Security Related Research Projects
at UCCS Network Research Lab
C. Edward Chow
Department of Computer Science
University of Colorado at Colorado Springs
Security Research 2/7/2003
1
chow
Outline of the Talk
Brief Introduction to the Network/Protocol Research Lab at UCCS
Network security related research projects at the UCCS Network/Protocol Research Lab:
Autonomous Anti-DDoS Project
Secure Collective Defense Project
BGP/MPLS based VPN Project
Discussion on Innerwall-UCCS Joint Research Project
STTR N03-T010, TITLE: Intrusion Monitoring, Detection and Reporting
UCCS Network Research Lab
Director: Dr. C. Edward Chow
Graduate students:
– John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability
– Heikki Julkunen: Dynamic Packet Filter
– Chandra Prakash: Highly Available Linux kernel-based Content Switch
– Ganesh Godavari: Linux based Secure Web Switch
– Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
– Longhua Li: IXP-based Content Switch
– Yu Cai (Ph.D. research assistant): Multipath Routing
– Jianhua Xie (Ph.D.): Secure Storage Networks
– Frank Watson: Content Switch for Email Security
– Paul Fong: Wireless AODV Routing for sensor networks
– Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS
– David Wilkinson/Sonali Patankar: Secure Collective Defense
– Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
– Patricia Ferrao/Merlin Vincent: Web-based Collaborative System Support
UCCS Network Lab Setup
Gigabit fiber connection to the UCCS backbone
Switch/Firewall/Wireless AP:
HP 4000 switch; 4 Linksys/D-Link switches.
SonicWall Pro 300 firewall
8 Intel 7110 SSL accelerators; 4 Intel 7280 XML directors, donated by Intel.
Cisco 1200 Aironet dual-band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards).
Intel IXP12EB network processor evaluation board
Servers: two Dell PowerEdge servers.
Workstations/PCs:
8 Dell PCs (3 GHz to 500 MHz); 12 HP PCs (500 MHz to 233 MHz)
2 laptop PCs with Aironet 350 cards for mobile wireless
OS: Red Hat Linux 8.0; Windows XP/2000
[Lab photos: HP4000 switch with gigabit fiber to the UCCS backbone, workstation, Dell server, Intel IXP network processor]
[Lab photos: Intel 7110 SSL accelerators, Intel 7280 XML director]
DDoS: Distributed Denial of Service Attack
[Diagram: attack hierarchy] Mastermind (Intruder) -> Client (Attack Commander) -> Handlers (Middlemen) -> Agents (Attackers) -> Victim
DDoS Tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
DDoS Victims: Yahoo/Amazon (2000); CERT (5/2001); DNS Root Servers (10/2002)
How widespread is DDoS?
Research by Moore et al. of the University of California at San Diego, 2001 ("Inferring Internet Denial-of-Service Activity"), using backscatter analysis:
12,805 DoS attacks observed in a 3-week period
Most of the victims are home users and small to medium sized organizations
Intrusion Related Research Areas
Intrusion Prevention
General Security Policy
Ingress/Egress Filtering
Intrusion Detection
Anomaly Detection
Misuse Detection
Intrusion Response
Identification/Traceback/Pushback
Intrusion Tolerance
Security Related Research Projects
Secure Content Switch
Autonomous Anti-DDoS Project
Deals with intrusion detection and handling.
Techniques:
– IDS-Firewall Integration
– Adaptive Firewall Rules
– Easy to use/manage.
Secure Collective Defense Project
Deals with intrusion tolerance: how to tolerate the attack.
Techniques (main idea: explore secure alternate paths for clients to come in):
– Multiple Path Routing
– Secure DNS extension: how to inform client DNS servers to add alternate new entries
– Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways.
BGP/MPLS based VPN Project
Content Switch for Email Security.
Design of an Autonomous Anti-DDoS Network (A2D2)
Graduate Student: Angela Cearns
Goals:
Study the Linux Snort IDS/firewall system
Develop a Snort plug-in for generic flood detection
Investigate rate limiting and class-based queueing (CBQ) for effective firewall protection
Intrusion detection automatically triggers adaptive firewall rule updates.
Study QoS impact with/without the A2D2 system.
http://cs.uccs.edu/~chow/pub/master/acearns/doc/
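As an added example (not code from the A2D2 project or the thesis linked above), the following Python script shows the two mechanisms of the design working together: it generates the tc CBQ class tree with the 70/15/10/5 per-service split shown in the testbed diagram, then parses Snort fast-format alert lines and emits a multi-level iptables response (rate-limit a source after a few alerts, drop it outright after many). The alert thresholds, the A2D2 chain name, the constructed sample alerts, and RTSP port 554 for RealPlayer are assumptions of the example; commands are returned as strings and never executed.

```python
"""A2D2-style adaptive response (added illustration, not the project's code).

1. cbq_commands()  - tc commands for the per-service CBQ split from the
   A2D2 testbed diagram (70/15/10/5 percent of link bandwidth).
2. adapt_rules()   - parse Snort "fast" alert lines, count alerts per source
   address, and emit iptables rules at one of two levels: limit or drop.
Commands are returned as strings (dry run); nothing here touches the kernel.
"""
import re
from collections import Counter

IP_PROTO = {"tcp": 6, "udp": 17, "icmp": 1}

# Class split from the testbed diagram. Ports are standard IANA assignments;
# RTSP 554 for RealPlayer is this example's assumption.
CBQ_CLASSES = [
    ("web",  70, [("tcp", 80), ("tcp", 554)]),     # HTTP, RealPlayer
    ("mail", 15, [("tcp", 25), ("tcp", 110)]),     # SMTP, POP3
    ("ssh",  10, [("tcp", 22)]),                   # SSH, SFTP
    ("ctrl",  5, [("icmp", None), ("udp", 53)]),   # SYN/ICMP/DNS control traffic
]


def cbq_commands(dev="eth1", link_kbit=10_000):
    """Root CBQ qdisc plus one bounded class per service, sized by percentage."""
    cmds = [f"tc qdisc add dev {dev} root handle 1: cbq bandwidth {link_kbit}kbit avpkt 1000"]
    for i, (name, pct, matches) in enumerate(CBQ_CLASSES, start=1):
        rate = link_kbit * pct // 100
        cmds.append(f"# {name}: {pct}% of {link_kbit}kbit")
        cmds.append(f"tc class add dev {dev} parent 1: classid 1:{i}0 cbq "
                    f"bandwidth {link_kbit}kbit rate {rate}kbit allot 1514 "
                    f"prio {i} avpkt 1000 bounded")
        for proto, port in matches:           # u32 classifier: protocol, then dport
            sel = f"match ip protocol {IP_PROTO[proto]} 0xff"
            if port is not None:
                sel += f" match ip dport {port} 0xffff"
            cmds.append(f"tc filter add dev {dev} parent 1: protocol ip prio {i} "
                        f"u32 {sel} flowid 1:{i}0")
    return cmds


# Snort fast alert format: "<ts>  [**] [gid:sid:rev] msg [**] [Priority: n] {PROTO} src[:port] -> dst[:port]"
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?")


def adapt_rules(alert_text, limit_at=5, drop_at=20, pps=10, chain="A2D2"):
    """Multi-level response keyed on alert count per source address.

    Returns (level_by_source, iptables_commands). Sources below limit_at get
    no rule at all, so a single false positive does not block a client.
    """
    hits, proto = Counter(), {}
    for m in ALERT_RE.finditer(alert_text):
        hits[m["src"]] += 1
        proto[m["src"]] = m["proto"].lower()
    levels = {}
    cmds = [f"iptables -N {chain}", f"iptables -I FORWARD -j {chain}"]
    for src, n in sorted(hits.items()):
        if n >= drop_at:                      # level 2: block the source outright
            levels[src] = "drop"
            cmds.append(f"iptables -A {chain} -s {src} -j DROP")
        elif n >= limit_at:                   # level 1: admit a trickle, drop the rest
            levels[src] = "limit"
            cmds.append(f"iptables -A {chain} -s {src} -p {proto[src]} -m limit "
                        f"--limit {pps}/s --limit-burst {pps} -j ACCEPT")
            cmds.append(f"iptables -A {chain} -s {src} -p {proto[src]} -j DROP")
    return levels, cmds


# Constructed sample alerts (not real lab output): 25 UDP alerts from Beta,
# 8 ICMP alerts from Gamma, 1 SYN alert from Delta, against the IDS host.
SAMPLE_ALERTS = "\n".join(
    [f"02/07-10:15:{s:02d}.000000  [**] [1:1000001:1] A2D2 UDP flood [**] "
     f"[Priority: 1] {{UDP}} 128.198.61.16:{40000 + s} -> 192.168.0.2:80" for s in range(25)]
    + [f"02/07-10:16:{s:02d}.000000  [**] [1:1000002:1] A2D2 ICMP flood [**] "
       f"[Priority: 1] {{ICMP}} 128.198.61.17 -> 192.168.0.2" for s in range(8)]
    + ["02/07-10:17:00.000000  [**] [1:1000003:1] A2D2 SYN flood [**] "
       "[Priority: 1] {TCP} 128.198.61.18:5555 -> 192.168.0.2:80"])

if __name__ == "__main__":
    print("\n".join(cbq_commands()))
    levels, cmds = adapt_rules(SAMPLE_ALERTS)
    print(levels)
    print("\n".join(cmds))
```

The example processes one batch of alerts; the testbed runs this loop continuously, so a real script would flush and recreate the A2D2 chain on each pass (iptables -N fails if the chain already exists) and age out sources whose alert rate has dropped. The `-m limit` match keeps its token bucket per rule, which is why each level-1 source gets its own ACCEPT/DROP pair rather than one shared rule.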
[A2D2 testbed diagram]
Public network (128.198): RealServer in a DMZ; Client1 128.198.a.195, Client2 128.198.b.82, Client3 128.198.c.31 (RealPlayer clients); Pluto acts as a DDoS agent on the Internet side.
A2D2 firewall (iptables) as Linux router, with a 100 Mbps switch on each side: eth0 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12. Security policy plus multi-level rate limiting with class-based queuing (CBQ).
Private subnet 192.168.0 (10 Mbps hub): IDS at 192.168.0.2, NM 255.255.0.0, GW 192.168.0.1. IDS alerts trigger multi-level rate limiting.
CBQ bandwidth split: HTTP, RealPlayer 70%; SMTP, POP3 15%; SSH, SFTP 10%; SYN, ICMP, DNS 5%.
Attack network (128.198.61, simulated Internet): Alpha 128.198.61.15, Beta 128.198.61.16, Delta 128.198.61.18 (DDoS agents); Gamma 128.198.61.17 (master client and handler); Saturn 128.198.61.11, NM 255.255.255.128, GW 128.198.61.1; Titan.
A2D2 Multi-Level
Adaptive Rate
Limiting
A2D2 QoS Results - Baseline
10-min video stream between RealPlayer and RealServer; playout buffering to avoid jitter.
Packets Received: around 23,000 (23,445)
No DDoS attack
QoS experienced at A2D2 by RealPlayer client with no DDoS
A2D2 Results – Non-stop Attack
Packets Received: 8,039
Retransmission Requests: 2,592
Retransmissions Received: 35
Lost: 2,557
Loss of packets; connection timed out
QoS experienced at A2D2 client
A2D2 Results – UDP Attack
Mitigation: Firewall Policy
Packets Received: 23,407
Retransmission Requests: 0
Retransmissions Received: 0
Lost: 0
Looks like we just need plain old firewall rules, no fancy rate limiting/CBQ?
QoS experienced at A2D2 client
A2D2 Results – ICMP Attack
Mitigation: Firewall Policy
Packets Received: 7,127
Retransmission Requests: 2,105
Retransmissions Received: 4
Lost: 2,101
Connection timed out; packet/connection loss
Just a plain old firewall rule is not good enough!
QoS experienced at A2D2 client
A2D2 Results – TCP Attack
Mitigation: Policy+CBQ (CBQ turned on)
Packets Received: 22,179
Retransmission Requests: 4,090
Retransmissions Received: 2,641
Lost: 1,449
Looks OK, but quality degrades: visible impact on screen quality!
QoS experienced at A2D2 client
A2D2 Results – TCP Attack
Mitigation: Policy+CBQ+Rate Limiting (both CBQ and rate limiting turned on)
Packets Received: 23,444
Retransmission Requests: 49 – 1,376
Retransmissions Received: 40 – 776
Lost: 9 – 600
No image quality degradation
QoS experienced at A2D2 client
A2D2 Future Work
Extend to include IDIP/Pushback
Precise anomaly detection
Improve firewall/IDS processing speed
Scalability issues
Tests with more service types
Tests with heavy client traffic volume
Fault tolerance (multiple firewall devices)
Alternate routing
Wouldn’t it be Nice to Have Alternate Routes?
[Diagram: client networks net-a.com, net-b.com and net-c.com, each with clients (A) and a DNS server (DNS1, DNS2, DNS3), reach the Victim through routers (R); DDoS attack traffic and client traffic share the same path in. Alternate gateways R1, R2, R3 exist beside the victim's normal entry.]
How to reroute client traffic through R1-R3?

Implement Alternate Routes
[Diagram: same topology, with client traffic redirected through the alternate gateways R1-R3 while attack traffic still hits the normal entry.]
Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide the IP addresses of the alternate gateways?
Secure Collective Defense (SCOD): Reroute Sequence
[Diagram sequence, slides 23-27: client networks net-a.com, net-b.com, net-c.com with clients (A) and DNS1-DNS3; routers (R); the Victim; alternate gateways R1-R3, each fronted by a proxy server (Proxy1-Proxy3); a Reroute Coordinator.]
1. The IDS at the victim detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS name, IP address of the victim, proxy server(s)) to the client DNS servers.
3. New routes are established: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4a. Attack traffic arriving at a proxy is detected by the proxy's IDS and blocked by its firewall.
4b. Client traffic comes in via the alternate route.
Secure Collective Defense
Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goals:
Provide secure alternate routes
Hide the IP addresses of the alternate gateways
Techniques:
Multiple Path Routing
Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry).
Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways.
Open questions:
How to partition clients so that they come in at different proxy servers? This may help identify the attacker: if attack traffic keeps showing up at one proxy, the compromised client is among the clients assigned to it.
How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, or modify the resolver library?
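The following Python model, added here and not the project's own code, walks through steps 1 to 4 of the SCOD sequence end to end: the distress call, the reroute command carrying (DNS name, victim IP, proxy servers), the alternate DNS entries, a proxy relaying to a gateway whose address the client never sees, and one simple client-partitioning scheme that narrows down a compromised client by intersecting the client sets behind the proxies that keep seeing attack traffic. All names, addresses, message fields and the base-k partition rule are assumptions of the example; the `compromised` set plays the role of the proxies' IDS.

```python
"""Toy model of the SCOD reroute sequence (added illustration, not the
project's protocol). Message shapes, addresses and the partition rule are
this example's assumptions."""

# Constructed topology. Proxy entries: (public proxy IP, alternate-gateway IP).
# The gateway address must never be handed to a client.
VICTIM_NAME = "www.victim.example"
VICTIM_IP = "128.198.61.12"
PROXIES = {
    "Proxy1": ("192.0.2.1", "198.51.100.1"),   # fronts R1
    "Proxy2": ("192.0.2.2", "198.51.100.2"),   # fronts R2
    "Proxy3": ("192.0.2.3", "198.51.100.3"),   # fronts R3
}
CLIENTS = [f"client{i}" for i in range(9)]     # eight legitimate, one compromised
COMPROMISED = {"client7"}


def distress_call(blocked_src):
    """Step 1: the victim IDS has blocked the attack source and alerts the coordinator."""
    return {"type": "distress", "name": VICTIM_NAME, "ip": VICTIM_IP, "blocked": blocked_src}


def reroute_command(distress, proxies=PROXIES):
    """Step 2: coordinator answers with (DNS name, victim IP, proxy servers).
    Only proxy addresses are included; gateway addresses stay inside the consortium."""
    return {"type": "reroute", "name": distress["name"], "victim_ip": distress["ip"],
            "proxies": [proxy_ip for proxy_ip, _gateway in proxies.values()]}


def dns_apply(zone, cmd):
    """Client-side DNS adds alternate entries next to the normal A record."""
    zone[cmd["name"]] = {"victim_ip": cmd["victim_ip"], "alternates": list(cmd["proxies"])}
    return zone


def assign_proxy(client_idx, round_no, k):
    """Partition rule (assumption): in round r a client goes to proxy number
    given by digit r of its index written in base k."""
    return (client_idx // k ** round_no) % k


def resolve(zone, name, client_idx, round_no=0):
    """Step 3: a modified resolver returns the client's alternate entry for this round."""
    alts = zone[name]["alternates"]
    return alts[assign_proxy(client_idx, round_no, len(alts))]


def proxy_forward(proxy_ip, proxies=PROXIES):
    """The proxy relays to its alternate gateway; the client only ever sees proxy_ip."""
    for public_ip, gateway in proxies.values():
        if public_ip == proxy_ip:
            return gateway
    raise KeyError(f"unknown proxy {proxy_ip}")


def rounds_needed(n_clients, k):
    """Smallest r with k**r >= n, so every client gets a distinct proxy sequence."""
    r = 0
    while k ** r < n_clients:
        r += 1
    return max(r, 1)


def locate_compromised(clients, k, compromised, rounds=None):
    """Step 4: proxies whose IDS sees attack traffic report it. Keep only the
    clients that sat behind a reporting proxy in every round."""
    rounds = rounds if rounds is not None else rounds_needed(len(clients), k)
    suspects = set(clients)
    for r in range(rounds):
        behind = {p: set() for p in range(k)}
        for idx, client in enumerate(clients):
            behind[assign_proxy(idx, r, k)].add(client)
        reporting = [behind[p] for p in range(k) if behind[p] & compromised]
        suspects &= set().union(*reporting)
    return suspects


if __name__ == "__main__":
    zone = dns_apply({}, reroute_command(distress_call("128.198.61.16")))
    for idx, client in enumerate(CLIENTS):
        proxy = resolve(zone, VICTIM_NAME, idx)
        print(f"{client}: resolves to {proxy}, relayed to hidden gateway {proxy_forward(proxy)}")
    print("suspects after partitioning:", locate_compromised(CLIENTS, 3, COMPROMISED))
```

With nine clients and three proxies two rounds suffice to isolate a single compromised client; with several, the intersection is a superset that a further round can split again. The fixed base-k assignment is predictable, so a deployment would key each round's assignment on a secret (for example a keyed hash of client identity and round number) so that an attacker cannot choose which proxy it shares with legitimate clients.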
New UCCS IA Degree/Certificate
Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (offered to Peterson AFB through NISSC)
Courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design
New CS691 Course on Advanced System Security Design
Uses Matt Bishop's new Computer Security text (Computer Security: Art and Science).
Spring 2003: one class at UCCS, one at Peterson AFB.
Enhanced by demos/hands-on exercises at the Distributed Security Lab of Northrop Grumman.
Integrates security research results into the course material, such as the A2D2, Secure Collective Defense and MPLS-VPN projects.
Invite speakers from industry such as Innerwall and AFA?
Looking for potential joint exercises with other institutions such as AFA, Northrop Grumman and Innerwall.
Joint Research/Development Effort
STTR N03-T010, TITLE: Intrusion Monitoring, Detection and Reporting
Penetration analysis/testing projects?
Intrusion detection/handling projects?
Other cyberwarfare related projects?
Security Forum organized by Dean Haefner/Dr. Ayen
Security Seminar Series with CITTI funding support
Looking for speakers (suggestions?)