Roaming Honeypots for Mitigating Service-level Denial-of-Service Attacks
Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mosse, Rami Melhem, Taieb Znati.
University of Pittsburgh, PA.
Presented by: Nikhil Mahajan, Sriharsha Hammika

Denial of Service
 An attempt to make a computer resource unavailable to its intended users.
 Typically the targets are high-profile web servers.
Effects of DoS:
 Force the victim computer(s) to reset, or consume their resources, such that they can no longer provide the intended service.
 Obstruct the communication media between the intended users and the victim such that they can no longer communicate adequately.

Basic idea comes from a previous paper: Server Roaming
 Proactive server roaming to mitigate the effects of Denial-of-Service (DoS) attacks.
 The active server changes its location within a pool of servers to defend against unpredictable and undetectable attacks.
 Only legitimate clients can follow the active server as it roams.
However, there are basic reasons to shift the paradigm:
 Server bandwidth: a single active server bounds the bandwidth of the service.
 Clients have to keep track of the active server.
 Ratio of active to idle servers: most of the pool sits idle at any time.

Honeypots?
Honeypots are closely monitored network decoys serving several purposes:
 They can distract adversaries from more valuable machines on a network.
 They can provide early warning about new attack and exploitation trends.
 They allow in-depth examination of adversaries during and after exploitation of a honeypot.

Honeypots
 An upgraded method along the same lines.
 A proactive detection mechanism.
 Machines that are not supposed to receive any legitimate traffic.
 Any traffic destined to a honeypot is most probably an ongoing attack, and can be analyzed to reveal the vulnerabilities targeted by attackers.

Standard implementation
 Deployed at fixed locations.
 The locations are detectable, and the honeypots run on machines different from the ones they are supposed to protect.
 Sophisticated attacks can therefore avoid the honeypots.

Proposed Solution: Roaming Honeypots
 A scheme for mitigating service-level DoS attacks against the back-ends of private services.
 The locations of the honeypots change continuously and unpredictably within a pool of back-end servers, in a way that is disguised from attackers.
 Each server alternates between providing the service and acting as a honeypot, in a manner unpredictable to attackers.

On the same lines: Honeynet
 A honeynet is a type of honeypot.
 A high-interaction research honeypot.
 Designed to capture extensive information on threats.
 The highly controlled network contains one or more honeypots for attackers to interact with, and provides tools to collect and analyze the information.
Honeynet: three basic jobs
 Data control
 Data capture
 Data analysis
Data control: reduce risk; a compromised honeypot must not be usable to attack other systems.
Data capture: detect and capture the attacker's activities.
Data analysis: analyze the captured data and thus prevent further attacks.

Back to Honeypots: two effects
 Filtering effect.
 Connection-dropping effect.
Filtering Effect:
 Idle servers (honeypots) detect attacker addresses so that all their subsequent requests are filtered out.
Connection-Dropping Effect:
 Each time a server switches from idle to active, it drops all its current (attack) connections, opening a window of opportunity for legitimate requests before the attack builds up again.

AGN: Access Gateway Network
 Keeps track of the current active servers.
 Clients contact AGs to subscribe and to request services.
 After a request is authenticated and authorized, the AG redirects it to one of the active servers.
 Also supports dynamic load balancing.

Connection Migration
 At the end of each service epoch, a subset of servers change their status from "Active-to-Idle" and another subset from "Idle-to-Active".
 Let S_ai be the set of servers going active-to-idle and S_ia the set going idle-to-active, with |S_ai| = |S_ia|, so the number of active servers stays constant.
 For each client connection C to a server in S_ai, its handling AG selects a server uniformly at random from S_ia.
 A connection is established between this newly active server and the client, using the latest update message from C.

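The epoch switch described on this slide, together with the filtering and connection-dropping effects from the "Back to Honeypots" slide, worked through as an added example. This is not code from the paper or its ns-2 testbed: the class `RoamingPool`, the helper `make_pool`, the address strings and the pool of 6 servers with 3 active are this example's own assumptions.

```python
import random
from dataclasses import dataclass, field


@dataclass
class RoamingPool:
    """Pool of N back-end servers of which k are active; the rest are honeypots.
    (Names and layout are assumptions of this example, not the paper's code.)"""
    servers: list                      # all server ids
    active: set                        # ids of the k currently active servers
    conns: dict                        # AG table: connection id -> server id
    rng: random.Random = field(default_factory=random.Random)
    filtered: set = field(default_factory=set)   # sources recorded by honeypots
    held: dict = field(default_factory=dict)     # honeypot id -> attack sources it holds

    @property
    def idle(self):
        return set(self.servers) - self.active

    def deliver(self, src, server):
        """Traffic from `src` arriving at `server`. Returns True only when it
        reaches an active server. An idle server is a honeypot: it records the
        source (filtering effect) and keeps the connection as a decoy, and every
        later request from that source is dropped wherever it goes."""
        if src in self.filtered:
            return False
        if server in self.active:
            return True
        self.filtered.add(src)
        self.held.setdefault(server, set()).add(src)
        return False

    def roam(self, m):
        """End of a service epoch: m active servers go active-to-idle (S_ai) and
        m idle servers go idle-to-active (S_ia), so |S_ai| == |S_ia| and the
        number of active servers is unchanged. For each connection on a server
        in S_ai the AG picks a server uniformly from S_ia and re-establishes the
        connection there. Returns (S_ai, S_ia, migration map)."""
        s_ai = set(self.rng.sample(sorted(self.active), m))
        s_ia = set(self.rng.sample(sorted(self.idle), m))
        choices = sorted(s_ia)
        migrated = {cid: self.rng.choice(choices)
                    for cid, srv in self.conns.items() if srv in s_ai}
        self.conns.update(migrated)
        # Connection-dropping effect: a server that becomes active drops every
        # connection it held as a honeypot, so it starts the epoch carrying only
        # the legitimate connections the AG migrated to it.
        for srv in s_ia:
            self.held.pop(srv, None)
        self.active = (self.active - s_ai) | s_ia
        return s_ai, s_ia, migrated


def make_pool(seed=1):
    """Constructed sample: 6 servers, 3 active, four client connections."""
    return RoamingPool(servers=list(range(6)), active={0, 1, 2},
                       conns={"c1": 0, "c2": 1, "c3": 2, "c4": 0},
                       rng=random.Random(seed))


if __name__ == "__main__":
    pool = make_pool()
    print("attacker at honeypot 4 reaches service:", pool.deliver("198.51.100.7", 4))
    print("same attacker at active 0 reaches service:", pool.deliver("198.51.100.7", 0))
    print("AG traffic at active 1 reaches service:", pool.deliver("ag-1", 1))
    s_ai, s_ia, moved = pool.roam(2)
    print("S_ai", s_ai, "S_ia", s_ia, "migrated", moved, "active now", pool.active)
```

The invariants worth checking after `roam(m)` are the ones the slide states: the two sets have equal size, the active count is unchanged, every migrated connection lands on a member of S_ia, and no server in S_ia still holds attack connections from its time as a honeypot.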
Network-Level Attacks: Using a Spoofed IP Address
 Suppose an attacker uses a forged source address to hide their identity.
 If such a request hits a honeypot, then all future correspondence from this IP address is dropped.
 If this IP address is the valid address of a client, then that client is discarded automatically.
 Fortunately, the AGN automatically takes care of this situation.

Countering Spoofed Attacks:
 Legitimate requests are tunneled through the AGN, so the back-end servers only see AG addresses.
 For this attack to succeed, an attacker therefore needs to spoof an AG's address.
 An AG can easily detect that it is under such an attack (all its requests are being dropped) and can respond by changing its IP address.
 The AG then updates its address registration with the new IP address.

Attack Models
Two types of attack models:
 Fixed-target attacks
 Follower attacks
Fixed-Target Attack:
 The attacker selects a few servers and attacks them continuously.
Follower Attack:
 The attacker tries to continuously direct the attack at the currently active servers.
 The attacker discovers a newly active server only after a follow delay.

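The two attack models above, run against a roaming pool with and without the filtering effect from the earlier slide, as an added example. This is not the paper's ns-2 model: the function `simulate`, its parameters, the one-in-one-out roam rule at the end of each epoch, and the way the follower's view lags the true active set are assumptions of this example.

```python
import random
from collections import deque


def simulate(n=8, k=3, m=1, epochs=200, attackers=4, model="fixed",
             follow_delay=2, filtering=True, seed=7):
    """Run `epochs` service epochs and report where the attack requests went.

    model="fixed": each attacker picks k servers once and attacks them every epoch.
    model="follower": each attacker aims at the servers it believes are active;
    its view lags the true active set by up to `follow_delay` epochs.
    filtering=True is roaming honeypots (FR): the first request that reaches an
    idle server gets the attacker recorded and all its later requests dropped.
    filtering=False is plain roaming (R): honeypots drop the request but record nothing.
    (Parameter names and the roam rule are assumptions of this example.)
    """
    rng = random.Random(seed)
    servers = list(range(n))
    active = set(rng.sample(servers, k))
    # Active sets in the order the follower observed them; history[0] is the oldest kept.
    history = deque([active], maxlen=follow_delay + 1)
    fixed_targets = [set(rng.sample(servers, k)) for _ in range(attackers)]
    filtered_at = {}                       # attacker -> epoch it was recorded
    stats = {"active_hits": 0, "honeypot_hits": 0, "dropped": 0}
    for t in range(epochs):
        for a in range(attackers):
            targets = fixed_targets[a] if model == "fixed" else history[0]
            for s in targets:
                if a in filtered_at:
                    stats["dropped"] += 1            # filtering effect
                elif s in active:
                    stats["active_hits"] += 1        # attack load lands on the service
                else:
                    stats["honeypot_hits"] += 1      # an idle server saw the attacker
                    if filtering:
                        filtered_at[a] = t
        # End of the epoch: m active servers go idle and m idle servers go active.
        s_ai = set(rng.sample(sorted(active), m))
        s_ia = set(rng.sample(sorted(set(servers) - active), m))
        active = (active - s_ai) | s_ia
        history.append(active)
    stats["filtered"] = len(filtered_at)
    stats["filtered_at"] = filtered_at
    return stats


if __name__ == "__main__":
    for model, delay in (("fixed", 0), ("follower", 0), ("follower", 2)):
        for filtering in (True, False):
            r = simulate(model=model, follow_delay=delay, filtering=filtering)
            print(model, "delay", delay, "FR" if filtering else "R ",
                  {key: r[key] for key in ("active_hits", "honeypot_hits", "dropped", "filtered")})
```

Two things the run makes visible. A fixed-target attacker is always recorded within the first two epochs: if its targets are not exactly the active set it hits a honeypot at once, and if they are, the first roam moves one target to idle. A follower with zero follow delay never touches a honeypot, which is why the filtering effect alone cannot stop it and the connection-dropping effect (and the follow delay) matter.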
Other Attack Models
Service-Level Attack:
 Usually found in public services.
 Possible in private services with a large client population and high join/leave and service-request rates.
 Not possible using a spoofed source address, as a three-way handshake is required for the TCP service.
Eavesdropping

Experimental Results
Simulation:
 ns-2 (Network Simulator) was used.
 ns is a discrete-event simulator targeted at network research.
 It supports simulation of TCP, routing and multicast protocols over wired or wireless networks.
Simulation Model:
Roaming testbed:
 Created a wrapper for the ns-2 built-in FullTcp agent and added a socket layer.
 Created multi-threaded FTP server and client modules.
 An FTP connection remains active until either the FTP request is fulfilled or roaming occurs.

Simulation Model (contd.)
What happens if roaming occurs in the middle of an FTP transfer?
 The client module uses its socket layer to record the current FTP state (number of remaining bytes) of the connection.
 It drops the current TCP agent.
 It connects to another active agent selected at random.
 It sends the recorded FTP state to the new server in order to resume the FTP transfer.

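The four resume steps above, carried through in memory as an added example (this is not the paper's ns-2 FTP modules). Transport is simulated rather than done over real TCP, and `Server`, `Client`, `transfer`, the constructed 2 KiB file and the one-in-one-out roam per epoch are assumptions of this example.

```python
import random

# Constructed sample "file", replicated on every back-end server (assumption).
FILE = bytes(range(256)) * 8


class Server:
    """Back-end FTP server that resumes a transfer from a client-supplied state."""
    def __init__(self, sid, data=FILE):
        self.sid, self.data = sid, data

    def send(self, remaining, chunk, chunks_per_epoch):
        """`remaining` bytes are still owed, so resume at len(data) - remaining
        and send at most chunks_per_epoch chunks of `chunk` bytes this epoch."""
        start = len(self.data) - remaining
        end = min(len(self.data), start + chunk * chunks_per_epoch)
        return self.data[start:end]


class Client:
    """Client whose socket layer keeps the FTP state (bytes remaining)."""
    def __init__(self, size):
        self.remaining = size
        self.buffer = bytearray()
        self.server = None
        self.reconnects = []          # (epoch, old server, new server, remaining)

    def connect(self, active, rng, epoch=0):
        old = self.server
        self.server = rng.choice(sorted(active))   # any active server, at random
        if old is not None:
            self.reconnects.append((epoch, old, self.server, self.remaining))
        return self.server

    def receive(self, data):
        self.buffer += data
        self.remaining -= len(data)


def transfer(data=FILE, n=4, k=2, chunk=64, chunks_per_epoch=3, seed=11):
    """Run one FTP transfer across service epochs. At the end of each epoch one
    active server swaps with one idle server (when there is one). Returns the
    bytes the client assembled and its reconnect log."""
    rng = random.Random(seed)
    servers = {i: Server(i, data) for i in range(n)}
    active = set(rng.sample(range(n), k))
    client = Client(len(data))
    client.connect(active, rng)
    epoch = 0
    while client.remaining > 0:
        if client.server not in active:
            # Roaming dropped the connection: the socket layer still holds the
            # FTP state, the client reconnects to another active server and
            # hands that state over, and the new server resumes from there.
            client.connect(active, rng, epoch)
        state = client.remaining
        client.receive(servers[client.server].send(state, chunk, chunks_per_epoch))
        idle = sorted(set(servers) - active)
        if idle:                                    # end of epoch: roam
            leaving = rng.choice(sorted(active))
            active = (active - {leaving}) | {rng.choice(idle)}
        epoch += 1
    return bytes(client.buffer), client.reconnects


if __name__ == "__main__":
    out, log = transfer()
    print("complete:", out == FILE, "reconnects:", log)
```

With no idle servers (`n == k`) nothing ever roams and the log stays empty; otherwise every reconnect records a strictly smaller remaining count than the one before it, because at least one epoch of data arrives between any two roams that hit the client.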
Simulation Model (contd.)
Three schemes were compared, to separate the filtering effect from the connection-dropping effect:
 Filter roaming (FR): roaming honeypots, with both effects.
 Roaming without filtering (R): a roaming scheme in which there is no filtering, so only the connection-dropping effect remains.
 Full replication: non-roaming; all servers are active and neither effect applies.
Simulation Topology:
 An authenticator node provides the roaming-update functionality.

Simulation Result: ART (average response time) inferences
 Every point in the graph represents the ART of the requests issued within the previous 30 seconds.
 Non-roaming: ART keeps increasing during the attack (50-250 s).
 Roaming: slight increase.
 Filter roaming: ART increases slightly between 50-180 s and then stabilizes once all attackers have been recorded.

Effect of Migration Interval
Comparison of M (migration interval) values:
 There exists a critical value of M (= 10 in this case).
Below the critical value:
 Roaming overhead is dominant.
 As M increases, connections are re-established less frequently, resulting in a decreased ART.
Beyond the critical value:
 As M increases, ART increases, for two reasons:
 The connection-dropping effect occurs less frequently.
 More client requests are issued to a server while it is under attack.

Effect of Client Load
Comparison:
 The attack load is 5 Mbps.
 For small attack loads, the non-roaming scheme outperforms R and FR.
 Other attack loads exhibit similar behavior.

Effect of Attack Load
Comparison:
 FR: keeps the ART stable with increasing attack loads.
 Non-roaming: ART is lower for small loads, but increases for large loads.
 R: ART increases with increasing attack load.

Effect of Follow Delay
Follow delay comparison:
 FR: ART decreases as the follow delay increases.
 R: ART decreases as the follow delay increases.
 Non-roaming: ART is the same for follower and fixed-target attacks.

Limitations
 The roaming honeypots scheme incurs an overhead that causes performance degradation, both in the absence of attacks and under low attack loads.
Reasons for the overhead:
 Load is distributed over the k active servers instead of all N servers.
 During a switch from active to idle, all of the server's active connections have to be re-established.

Future Work
 A mechanism that adaptively changes the number of concurrently active servers depending on the attack and client loads is a subject of future work.

Conclusion
 At any point in time, a subset of the servers is active and providing the service while the rest act as honeypots.
 All legitimate requests are directed through the AGN (from client to server and vice versa).
 Though the scheme incurs an overhead, under high attack loads it shows a performance gain.

Thank you. Any questions?
Best of luck for your presentation and final exam!