Autonomous Anti-DDoS Network V2.0 (A2D2-2) - PowerPoint PPT Presentation

About This Presentation
Title:

Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Slides: 17
Provided by: jerryj6
Learn more at: http://cs.uccs.edu

Transcript and Presenter's Notes

Title: Autonomous Anti-DDoS Network V2.0 (A2D2-2)


1
Autonomous Anti-DDoS Network V2.0 (A2D2-2)
  • Sarah Jelinek
  • University Of Colorado, Colo. Spgs.
  • sarah.jelinek_at_sun.com
  • Spring Semester 2003, CS691 Project

2
Project Goals
  • Ultimate goal of project
  • To make DDoS technology more robust
  • Relationship to other projects
  • Enhancements of existing A2D2 architecture to
    incorporate IDIP and Alternate Proxy Servers
  • High-level timing goals
  • Research and new architecture, now
  • Project completion planned for 9/03

3
Description - A2D2
  • Developed by Angela Cearns, UCCS Masters Thesis
  • DDoS Intrusion Detection and Response
  • Uses freeware as main detection component
  • Modifications made to effect better response

FOR MORE INFO...
http://cs.uccs.edu/chow/pub/master/acearns/doc/angThesis-final.pdf
4
A2D2, cont..
5
A2D2, cont..
  • Strengths
  • Uses open source components
  • Portable
  • Configurable
  • Weaknesses
  • Host Based
  • Local Network response
  • No attempt made to actively trace intruder
  • Possible bottleneck at firewall
  • Static thresholds

6
A2D2-2 Technology
  • New technology being used
  • Intrusion Detection and Isolation Protocol (IDIP)
  • Alternate Proxy Servers
  • Standards being adopted
  • IDIP
  • Will work with other IDIP enabled Intrusion
    Detection Networks
  • Service Location Protocol (SLP)
  • Allows discovery of registered IDIP Nodes

7
A2D2-2 What It Solves
  • Host Based
  • Now a dynamic, network wide solution
  • Will work with other IDIP enabled Intrusion
    Detection Networks utilizing CITRA
  • Active Tracing of Intruder
  • SLP is used to discover other network IDIP
    services

8
A2D2-2 What It Solves, cont..
  • Local Response
  • SLP used for location of alternate proxy servers
    for more global response
  • Firewall Bottleneck
  • Response Coordination Centralized

9
A2D2-2 IDIP
  • IDIP
  • Developed by Boeing and NAI Labs
  • Supports real-time tracking and containment of
    DDoS attacks
  • Three layers
  • Application Layer
  • Message Layer
  • Discovery Coordinator

10
A2D2-2 - Discovery Coordinator
  • IDIP Discovery Coordinator
  • Bulk of the work done here
  • Network wide response coordinator
  • Will notify clients and client DNS of alternate
    routes available
  • Standardized language used for messages and
    topology (CISL)
  • Local attack response still active if down

11
IDIP Nodes
FOR MORE INFO...
http://zen.ece.ohiou.edu/inbounds/DOCS/reldocs/IDIP_Architecture.doc
12
A2D2-2 Proposed Architecture
13
Alternate Routes
FOR MORE INFO...
http://cs.uccs.edu/%7Echow/research/security/uccsSecurityResearch.ppt
14
Alternate Routes, cont..
15
A2D2-2 SLP -> Alternate Routes
[Figure: network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; R1, R2, R3 (legend: R, IDIP Node); nodes marked A; "New route via Proxy3 to R3"; "Attack msgs blocked by IDS"; "Block and traceback"; "A2D2-2 IDIP DC SLP Discovery and communication"; "Local IDS Response"; "A2D2-2 Network IDS"]
16
A2D2-2 Futures
  • IDIP Redundant/Cooperative Discovery Coordinators
  • Discovery Coordinator Response Optimization
    Enhancements
  • Updates To Snort
  • Secure DNS (already started?)