Roaming Honeypots for Mitigating ServiceLevel DenialofService Attacks - PowerPoint PPT Presentation
Slides: 29
Provided by: theodorri
1
Roaming Honeypots for Mitigating Service-Level
Denial-of-Service Attacks
  • Written by
  • Sherif M. Khattab, Chatree Sangpachatanaruk,
    Daniel Mossé, Rami Melhem, Taieb Znati
  • Presented by
  • Theodor Richardson
  • Ani Starrenburg

2
Denial-of-Service Attacks
  • Links: exceeding link capacity
  • Routers: congesting router buffers
  • Front-ends: consuming front-end processing with
    requests
  • Servers: requesting services at a high rate

3
Denial-of-Service Defenses
  • Replication: useful in protecting service
    front-ends
  • Firewalls: strategy for prohibiting illegal
    flow of data
  • Intrusion Detection Services: detection of
    tampering
  • Honeypots: may be used for any number of
    purposes

4
Honeypots
  • A security resource whose value lies in being
    probed, attacked or compromised.

5
Roaming Honeypot Properties
A mechanism that allows the locations of
honeypots to be unpredictable, continuously
changing and disguised within a server pool
6
Proactive Server Roaming Background
[Figure: Attacker, Firewall, Idle Servers, One Active Server, Back-End Servers, Firewall, Clients]
7
Proactive Server Roaming Background
  • One server is active.
  • At the end of epoch Ei of duration Ri, server Si
    assumes the role of active server.
  • Client must store information locally
  • Service must track and process legitimate users.

8
Proactive Server Roaming Background
  • A backward chain of hashed keys Ki is built, where
    0 < i < n
  • Ri = MSB_m(H(Ki))
  • Si = servers[MSB_⌈lg N⌉(H(Ki))]

9
Roaming Honeypots
[Figure: Attacker, Firewall, Honeypots and Active Servers (Back-End Servers), AGN, Firewall, Clients]
10
Roaming Honeypots
  • Uses similar selection algorithms
  • Selects a set of active servers for each epoch
  • Introduces a lower bound, m, on the epoch length
  • Uses k out of N servers as active servers; the
    remainder are honeypots
  • Offloads processing from client and server to the
    Access Gateway

11
Roaming Honeypot Properties
12
Service Model
  • Subscription-based service
  • Protection of a pool of N back-end servers
  • Packet-filtering firewall and IDS deployed
  • AGN as layer of indirection

13
Access Gateway Network
  • Provides level of indirection between client and
    back-end server
  • Decouples authentication and authorization from
    service provision
  • Only the AGN tracks server locations and status,
    and forwards client packets
  • Roaming scheme is transparent to client

14
AGN Structure
  • Back-end server is considered tree root
  • AGs with higher resistance to attacks and lower
    reconfiguration rates are closer to the back-end
    servers (lower in the tree)
  • AG is responsible for address registration and
    parent registration
  • AGs closest to root handle connection migration

15
AGN Address Registration
  • Each AG registers an <ID, Address> tuple with the
    AG node responsible for storing addresses
  • ID = (SID, L, Index)
  • SID is a service identifier
  • L is the level of the AG in the AGN
  • Index is the AG index within L

16
AGN Parent Registration
  • AG registers its IP address with its parent (the
    servers if at the root)
  • AG uses (SID, L-1, Index(parent)) to look up the
    parent address
  • Allows IP routing for migration messages

17
AGN Connection Migration
  • AG forwards client C's messages to server Si
  • When Si changes from active to inactive, the AG
    chooses a new active server Sj at random for client C
  • AG re-registers with parent Sj
  • AG encapsulates the state information from Si and
    forwards it to Sj in the TCP SYN packet
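The registration and migration steps of slides 15 to 17, written out as an added toy model (not code from the paper or the presenters). It assumes level 0 of the tree holds the back-end servers, that an AG's ID is the tuple (SID, L, Index), and that the state carried in the SYN to the new server is just a small dictionary; the random choice is seeded so that a run is reproducible.

```python
import random


class AccessGatewayNetwork:
    """Toy AGN: an <ID, Address> registry keyed by (SID, L, Index), parent lookup
    via (SID, L-1, Index(parent)), and connection migration when the active set changes."""

    def __init__(self, sid: int):
        self.sid = sid
        self.registry = {}      # (SID, L, Index) -> IP address
        self.connections = {}   # client -> index of the back-end server serving it

    def register_address(self, level: int, index: int, address: str) -> None:
        """Address registration: store the AG's (or, at level 0, the server's) address under its ID."""
        self.registry[(self.sid, level, index)] = address

    def parent_address(self, level: int, parent_index: int) -> str:
        """Parent registration lookup: an AG at level L finds its parent at level L-1."""
        return self.registry[(self.sid, level - 1, parent_index)]

    def attach(self, client: str, server: int) -> None:
        """Pin a client's connection to the back-end server currently handling it."""
        self.connections[client] = server

    def migrate(self, new_active: set, seed: int = None) -> dict:
        """Connection migration: every client whose server left the active set is moved to a
        randomly chosen member of the new active set; clients on still-active servers stay.
        Returns {client: message}, where message is what the AG would carry in the SYN to Sj
        (the message layout is an assumption of this model)."""
        rng = random.Random(seed)
        migrations = {}
        for client, old in list(self.connections.items()):
            if old in new_active:
                continue                                   # Si still active: nothing to do
            new = rng.choice(sorted(new_active))           # new Sj chosen at random
            self.connections[client] = new
            migrations[client] = {
                "from": old, "to": new,
                "to_addr": self.registry[(self.sid, 0, new)],   # parent = server Sj at the root
                "state": {"client": client, "prev_server": old},
            }
        return migrations
```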

18
Roaming Protocol
  • For a single active server:
  • Service time is divided into epochs: random
    intervals of activity/inactivity for servers
  • Length of epoch Ei is calculated from a long hash
    chain, Ri = H(Ki), where K is a random key and Ri
    is the number of seconds
  • Location of epoch: Si = servers[MSB(H(Ki))], where
    MSB is the Most Significant Bits of hash function H
    (such as MD5)
  • Out of N servers, k are active at any time
  • Set of active servers is Pk(S)
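The epoch and server selection of slides 8, 10 and 18, carried through as an added example (not the paper's or the presenters' code). It builds the backward hash chain, derives R_i = MSB_m(H(K_i)) with the lower bound on epoch length, and picks k of N active servers per epoch, leaving the rest as honeypots. Assumptions: SHA-256 stands in for H, the bit width is named m_bits and the lower bound min_seconds to keep the two uses of "m" apart, and k distinct servers are drawn by hashing H(K_i) with a counter (the slides only say a "similar" selection algorithm).

```python
import hashlib


def H(data: bytes) -> bytes:
    """The hash function H of the slides (SHA-256 here instead of MD5)."""
    return hashlib.sha256(data).digest()


def build_backward_chain(seed: bytes, n: int) -> list:
    """Backward hash chain K_0..K_{n-1}: K_{n-1} = seed and K_i = H(K_{i+1}).
    Keys are used in order K_0, K_1, ...; holding K_i does not reveal K_{i+1}."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


def verify_next_key(k_prev: bytes, k_next: bytes) -> bool:
    """A party holding K_i accepts a disclosed K_{i+1} only if H(K_{i+1}) == K_i."""
    return H(k_next) == k_prev


def msb(digest: bytes, bits: int) -> int:
    """MSB_bits(digest): the `bits` most significant bits of the digest as an integer."""
    return int.from_bytes(digest, "big") >> (8 * len(digest) - bits)


def epoch_duration(key: bytes, m_bits: int, min_seconds: int) -> int:
    """R_i = MSB_m(H(K_i)) seconds, raised to the lower bound on epoch length (slide 10)."""
    return max(min_seconds, msb(H(key), m_bits))


def active_set(key: bytes, n_servers: int, k: int) -> list:
    """P_k(S): k distinct active servers out of N derived from H(K_i); the other N-k are honeypots.
    Assumption: H(H(K_i) || counter) indexes into a shrinking pool of candidate servers."""
    digest, pool, chosen = H(key), list(range(n_servers)), []
    for ctr in range(k):
        idx = int.from_bytes(H(digest + ctr.to_bytes(4, "big")), "big") % len(pool)
        chosen.append(pool.pop(idx))
    return sorted(chosen)


def roaming_schedule(seed: bytes, n_epochs: int, n_servers: int, k: int,
                     m_bits: int = 8, min_seconds: int = 5) -> list:
    """Per epoch i: (R_i, active servers P_k(S), honeypots S \\ P_k(S)), all derived from K_i."""
    schedule = []
    for key in build_backward_chain(seed, n_epochs):
        active = active_set(key, n_servers, k)
        honeypots = [s for s in range(n_servers) if s not in active]
        schedule.append((epoch_duration(key, m_bits, min_seconds), active, honeypots))
    return schedule


if __name__ == "__main__":
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed demo key K_{n-1}
    for i, (r, active, honey) in enumerate(roaming_schedule(seed, 4, 6, 2)):
        print("epoch %d: %ds active=%s honeypots=%s" % (i, r, active, honey))
```

Only a party holding the chain (the AGN and the back-end servers) can compute the schedule; an observer that captures K_i learns the current epoch but not the next one.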

19
Network Model
[Figure: Attacker, Honeypot, Active Server (Back-End Servers), AGN, Firewall, Clients]
20
Simulation Model
  • Tested on ns-2
  • Discrete event simulator aimed at network testing
  • Simulates routing, TCP, and multicast protocols
  • Supports wired and wireless networks
  • http://www.isi.edu/nsnam/ns/

21
Simulation Model
  • Tested under ns-2 simulation against
  • Average Response Time (ART) is considered the
    primary metric
  • Comparison of:
      • Nonroaming (Load Sharing)
      • Roaming w/o Filtering (attacker traffic is not
        dropped)
      • Roaming w/ Filtering (attacker traffic is dropped)

22
Effect of Migration Interval
  • The migration interval must be tuned against the
    overhead of restarting TCP: each migration
    re-establishes connections with the new server set

23
Effect of Client Load
  • Under small attack loads, the nonroaming scheme
    performs better because of the overhead of roaming

24
Effect of Attack Load
  • Using filtering, the ART does not change as the
    attack load increases once the attacker is
    detected

25
Effect of Follow Delay
  • In Roaming w/ Filter, clients experience an
    attack free window as the attacker experiences
    follow delay

26
Conclusions
  • Strengths
      • Under high attack load, the roaming scheme performs
        better than load sharing
      • Undetectable honeypot locations
      • Transparent to client traffic

27
Conclusions
  • Weaknesses
      • Must balance the TCP overhead of resetting
        connections
      • Wastes a large amount of server resources through
        inactivity (as honeypots)
      • The idea of logical roaming is underdeveloped in the
        paper, but could save resources and reduce
        overhead

28
Conclusions
  • Vulnerability remains that malicious code can be
    installed on legitimate servers
  • Periodic reinstall suggested, but service can be
    compromised before reinstall if attack is
    sophisticated
  • Violates property of honeypots that they should
    not adversely affect operation of standard
    service if compromised