Secure Group Communications in Wireless Sensor Networks

Download Report

Transcript Secure Group Communications in Wireless Sensor Networks 

Evaluation of Network
Security
May 13, 2004
Moshe Golan
Everett Anderson
Agenda
 Introduction
 Measuring – a general problem
 Network Security Evaluation
 Discussion
 References
Introduction
The problem – Bell-Lab/Lumeta
Internet Mapping Project
Lumena – IPSonar
The Internet Mapping Project was started at Bell
Labs in the summer of 1998.
Its long-term goal is to acquire and save Internet
topological data over a long period of time.
This data has been used in the study of routing
problems and changes, DDoS attacks, and graph
theory.
IPSonar inject small non-intrusive measurement
packets
Some Security Questions
 What fraction of all IP packets have spoofed
addresses?
 How many DDoS attacks occur each day?
 How many compromised machines are
there on the Internet?
 If I installed Secure BGP at 200 chosen
locations, how much better would things
be?
How do we answer?
 Deduce based on the evidence available
 Obtain snapshots from some points in the
network
 Use simulation techniques
 Use honeypots/honeynets to attract attacks
for measurement and analysis
 Install serious measurement infrastructure
in the network
Measuring – a General
Problem
Network Measurements
 LAN
– We can perform measurements of traffic for
local optimization and economics
 Internet
– Poorly measured
– Poorly Understood
– Use of sampling and statistical method
– Simplified assumptions
SCAN - ISI
 network fault isolation
– refer to the problem of pinpointing the origin of
a particular application-perceived dynamic
 Usage of Multicast based announce-listen
techniques for network measurements
 Distributed Infrastructure of Active
Instrumentation
 Visualization
 Trace back using historical views
SCAN – Mercator Program
Small LAN
WAN
Oregon – Route View
 Originally conceived as a tool for Internet operators to
obtain real-time information about the global routing
system from the perspectives of several different
backbones and locations around the Internet.
 The Route Views router, router uses multi-hop BGP
peering sessions with backbones at interesting locations.
Route Views uses AS6447 in its peering sessions, and
routes received from neighbors are never passed on nor
used to forward traffic nor announce any prefixes.
 Now a basis for many research facilities:
Contributors
 Dozens of big players
 AOL, APAN, ATT, Abilene, Accretive,
Accretive, Army Research Lab, Broadwing,
Broadwing, Broadwing, C&W USA,
COMindico, Carrier1, EBONE, ELI .......
TouchAmerica, Verio, WCI Cable, X0,
Zocalo, blackrose.org, netINS
 Many sponsors are commercial
CAIDA
 The Cooperative Association for Internet
Data Analysis, provides tools and analyses
promoting the engineering and maintenance
of a robust, scalable global Internet
infrastructure
 Provides Human interaction in addition to
automated systems – Use the phone
Evaluating Network security
Techniques
Backscatter – Basic Idea
 DoS consists of a stream of packets to a
specific destination
 The victim answers them normally
 Often, the attacker spoofs the source
address of attack packets
 Responses go to the real machines whose
addresses were spoofed
An Example – Prof Reiher
IP spoofing
 Usually uses random IP selection (2^32)
 Every machine has equal chance 1/(2^32) to
receive a response to a spoofed packet
 If enough spoof packets are sent, every
machine will receive some spoof packets
Assumptions
CAIDA Experiment
 3 times 1 week-long periods in 2001
 Using /8 network – Sample 1/256th of all
addresses or 2^24 IP addresses
 Monitored all traffic arriving for any of
these addresses
 Expectations = n/2^24
Results
 During one week, saw 12,805 attacks
 Over three weeks observed 200 million
backscatter packets
 Presumably out of around 50 billion such
packets
 More than 5000 victim addresses in more
than 2000 domains
Closer Look – Types of Attack
Closer Look – Attack Duration
 90% less than an hour
 2% more than 5 hours
 1% over 10 hours
 Only dozens over a
day
Closer Look – Top level domains
 30% not resolved
 .net .com
 Romania and Brazil
Closer Look – Number of Attacks



65% only once
18% twice
95% less than 5 times

90% were 10,000 pkts/sec or
less
500 SYNs per second
overwhelms unprotected
server
46% of attacks were that
strong
14,000 SYNs overwhelms
anti-DoS firewall

2.4% of attacks were that strong
Network Jails & Honeypots
 Lure hackers in and keep them busy
 Provide "real" system
 Save root kits
 Learn latest tricks and vulnerabilities
 Report findings to CERT, alert intermediate
hosts
Planet Lab
 Overlay network with globally dispersed
nodes
 Design, deploy, test “planetary-scale”
services
 Large test best for monitoring, measurement
 Many viewpoints into the Internet
Planet Lab Infrastructure
ScriptRoute
 Provide a way to aggregate traceroute-like
information
 Reverse routes
 Sand boxing of script code, scheduler, rate
limiting
NetBait
 Distributed query service for conventional
IDS information
 Identify attacks and index/store events
locally
 Multiple query sources
 Pull approach
 Currently still CodeRed focused
SANS
 SysAdmin, Audit, Network, Security
Institute
 Early warning
 Training
 Internet Storm Center
CERT Coordination Center
 Traditional human level coordination
 Careful advisories
 Federal funding (DoD, DHS) but non-
government
 US-CERT
– Additional public and private sector content
– Faster advisories?
McAfee SecurityCenter
 End node IDS reporting from PCs
 Similar to seti@home
 Grid or centralized?
 Bundled with personal firewall, risk
analyzer
Symantec DeepSight Analyzer
 Parses a variety of firewall and IDS system logs
 Console view of multiple systems
 Helps admin selectively contact attacking machine
owners
 Reports back to central Symantec service
 Early alert services ($)
 Aimed at network admins/larger business systems
Discussion
Open Questions
 Internet Wide evaluation Vs Local
– Secure every component Vs Global Security
 Is the current approach to finding security problems in the
Internet adequate?
–
–
–
–




Human Involvement
Centralized Solution
Delay in Reporting
Placement of monitoring infrastructure
Do we need a global authority?
Who should run?
How would they do it?
Privacy issues with jailing
References










http://www.lumeta.com/
http://www.isi.edu/scan/
http://antc.uoregon.edu/route-views/
http://www.caida.org/
http://us.mcafee.com/
http://analyzer.securityfocus.com/
http://netbait.planet-lab.org/
Netbait: A Distributed Worm Detection Service, Chun and Witherspoon,ntel Research
Berkeley Technical Report IRB-TR-03-033, September 2003. A Planetlab experiment
designed to detect worm activity by scattering observation points at Planetlab nodes.
Inferring Internet Denial-of-Service Activity, David Moore, Geoffrey Voelker, and
Stefan Savage , 10th Usenex Security Symposium, 2001. A CAIDA paper describing the
basic backscatter technique of determining various properties of DDoS attacks.
An Evening With Berferd In Which a Cracker is Lured, Endured, and Studied, Bill
Cheswick, Usenex , 1992. The grandfather of all research on honeypots and honeynets.