figure: same topology. Step 2: the Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) reaches the DNS servers. Step 3: new routes are set up via Proxy1 to R1, via Proxy2 to R2, and via Proxy3 to R3.
14
SCOLD
Figure: same topology with the step 3 routes (via Proxy1 to R1, Proxy2 to R2, Proxy3 to R3) in place. Step 4 and 4a: attack traffic is detected by the IDS and blocked by the firewall at the gateways.
15
SCOLD
Figure: the complete SCOLD sequence on the same topology. 1. The victim sends a distress call. 2. The Reroute Coordinator sends a Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)). 3. New routes via Proxy1 to R1, Proxy2 to R2, Proxy3 to R3. 4 and 4a. Attack traffic is detected by the IDS and blocked by the firewall. 4b. Client traffic comes in via the alternate route.
16
SCOLD Secure DNS Update with New Indirect DNS Entries
Figure: a modified Bind9 on each DNS server and a modified client resolver library exchange the new indirect DNS entry, shown on the slide as
(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
New Indirect DNS Entries: a set of alternate proxy servers for indirect routes.
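The reroute exchange of slides 11-16 (distress call, reroute command, indirect DNS entry with ALT proxies, client resolver picking a proxy) as an added stand-alone model in Python; this is not the SCOLD project's code. ClientDns, RerouteCoordinator and next_hop are hypothetical names, the coordinator-identity check stands in for the secure DNS update, and the addresses are the sample values from slide 16.

```python
from dataclasses import dataclass, field

# Constructed sample values taken from slide 16 (victim name/IP, ALT proxies).
VICTIM_NAME, VICTIM_IP = "target.targetnet.com", "133.41.96.71"
PROXIES = ["203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38"]

@dataclass
class IndirectEntry:
    """A DNS entry extended with ALT proxy addresses (the new indirect entry)."""
    name: str
    ip: str
    alt: list = field(default_factory=list)

class ClientDns:
    """Stand-in for the modified Bind9 on the client side (hypothetical API)."""
    def __init__(self, trusted_coordinators):
        self.trusted = set(trusted_coordinators)
        self.entries = {}

    def apply_reroute(self, cmd):
        # Accept a reroute command only from a known coordinator. The real
        # system secures the DNS update itself; here trust is modelled by id.
        if cmd["coordinator"] not in self.trusted:
            return False
        self.entries[cmd["name"]] = IndirectEntry(
            cmd["name"], cmd["victim_ip"], list(cmd["proxies"]))
        return True

    def resolve(self, name):
        return self.entries.get(name)

class RerouteCoordinator:
    """Takes the IDS distress call (step 1), issues the reroute command (step 2)."""
    def __init__(self, ident, proxies):
        self.ident, self.proxies = ident, list(proxies)

    def handle_distress(self, name, victim_ip, client_dns_servers):
        cmd = {"coordinator": self.ident, "name": name,
               "victim_ip": victim_ip, "proxies": self.proxies}
        return [dns.apply_reroute(cmd) for dns in client_dns_servers]

def next_hop(entry, client_id):
    """Modified client resolver (step 4b): with ALT entries present, send the
    traffic to a proxy chosen by a stable hash of the client id, so different
    client populations enter through different proxies; else use the direct IP."""
    if entry is None:
        return None
    if not entry.alt:
        return entry.ip
    return entry.alt[sum(client_id.encode()) % len(entry.alt)]
```

Partitioning clients across proxies by a stable hash is what lets an operator see which client population a surviving attack arrives with, the point raised on slide 8.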
17
SCOLD Indirect Routing
Figure: the indirect route between client and target built from two IP tunnels.
18
SCOLD Indirect Routing with Client running SCOLD client daemon
Figure: the same two-tunnel indirect route, with the SCOLD client daemon running on the client host.
19
Performance of SCOLD v0.1
  • Table 1: Ping response time (on a 3-hop route)
  • Table 2: SCOLD FTP/HTTP download test (from
    client to target)

Both tables compare the columns "With Single Indirect Route" and "With direct Route".
20
Benefit of SCOLD v0.1
  • Capability to perform secure peer-to-peer DNS
    update (with enhanced DNS indirect routing
    entries) through indirect routes.
  • Capability to establish multiple indirect routes
    in today's Internet via designated proxy servers
    and alternate gateway.
  • Improved performance: larger aggregated bandwidth
    (can provide a bandwidth-on-demand service).
  • Improved reliability
    • Send redundant critical info over geographically
      diverse paths.
    • Avoid network congestion.
  • Improved security
    • Dynamically establish alternate paths against
      DDoS.
    • Enable peer-to-peer indirect DNS query/update.
    • Spread traffic over multiple paths to avoid
      traffic analysis.

21
SCOLD v0.2 Multipath Connection
22
Proxy Server based Multipath Connection (PSMC)
  • How to set up multiple routes between two end
    hosts? Via a set of intermediate connection relay
    proxy servers, using IP tunneling.
  • How to stripe packets across multiple routes? At
    the IP layer, in a weighted round robin manner.
    Both TCP and UDP can benefit from it.
  • TCP persistent reordering problem. TCP packets
    sent over multiple routes are likely to reach the
    destination out of sequence order. Our
    experimental results show that this can seriously
    degrade the overall system performance. In PSMC,
    we use a double buffer at the TCP layer on the
    receiver side to solve the problem.
  • TCP high loss rate problem. The loss rate of a
    multipath connection is usually higher than that
    of a single path connection. Traditional TCP
    blindly cuts the congestion window size in half
    upon fast retransmit, which may slow down TCP
    performance in the multipath scenario. In PSMC,
    we set the congestion window size to a more
    appropriate value upon fast retransmit.
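
The two PSMC mechanisms above, IP-layer weighted round robin striping and the receiver-side reorder buffer, as an added Python model run on constructed path delays; it is not PSMC's code. stripe_packets, ReorderBuffer and simulate are hypothetical names, and the one-packet-per-tick send clock is an assumption.

```python
def stripe_packets(num_packets, path_weights):
    """PSMC-style IP-layer striping: weighted round robin, where a path with
    weight w carries w consecutive packets per round. Returns [(seq, path)]."""
    schedule = [p for p, w in path_weights.items() for _ in range(w)]
    return [(seq, schedule[seq % len(schedule)]) for seq in range(num_packets)]

class ReorderBuffer:
    """Receiver-side buffer in front of TCP: packets arriving ahead of the next
    expected sequence number are held and released in order, so TCP never
    sees the persistent reordering caused by unequal path delays."""
    def __init__(self):
        self.expected = 0
        self.held = set()
        self.max_held = 0      # peak occupancy, i.e. how large the buffer must be

    def receive(self, seq):
        if seq < self.expected or seq in self.held:
            return []          # duplicate: already delivered or already held
        self.held.add(seq)
        self.max_held = max(self.max_held, len(self.held))
        released = []
        while self.expected in self.held:
            self.held.remove(self.expected)
            released.append(self.expected)
            self.expected += 1
        return released

def simulate(path_weights, path_delay, num_packets, send_interval=1):
    """Send one packet per send_interval (assumed clock); each arrives after
    its path's delay. Returns (arrival order, order handed to TCP by the
    buffer, peak buffer occupancy)."""
    sent = stripe_packets(num_packets, path_weights)
    arrivals = sorted((seq * send_interval + path_delay[p], seq) for seq, p in sent)
    raw_order = [seq for _, seq in arrivals]
    buf = ReorderBuffer()
    in_order = [s for _, seq in arrivals for s in buf.receive(seq)]
    return raw_order, in_order, buf.max_held
```

With a fast path weighted 2 and a slow path weighted 1, packets reach the receiver as 0, 1, 3, 4, 2, 5; without the buffer TCP would see the gap as loss and trigger fast retransmit, with it the stream is delivered in order at the cost of holding three packets.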

23
Proxy Server based Multipath Connection (PSMC)
  • Path selection. To achieve maximum aggregate
    bandwidth, a labeling algorithm is proposed in
    PSMC.
  • Bad path detection. Experimental results show
    that a failed path, a bad path, or paths with
    shared congestion links can seriously affect
    system performance. In PSMC, by passively
    monitoring at the end hosts and periodically
    exchanging network information through a
    communication channel, we can quickly detect the
    unwanted paths.
  • Path management. Path addition and path deletion
    need to be done dynamically, at low cost and in
    a timely manner.
  • Failure recovery. A multipath system should
    recover quickly from sub-path failure.

24
PSMC performance result without double buffer
25
PSMC performance result with double buffer
26
Processing overhead of PSMC on a single path
27
The impact of a bad path
28
Selected related works
  • RON network, MIT
  • Detour project, U of Washington
  • Westwood project, UCLA
  • mTCP project, Princeton
  • TCP-PR, UC
  • Multihoming and overlay, SIGCOMM 2004
  • Internet Indirection Infrastructure, TON 2004

29
Future Directions
  • Add a thin layer between TCP and IP to utilize the
    multiple geographically diverse routes set up
    with IP tunnels.
  • SCOLD Proxy Server Selection Problem
  • Porting DNS/Indirect Routing Protocol to Windows.
  • Recruit sites for wide area network SCOLD
    experiments. Northrop Grumman, Air Force
    Academy's IA Lab, and University of Texas are
    initial potential partners. Email me if you would
    like to be part of the SCOLD beta test sites and
    form a SCOLD consortium.
  • SCOLD technologies can be used as a potential
    solution for bottlenecks detected by network
    analysis tools.

30
Conclusion
  • Secure Collective Internet Defense needs
    significant help from the community. Tremendous
    research and development opportunities.
  • SCOLD v0.1 demonstrated DDoS defense via
    • use of secure DNS updates with new indirect
      routing entries
    • IP-tunnel based indirect routing to let
      legitimate clients come in through a set of proxy
      servers and alternate gateways.
  • Multiple indirect routes can also be used for
    improving the performance of Internet
    connections by using the proxy servers of an
    organization as connection relay servers.