Slide1
Intrusion Tolerance and Cloud
C. Edward Chow
Department of Computer Science
Slide2
Outline of the Talk
Overview of DDoS
Intrusion Tolerance with Multipath Routing
Secure DNS with Indirect Queries/Indirect Addresses
Multipath Indirect Routing
Intrusion Tolerance and IPv6
Intrusion Tolerance and Cloud
Conclusion
3/16/2013 NWNS'13 Intrusion Tolerance and Cloud / Edward Chow
Slide3
Network System Research Lab at UCCS
Overview of Network/System Security Research Projects at the Network/System Lab:
Secure Collective Internet Defense (SCOLD): an intrusion tolerance system.
Asymmetric IPSec for Secure Backup Storage Systems.
Secure Information Sharing.
Autonomous Anti-DDoS (A2D2): integrated an enhanced Snort IDS with a multi-level adaptive rate-limiting firewall.
Secure Groupware for First Responders (SGFR): integrated group rekeying (Keystone) with instant messaging (Jabber) on MANET.
Secure Access Mobile Ad Hoc Network (SMANET): implemented a PEAP module on the freeRADIUS server and compared PEAP with TTLS.
Advanced Content Switch Design.
Human Motion Tracking and Reasoning.
Slide4
DDoS: Distributed Denial of Service Attack
DDoS Victims:
Yahoo/Amazon 2000
CERT 5/2001
DNS Root Servers 10/2002 (4 up, 7 crippled, 80 Mbps)
Akamai DDNS 5/2004
White House 7/2009
Dept. of Treasury
Federal Trade Commission
Bank of the West 12/2012
DDoS Tools:
Stacheldraht
Trinoo
Tribal Flood Network (TFN)
Research by Moore et al. of University of California at San Diego, 2001: 12,805 DoS attacks observed in a 3-week period; most victims were home users and small to medium sized organizations.
Figure: DDoS attack hierarchy. The Intruder (Mastermind) drives a Client (Attack Commander), which controls several Handlers (Middlemen); each Handler controls several Agents (Attackers) that generate the flood.
Slide5
Slide6
Challenges in DDoS Defenses
Difficult to trace: usually the IP addresses are spoofed. Do not give up yet!
Attacks cross ISP/country boundaries. Need collaboration!
By the time we reach the compromised hosts, the mastermind is already long gone.
Variants of DDoS: reflective; degraded (degradation of service rather than outright denial).
Even reserving a bit in the IP/TCP header takes years in standards (not approved yet)!
Slide7
DDoS Defense Techniques
Intrusion Prevention: general security policy; ingress/egress filtering.
Intrusion Detection: anomaly detection; misuse detection.
Intrusion Response:
Source identification: traceback (needs a lot of cooperation); network forensics.
Intrusion pushback (requires mutual authentication and correlation along the path).
Intrusion Tolerance (you are in control).
Slide8
Wouldn't it be Nice to Have Alternate Routes?
Figure: the Victim sits behind its normal routers (R) and is reached from the client networks net-a.mil, net-b.mil and net-c.mil, each with its own DNS server (DNS1, DNS2, DNS3) and each containing attack agents (A) whose DDoS attack traffic mixes with legitimate client traffic. The victim is multi-homed with alternate gateways R1, R2, R3 (cable/ADSL/satellite).
How to reroute client traffic through R1-R3?
Multi-homing
Slide9
Implement Alternate Routes
Figure: the same topology as the previous slide (victim, routers R, client networks net-a.mil/net-b.mil/net-c.mil with DNS1-DNS3 and attack agents A), with the alternate gateways R1-R3 now carrying client traffic.
Need to inform clients or client DNS servers about these new routes!
Some clients may be compromised!!
How to hide the IP addresses of the alternate gateways?
Slide10
Possible Solution for Alternate Routes
Figure: the same topology, with proxy servers Proxy1, Proxy2 and Proxy3 placed in front of the alternate gateways R1-R3 and a new route via Proxy3 to R3; attack traffic is blocked by the IDS.
Distress call: the IDS triggers Step 1, which sends a Reroute Command carrying the DNS name/IP address of the proxy and of the victim.
Slide11
SCOLD Phase 1
Figure: the victim network with its normal routers (R); client networks net-a.mil, net-b.mil and net-c.mil, each with DNS1/DNS2/DNS3 and attack agents (A); proxies Proxy1-Proxy3 in front of the alternate gateways R1-R3; and a Reroute Coordinator. Attack traffic is blocked at the victim's routers.
1. IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
Slide12
SCOLD Phase 2
Figure: the same topology as Phase 1.
1. IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS name, IP address of the victim, proxy server(s)) to the DNS servers.
Slide13
SCOLD Phase 3
Figure: the same topology; each client network now has a new route through a proxy to an alternate gateway, while attack traffic stays blocked at the victim's routers.
2. The Reroute Coordinator sends a Reroute Command with (DNS name, IP address of the victim, proxy server(s)) to the DNS servers.
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
Slide14
SCOLD Phase 4
Figure: the same topology with the three indirect routes in place.
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4 / 4a. Attack traffic that follows the new routes is detected by the IDS and blocked by the firewall.
Slide15
SCOLD Secure DNS Update with New Indirect DNS Entries
Figure: a modified Bind9 DNS server in the trusted domain (DMZ) sends a secure DNS update across the WAN to the modified Bind9 server in the client domain; clients with the modified resolver library reach the target over IP tunnels through a proxy (proxy2 shown).
New DNS entries: (target.targetnet.com, 133.41.96.7, ALT 203.55.57.102 203.55.57.103 185.11.16.49)
The ALT list is a set of alternate proxy servers for indirect routes.
Slide16
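The indirect entry on the Secure DNS Update slide, worked through the four SCOLD phases as an added example; this is not SCOLD's own code. The entry text layout and the addresses are taken from the slide. The HMAC-SHA256 authentication of the reroute command, the message fields, the hash-based proxy choice in the resolver, the shared key, the client id and the address 198.51.100.9 in the forged command are all constructed assumptions (the slides do not say how SCOLD authenticates its secure updates).

```python
"""
Added example, not SCOLD's own code: an in-memory model of the four SCOLD
phases on the slides (IDS distress call, reroute command to DNS, indirect
DNS entry, client resolution through a proxy).  The entry text layout
mirrors the slide's example; HMAC-based update authentication, the message
fields and the proxy-selection rule are assumptions.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IndirectEntry:
    """(name, direct IP, ALT proxy list): the new indirect DNS entry."""
    name: str
    direct_ip: str
    alt_proxies: List[str]

    def to_zone_line(self) -> str:
        return "(%s, %s, ALT %s)" % (self.name, self.direct_ip, " ".join(self.alt_proxies))

    @classmethod
    def parse(cls, line: str) -> "IndirectEntry":
        body = line.strip()
        if not (body.startswith("(") and body.endswith(")")):
            raise ValueError("indirect entry must be parenthesised")
        name, ip, alt = [p.strip() for p in body[1:-1].split(",", 2)]
        if not alt.startswith("ALT "):
            raise ValueError("indirect entry needs an ALT proxy list")
        proxies = alt[4:].split()
        for addr in [ip] + proxies:
            ipaddress.ip_address(addr)  # raises on a malformed address
        return cls(name, ip, proxies)


def _mac(key: bytes, line: str) -> str:
    return hmac.new(key, line.encode(), hashlib.sha256).hexdigest()


class SecureDNS:
    """Stand-in for the modified Bind9: accepts only authenticated updates (assumed HMAC)."""

    def __init__(self, update_key: bytes):
        self.key = update_key
        self.zone = {}  # name -> IndirectEntry

    def update(self, line: str, mac: str) -> bool:
        if not hmac.compare_digest(_mac(self.key, line), mac):
            return False  # forged reroute command: a compromised client cannot plant its own proxy
        entry = IndirectEntry.parse(line)
        self.zone[entry.name] = entry
        return True

    def query(self, name: str) -> Optional[IndirectEntry]:
        return self.zone.get(name)


class RerouteCoordinator:
    """Phase 2: turns a distress call into an authenticated reroute command for the client DNS."""

    def __init__(self, update_key: bytes):
        self.key = update_key

    def on_distress(self, dns: SecureDNS, victim: str, victim_ip: str, proxies: List[str]) -> bool:
        line = IndirectEntry(victim, victim_ip, list(proxies)).to_zone_line()
        return dns.update(line, _mac(self.key, line))


def resolve_indirect(dns: SecureDNS, name: str, client_id: str) -> Optional[Tuple[str, str]]:
    """Phase 3: the modified resolver returns (proxy to tunnel through, victim IP carried
    inside the tunnel).  Proxy choice is a stable hash of the client id (assumption)."""
    entry = dns.query(name)
    if entry is None or not entry.alt_proxies:
        return None
    idx = int(hashlib.sha256(client_id.encode()).hexdigest(), 16) % len(entry.alt_proxies)
    return entry.alt_proxies[idx], entry.direct_ip


def scold_scenario() -> Tuple[bool, bool, Optional[Tuple[str, str]]]:
    """Phases 1-3 end to end on the slide's addresses; key and client id are constructed."""
    key = b"constructed-coordinator-dns-key"
    dns, coordinator = SecureDNS(key), RerouteCoordinator(key)
    # Phase 1: the IDS at the victim blocks the flood and sends a distress call.
    accepted = coordinator.on_distress(dns, "target.targetnet.com", "133.41.96.7",
                                       ["203.55.57.102", "203.55.57.103", "185.11.16.49"])
    # A forged command (bad MAC, constructed proxy address) from a compromised client is rejected.
    forged = dns.update("(target.targetnet.com, 133.41.96.7, ALT 198.51.100.9)", "00" * 32)
    route = resolve_indirect(dns, "target.targetnet.com", "client-in-net-a")
    return accepted, forged, route


if __name__ == "__main__":
    print(scold_scenario())
```

The point of the MAC check is the slide's warning that some clients may be compromised: a client that can forge a reroute command could point every other client at a proxy it controls, so only the Reroute Coordinator's key may introduce ALT entries.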
SCOLD Indirect Routing
Figure: client traffic carried over IP tunnels through a proxy server to an alternate gateway of the target.
Slide17
SCOLD Indirect Routing with Client running SCOLD client daemon
Figure: as above, with the SCOLD client daemon on the client host terminating the IP tunnels.
Slide18
Performance of SCOLD v0.1
Table 1: Ping Response Time (on 3-hop route)
No DDoS attack, direct route:    0.49 ms
DDoS attack, direct route:       225 ms
No DDoS attack, indirect route:  0.65 ms
DDoS attack, indirect route:     0.65 ms
Table 2: SCOLD FTP/HTTP download Test (from client to target)
Slide19
Secure Collective Defense
Main Idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal: provide secure alternate routes; hide the IP addresses of the alternate gateways.
Techniques:
Multiple path (indirect) routing.
Enhanced secure DNS extension: how to inform client DNS servers to add new DNS entries with alternate routes (not your normal DNS name/IP address mapping entry).
Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways. How to pick and choose proxy servers? (NP-complete problem.) How to utilize CDN and cloud computing?
Partition clients to come in at different proxy servers: this can help identify the origin of spoofed attacks!
How do clients use the new multiple path indirect DNS entries and route traffic through proxy servers? Use the SOCKS protocol and modify the resolver library.
Slide20
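The partitioning point above (clients come in at different proxies, so attack traffic arriving at a proxy implicates only the clients that were told about it), worked as an added example that is not SCOLD code. Each round hands client i the proxy given by one base-K digit of i, and the suspect set is intersected with the clients assigned to whichever proxies were hit; the client names, the proxy count, the digit-based assignment and the leaker simulation are constructed assumptions.

```python
"""
Added example, not part of SCOLD: partition clients across proxy servers so
that attack traffic arriving at a proxy narrows down which client leaked
that proxy's address.  Names, proxy count and the assignment scheme are
constructed assumptions.
"""
from typing import Callable, Dict, List, Set, Tuple


def rounds_needed(num_clients: int, num_proxies: int) -> int:
    """Smallest r with num_proxies**r >= num_clients: each round reveals one base-K digit."""
    r = 1
    while num_proxies ** r < num_clients:
        r += 1
    return r


def assignment(clients: List[str], num_proxies: int, round_no: int) -> Dict[str, int]:
    """Round round_no sends client i to the proxy given by digit round_no of i in base num_proxies."""
    step = num_proxies ** round_no
    return {c: (i // step) % num_proxies for i, c in enumerate(clients)}


def localize_leakers(clients: List[str], num_proxies: int,
                     attacked_proxies: Callable[[Dict[str, int]], Set[int]]) -> Tuple[Set[str], int]:
    """attacked_proxies(assign) reports which proxy indices received attack traffic under that
    assignment.  Returns (suspect clients, rounds used).  With a single leaker the suspect set
    shrinks to exactly that client after rounds_needed() rounds; with several leakers the set
    still contains all of them but may not be minimal."""
    suspects = set(clients)
    total = rounds_needed(len(clients), num_proxies)
    for r in range(total):
        assign = assignment(clients, num_proxies, r)
        hit = attacked_proxies(assign)
        if not hit:
            return set(), r + 1  # no proxy attacked this round: nobody among the clients leaked
        suspects &= {c for c, p in assign.items() if p in hit}
        if len(suspects) <= 1:
            return suspects, r + 1
    return suspects, total


def simulate(clients: List[str], num_proxies: int, leakers: List[str]) -> Tuple[Set[str], int]:
    """Constructed attacker model: the flood hits exactly the proxies handed to the leaking clients."""
    def attacked(assign: Dict[str, int]) -> Set[int]:
        return {assign[c] for c in leakers}
    return localize_leakers(clients, num_proxies, attacked)


if __name__ == "__main__":
    nets = ["net-%d" % i for i in range(9)]
    print(simulate(nets, 3, ["net-7"]))            # ({'net-7'}, 2)
    print(simulate(nets, 3, ["net-2", "net-6"]))   # 4 suspects after 2 rounds
```

The cost is that every round re-issues indirect DNS entries to all clients, and a client that is merely slow to pick up the new entry looks like a leaker for one round; in practice a proxy hit should be counted only after the previous assignment has expired.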
Benefits of Secure Collective Defense
Security: when attacked, users switch to different routes dynamically; urgent/critical packets are sent over multiple routes simultaneously; encrypted content is sent over multiple routes; information on DDoS attacks is used to isolate the source of the attacks.
Reliability: users can choose the most reliable route dynamically; packet content can be spread over multiple routes to reduce delay variance; use redundant transmission or error correction to assure that critical traffic arrives at its destination.
Performance: striping across multiple indirect routes could provide additional bandwidth; can be used for dynamic bandwidth provisioning.
Slide21
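Redundant transmission over multiple indirect routes, as an added example that is not SCOLD code: a message is striped across k routes and an XOR parity stripe goes over one more route, so the receiver can rebuild the message if any single route drops its stripe (striping alone would give the bandwidth, the parity stripe gives the reliability). The route names and the dropped route are constructed for the demonstration.

```python
"""
Added example, not from the SCOLD project: stripe a message across several
indirect routes with one XOR parity stripe so that the loss of any one
route is repaired at the receiver.  Routes and the drop are constructed.
"""
from functools import reduce
from operator import xor
from typing import Dict, List, Tuple


def _xor_all(shards: List[bytes]) -> bytes:
    """Column-wise XOR of equal-length byte strings."""
    return bytes(reduce(xor, col) for col in zip(*shards))


def stripe(data: bytes, k: int) -> Tuple[List[bytes], int]:
    """Split data into k equal stripes (zero padded) plus an XOR parity stripe.
    Returns (k + 1 stripes, original length); the length is needed to drop the padding."""
    if k < 1:
        raise ValueError("need at least one data route")
    n = -(-len(data) // k)  # ceiling division
    padded = data.ljust(k * n, b"\0")
    shards = [padded[i * n:(i + 1) * n] for i in range(k)]
    return shards + [_xor_all(shards)], len(data)


def reassemble(received: Dict[int, bytes], k: int, length: int) -> bytes:
    """Rebuild from stripes indexed 0..k (index k is parity); tolerates one missing stripe."""
    missing = [i for i in range(k + 1) if i not in received]
    if len(missing) > 1:
        raise ValueError("lost %d routes; one parity stripe repairs only one" % len(missing))
    shards = dict(received)
    if missing:
        m = missing[0]
        # XOR of all other stripes (data and parity) recovers the missing one.
        shards[m] = _xor_all([shards[i] for i in range(k + 1) if i != m])
    return b"".join(shards[i] for i in range(k))[:length]


def send_over_routes(data: bytes, routes: List[str], dropped: str) -> bytes:
    """Constructed transmission: one stripe per route; the stripe on `dropped` never arrives."""
    k = len(routes) - 1  # the last route carries the parity stripe
    shards, length = stripe(data, k)
    received = {i: s for i, (s, r) in enumerate(zip(shards, routes)) if r != dropped}
    return reassemble(received, k, length)


if __name__ == "__main__":
    routes = ["via-Proxy1", "via-Proxy2", "via-Proxy3", "parity-via-Proxy1"]
    print(send_over_routes(b"reroute via proxy3 to R3", routes, "via-Proxy2"))
```

An attacker who wants to stop the transfer must now take down two of the four routes at once; if the proxies sit in different networks, as the slides propose, that costs a second flood aimed at a second hidden gateway.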
New SCOLD Research Directions
How not to hide the alternate gateways? Utilize the IPv6 address space and random hops.
Utilize BGP to drop attack traffic.
How to trace back and push back DDoS.
How to utilize cheap virtual machines from cloud computing providers.
Slide22
How low cost is Amazon AWS EC2?
Slide23
Current SCOLD Project Results
Proposed new DNS entries for intrusion tolerance, containing the information on multiple proxy servers needed to establish indirect routes.
Modified the Bind9 DNS server to accept secure DNS updates and to serve queries with the new indirect DNS entries.
Developed a new secure DNS update utility to securely update the target zone file in the enhanced Bind9 DNS server.
Implemented a new secure indirect routing protocol that allows the client DNS to query the target DNS during a DDoS attack, and allows the client to communicate with the target server through a proxy server and an alternate gateway.
Implemented the Outpace DDoS Defense System: fast updates of server IP addresses; utilize a BGP sinkhole to remove trailing attacks.
Simulation done. Real implementation ongoing.
Slide24
Conclusion
Opportunities exist to design new secure IP protocols/systems. Tackle hard problems: big payoff.
Develop multipath indirect routing/enhanced DNS: better security, better bandwidth, better reliability.
A fundamental solution to DDoS requires global cooperation (legal, internet standards, ISPs) and information assurance awareness (patching diligently; do not click that alumni picture in the email attachment).
Cloud Computing/CDN is our next fun playground.