SOS: Secure Overlay Services

SOS: Secure Overlay Service (+Mayday)
A. D. Keromytis, V. Misra, D. Rubenstein
Columbia University
Presented by Yingfei Dong
Motivations
- Goal: proactively prevent DoS attacks so that legitimate users can communicate with a critical target
  – DoS attacks try to stop the communication
  – The target is difficult to replicate, e.g., high security or dynamic content
  – Legitimate users are mobile (their IP addresses are not fixed)
- Motivating applications: Emergency Response Teams (ERTs)
  – Phone networks are easy to crash
  – FBI/police/fire departments contact a central database
  – Bank users / stock brokers access their accounts
  – On-line transactions
- Application requirements
  – Protect private communications on top of public networks
  – Authenticated mobile users
Denial of Service (DoS) Attacks
- DoS
  – Select a target to degrade its performance
  – Generate "high volume" traffic to the target
    * Use up network resources: bandwidth, buffers
      (packet flooding: a 10 Mbps link is filled by 830 1500-byte packets per second)
    * Overload the CPU or kernel resources with security checking
      (security handshaking; TCP SYN flooding, which holds all TCP control blocks; forcing a server to fork many processes)
- SOS is not for general DoS attacks
  – Not for global traffic analysis
  – For a number of authenticated users communicating with a selected target on a public network
Related Work
The slide is a table of prior approaches. Columns, from less to more secure (the slide's "More Secure" arrow), and rows ordered by participation needed (global router changes vs. local filters at end-systems or routers; the slide's "Less implementation costs" arrow):
- Detect/prevent spoofing: router-based filtering, ingress filtering, IP traceback
- Identify/shut down ongoing attacks: IP pushback, rate-limiting, pattern matching and filtering
- Proactively prevent attacks: IPsec (in each step), SOS
Players in SOS
- Target
  – Node / server protected by SOS from DoS
  – Fixed IP address, non-duplicable
- Legitimate user
  – Authenticated users communicate with the target
  – Mobile IP address
- Attacker
  – Tries to stop users from communicating with the target
  – Limited capability: cannot drag down core routers
Basic Idea
- Why is DoS effective? Many-to-one
- Solution: hide the paths to the target behind a large-scale distributed filter
- Difficult to do because
  – The Internet is an open architecture and will stay open
  – IP spoofing is easy and ingress filters are not broadly deployed, ...
- Idea: forward secure packets on a virtual overlay network on top of the Internet
  – Secure packets are forwarded between overlay nodes
  – Use a large number of overlay nodes
  – The overlay network adapts to attacks quickly
- Attackers must attack many nodes to be successful!
SOS Functionalities
- Goals
  – Allow legitimate users to communicate with the target
  – Prevent packets from illegitimate attackers from reaching the target
- Ideal solution
  – No changes required in intermediate routers
  – No high-cost security checking near/at the target
- Assumptions
  – Attackers have a limited amount of resources
  – Attackers cannot drag down core routers
  – Does NOT solve the general DoS problem
Method 1: Source-Address Filtering
- Routers near the target do simple filtering based on source IP addresses
  – Only packets from legitimate nodes can reach the target
  – Packets from other sources are dropped
  – Fast, light-weight authenticator
  – Routers are difficult to hack
- Problems
  – Attackers obtain an account on a legitimate node
  – Attackers spoof packets with a legitimate source IP
  – Legitimate users are mobile and don't have fixed IPs
Method 2: Filters + Proxy Servers
- Idea:
  – A proxy server sits between a legitimate user and the target
  – The proxy only forwards authenticated packets
  – Only packets from the proxy can reach the target
- Problems
  – Once attackers know the IP of a proxy, x.x.x.x, they can spoof packets with source x.x.x.x and reach the target
  – Attackers attack the proxy directly to drag it down
Method 3: Filters + Secret Proxy Servers
- Hide the identity (IP address) of a proxy to prevent IP spoofing or attacks aimed at the proxy
- A Secret Servlet is a hidden proxy chosen by the target
- A filter only allows packets whose source address matches some n ∈ Ns, a set of nodes selected by the target
- Only the target, the secret servlets, and a few other trusted nodes know the IP addresses of the secret servlets
- An attacker is not sure which node is a proxy for the target
Method 4: Filter + Secret Proxy + Overlay Routing + SOAP
- Question: how to forward packets to a Secret Servlet without knowing its IP address?
- Virtual overlay network
  – Each node is an end host
  – Only some nodes know how to reach a proxy (Servlet)
  – Indirect assumption: a large number of nodes => attackers cannot monitor all overlay nodes
- Service Overlay Access Points (SOAPs)
  – Everyone knows a set of SOAPs
  – A SOAP is an entry node to the overlay network
  – Receives and verifies traffic via IPsec/TLS
  – A large number of SOAPs act as a distributed firewall
- User -> SOAP -> across overlay -> Secret Servlet -> Target
Overlay Routing: SOAP -> Servlet -> Target
- A path from a SOAP to a Servlet must be hard to find
  – Random walk: O(N/Ns) time, where N is the total number of overlay nodes and Ns is the number of Servlets
  – Chord: O(log N)
- A path must be resilient to attacks, with fast recovery
Distributed Hash Table (DHT)
- Examples: Chord, CAN, Pastry, Tapestry, ...
- Chord
  – A distributed protocol with N homogeneous overlay nodes
  – Each node has a node identifier
  – Each object has an object key
  – Distribute all object keys over the N nodes: the object with key T is mapped to node B if H(T) = B, and object T is then managed by node B
  – Chord property: finding key T from any node, i.e., reaching B, takes O(log N) steps
A Beacon Connects a SOAP and a Servlet
- An object key in SOS is the IP address of a target
- The Beacon B for IP address T is the overlay node with identifier B = H(T)
- Secret Servlet S finds Beacon B by computing B = H(T), and tells it to forward packets with destination T from B to S
- SOAP A also finds Beacon B by computing B = H(T), and forwards secure packets with destination T to B
- Multiple hash functions produce different Beacons, i.e., different paths to the target
Routing Summary
- Target T randomly selects Secret Servlet S
- Secret Servlet S informs Beacon B to forward packets with DST T to S
- SOAP A forwards authenticated packets with DST T to B
- Overlay nodes are known to the public but their roles are secret
- Communications between overlay nodes are secure/authenticated
- Packets are authenticated by the SOAP before entering the overlay

Against DoS Attacks
- Redundancy in SOS
  – Every overlay node can be a SOAP, Beacon or Servlet
  – A target can select multiple Servlets
  – Multiple Beacons can be obtained by using different hash functions
  – Many SOAPs
- User -> SOAP -> Beacon -> Servlet -> Target
- Attacks on an overlay node: Chord self-heals by removing the node from the ring
- Attacks must take out all SOAPs, otherwise an alternative SOAP exists
- Attacks on all Beacons: remove the nodes and change the hash functions
- Attacks on all Servlets: the target can change the set of Servlets in real time
- The target is protected by filters
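The forwarding chain User -> SOAP -> Beacon -> Servlet -> Target and the redundancy above, as an added illustration that is not code from the SOS paper or this talk: the 13-node ring, the use of salted SHA-256 as the family of hash functions H(T), and all class and function names are constructed assumptions.

```python
import hashlib

# Constructed toy overlay: 13 node ids on a 256-slot Chord-like ring (assumption, not SOS code).
RING = 256
NODES = [5, 21, 40, 63, 77, 99, 120, 141, 160, 183, 201, 222, 240]

def successor(key):
    """Chord rule: a key is owned by the first node id >= key, wrapping around the ring."""
    return next((n for n in NODES if n >= key), NODES[0])

def beacon_for(target_ip, salt):
    """Beacon B = H(T): hash the target address; the salt selects an alternative hash function."""
    digest = hashlib.sha256(salt + target_ip.encode()).digest()
    return successor(int.from_bytes(digest[:2], "big") % RING)

class Overlay:
    def __init__(self, target_ip, servlets, hashes=(b"h1", b"h2")):
        self.target = target_ip
        self.hashes = hashes                 # one beacon per hash function
        self.down = set()                    # overlay nodes currently knocked out
        self.beacon_table = {}               # beacon -> servlets that registered with it
        self.select_servlets(servlets)

    def select_servlets(self, servlets):
        """The target picks its secret Servlets; each one tells every Beacon B = H(T) about itself."""
        self.servlets = set(servlets)        # the set Ns the filter trusts; attackers never see it
        for salt in self.hashes:
            self.beacon_table[beacon_for(self.target, salt)] = set(servlets)

    def filter_accepts(self, src_node):
        """Filter in front of the target: only packets whose source is in Ns get through."""
        return src_node in self.servlets

    def deliver(self, soap, authenticated):
        """User -> SOAP -> Beacon -> Servlet -> Target; returns the hop list, or None if blocked."""
        if not authenticated or soap in self.down:
            return None                      # the SOAP drops traffic that fails authentication
        for salt in self.hashes:             # a dead Beacon is bypassed via another hash function
            beacon = beacon_for(self.target, salt)
            if beacon in self.down:
                continue
            for servlet in sorted(self.beacon_table[beacon]):
                if servlet not in self.down and self.filter_accepts(servlet):
                    return [soap, beacon, servlet, self.target]
        return None                          # all Beacons or all Servlets are gone
```

Knocking out the current Servlets is answered by the target calling select_servlets again; knocking out every Beacon of every hash function is the only way to cut the path short of taking out the SOAP itself.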
Static Attack Analysis
- N nodes in the overlay
- For a given target T
  – S is the number of Servlets
  – B is the number of Beacons
  – A is the number of SOAPs
- Static attack: attackers randomly shut down M out of the N nodes
- Pstatic = P(N, M, S, B, A) = P{communication with T is stopped}
- P(n, b, c) = P{a set of b nodes chosen at random from a set of n nodes contains a given set of c nodes}

  P(n,b,c) = \frac{C_{n-c}^{\,b-c}}{C_{n}^{\,b}} = \frac{C_{b}^{\,c}}{C_{n}^{\,c}}

Successfully Attack all Servlets or all Beacons or all SOAPs

  P_{static} = P(N, M, S, B, A) = 1 - (1 - P(N,M,S))(1 - P(N,M,B))(1 - P(N,M,A))

[Figure: probability of attack success vs. number of nodes attacked]
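The static-attack probability above, worked through in code as an added example (not from the paper or the talk): both forms of P(n, b, c) are implemented so they can be cross-checked, and the success curve uses the deck's 1000-node, 10-Servlet, 10-Beacon, 10-SOAP setting; the function names are assumptions.

```python
from math import comb

def p_contains(n, b, c):
    """P(n,b,c): a random set of b nodes drawn from n contains a given set of c nodes.
    Counts the b-sets that include all c nodes: C(n-c, b-c) out of C(n, b)."""
    if c > b:
        return 0.0                       # fewer than c nodes hit: the c cannot all be covered
    return comb(n - c, b - c) / comb(n, b)

def p_contains_alt(n, b, c):
    """The same probability in the slide's second form, C(b, c) / C(n, c)."""
    if c > b:
        return 0.0
    return comb(b, c) / comb(n, c)

def p_static(n, m, s, b, a):
    """Pstatic = P(N, M, S, B, A): a static attacker shuts down m random nodes out of n and
    thereby removes all s Servlets, or all b Beacons, or all a SOAPs. As on the slide, the
    three events are combined as if independent: 1 - (1-P(N,M,S))(1-P(N,M,B))(1-P(N,M,A))."""
    survive = 1.0
    for role_size in (s, b, a):
        survive *= 1.0 - p_contains(n, m, role_size)
    return 1.0 - survive

def success_curve(n=1000, s=10, b=10, a=10, step=50):
    """Attack-success probability against the number of nodes attacked (the slide's plot),
    for the deck's 1000-node overlay with 10 Servlets, 10 Beacons and 10 SOAPs."""
    return [(m, p_static(n, m, s, b, a)) for m in range(0, n + 1, step)]

if __name__ == "__main__":
    for m, p in success_curve(step=100):
        print(f"{m:5d} nodes attacked -> P(success) = {p:.4f}")
```

Running it shows the shape of the slide's curve: with half the overlay down the attacker still has well under a 1% chance of having hit all ten nodes of any single role.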
Dynamic Attacks
- Attack/repair battle
  – The overlay removes attacked nodes, taking time TR
  – Attackers shift attacking traffic from removed nodes to active nodes, taking time TA
- Assume TR and TA are exponentially distributed random variables, modeled as a birth-death process
  – Attacking rate
  – Repairing rate
  – Attack load ratio = attacking rate / repairing rate

Centralized Attacks and Centralized Recovery: M/M/1/K
- 1000 nodes, 10 SOAPs, 10 Beacons, 10 Servlets
- If repairing is faster than attacking, SOS can survive large-scale attacks

Distributed Attacks and Distributed Recovery, M/M///K
Conclusions
- SOS protects a target from DoS
  – Only legitimate traffic will reach the target
- Approach
  – Ingress filtering
  – Hidden proxies
  – Self-healing overlay networks to defeat attacks
- Preliminary analysis
  – Static attacks
  – Dynamic attacks
Mayday
- Goal: protect critical servers
- Components
  – A server: a centralized resource
  – A filter ring around the server to protect it
    * Edge routers of a domain
  – An overlay network; an overlay node can be
    * an ingress point of the overlay network (SOAP)
    * an egress point from the overlay network to the filter ring (Servlet)
    * a forwarding node of the overlay network
  – A client is authenticated by an overlay node but not trusted

Mayday Architecture
[Figure: Mayday architecture diagram]
Generalizing the Idea of SOS
- Packet authenticators at a filter (mostly in the IP header)
  – Egress source IP address (SOS)
  – Server destination port: 1 to 65,536, a large search space
  – Server destination address: 1 out of N reserved IP addresses (like a VPN shield)
  – Application-defined: OK with a firewall, not with core routers
- Overlay routing schemes
  – Proximity routing: proxies close to the client, filter is known
  – Singly-indirect routing: egress address is known
  – Doubly-indirect routing (SOS)
  – Random walk
  – Mix routing: each node only knows the next step
Summary
- SOS provides formal analysis
- Mayday discusses potential practical solutions
- Discussion of advanced attacking approaches
- Questions:
  – Long delay in overlay routing
  – Trust of overlay nodes
  – Repair speed vs. attacking rate