SOS: Secure Overlay Service Mayday - PowerPoint PPT Presentation

1 / 26

About This Presentation

Title:

SOS: Secure Overlay Service Mayday

Description:

SOS: Secure Overlay Service ( Mayday) A. D. Keromytis, V. Misra, ... Mayday discusses potential practical solutions. Discussion of Advanced attacking approaches ... – PowerPoint PPT presentation

Number of Views:54

Avg rating:3.0/5.0

Slides: 27

Provided by: kxu

Category:

more less

Transcript and Presenter's Notes

Title: SOS: Secure Overlay Service Mayday

1
.

SOS Secure Overlay Service (Mayday)
A. D. Keromytis, V. Misra, D. Runbenstein
Columbia University
Presented by Yingfei Dong

2
Motivations

Goal Proactively Prevent DOS attacks to allow
legitimate users to communicate with a critical
target
DOS attacks try to stop the communication
The target is difficult to replicate
e.g., high security or dynamic contents
Legitimate users are mobile ( IP addresses are
not fixed )
Motivation Applications Emergency Response Teams
(ERTs)
Phone Networks are easy to be crashed
FBI/Police/Fire dept contacts with a center
database
Bank users / stock brokers access their accounts
On-line transactions
Application Requirements
Protect private communications on top of public
networks
Authenticated Mobile Users

3
Denial Of Service (DOS) Attacks

DOS
Select a target to degrade its performance
Generate high volume traffic to the target
Use up network resources bandwidth, buffers
Packet flooding for a 10Mbps-link, 830
1500-byte packets
Overload CPU with security-checking or kernel
resources
Security Handshaking
TCP SYN flooding holding all TCP control blocks
Force to a server fork many processes
SOS is not for general DOS attacks
Not for global traffic analysis
A number of authenticated users to communicate
with a selected target on a public network

4
Related Work

More Secure
Less implementation costs
5
Players in SOS

Target
Node / Server protected by SOS from DOS
Fixed IP address, non-duplicable
Legitimate User
Authenticated Users communicate with the target
Mobile IP address
Attacker
Try to stop users to communicate with the target
Limited Capability not draging down core routers

6
Basic Idea

Why DOS is effective? many-to-one
Solution hiding paths to the target through a
large- scale distributed filter
Difficult to do because
The Internet is an open architecture and will
keep open
IP spoofing is easy and Ingress filters are not
broadly deployed,
Idea Forwarding secure packets on a virtual
overlay network on top of the Internet
Secure packets are forwarded between overlay
nodes
Using a larger number of overlay nodes
Overlay network adapts to attacks quickly
Attackers must attack many nodes to be successful
!

7
SOS Functionalities

Goals
Allow legitimate users to communicate with target
Prevent packets from illegitimate attackers to
reach the target
Ideal Solution
No changes required in intermediate routers
No high-cost security checking near/at the target
Assumptions
Attackers have a limited number of resources
Attackers cannot drag down core routers
Does NOT solve the general DoS problem

8
Method 1 Source-Address Filtering

Routers near the target do simple filtering based
on source IP addresses
Only packets from legitimate nodes can reach the
target
Packets from other sources
are dropped
Fast Light-weight authenticator
Routers are difficult to hack
Problems
Attackers obtain an account on a legitimate node
Attackers spoof packets with a legitimate src IP
Legitimate users are mobile and dont have fixed
IPs

9
Method 2 Filters Proxy Servers

Idea
A proxy server between a legitimate user and the
target
The proxy only forwards authenticated packets
Only packets from the proxy can reach the
target
Problems
Once attackers know the IP of a proxy, x.x.x.x
they can spoof packets with x.x.x.x and reach
the target
Attackers directly attack on the proxy to drag it
down

10
Method 3 Filters Secret Proxy Servers

Hiding the identity (IP address) of a proxy to
prevent IP spoofing or attacks aiming at a proxy
Secret Servlet is a hidden proxy is chosen by the
target
A filter only allows packets whose source address
matches n ? Ns, a set of nodes selected
Only the target, secret servelets, and other few
trusted nodes know the IP address of secret
servlets
Attacker is not sure which node is a proxy for
the target

11
Method 4 Filter Secret Proxy Overlay Routing
SOAP

Question How to forward packets to a Secret
Servlet without knowing its IP address?
Virtual Overlay Network
Each node is an end host
Only some nodes how to reach a proxy (Servlet)
Indirect Assumption large number of nodes ?
attackers couldnt monitor all overlay nodes
Service Overlay Access Points (SOAPs)
Everyone knows a set of SOAPs
An SOAP is an entry node to the overlay network
Receive and verify traffic via IPSec/TLS
A large number of SOAPs as a distributed firewall
User ? SOAP ? across overlay ? Secret Servlet ?
Target

12
Overlay Routing SOAP ? Servlet ? Target

A Path from a SOAP to a Servlet must be hard to
find
Random Walk O(N/Ns) time, N is total of
overlay nodes, Ns is the of Servlet
Chord O( log N )
A path must be resilient to attacks, fast
recovery

13
Dynamic Hash Table (DHT)

Examples Chord, CAN, PASTRY, Tapestry,
Chord
A distributed protocol with N homogenous overlay
nodes
Each node has a node identifier
Each object has an object key
Distribute all object keys to N nodes
the object with key T is mapped to node B, if
H(T) B,
where object T is managed by node B
Chord Property
To find key T from any node to B is O(logN)
steps

14
A Beacon Connects a SOAP and a Servlet

An object key in SOS is the IP address of a
target
Beacon B for IP address T is an overly node with
an identifier B H(T)
Secret Servlet S finds Beacon B by B H(T), and
tells it to forward packets with DST T from B to
S
SOAP A also finds Beacon B by B H(T), and
forwards secure packets with DST T to B
Multiple hash functions produce different
Beacons, i.e., different paths to the target.

15
Routing Summary

Target T randomly selects Secret Servlet S
Secret Servlet S informs Beacon B to forward
packets with DST T to S
SOAP A forwards authenticated packets with DST T
to B
Overlay nodes are known to the public but their
roles are secret
Communications between overlay nodes are
secure/authenticated
Packets are authenticated by SOAP before the
overlay

16
Against the DoS attacks

Redundancy in SOS
Every overlay node can be SOAP, Beacon or Servlet
A target can select multiple Servlets
Multiple beacons can be used by using different
hashes
Many SOAPs
User ? SOAP ? Beacon ? Servlet ? Target

Attacks on an overlay node
Chord self-heals by removing the node from
Chord
Attacks on all SOAPs, otherwise an alternative
SOAP exists
Attacks on all Beacons remove the nodes and
change hash functions
Attacks on all Servlets
The target can real-time change the set of
Servlets
Target is protected by filters

17
Static Attack Analysis

N nodes in the overlay
For a given target T
S is the number of Servlets
B is the number of Beacons
A is the number of SOAPs
Static Attacks attackers randomly shutdown M out
of N nodes
Pstatic P(N, M, S, B, A) Pstop
communications with T
P(n,b,c) Pset of b nodes chosen randomly from
set of n nodes, and set of b nodes contains set
of c nodes

18
Successfully Attack all Servlets or all Beacons
or all SOAPs
Pstatic P(N, M, S, B, A) 1
(1-P(N,M,S))(1-P(N,M,B))(1-P(N,M,A))
Prob Of Attack Success
Number of nodes attacked
19
Dynamic Attacks

Attack/Repair Battle
The Overlay removes attacked nodes, taking time
TR
Attackers shifts attacking traffic from removed
nodes to active nodes, taking time TA
Assume TR and TA are exponential distributed
R.V., modeled as a birth-death process
Attacking rate ?
Repairing rate ?
Attack Load Ratio ? ? / ?

20
Centralized Attacks and Centralized Recovery
M/M/1/K

1000 nodes, 10 SOAP, 10 Beacons, 10 Servlets
If repairing is faster then attacking, SOS can
survive under large scale attacks

21
Centralized Attacks and Distributed, M/M/K/K
22
Distributed Attacks and Centralized Recovery
M/M/1//K
23
Distributed Attacks and Distributed Recovery,
M/M///K
24
Conclusions