Roaming Honeypots for
Mitigating Service-Level
Denial-of-Service
Attacks
Written by:
Sherif M. Khattab
Chatree Sangpachatanaruk
Daniel Mossé
Rami Melhem
Taieb Znati
Presented by:
Theodor Richardson
Ani Starrenburg
Denial-of-Service Attacks:
• Links – exceeding link capacity
• Routers – congesting router buffers
• Front-Ends – consuming front-end processing with requests
• Servers – requesting services at a high rate
Denial-of-Service Defenses:
• Replication – useful in protecting service front-ends
• Firewalls – strategy for prohibiting illegal flow of data
• Intrusion Detection Services – detection of tampering
• Honeypots – may be used for any number of purposes
Honeypots
A security resource whose value lies in being probed, attacked or compromised.
Properties
Environment: Production, Research
Complexity: Low, Medium, High
Purpose: Deception, Deterrence, Detection
Attacker Profile: Script Kiddie, Professional Blackhat
Roaming Honeypot Properties
…A mechanism that allows the locations of honeypots to be unpredictable, continuously changing and disguised within a server pool
Properties
Environment: Production
Complexity: Low, Medium
Purpose: Deception, Deterrence, Detection
Attacker Profile: Script Kiddie +
Proactive Server Roaming Background
[Diagram: attacker and clients reach the server pool through firewalls; the pool holds one active server and several idle servers in front of the back-end servers.]
Proactive Server Roaming Background
One server is active.
At the end of epoch $E_i$ of duration $R_i$, server $S_i$ assumes the role of active server.
Client must store information locally.
Service must track and process legitimate users.
Proactive Server Roaming Background
A backward chain of hashed keys $K_i$ is built, where $0 < i < n$:
$R_i = \mathrm{MSB}_m(H'(K_i))$
$S_i = \mathrm{servers}[\mathrm{MSB}_{\lg N}(H''(K_i))]$
Roaming Honeypots:
[Diagram: attacker and clients reach the pool of honeypots and active servers through firewalls and the AGN, which sits in front of the back-end servers.]
Roaming Honeypots
Uses similar selection algorithms, but selects a set of active servers for each epoch rather than a single server, and introduces a lower bound, m, on the epoch length.
Uses k out of N servers as active servers; the remainder are honeypots.
Offloads processing from client and server to the Access Gateway.
Roaming Honeypot Properties
Properties
Environment: Production
Complexity: Low, Medium
Purpose: Deception, Deterrence
Attacker Profile: Script Kiddie +
Attack Type: Fixed Target, Follower
Benefits: Filtering Effect, Connection-Dropping Effect, Detection, Degrading Attack Detection
Service Model
Subscription-based service
Protection of a pool of N back-end servers
Packet-filtering firewall and IDS deployed
AGN as a layer of indirection
Access Gateway Network
Provides a level of indirection between client and back-end server
Decouples authentication and authorization from service provision
Only the AGN follows server locations and status – it forwards client packets
Roaming scheme is transparent to the client
AGN Structure
The back-end server is considered the tree root.
AGs with higher resistance to attacks and lower reconfiguration rates are closer to the back-end servers (lower in the tree).
Each AG is responsible for address registration and parent registration.
The AGs closest to the root handle connection migration.
AGN: Address Registration
Each AG registers an <ID, Address> tuple with the AG node responsible for storing addresses.
ID = (SID || L || Index)
SID is a service identifier
L is the level of the AG in the AGN
Index is the AG index within level L
AGN: Parent Registration
An AG registers its IP address with its parent (the servers, if the AG is at the root).
The AG uses (SID || L-1 || Index(parent)) to look up the parent address.
This allows IP routing for migration messages.
AGN: Connection Migration
The AG forwards client C's messages to server $S_i$.
When $S_i$ changes from active to inactive, the AG chooses a new active server $S_j$ at random for client C.
The AG re-registers with parent $S_j$.
The AG encapsulates the connection state from $S_i$ and forwards it to $S_j$ in a TCP SYN packet.
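The three AGN steps above (address registration, parent registration, connection migration) as a small model, added here as an illustration; this is not the paper's code or the authors' simulator. The `|` separator inside the ID, the numbering of back-end servers as level 0, the dictionary used as the migration message, and all addresses are constructed assumptions.

```python
"""Toy model of Access Gateway Network (AGN) registration and connection
migration. Illustration only, not the paper's implementation: the ID encoding,
level numbering (back-end servers at level 0) and message format are assumed."""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def make_id(sid: str, level: int, index: int) -> str:
    """ID = (SID || L || Index); '|' is the concatenation separator here
    (assumption: the slides do not fix an encoding)."""
    return f"{sid}|{level}|{index}"


class AddressStore:
    """The AG node responsible for storing <ID, Address> tuples."""

    def __init__(self) -> None:
        self._addresses: Dict[str, str] = {}

    def register(self, sid: str, level: int, index: int, address: str) -> None:
        self._addresses[make_id(sid, level, index)] = address

    def lookup(self, sid: str, level: int, index: int) -> Optional[str]:
        return self._addresses.get(make_id(sid, level, index))


@dataclass
class AccessGateway:
    sid: str
    level: int
    index: int
    address: str
    store: AddressStore
    # address learned through parent registration; a level-1 AG's parent is a server
    parent: Optional[str] = None
    # per-client connection: client -> (server address, opaque TCP state)
    sessions: Dict[str, Tuple[str, dict]] = field(default_factory=dict)

    def register(self, parent_index: int) -> Optional[str]:
        """Address registration, then parent registration by looking up
        (SID || L-1 || Index(parent)) in the address store."""
        self.store.register(self.sid, self.level, self.index, self.address)
        self.parent = self.store.lookup(self.sid, self.level - 1, parent_index)
        return self.parent

    def migrate(self, inactive: str, active: List[str], rng: random.Random) -> List[dict]:
        """Connection migration: each client attached to `inactive` is moved to a
        randomly chosen active server S_j; the AG re-registers S_j as its parent
        and sends the encapsulated connection state in a SYN to S_j."""
        messages = []
        for client, (server, state) in list(self.sessions.items()):
            if server != inactive:
                continue
            new_server = rng.choice(active)
            self.sessions[client] = (new_server, state)
            self.parent = new_server  # re-register with parent S_j
            messages.append({"client": client, "to": new_server,
                             "flags": "SYN", "state": state})
        return messages


def demo() -> Tuple[Optional[str], List[dict]]:
    """Constructed scenario: two back-end servers at level 0 and one level-1 AG.
    Server S_0 becomes inactive (a honeypot) and its client is migrated to S_1."""
    store = AddressStore()
    store.register("svc", 0, 0, "10.0.0.1")   # server S_0 (constructed address)
    store.register("svc", 0, 1, "10.0.0.2")   # server S_1 (constructed address)
    ag = AccessGateway("svc", 1, 0, "10.0.1.1", store)
    parent = ag.register(parent_index=0)       # parent is S_0
    ag.sessions["client-A"] = ("10.0.0.1", {"seq": 1000})
    ag.sessions["client-B"] = ("10.0.0.2", {"seq": 2000})
    msgs = ag.migrate("10.0.0.1", ["10.0.0.2"], random.Random(1))
    return parent, msgs


if __name__ == "__main__":
    print(demo())
```

Only the client attached to the server that went inactive is moved; the client on the still-active server keeps its connection, which is the behaviour that makes roaming transparent to clients that were not on the retiring server.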
Roaming Protocol
For a single active server:
Time is divided into epochs – random intervals of activity/inactivity for servers.
The length of epoch $E_i$ is derived from a long hash chain: $R_i = H(K_i)$, where $K_i$ is a random key and $R_i$ is the number of seconds.
The active server for epoch $E_i$ is $S_i = \mathrm{servers}[\mathrm{MSB}(H'(K_i))]$, where MSB denotes the most significant bits of the hash function $H'$ (such as MD5).
Service:
Out of N servers, k are active at any time; the set of active servers is $P_k(S)$.
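The hash-chain schedule described on this slide and on the earlier "Proactive Server Roaming Background" slide, carried through in working code together with the filtering effect the deck lists as a benefit: the gateway derives every epoch's length $R_i$ and active set from the chain key $K_i$, and any source that sends directly to a server that is currently a honeypot is filtered. This is an added example, not the paper's code; SHA-256 in place of the MD5 the slides mention, the domain separation that turns one hash into $H$ and $H'$, the chain direction ($K_i = H(K_{i+1})$), the way k distinct servers are drawn from $H'(K_i \| j)$, and the class and parameter names are assumptions.

```python
"""Roaming schedule from a backward hash chain plus the honeypot filtering
effect. Added illustration, not the paper's implementation; hash choice,
domain separation, chain direction and k-of-N selection are assumptions."""
import hashlib
import secrets
from typing import List, Optional, Set, Tuple


def build_chain(n: int, k_n: Optional[bytes] = None) -> List[Optional[bytes]]:
    """Backward chain: K_n is random and K_i = SHA-256(K_{i+1}) for 0 < i < n.
    Epochs consume K_1, K_2, ... in order, so revealing K_i gives away nothing
    about K_{i+1} (assumption: the slides say only 'backward chain')."""
    chain: List[Optional[bytes]] = [None] * (n + 1)
    chain[n] = k_n or secrets.token_bytes(32)
    for i in range(n - 1, 0, -1):
        chain[i] = hashlib.sha256(chain[i + 1]).digest()
    return chain


def msb(digest: bytes, bits: int) -> int:
    """MSB_bits(digest): the top `bits` bits of the digest as an integer."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def epoch_length(k_i: bytes, m_bits: int, min_epoch: int) -> int:
    """R_i = MSB_m(H(K_i)) seconds, clamped to the lower bound on epoch length
    that the roaming-honeypot scheme adds (the slides use 'm' for both the bit
    count and the bound; they are separate parameters here)."""
    return max(min_epoch, msb(hashlib.sha256(b"epoch|" + k_i).digest(), m_bits))


def active_servers(k_i: bytes, servers: List[str], k: int) -> List[str]:
    """S_i = servers[MSB_{lg N}(H'(K_i))] generalised to k of N servers: indices
    are drawn from H'(K_i || j), j = 0, 1, ..., until k distinct servers are
    chosen (assumption; the slides write the active set as P_k(S))."""
    n = len(servers)
    bits = n.bit_length() - 1
    if n != 1 << bits:
        raise ValueError("N must be a power of two for MSB_{lg N} indexing")
    chosen: List[str] = []
    j = 0
    while len(chosen) < k:
        tag = b"srv|" + k_i + j.to_bytes(4, "big")
        idx = msb(hashlib.sha256(tag).digest(), bits)
        if servers[idx] not in chosen:
            chosen.append(servers[idx])
        j += 1
    return chosen


class RoamingGateway:
    """Access gateway view: knows the schedule, forwards legitimate traffic to
    an active server and blocks any source that hits a honeypot."""

    def __init__(self, servers: List[str], k: int, n_epochs: int,
                 m_bits: int = 8, min_epoch: int = 5, k_n: Optional[bytes] = None):
        self.servers, self.k = list(servers), k
        self.m_bits, self.min_epoch = m_bits, min_epoch
        self.chain = build_chain(n_epochs, k_n)
        self.blocked: Set[str] = set()

    def schedule(self, i: int) -> Tuple[int, List[str]]:
        """(R_i, active set) for epoch E_i."""
        k_i = self.chain[i]
        return (epoch_length(k_i, self.m_bits, self.min_epoch),
                active_servers(k_i, self.servers, self.k))

    def handle(self, i: int, src: str, dst: str) -> str:
        """Classify one packet seen in epoch E_i that names server `dst`.
        Clients never learn honeypot addresses (the AGN forwards for them), so
        a packet aimed at an inactive server marks `src` as an attacker that is
        following the servers, and its later traffic is dropped (filtering effect)."""
        if src in self.blocked:
            return "dropped"
        _, active = self.schedule(i)
        if dst not in active:
            self.blocked.add(src)
            return "honeypot-hit"
        return "forwarded"
```

The `k_n` parameter exists so that the schedule is reproducible in a test; in use it should be left to `secrets.token_bytes`, since the whole point of the chain is that future epochs are unpredictable to anyone who does not hold $K_n$.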
Network Model
[Diagram: attacker and clients reach the honeypot and active server through a firewall and the AGN, which fronts the back-end servers.]
Simulation Model
Tested on ns-2, a discrete event simulator aimed at network testing.
Simulates routing, TCP, and multicast protocols.
Supports wired and wireless networks.
http://www.isi.edu/nsnam/ns/
Simulation Model
Tested under ns-2 simulation; Average Response Time (ART) is the primary metric.
Comparison of:
Nonroaming (Load Sharing)
Roaming w/o Filtering (attacker traffic is not dropped)
Roaming w/ Filtering (attacker traffic is dropped)
Effect of Migration Interval
Restarting TCP must be balanced against the migration interval timing, to keep the overhead of re-establishing TCP with the new server set in check.
Effect of Client Load
Under small attack loads, the nonroaming scheme performs better because of the overhead of roaming.
Effect of Attack Load
With filtering, the ART does not change as the attack load increases once the attacker is detected.
Effect of Follow Delay
In Roaming w/ Filtering, clients experience an attack-free window while the attacker experiences the follow delay.
Conclusions
Strengths:
Under high attack load, the roaming scheme performs better than load sharing.
Undetectable honeypot locations.
Transparent to client traffic.
Conclusions
Weaknesses:
Must balance the TCP overhead of resetting connections.
Wastes a large amount of server resources through inactivity (servers sitting as honeypots).
The idea of logical roaming is underdeveloped in the paper, but could save resources and reduce overhead.
Conclusions
A vulnerability remains: malicious code can be installed on legitimate servers.
Periodic reinstall is suggested, but the service can be compromised before the reinstall if the attack is sophisticated.
This violates the honeypot property that a compromised honeypot should not adversely affect the operation of the standard service.