Intrusion Tolerance and Cloud - PowerPoint Presentation

Uploaded by yoshiko-marsland on 2017-06-12

C. Edward Chow, Department of Computer Science. Outline of the talk: Overview of DDoS; Intrusion Tolerance with Multipath Routing; Secure DNS with Indirect Queries/Indirect Addresses; Multipath Indirect Routing. ID: 558785



Presentation Transcript

Slide 1

Intrusion Tolerance and Cloud

C. Edward Chow

Department of Computer Science

Slide 2

Outline of the Talk

- Overview of DDoS
- Intrusion Tolerance with Multipath Routing
- Secure DNS with Indirect Queries/Indirect Addresses
- Multipath Indirect Routing
- Intrusion Tolerance and IPv6
- Intrusion Tolerance and Cloud
- Conclusion

3/16/2013 NWNS'13 Intrusion Tolerance and Cloud / Edward Chow

Slide 3

Network System Research Lab at UCCS

Overview of network/system security research projects at the Network/System Lab:

- Secure Collective Internet Defense (SCOLD): an intrusion tolerance system.
- Asymmetric IPSec for Secure Backup Storage Systems.
- Secure Information Sharing.
- Autonomous Anti-DDoS (A2D2): integrated enhanced Snort IDS with a multi-level adaptive rate-limiting firewall.
- Secure Groupware for First Responders (SGFR): integrated group rekeying (Keystone) with instant messaging (Jabber) on MANET.
- Secure Access Mobile Ad Hoc Network (SMANET): implemented a PEAP module on the freeRADIUS server, compared PEAP with TTLS.
- Advanced Content Switch Design.
- Human Motion Tracking and Reasoning.

Slide 4

DDoS: Distributed Denial of Service Attack

DDoS victims:

- Yahoo/Amazon 2000
- CERT 5/2001
- DNS Root Servers 10/2002 (4 up, 7 crippled, 80 Mbps)
- Akamai DDNS 5/2004
- White House 7/2009
- Dept. of Treasury
- Federal Trade Commission
- Bank of the West 12/2012

DDoS tools:

- Stacheldraht
- Trinoo
- Tribal Flood Network (TFN)

Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period. Most of the victims are home users and small to medium sized organizations.

[Diagram: DDoS attack hierarchy. Intruder (Mastermind) -> Client (Attack Commander) -> Handlers (Middlemen) -> Agents (Attackers) -> Victim.]

Slide 5

Slide 6

Challenges in DDoS Defenses

- Difficult to trace: usually the IP addresses are spoofed. Do not give up yet!
- Crosses ISP/country boundaries. Need collaboration!
- By the time we reach the compromised hosts, the mastermind is already long gone.
- Variants of DDoS: reflective; degraded.
- Even reserving a bit in the IP/TCP header takes years in standards bodies (not approved yet)!

Slide 7

DDoS Defense Techniques

- Intrusion Prevention: general security policy; ingress/egress filtering.
- Intrusion Detection: anomaly detection; misuse detection.
- Intrusion Response:
  - Source identification: traceback (needs a lot of cooperation); network forensics.
  - Intrusion pushback (requires mutual authentication and correlation along the path).
  - Intrusion Tolerance (you are in control).

Slide 8

Wouldn’t it be Nice to Have Alternate Routes?

[Diagram: the victim sits behind DNS1 and router R, reachable from the client networks net-a.mil, net-b.mil and net-c.mil (each with its own DNS servers DNS2/DNS3 and routers). DDoS attack traffic and client traffic both arrive over the same direct route. Alternate gateways R1, R2 and R3 (cable/ADSL/satellite) offer other ways in: multi-homing.]

How to reroute client traffic through R1-R3?

Slide 9

Implement Alternate Routes

[Diagram: the same topology, now with alternate gateways R1, R2 and R3 carrying rerouted client traffic while the DDoS attack traffic still hits the direct route.]

Need to inform clients or client DNS servers about these new routes! Some clients may be compromised!! How to hide the IP addresses of the alternate gateways?

Slide 10

Possible Solution for Alternate Routes

[Diagram: the same topology with proxy servers Proxy1, Proxy2 and Proxy3 placed in front of the alternate gateways R1, R2 and R3. Attack traffic is blocked by the IDS at the victim; a new route runs via Proxy3 to R3.]

IDS triggers Step 1 (distress call): a reroute command is sent carrying the DNS name and IP addresses of the proxy and the victim.

Slide 11

SCOLD

Phase 1

[Diagram: victim network with IDS and Reroute Coordinator, client networks net-a.mil, net-b.mil and net-c.mil, proxies Proxy1-Proxy3 and alternate gateways R1-R3. Attack traffic is blocked at the victim's gateway; client traffic still arrives on the direct route.]

1. IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.

Slide 12

SCOLD

Phase 2

[Diagram: as in Phase 1.]

1. IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a reroute command with (DNS name, IP address of victim, proxy server(s)) to the DNS.

Slide 13

SCOLD

Phase 3

[Diagram: as in Phase 2, with new routes drawn through the proxies.]

2. The Reroute Coordinator sends a reroute command with (DNS name, IP address of victim, proxy server(s)) to the DNS.
3. New routes are established via Proxy1 to R1, via Proxy2 to R2, and via Proxy3 to R3.

Slide 14

SCOLD

Phase 4

[Diagram: as in Phase 3, with attack traffic now also arriving on the new routes.]

3. New routes are established via Proxy1 to R1, via Proxy2 to R2, and via Proxy3 to R3.
4. / 4a. Attack traffic that follows the new routes is detected by the IDS and blocked by the firewall.

Slide 15

SCOLD Secure DNS Update with New Indirect DNS Entries

New DNS entries: (target.targetnet.com, 133.41.96.7, ALT 203.55.57.102, 203.55.57.103, 185.11.16.49), i.e. the target name, its direct IP address, and a set of alternate proxy servers for indirect routes.

[Diagram: a modified Bind9 DNS server in the client domain and another in the trusted (target) domain, IP tunnels across the WAN/DMZ, a modified client resolve library, and proxy2 as one of the alternate proxies.]
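The four SCOLD phases on the preceding slides and the indirect DNS entry above, worked through as an added Python simulation (not the SCOLD project's code): the victim's IDS blocks a flood and raises the distress call, the Reroute Coordinator pushes an authenticated reroute command to the client DNS server, the client resolver then picks a proxy from the ALT list, and the proxy's IDS blocks the flood again when it follows the new route. The addresses are the slide's sample values; the message layout, the HMAC-SHA256 tag standing in for SCOLD's secure DNS update, the hash-based proxy choice and the packet-count detector are assumptions.

```python
# Added SCOLD-style simulation; message layout, HMAC tag, proxy choice and IDS are assumptions.
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class IndirectEntry:
    """Indirect DNS entry as on the slide: (name, direct IP, ALT list of proxy servers)."""
    name: str
    ip: str
    alt: List[str] = field(default_factory=list)


def update_tag(key: bytes, command: dict) -> str:
    """HMAC-SHA256 over canonical JSON: assumed stand-in for SCOLD's secure DNS update."""
    return hmac.new(key, json.dumps(command, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class ClientDns:
    """Client-domain DNS server that accepts only correctly tagged reroute commands."""

    def __init__(self, update_key: bytes) -> None:
        self.key = update_key
        self.zone: Dict[str, IndirectEntry] = {}

    def apply_reroute(self, command: dict, tag: str) -> bool:
        if not hmac.compare_digest(update_tag(self.key, command), tag):
            return False  # forged or tampered command: zone left untouched
        self.zone[command["name"]] = IndirectEntry(command["name"], command["ip"], list(command["alt"]))
        return True

    def resolve(self, name: str) -> Optional[IndirectEntry]:
        return self.zone.get(name)


class RerouteCoordinator:
    """Phase 2: turns a distress call into (DNS name, victim IP, proxy servers) for every client DNS."""

    def __init__(self, update_key: bytes, client_dns_servers: List[ClientDns]) -> None:
        self.key = update_key
        self.servers = client_dns_servers

    def distress(self, name: str, victim_ip: str, proxies: List[str]) -> int:
        command = {"name": name, "ip": victim_ip, "alt": proxies}
        tag = update_tag(self.key, command)
        return sum(server.apply_reroute(command, tag) for server in self.servers)  # servers updated


class FloodIds:
    """Phases 1 and 4: per-source packet counter standing in for the IDS at victim and proxies."""

    def __init__(self, threshold: int = 100) -> None:
        self.threshold = threshold
        self.blocked: Set[str] = set()

    def inspect(self, packets: List[Tuple[str, str]]) -> Set[str]:
        counts: Dict[str, int] = {}
        for src, _dst in packets:
            counts[src] = counts.get(src, 0) + 1
        newly = {src for src, n in counts.items() if n >= self.threshold} - self.blocked
        self.blocked |= newly
        return newly  # sources the firewall now drops


def choose_route(dns: ClientDns, name: str, client_ip: str) -> List[str]:
    """Phase 3, client side: with an ALT list present, hash the client address to pick a proxy."""
    entry = dns.resolve(name)
    if entry is None:
        return []
    if not entry.alt:
        return [client_ip, entry.ip]  # no attack in progress: ordinary direct route
    idx = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16) % len(entry.alt)
    return [client_ip, entry.alt[idx], entry.ip]  # client -> proxy (-> alternate gateway) -> victim


def run_scenario() -> dict:
    """Walk the four phases on constructed traffic and report what each side observed."""
    key = b"constructed-pre-shared-update-key"
    client_dns = ClientDns(key)
    coordinator = RerouteCoordinator(key, [client_dns])
    proxies = ["203.55.57.102", "203.55.57.103", "185.11.16.49"]  # ALT list from the slide
    name, victim_ip, client_ip = "target.targetnet.com", "133.41.96.7", "10.9.8.7"
    client_dns.zone[name] = IndirectEntry(name, victim_ip)  # plain name/IP mapping before the attack
    before = choose_route(client_dns, name, client_ip)
    # Constructed flood: 150 packets from one source plus one packet from the legitimate client.
    packets = [("198.51.100.77", victim_ip)] * 150 + [(client_ip, victim_ip)]
    blocked = FloodIds(threshold=100).inspect(packets)                           # phase 1
    updated = coordinator.distress(name, victim_ip, proxies) if blocked else 0   # phase 2
    after = choose_route(client_dns, name, client_ip)                            # phase 3
    proxy_blocked = FloodIds(threshold=100).inspect([(src, after[1]) for src, _ in packets])  # phase 4
    return {"before": before, "blocked": sorted(blocked), "updated": updated,
            "after": after, "proxy_blocked": sorted(proxy_blocked)}


if __name__ == "__main__":
    print(run_scenario())
```

The point of the tag check in `apply_reroute` is the slide's own warning that some clients may be compromised: a client DNS must not accept a reroute command from just anyone, or an attacker could plant a proxy address of his own choosing. The hash-based proxy choice in `choose_route` spreads clients across the ALT list, which is also what makes the later "partition clients" idea possible.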

Slide 16

SCOLD Indirect Routing

[Diagram: indirect route from the client domain to the target built from two IP tunnels.]

Slide 17

SCOLD Indirect Routing with Client running SCOLD client daemon

[Diagram: the same indirect route over two IP tunnels, with the client running the SCOLD client daemon.]

Slide 18

Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3-hop route)

  Scenario                          Ping response time
  No DDoS attack, direct route      0.49 ms
  DDoS attack, direct route         225 ms
  No DDoS attack, indirect route    0.65 ms
  DDoS attack, indirect route       0.65 ms

Table 2: SCOLD FTP/HTTP download test (from client to target)

Slide 19

Secure Collective Defense

Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.

Goal:
- Provide secure alternate routes.
- Hide the IP addresses of alternate gateways.

Techniques:
- Multiple path (indirect) routing.
- Enhanced secure DNS extension: how to inform client DNS servers to add new DNS entries with alternate routes (not your normal DNS name/IP address mapping entry).
- Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways. How to pick and choose proxy servers? (NP-complete problem.) How to utilize CDN and cloud computing?
- Partition clients to come in at different proxy servers: this can help identify the origin of spoofed attacks!
- How do clients use the new multiple path indirect DNS entries and route traffic through proxy servers? Use the SOCKS protocol; modify the resolver library.
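Added example (not part of the talk) of the partitioning idea above: clients are spread over the proxy servers by a per-round hash, and because only a client that was told a proxy's address can leak it to an attacker, intersecting the groups of the attacked proxies over successive re-partition rounds narrows the suspects down even though the attack packets themselves carry spoofed sources. The hash-based assignment, the round structure and the client/proxy names are assumptions.

```python
# Added example: narrowing the origin of a spoofed attack by how clients were partitioned over proxies.
import hashlib
from typing import Dict, Iterable, List, Set


def assign_proxy(client_id: str, proxies: List[str], round_no: int) -> str:
    """Deterministic per-round assignment (assumed scheme): each round reshuffles the clients."""
    digest = hashlib.sha256(f"{round_no}:{client_id}".encode()).hexdigest()
    return proxies[int(digest, 16) % len(proxies)]


def partition(clients: Iterable[str], proxies: List[str], round_no: int) -> Dict[str, Set[str]]:
    """Group clients by the proxy whose address they were told in this round."""
    groups: Dict[str, Set[str]] = {proxy: set() for proxy in proxies}
    for client in clients:
        groups[assign_proxy(client, proxies, round_no)].add(client)
    return groups


def narrow_suspects(clients: List[str], proxies: List[str],
                    attacked_per_round: List[Set[str]]) -> Set[str]:
    """Keep only clients that were told the address of an attacked proxy in every round."""
    suspects = set(clients)
    for round_no, attacked in enumerate(attacked_per_round):
        groups = partition(clients, proxies, round_no)
        suspects &= set().union(*(groups[proxy] for proxy in attacked))
    return suspects


def simulate(clients: List[str], proxies: List[str], compromised: Set[str], rounds: int) -> Set[str]:
    """Constructed scenario: compromised clients leak their current proxy; only those proxies get hit."""
    attacked_per_round = [{assign_proxy(c, proxies, r) for c in compromised} for r in range(rounds)]
    return narrow_suspects(clients, proxies, attacked_per_round)


if __name__ == "__main__":
    clients = [f"client-{i:02d}" for i in range(30)]
    print(simulate(clients, ["proxy1", "proxy2", "proxy3"], {"client-07"}, rounds=16))
```

With three proxies each round discards about two thirds of the remaining honest clients, so a single leaking client is isolated after a handful of re-partitions; with several leaking clients the surviving set is their union, which is still far smaller than the whole client population.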

Slide 20

Benefits of Secure Collective Defense

Security:
- When attacked, users switch to different routes dynamically.
- Urgent/critical packets are sent over multiple routes simultaneously.
- Encrypted content is sent over multiple routes.
- Information on DDoS attacks is used to isolate the source of the attacks.

Reliability:
- Users can choose the most reliable route dynamically.
- Packet content can be spread over multiple routes to reduce delay variance. Use redundant transmission or error correction to assure that critical traffic arrives at its destination.

Performance:
- Striping across multiple indirect routes could provide additional bandwidth.
- Can be used for dynamic bandwidth provisioning.
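Added example (not from the talk) of the reliability point above: a critical payload is striped over several indirect routes with one extra XOR parity stripe, so the receiver still reassembles it when any single route drops its share, and the data stripes alone use the bandwidth of all routes in parallel. Using XOR parity as the "error correction" is an assumption; the slide does not say which scheme SCOLD used.

```python
# Added example: striping a payload over N routes with one XOR parity stripe (assumed scheme).
from functools import reduce
from operator import xor
from typing import List, Optional


def stripe(payload: bytes, n_routes: int) -> List[bytes]:
    """Split payload into n_routes-1 equal data stripes plus one XOR parity stripe, one per route."""
    data_routes = n_routes - 1
    if data_routes < 1 or not payload:
        raise ValueError("need at least two routes and a non-empty payload")
    size = -(-len(payload) // data_routes)               # ceiling division
    padded = payload.ljust(size * data_routes, b"\0")    # receiver trims padding using the length
    stripes = [padded[i * size:(i + 1) * size] for i in range(data_routes)]
    parity = bytes(reduce(xor, column) for column in zip(*stripes))
    return stripes + [parity]


def reassemble(received: List[Optional[bytes]], length: int) -> Optional[bytes]:
    """Rebuild the payload if at most one route lost its stripe (None); return None otherwise."""
    missing = [i for i, chunk in enumerate(received) if chunk is None]
    if len(missing) > 1:
        return None                                      # one parity stripe covers one loss only
    stripes = list(received)
    if missing:
        present = [chunk for chunk in stripes if chunk is not None]
        stripes[missing[0]] = bytes(reduce(xor, column) for column in zip(*present))
    return b"".join(stripes[:-1])[:length]               # drop parity, trim padding


if __name__ == "__main__":
    message = b"URGENT: reroute via proxy2"              # constructed critical payload
    parts = stripe(message, 4)                           # 3 data routes + 1 parity route
    parts[1] = None                                      # route 2 drops its stripe
    print(reassemble(parts, len(message)))
```

Sending the parity stripe costs one extra route's worth of bandwidth, versus sending the whole payload on every route for plain redundant transmission; which trade-off is right depends on how many of the indirect routes are expected to fail at once.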

Slide 21

New SCOLD Research Directions

- How not to hide the alternate gateways.
- Utilize the IPv6 address space and random hops.
- Utilize BGP to drop attack traffic.
- How to trace back and push back DDoS.
- How to utilize cheap virtual machines from cloud computing providers.

Slide 22

How low cost is Amazon AWS EC2?

Slide 23

Current SCOLD Project Results

- Proposed new DNS entries for intrusion tolerance, containing multiple proxy server info for establishing indirect routes.
- Modified the Bind9 DNS server to accept secure DNS updates and to serve queries with the new indirect DNS entries.
- Developed a new secure DNS update utility to securely update the target zone file in the enhanced Bind9 DNS server.
- Implemented a new secure indirect routing protocol to allow the client DNS to query the target DNS during a DDoS attack, and to allow the client to communicate with the target server through a proxy server and alternate gateway.
- Implemented the Outpace DDoS Defense System: fast updates of server IP addresses; utilize a BGP sink hole to remove trailing attacks.
- Simulation done. Real implementation ongoing.

Slide 24

Conclusion

- Opportunities exist in designing new secure IP protocols/systems. Tackle hard problems: big payoff.
- Develop multipath indirect routing/enhanced DNS: better security, better bandwidth, better reliability.
- A fundamental solution to DDoS requires global cooperation (legal, Internet standards, ISPs) and information assurance awareness (patching diligently; do not click that alumni picture in the email attachment).
- Cloud Computing/CDN is our next fun playground.