Transcript Document

Network Research
at
College of Computing and
Digital Media
James Yu, Ph.D.
Associate Professor
DePaul University
[email protected]
7/17/2015
08/31/09
DePaul University
1
Outline




08/31/09
Wireless LAN Security Protection against DoS
Attacks
VoIP Traffic Engineering
Netconf for Configuration Validation
Hybrid Routing for MANET
DePaul University
2
WLAN Security:
Problem Statement




It is relatively easy for a hacker to send a faked
deauthenitcaiton or disaasoication frame to a wireless client,
and to terminate its connection to the Wireless Access
Point (WAP).
Making it worse, a hacker could flood a wireless client
with deauthentication or disassociatation frames.
During the attacks, communications to the client are dead.
802.11i provides an effective mechanism to address
crypto attacks, but it does not prevent most DoS attacks.
08/31/09
DePaul University
3
Research Approach
Building an empirical framework to study DoS
attacks over WLANs.
 Investigation of DoS attacks on wireless
communication.
 802.11w – a draft solution to the problem
 Network simulation of WLAN DoS Attacks
 Implementation and improvement of 802.11w
to resolve DoS attacks.
 Verification and Validation

08/31/09
DePaul University
4
DeauthF and DisassF DoS attacks
1. Deauthentication Flooding (DeauthF): A
hacker floods the WLAN with faked
deauthentication frames to force authenticated
wireless clients to drop their connections with
the AP.
2. Disassociation Flooding (DisassF): The
attacker floods disassociation frames to
wireless clients to force them to disconnect
from the AP.
08/31/09
DePaul University
5
Test Environment for WLAN DoS
Attacks
08/31/09
DePaul University
6
Flow Analysis of
Deauthentication attacks
08/31/09
DePaul University
7
802.11w (draft)
A new draft standard to enhance 802.11i
capability
 802.11w extends the security protection to
802.11 management frames
 Deauthentication or disassociation frames are
encrypted and sent to the client. The client
check for the authenticity of the management
frame and then accept (or reject) it.

08/31/09
DePaul University
8
Implementation and
Analyses of 802.11w
 We implement and investigate the performance
and effectiveness of 802.11w to protect the
management frames of deauthentication and
disassociation.
 We use the ns-2 simulator to analyze 802.11w
under four cases. They are the
1. normal WLAN,
2. the WLAN under DeauthF,
3. the WLAN under DeauthF-802.11w, and
4. the WLAN under DeauthF-802.11w w/ Traffic
Shaping.
08/31/09
DePaul University
9
WLAN under
Deauthentication Attacks
08/31/09
DePaul University
10
WLAN under 802.11w Protection
08/31/09
DePaul University
11
Traffic Shaping




An enhancement implemented in the 802.1w solution.
Monitor the DoS attacking rate.
When the attacking rate is higher than a threshold
value (which is configurable), the client will shape the
traffic to no more than 10 fps.
When the attacking rate is below the threshold value,
the standard 802.11w operation continues.
08/31/09
DePaul University
12
WLAN under Protection of
802.11w and Traffic Shaping
08/31/09
DePaul University
13
Contribution and Future Research
Empirical work
 Implementation of 802.11w
 To develop a queuing model to explain the
attacking scenarios.

 The
queuing model is to be validated by the
empirical results and also the ns-2 simulation
model.
08/31/09
DePaul University
14
Voice Traffic Engineering





Goal: Design the network with sufficient capacity to
meet the traffic demand with satisfactory performance
Demand (A) - Traffic Intensity
number of calls × duration of average calls
Erlang
Resources (N) – Number of Trunks
Grade of Service (GoS) – blocking probability
Erlang B Model
08/31/09
DePaul University
15
VoIP Network
SS7
SS7
PSTN
Switch
SoftSwitch
SoftSwitch
Carrier VoIP
Network
Trunk MG
PSTN
Switch
IP (internal)
Trunk MG
Call Manager
(SIP Proxy)
Q.931
Access MG
V
IP (public)
IP (private)
Call Manager
(Enterprise)
MG: Media Gateway
08/31/09
DePaul University
16
Call Admission Control (CAC)


The network (call manager or softswitch) accepts a call
request only if it could guarantee the quality of service
(QoS) of the call.
In a network with dedicated bandwidth for VoIP, we
can calculate the max number of simultaneous calls
based on the allocated bandwidth.



This is the parameter N of the Erlang-B model
Maximum Call Load
When there are N calls in the network, any new call
request will be rejected –

08/31/09
Same as no trunks are available to route the call.
DePaul University
17
Experimental Results
(Bandwidth Utilization)
100%
G.711
G.729A
G.723.1
80%
Problem!
60%
40%
20%
0%
Switched
(10M)
768K
(Serial)
2M
(Serial)
4M
(Serial)
10BaseT
(HD)
100M
(FD)
Bandwidth Utilization = observed max call load ÷ expected max call load
08/31/09
DePaul University
18
Analysis – Limiting Resource


Most studies consider the bandwidth (bps) as
the limiting resource for the VoIP network.
In our experiment, the device (router) is the
limiting resource.

Packet Throughput of Cisco 2600 router: 15,000 pps
15,000 ÷ (1000 ÷ 20) ÷ 4 = 75 calls/sec
Packet sampling rate: 20 ms
08/31/09
DePaul University
19
Current Research



Establish a research project with Neutral Tandem – a
Telecommunications Service Provider which has an
IP-code network for voice traffic.
Collect and analyze the real traffic data
Build a traffic engineering model


08/31/09
Model development
Model validation
DePaul University
20
Netconf
for
Network Management
08/31/09
DePaul University
21
Network Management Requirements






Easy to use
Ability to manipulate complete device
configuration rather than individual entities
Support multiple configurations
Configuration transactions across multiple
devices simultaneously
Human-readable format
Integration with existing security infrastructure
08/31/09
DePaul University
22
Evolution of Network Management
CommandOriented
Vendor specific
Variable-Oriented
SNMP/MIB
Object-Oriented
CORBA
08/31/09
DocumentOriented
XML-Based
TransactionOriented
NETCONF
DePaul University
23
NETCONF Transport
SSH
NETCONF
Manager


Mandatory for NETCONF implementation
Secured
Simple Object Access Protocol (SOAP)



BEEP
NETCONF
Agent
Secure Shell (SSH)


SOAP
SOAP over HTTP(s)
Web Services support
Blocks Extensible Exchange Protocol (BEEP)

08/31/09
peers on the transport level
DePaul University
24
Netconf-based Validation System
08/31/09
DePaul University
25
Data Model for Netconf
Validation
08/31/09
DePaul University
26
Current Research



Joint Research work with Tail-f which provides
the Netconf manager and Netconf agent.
Developing a formal language (based on Yang)
to specify the data requirements.
Software Modules
Parsers (requirements)
 Data aggregator (device configuration data)
 Validation


2nd phase: automation of configuration.
08/31/09
DePaul University
27
Position-based Routing
Background



The cost of collecting and maintaining routing
information in MANET is high.
On demand routing solves the problem partially,
but still costly when mobility is involved.
Location Based Routing (using geographical
information) became feasible with the spread of
location-aware devices
MANET: Mobile Ad Hoc Network
08/31/09
DePaul University
28
Location-Based Routing

Greedy Forwarding: move the packet to the
node closer to destination.

Pros:
No topology information is required
 No routing loops
 used by many location-based routing protocols


Cons:
Cannot recover dead ends (when the node holding the
packet is closer to the destination than its neighbors)
 Difficult to get the destination location

08/31/09
DePaul University
29


HMRP Approach
Integration of both location-based routing and
on demand routing
Two forwarding modes

Default is Greedy Forwarding

Location information is required for first hop only


Obtained by exchanging a periodic hello message
On Demand shortest-path
Used to recover greedy dead-ends
 Controlled broadcast mechanism to obtain route and
geographical information in one request/reply pair
 Shortest path will be cached and served as a backup route

08/31/09
DePaul University
30
HMRP Approach (cont’d)

HMRP optionally utilizes a Minimum Connected
Dominating Set (MCDS)





08/31/09
Limit location and route requests to MCDS
HMRP can automatically detect and adopt to MCDS if exist
HMRP adopts the concept of clustering in a loose manner
where a child node can accept replies from any neighboring
Dominating nodes if they provide better route information
When a child node needs to send information requests, it
forwards the request to its dominator which invokes the
broadcast mechanism
 Improved scalability and less overhead
DePaul University
31
Performance Evaluation
AODV
GPSR
HMRP
18
16
AODV
GPSR
300
Average Latency (ms)
Percentage of packets lost (%)
HMRP
14
12
10
8
6
4
2
0
250
200
150
100
50
0
0
5
10
15
20
25
30
0
5
10
15
20
25
30
Speed (m/s)
Speed (m/s)
Packet loss
End-to-End Latency
Performance results are from the ns2 simulator.
08/31/09
DePaul University
32
Performance Evaluation
AODV
HMRP
GPSR
3.5
3.3
3.1
2.9
2.7
2.5
2.3
2.1
1.9
1.7
1.5
AODV
GPSR
3
control to data packet ratio
Average Path Length (hops)
HMRP
2.5
2
1.5
1
0.5
0
0
5
10
15
20
25
30
5
10
15
20
25
30
speed (m/s)
Speed (m/s)
Path Length
08/31/09
0
Overhead
DePaul University
33
HMRP Summary

A new approach that combines on demand and
location based routing:
HMRP has the benefits of both approaches
 Performance improvement over both Location-Based and
On-Demand
 Provide a new metric (routing capability) which is
exchanged in the hello message. This metric is used to
improve routing decisions. It is calculated based on
several factors such as available node power, and number
of packets forwarded

08/31/09
DePaul University
34