Leveraging Good Intentions to
Reduce Unwanted Network Traffic
Marianne Shaw (U. Washington)
USENIX 2nd Workshop on Steps to Reducing
Unwanted Traffic on the Internet (SRUTI), 2006.
Related Work: Reduce Unwanted Network Traffic
• Network-based approach
  - Monitor and characterize network traffic (normal or abnormal)
  - Eliminate unwanted traffic by identifying it
• Source-limiting approach
  - E.g., ingress filtering, reverse firewall…
  - Define good behaviors of managed users
• Approach is not independent
  - Protect one side, assume one side is trustworthy
2009/4/7
Speaker: Li-Ming Chen

Motivation
• User-administered machines are well-intentioned but easily compromised
  - Once compromised, they will be used to amplify the attacker's ability to inflict damage
• Can we leverage users' non-malicious intentions to prevent their machines from being used to generate unwanted traffic?
  - Say, even when compromised, these machines only generate well-behaved traffic

The Concept
[Figure: hosts A and B. Labels: "Normal communication" / "Okay, I accept."; "Malicious attempt!" / "Hmm, I don't want this one :( (not being blocked!)"; "Stop sending, please… (good intention!!)"; "Malicious attempt blocked".]

Goal
• Propose a solution to reduce unwanted network traffic by enabling either side of a conversation to summarily terminate the conversation without the other endpoint's cooperation.
  - A control plane is used to monitor conversations between endhosts
  - An enforcement mechanism is used to prevent unwanted traffic from being injected into the network
  - Host-based; no extra mechanism is needed within the network

3 Key Observations (Design Rationales)
Can we leverage users' non-malicious intentions to prevent their machines from being used to generate unwanted traffic?
• Accept that machines will be compromised
  - But can we keep them from generating unwanted traffic?!
• Users would be willing to thwart the use of their machines to inflict damage
• Defining and identifying unwanted behavior is difficult and often subjective
  - Two hosts may not classify the same traffic in the same way

A Simple Example: TCP-based Prototype
• Leverage the characteristics of TCP (connection-oriented) to develop a prototype that is virtually invisible to endhosts
[Figure: A, Enf. Mech., B]
In this case,
• The enforcement mechanism executes on a separate physical machine (acting as a gateway for A)
• Connected via a dedicated Ethernet connection
• Guarantees host A will not generate unwanted traffic

A Simple Example: TCP-based Prototype
Normal case:
When A starts flooding B, B may send a RST packet to stop the packet flood.
[Figure: A, Enf. Mech., B. A sends flooding packets to B; B replies with RST: "Stop flooding!" (good intention!!)]
→ However, the attacker may ignore the RST and continue to send high rates of unwanted packets.

A Simple Example: TCP-based Prototype
Leverage good intention:
Once the enf. mech. observes a valid incoming RST packet, the enf. mech. drops all outgoing network packets associated with this connection.
[Figure: A, Enf. Mech., B. A continues flooding packets; at the Enf. Mech. the packets are blocked; B sends RST (good intention!!). Enf. Mech.: "Oh, I know that B wants to close this connection & the intention is good!"]
→ However, the attacker may ignore the RST and continue to send high rates of unwanted packets.

Requirements (problems)
[Figure: A, Enf. Mech., Enf. Mech., B]
• Upon receiving a termination request, the packet stream must be terminated without A's cooperation.
• When receiving unwanted traffic, B must be able to identify the source.
• Enf. mech. must be voluntarily adopted by endhosts.
• Only honor requests to temporarily terminate an existing packet stream.
• Only a recipient of unwanted traffic can make the request.
(This mechanism cannot be used for malicious intention)

Design
• The control plane
• The enforcement mechanism

Design: Control Plane Signaling
1. Unique Identifier
→ IP is the unique identifier of an active conversation
→ IP accountability is necessary!
  - A must not spoof its IP address.
  - B can identify and contact A.
  - B should not be penalized for spoofed packets.
[Figure: A, Enf. Mech., Enf. Mech., B]
Problem: DHCP, IP spoofing.
  - Enf. Mech. can sense reasonable IP change.
  - Enf. Mech. will discard requests coming from spoofed IP.

Design: Control Plane Signaling
2. Defining a Network Conversation
A network conversation is used to track a sequence of network packets
→ Dictates which packets will be dropped when a termination request is received.
[Figure: A, Enf. Mech., Enf. Mech., B]
• Conversation principals: 5-tuples
• Conversation start/stop:
  1. observe network packets and maintain internal state (e.g., TCP)
  2. or observe patterns of network activity

Design: Control Plane Signaling
3. Termination Requests
Require a new signaling mechanism
• Indicate which network conversation is being terminated
• Indicate the amount of time of the termination
[Figure: A, Enf. Mech., Enf. Mech., B]
B must decide what traffic is unwanted, send termination requests back to A, and must not spoof its own identity (IP address).

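The conversation tracking and termination-request rules on the slides above, as an added example (not code from the paper or the slides): a toy Python model of the enforcement mechanism in front of host A. The Enforcer class, its method names, the 300-second cap and the sample addresses are assumptions, and the requester's source address is assumed to be already verified (IP accountability).

```python
from dataclasses import dataclass, field

MAX_BLOCK_SECONDS = 300  # assumed cap; the slides only say "temporarily"

@dataclass
class Enforcer:
    """Toy model of the enforcement mechanism sitting in front of host A."""
    active: set = field(default_factory=set)     # conversations seen leaving A
    blocked: dict = field(default_factory=dict)  # 5-tuple -> block expiry time

    def outgoing(self, conv, now):
        """Decide whether a packet A sends on conversation `conv` is forwarded."""
        expiry = self.blocked.get(conv)
        if expiry is not None:
            if now < expiry:
                return "drop"            # A keeps sending; nothing reaches the network
            del self.blocked[conv]       # the termination was only temporary
        self.active.add(conv)
        return "forward"

    def termination_request(self, requester_ip, conv, seconds, now):
        """Honor a request only from the recipient of an existing conversation."""
        remote_ip = conv[3]
        if conv not in self.active:
            return False                 # no existing packet stream to terminate
        if requester_ip != remote_ip:
            return False                 # third parties cannot cut A off from B
        if not 0 < seconds <= MAX_BLOCK_SECONDS:
            return False
        self.blocked[conv] = now + seconds
        return True

def demo():
    # Constructed sample: A = 10.0.0.5, B = 192.0.2.10, outsider = 203.0.113.9
    conv = ("tcp", "10.0.0.5", 40000, "192.0.2.10", 80)
    enf = Enforcer()
    return [
        enf.outgoing(conv, now=0),                                 # A -> B flows
        enf.termination_request("203.0.113.9", conv, 30, now=1),   # outsider refused
        enf.termination_request("192.0.2.10", conv, 30, now=1),    # B accepted
        enf.outgoing(conv, now=2),                                 # A's flood dropped
        enf.outgoing(conv, now=31),                                # block has expired
    ]

if __name__ == "__main__":
    print(demo())
```
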
Design: Enforcement Mechanism
(avoid being attacked/misused)

1) the enforcement mechanism cannot be
bypassed or subverted by attackers

2) the enforcement mechanism cannot be
undermined by replaying a previous
conversation through the mechanism

3) the enforcement mechanism can be deployed
incrementally by end users and removed as
needed, which should be extremely rare.
Endpoint Authentication (TCP example)
• The enforcement mechanism must provide its own endpoint authentication.
  - Adding a random 32-bit nonce to the initial sequence number (ISN) during connection establishment
  - Ensure that two untrusted, colluding hosts cannot subvert the enforcement mechanism.
→ Man-in-the-middle attack?

Conclusion
• Argue that one can leverage good intentions of users to reduce unwanted traffic on the Internet.
  - Well-intentioned hosts can summarily terminate unwanted traffic
  - By using independent control plane and enforcement mechanism

My Comment (1/3)
• A new idea to build up a security mechanism
• But it's somewhat passive :(
  - Accept that the host is vulnerable and will be compromised
  - Once bothered by a malicious host, request termination
  → In the real world, being compromised might be unacceptable
  → Besides, a vulnerable host gains nothing from this mechanism
    - Except not generating too much unwanted traffic to the Internet after it gets infected!!

My Comment (2/3)
• The action is triggered by well-intentioned hosts
  - What does unwanted traffic mean to me?
  - How to show my good intention?
  → not discussed in this paper…
  → or not implemented in on-line protocols & applications
• and enforced by its peer (who sends unwanted traffic)
  - Accountable, integrity (for both)

My Comment (3/3)
• Receive unwanted traffic, but request termination for others!
  - E.g., stop sending packets to this subnet
  - Or stop scanning on these ports
• Reflection!?
  - Why doesn't everybody like me? Something must be wrong…