SeGiHong_PBS - Columbia University


Permission-Based Sending (PBS)
Signaling Architecture for network traffic authorization
Se Gi Hong*, Henning Schulzrinne*, Swen Weiland**
*Columbia University, ** University of Goettingen
1
DoS attack
• Internet
  – Anyone can inject any IP packet into the network
  – Resources are shared by all users
  – Denial-of-Service (DoS) attacks are therefore possible
• DoS attacks
  – Aim to disrupt the service provided by a network or server
  – The attacker may spoof the source address
  – Botnets: the attacker controls compromised computers through an IRC channel
[Figure: attack traffic from several compromised hosts converging on one victim]
2
Scale of the problem
• The largest DDoS attack size: 40 Gb/sec (2007)
• Cyberweapons in political and military conflicts: the political fight between Estonia and Russia (2007); the Georgian-Russian war (2008)
• "Internet Attacks Grow More Potent", NY Times, Nov 9, 2008
[Chart: the average number per day of DoS attacks and the number of bot-infected computers, by half-year (Jan-June 2005, July-Dec 2005, Jan-June 2006, July-Dec 2006); y-axis 0 to 70,000. Source: Symantec Global Internet Security Threat Report, from 40,000 sensors monitoring networks in over 180 countries through Symantec products and services and third-party sources.]
3
DoS attack: attack types
• Protocol-based attack
  – Based on specific weaknesses of the Internet protocols
  – TCP SYN flood: exploits the TCP three-way handshake
  – ICMP flood: ICMP echo request packets directed to IP broadcast addresses
• Application-based attack
  – Forces the target to execute expensive operations
  – HTTP request flood against a target server
  – SIP INVITE flood with spoofed source IP addresses
• Reflector attack
  – Obscures the sources of the attack
  – Uses third parties (reflectors) to relay attack traffic to the victim
• Infrastructure attack
  – Disables the services of critical components of the Internet
  – Attack on the DNS root servers
Tao Peng, Christopher Leckie and Kotagiri Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Computing Surveys, Vol. 39, No. 1, Article 3, 2007.
4
Existing solutions
• Proactive approaches
  – Source address filtering
    • Ingress filtering
    • Prevents source address spoofing
    • Problems
      – Universal deployment problem
      – Cannot prevent source address spoofing within the same subnet
      – A compromised router can inject and drop packets in a Byzantine network
  – Capability-based approaches
    • SIFF and TVA
    • Capabilities filter unauthorized flows
    • Problems
      – A compromised router can break the system (weak in a Byzantine network)
      – Weak under state changes (e.g., router changes)
Existing solutions
• Proactive approaches
  – Overlay-based approaches
    • SOS and Mayday
    • An overlay structure verifies the legitimacy of packets
    • Problems
      – The overlay structure itself can be the target of the attack
      – A compromised overlay node can inject and drop packets
      – Expensive media relaying through the overlay
Existing solutions
• Reactive approaches
  – Filtering-based mechanisms
    • Pushback and StopIt
    • Install filters once misbehavior of users is detected
    • Problems
      – Suffer from false positives
      – A compromised router can drop the packets
  – Traceback
    • Probabilistic marking by routers and reconstruction of the data path
    • Problems
      – Implementation problem
        » No specific field for tracking purposes in IPv4
      – Spoofed marking field → misleads the path reconstruction
      – Overwritten marking field → reduces the probability of marking
Existing solutions (summary)

Proactive approaches (ingress filtering; SIFF, TVA; SOS)
• Benefit: network resources are restricted, so attacks are prevented before they harm the network.
• Drawback: if the attacker breaks the system, the attack is possible.
• Possible attacks: on-path attacks are still possible.
• Implementation & deployment problems: TVA works only for TCP; ingress filtering has a universal deployment problem.

Reactive approaches (Pushback; Traceback; StopIt)
• Benefit: monitoring attack traffic allows the system to react to attacks dynamically.
• Drawback: network resources are open to all users, including attackers; suffers from false positives.
• Possible attacks: on-path attacks are still possible.
• Implementation & deployment problems: Traceback has no specific field for tracking purposes in IPv4; StopIt modifies BGP packets.

Conclusions from the comparison
• Prevention of attacks cannot be done by a single approach, so we need a hybrid approach.
• We need a solution that prevents on-path attacks.
• We need an integrated and practical solution.
Overview of PBS
• Objective
  – Preventing DoS attacks and other forms of unauthorized traffic.
• Network traffic authorization
  – Permission is granted by the intended receiver.
  – Permission represents the authority to send data.
• Deny-by-default
  – Unauthorized traffic without permission is dropped at the first router by default.
[Figure: the sender asks "May I send?", the receiver answers "Yes, total 10 MB", and only then does DATA flow.]
10
Overview of PBS
• Hybrid approach
  – Proactive approach
    • Explicit permission by on-path signaling
  – Reactive approach
    • Monitoring traffic
• Secure mechanism
  – Secure permission state setup
  – Protected authentication of data packets
11
On-path signaling: PBS NSLP
• Next Steps in Signaling (NSIS) protocol suite
  – NSLP layer: signaling application-specific functions (packet filter, NAT setting, etc.)
    • PBS NSLP for network traffic authorization, NSLP for NAT/firewall, NSLP for QoS
  – NTLP layer: GIST (General Internet Signaling Transport), the control plane for signaling, reached from the NSLPs through the GIST API
  – GIST runs over UDP, TCP, SCTP or DCCP, optionally with transport layer security (TLS); IP layer security (IPsec) sits below at the IP layer
[Figure: protocol stack with the three NSLPs above GIST, GIST above UDP/TCP/SCTP/DCCP, and IP at the bottom.]
PBS NSLP Signaling Message
• Two-way handshake
  – Query message
    • Sent by a sender to request permission.
  – Permission message
    • Sent by the receiver.
    • Sets up (grants), removes (revokes) and modifies permission state.
    • Triggers the reaction mechanism against attacks.
• Soft state
  – Robustness of the system
  – Periodic refreshing of the permission state
• Peer-to-peer delivery
  – The signaling messages are delivered in a peer-to-peer fashion between the nodes that have PBS functionality
13
PBS NSLP Signaling Message
[Sequence diagram: Sender → R1 → R2 → Receiver]
• The Sender sends Query (10MB, FID); R1 and R2 forward it hop by hop to the Receiver.
• The Receiver answers with Permission (10MB, TTL, FID); R2 and R1 install permission state as the Permission passes back to the Sender.
• After every soft-state period T the Sender repeats the Query and the Receiver the Permission, refreshing the state at each hop.
FID: 5-tuple based flow identification
TTL: permission state time limit for the flow
T: soft-state period
14
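The handshake above, modelled as an added example (this is not the PBS authors' code or part of the slides): a path of nodes, a Query that the receiver answers with Permission(AV, TTL, FID), per-hop soft-state tables refreshed every T, and a deny-by-default forwarding check. The field names FID, AV, TTL and T and the 10 MB grant come from the slide; the class and function names, the 90-minute TTL, the receiver's `decline` flag and the rule that a state which missed two refresh periods (2*T) is discarded are this example's own assumptions.

```python
# Added example (not the PBS authors' code): PBS NSLP two-way handshake with
# per-hop soft-state permission tables and deny-by-default forwarding.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FID = Tuple[str, int, str, int, str]   # 5-tuple: src, sport, dst, dport, proto
T = 60.0                               # soft-state period in seconds (the slide's T)
MB = 1_000_000

@dataclass
class PermissionState:
    allowed_volume: int    # AV: bytes the receiver granted for this flow
    ttl_expiry: float      # absolute time at which the permission ends (TTL)
    last_refresh: float    # time the last Query for this flow was seen
    forwarded: int = 0     # bytes already forwarded under this permission

@dataclass
class Node:
    name: str
    grant_limit: Optional[int] = None   # receivers only: largest AV they hand out
    decline: bool = False               # receivers only: answer P(AV=0) (assumption)
    state: Dict[FID, PermissionState] = field(default_factory=dict)

def signal(path: List[Node], fid: FID, requested: int, now: float, ttl: float) -> int:
    """Query travels sender -> routers -> receiver; the receiver answers with
    Permission(AV, TTL, FID) and every node on the way back installs or
    refreshes its permission state. Returns the granted AV (0 = declined)."""
    receiver = path[-1]
    if receiver.grant_limit is None:
        raise ValueError("last node on the path must be a receiver")
    av = 0 if receiver.decline else min(requested, receiver.grant_limit)
    for node in reversed(path):                 # Permission flows back hop by hop
        if av == 0:
            node.state.pop(fid, None)           # P(AV=0) removes the state
            continue
        st = node.state.get(fid)
        if st is None:
            node.state[fid] = PermissionState(av, now + ttl, now)
        else:                                   # refresh keeps the byte counter
            st.allowed_volume, st.ttl_expiry, st.last_refresh = av, now + ttl, now
    return av

def forward(node: Node, fid: FID, size: int, now: float) -> bool:
    """Deny-by-default data path at one PBS node: forward only if fresh
    permission state exists and the flow stays within AV. A state that has
    missed two refresh periods is treated as dead (assumption: 2*T grace)."""
    st = node.state.get(fid)
    if st is None:
        return False                            # unauthorized: dropped at first router
    if now >= st.ttl_expiry or now - st.last_refresh > 2 * T:
        del node.state[fid]                     # TTL reached or refreshes stopped
        return False
    if st.forwarded + size > st.allowed_volume:
        return False                            # would exceed the granted volume
    st.forwarded += size
    return True

def demo() -> Dict[str, object]:
    """Walk the slide's scenario: 10 MB grant, refresh after T, a flow that was
    never signaled, volume exhaustion, a lapsed state and a revocation."""
    sender, r1, r2 = Node("sender"), Node("R1"), Node("R2")
    receiver = Node("receiver", grant_limit=10 * MB)
    path = [sender, r1, r2, receiver]
    fid: FID = ("10.0.0.1", 40000, "10.0.1.1", 5060, "udp")    # constructed flow
    other: FID = ("10.0.0.9", 40001, "10.0.1.1", 5060, "udp")  # never signaled
    results: Dict[str, object] = {}
    results["granted"] = signal(path, fid, 10 * MB, now=0.0, ttl=90 * 60)
    results["state_at_r1"] = fid in r1.state
    results["data_ok"] = forward(r1, fid, 1 * MB, now=1.0)
    results["unauthorized_dropped"] = not forward(r1, other, 1 * MB, now=1.0)
    signal(path, fid, 10 * MB, now=T, ttl=90 * 60)            # periodic refresh
    results["after_refresh_ok"] = forward(r1, fid, 1 * MB, now=T + 1)
    results["over_volume_dropped"] = not forward(r1, fid, 9 * MB, now=T + 2)
    results["stale_dropped"] = not forward(r2, fid, 1 * MB, now=3 * T + 1)
    results["state_removed_at_r2"] = fid not in r2.state
    receiver.decline = True                                   # receiver revokes
    signal(path, fid, 10 * MB, now=3 * T + 2, ttl=90 * 60)
    results["revoked_at_r1"] = fid not in r1.state
    return results

if __name__ == "__main__":
    print(demo())
```

The byte counter survives a refresh on purpose: the refresh renews the timers, not the budget, so a sender cannot reset its spent volume by re-querying. The 2*T grace before a silent flow's state is dropped is a local choice; the slides only say the state is refreshed periodically.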
Security
• What if an attacker sends a bogus signaling message with a spoofed address?
  – Authentication and integrity problem of the signaling messages
• What if an attacker spoofs the sender's address to send attack data?
  – Authentication problem of the data packets
Security
• Security to protect permission setup (signaling messages)
  – Authentication and integrity for end-to-end communication
    • Signaling message fields are protected with public key cryptography
  – Public key distribution
    • The signaling message carries the public key (X.509 certificate)
• Security to protect data packets
  – Authentication and integrity of data packets
    • IPsec Authentication Header (AH)
    • In a trustworthy network: symmetric key cryptography (HMAC)
    • In a Byzantine network: public key cryptography (RSA, ECC)
  – Shared key distribution for IPsec
    • The Permission message carries the key
    • Transport layer security (TLS/DTLS) for hop-by-hop communication
  – Security association and key management
    • Manual SA/key management through the Permission message
16
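The two protections on this slide carried through end to end, as an added example that is not the PBS authors' code: the Query and Permission are signed with the sender's and receiver's public keys, which the messages themselves carry; the Permission delivers the shared key for the data path; and each data packet then carries an AH-style authentication header with HMAC-SHA1 that a PBS router verifies before forwarding. Assumptions: textbook RSA over fixed Mersenne primes stands in for the X.509/OpenSSL certificates of the real system (no padding, toy sizes, for illustration only); the 8-byte SPI+sequence header is a simplification of the real AH header; the message field layout, the canonical-JSON signing input and all names are this example's own.

```python
# Added example (not the PBS authors' code): signed signaling messages,
# shared-key delivery in the Permission, and HMAC-SHA1 AH-style data packets.
import hashlib, hmac, json, os, struct
from typing import Dict, Tuple

Key = Tuple[int, int]                      # (modulus n, exponent)
E = 65537

def keygen(p: int, q: int) -> Tuple[Key, Key]:
    """Textbook RSA (toy, assumption): returns (public, private) for primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def _digest(fields: Dict) -> int:
    """Canonical hash of the signed fields of a message (everything but Auth)."""
    blob = json.dumps(fields, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def sign(priv: Key, fields: Dict) -> int:
    n, d = priv
    return pow(_digest(fields) % n, d, n)

def verify(pub: Key, msg: Dict) -> bool:
    n, e = pub
    fields = {k: v for k, v in msg.items() if k != "Auth"}
    return pow(msg["Auth"], e, n) == _digest(fields) % n

def make_query(sender_priv: Key, sender_pub: Key, fid, volume: int) -> Dict:
    fields = {"type": "Query", "FID": fid, "volume": volume, "Pkey": list(sender_pub)}
    return dict(fields, Auth=sign(sender_priv, fields))

def make_permission(recv_priv: Key, recv_pub: Key, query: Dict,
                    av: int, ttl: int, skey: bytes) -> Dict:
    """Grant AV bytes; Skey travels encrypted to the Pkey carried in the Query."""
    n_s, e_s = query["Pkey"]
    fields = {"type": "Permission", "FID": query["FID"], "AV": av, "TTL": ttl,
              "Pkey": list(recv_pub), "Skey": pow(int.from_bytes(skey, "big"), e_s, n_s)}
    return dict(fields, Auth=sign(recv_priv, fields))

def unwrap_skey(sender_priv: Key, permission: Dict, key_len: int = 20) -> bytes:
    n, d = sender_priv
    return pow(permission["Skey"], d, n).to_bytes(key_len, "big")

# Data path: AH-style header (SPI, sequence) followed by a 20-byte HMAC-SHA1 ICV.
def ah_protect(skey: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack("!II", spi, seq)
    icv = hmac.new(skey, header + payload, hashlib.sha1).digest()
    return header + icv + payload

def ah_verify(skey: bytes, packet: bytes) -> bool:
    """What a PBS router does per packet: recompute the ICV with the flow's Skey."""
    header, icv, payload = packet[:8], packet[8:28], packet[28:]
    expected = hmac.new(skey, header + payload, hashlib.sha1).digest()
    return hmac.compare_digest(icv, expected)

def run_exchange() -> Dict[str, bool]:
    """Constructed scenario: honest sender and receiver, plus a spoofing attacker."""
    M127, M89, M107, M61 = (1 << 127) - 1, (1 << 89) - 1, (1 << 107) - 1, (1 << 61) - 1
    s_pub, s_priv = keygen(M127, M89)          # sender's key pair
    r_pub, r_priv = keygen(M107, M61)          # receiver's key pair
    _, a_priv = keygen(M89, M61)               # attacker's key pair
    fid = ["10.0.0.1", 40000, "10.0.1.1", 5060, "udp"]
    q = make_query(s_priv, s_pub, fid, 10_000_000)
    skey = os.urandom(20)
    p = make_permission(r_priv, r_pub, q, 10_000_000, 5400, skey)
    fields = {k: v for k, v in p.items() if k != "Auth"}
    forged = dict(fields, AV=0)                # spoofed receiver tries to revoke...
    forged["Auth"] = sign(a_priv, forged)      # ...but only has its own key
    tampered = dict(p, AV=10 ** 12)            # on-path edit of a signed field
    good = ah_protect(skey, spi=1, seq=1, payload=b"RTP payload (constructed)")
    bad = ah_protect(b"\x00" * 20, spi=1, seq=2, payload=b"attack data without Skey")
    return {
        "query_auth_ok": verify(tuple(q["Pkey"]), q),
        "permission_auth_ok": verify(tuple(p["Pkey"]), p),
        "forged_permission_rejected": not verify(r_pub, forged),
        "tampered_permission_rejected": not verify(r_pub, tampered),
        "skey_delivered": unwrap_skey(s_priv, p) == skey,
        "data_accepted": ah_verify(skey, good),
        "attack_data_dropped": not ah_verify(skey, bad),
    }
```

This covers the trustworthy-network case, where routers share `skey`. For the Byzantine case on the slide, a router that holds `skey` can mint valid ICVs, so the per-packet authentication field would instead be `sign()` over the header and payload with the sender's private key, verified at each hop with the Pkey from the Query; the signaling side stays the same.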
Basic operation of prevention
[Sequence diagram: Sender → R1 → R2 → Receiver; an attacker injects an attack flow without IPsec]
• The Sender sends Q (FID, Pkey, Auth); R1, R2 and the Receiver each verify Auth (success) and forward the Query.
• The Receiver answers with P (10MB, FID, Pkey, Skey, Auth); each hop verifies Auth (success) and installs permission and IPsec state.
• The Sender's data flow carries IPsec; R1, R2 and the Receiver verify it (success) and forward it.
• The attack flow (w/o IPsec) fails IPsec verification at the first PBS router and is dropped.
Pkey: public key
Auth: authentication field for the signaling message
Skey: shared key for IPsec
17
PBS Detection Algorithm (PDA)
• What if a compromised router (which holds the shared key for IPsec) injects attack packets?
  – Packet addition attack (on-path attack)
• What if a compromised router drops the incoming packets?
  – Black hole attack (on-path attack)
• Monitoring mechanism
  – PBS Detection Algorithm (PDA)
  – Detects on-path attacks that break the permission state
  – The signaling (Query) message carries the volume of data that the sender has sent.
  – The soft-state mechanism is used to monitor the data flow periodically.
PBS Detection Algorithm (PDA): detection of packet addition
[Sequence diagram: Sender → R1 (compromised: spoofs the sender's address and holds the shared key) → R3 → Receiver]
• Handshake: Q is forwarded to the Receiver; P (AV = 10MB) installs permission state at every hop.
• The Sender sends Data (size = 1MB) protected with IPsec (symmetric key). R1 forwards it and adds Attack (size = 2MB), also authenticated with the symmetric key since R1 holds it. R3 and the Receiver accept both: the Receiver has received a total of 1MB of data plus 2MB of attack, 3MB in all.
• At the next soft-state refresh the Sender's Q carries v = 1MB. The Receiver compares 1MB with 3MB and detects the attack.
• The Receiver's P switches the flow to public key cryptography; from then on Data (size = 1MB) is sent with IPsec (public key), which R1 cannot forge.
AV: allowed volume that is granted by the receiver
v: total volume of data that the sender has sent
19
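The volume check behind PDA, as an added example (not the PBS authors' code): every PBS node counts the bytes it accepted for a flow, the sender reports its own count in each refresh Query, and the receiver compares the two against the granted AV to choose between refreshing, switching the flow to public-key IPsec (packet addition) and changing the path (packet dropping). The byte values (AV = 10 MB, 1 MB of data, 2 MB injected) are the slide's; the node model, the "inject"/"drop" behaviours of the compromised router, the action names and the per-period counters (the slide compares cumulative totals, which gives the same decisions) are this example's assumptions.

```python
# Added example (not the PBS authors' code): PDA volume accounting with a
# compromised on-path router that injects or drops packets.
from dataclasses import dataclass
from typing import List, Tuple

MB = 1_000_000
Packet = Tuple[int, bool]     # (size in bytes, IPsec authentication verifies)

def pda_decide(av: int, sv: int, rv: int) -> str:
    """Receiver-side check at a soft-state refresh: av = granted volume,
    sv = bytes the sender reports in its Query (v), rv = bytes received."""
    if rv > av:
        return "revoke"            # granted volume exceeded: P(AV=0)
    if rv == sv:
        return "ok"                # counts agree: refresh the permission
    if rv > sv:
        return "escalate-crypto"   # packet addition on path: P(new security algorithm)
    return "change-path"           # packets dropped on path: P(change path)

@dataclass
class PBSNode:
    name: str
    behaviour: str = "honest"      # "honest", "inject" or "drop" (constructed)
    rv: int = 0                    # bytes accepted for the flow in this period
    crypto: str = "symmetric"      # IPsec mode currently installed for the flow

    def relay(self, incoming: List[Packet]) -> List[Packet]:
        """Verify, count and forward. A compromised router that holds the
        shared key can forge symmetric-key ICVs but not public-key signatures."""
        out: List[Packet] = []
        for size, authentic in incoming:
            if not authentic or self.behaviour == "drop":
                continue                       # IPsec failure or black hole: drop
            self.rv += size
            out.append((size, True))
        if self.behaviour == "inject":
            out.append((2 * MB, self.crypto == "symmetric"))   # spoofed attack data
        return out

def refresh_round(path: List[PBSNode], sent: List[Packet], av: int, sv: int) -> str:
    """One soft-state period: deliver the sender's packets hop by hop (the last
    node is the receiver), then run the receiver's comparison."""
    packets = sent
    for node in path:
        node.rv = 0
        packets = node.relay(packets)
    return pda_decide(av, sv, path[-1].rv)

def simulate(r1_behaviour: str) -> List[str]:
    """Two periods with R1 behaving as given; the receiver's reaction after
    period one is applied before period two. Returns both decisions."""
    r1, r3, receiver = PBSNode("R1", r1_behaviour), PBSNode("R3"), PBSNode("receiver")
    path = [r1, r3, receiver]
    av, sent = 10 * MB, [(1 * MB, True)]       # AV = 10 MB, sender sends 1 MB (v)
    first = refresh_round(path, sent, av, sv=1 * MB)
    if first == "escalate-crypto":
        for node in path:
            node.crypto = "public-key"         # P(new security algorithm)
    elif first == "change-path":
        path = [r3, receiver]                  # P(change path): route around R1
    second = refresh_round(path, sent, av, sv=1 * MB)
    return [first, second]

if __name__ == "__main__":
    for b in ("honest", "inject", "drop"):
        print(b, simulate(b))
```

With an injecting R1 the first period ends with 3 MB received against 1 MB reported, the receiver escalates to public-key IPsec, and in the second period R1's forged packets fail verification at R3. With a dropping R1 the receiver sees 0 MB against 1 MB and moves the flow onto R3.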
PBS Detection Algorithm (PDA)
• Detection of black hole attack
[Sequence diagram: Sender → R1 (attacker, drop attack) → R3 → Receiver]
• The Sender sends a Query; R1 drops it, so no Permission returns and the Sender times out (T.O.).
• The Sender changes the data flow path and sends the Query via R3, which forwards it to the Receiver.
20
PBS Detection Algorithm (PDA)
• Detection of dropping data packets
[Sequence diagram: Sender → R1 (attacker, drop attack) → R3 → Receiver]
• Handshake: Q is forwarded; P (AV = 10MB) installs permission state at each hop.
• The Sender sends Data (size = 1MB); R1 drops it, so the Receiver receives 0MB.
• After the soft-state period T the Sender's refresh Q carries v = 1MB; the Receiver compares 1MB with 0MB and detects the attack.
• The Receiver answers P (change path); the Sender re-sends Q (v = 1MB) via R3, each hop answers P (change path), and subsequent Data reaches the Receiver over the new path.
21
PBS architecture
• On-path signaling (PBS NSLP processing / GIST processing)
  – Install and maintain permission state.
  – Monitor attacks.
  – Trigger the reaction mechanism against attacks.
  – Distribute the public key (X.509 certificate) and the session key.
• Authorization
  – Decide whether to grant permission (amount of data volume) for a flow.
  – Detect and identify the attack.
  – Decide the reaction mechanism against the attack:
    • IPsec AH
    • Changing the data path
• Traffic management
  – Handle all incoming messages.
  – The IP packet filter drops unauthorized packets.
  – Monitor the data flow (check the total volume of the data flow).
22
PBS implementation structure
[Figure: user level and kernel level. User level: on-path signaling (PBS NSLP processing with OpenSSL; NTLP (GIST) processing), authorization (state table of permission state and IPsec state, implemented as a hashtable), and traffic management (userspace IPsec module built on the netfilter queue module, libiptc and OpenSSL). Kernel level: the Linux kernel routing table (route) and Netfilter IP packet filtering (iptables) between the network devices. Signaling messages flow through GIST and PBS NSLP; data packets flow through netfilter and the userspace IPsec module; the user-level modules control and configure the kernel-level ones.]
23
Testbed
• AMD Opteron 2.2GHz CPU and 2GB RAM
• Linux kernel version 2.6.23
24
Traffic overhead (signaling message overhead)
• Signaling message overhead ratio
  $$R_s = \frac{L_{signal}}{L + L_{signal}}$$
  L: size of total data packets of the flow
  L_signal: size of total signaling messages for the flow
• BW usage and signaling overhead ratio
  – 4GB video streaming whose running time is 90 minutes (permission state lifetime is 90 minutes)
  – Soft-state period is 60 seconds

  Parameters for public key | BW (kbits/sec) | Overhead ratio
  RSA-1024                  | 0.376          | 0.000062
  DSA-1024                  | 0.403          | 0.000066
  ECC-192                   | 0.313          | 0.000051
25
Traffic overhead (data packet overhead)
• Data packet overhead ratio
  – Each data packet carries an IPsec header
  $$R_d = \frac{L_{ipsec}}{L + L_{ipsec}}$$
  L: size of total packets of the flow
  L_ipsec: size of total IPsec headers of the flow
• IPsec AH size and overhead ratio

  Parameters for IPsec authentication field | IPsec AH (bytes) | Overhead ratio
  HMAC-SHA1                                 | 32               | 0.021
  RSA-1024                                  | 140              | 0.085
  DSA-1024 / ECC-192                        | 28 and 84        | 0.037 and 0.042
  (The extraction does not preserve which of the last two sizes and ratios belongs to DSA-1024 and which to ECC-192; the HMAC-SHA1 and RSA-1024 rows are consistent with 1500-byte packets.)
26
CPU usage for signaling
[Figure: three plots of CPU usage (%) against the rate of (Q, P) messages per second (400 to 800): CPU usage of GIST, CPU usage of PBS NSLP, and CPU usage of PBS (GIST and PBS NSLP together), each for the transport combinations Q:UDP, P:UDP; Q:TCP, P:TCP; Q:UDP, P:TLS; Q:TCP, P:TLS; Q:TLS, P:TLS.]
• Number of concurrent sessions that can be handled
  – 600 (Q, P) messages/sec
  → 36,000 concurrent flows with a 60 sec refresh period, with fair queuing
27
Memory overhead
• Session key storage
  – (Session key size) x (number of concurrent sessions N)

  Parameters | Key size  | Key storage size (when N = 10,000)
  HMAC-SHA1  | 20 bytes  | 0.2 MB
  RSA-1024   | 128 bytes | 1.28 MB
  DSA-1024   | 128 bytes | 1.28 MB
  ECC-192    | 24 bytes  | 0.24 MB
• State table recording
  – (size of state record per flow) x (number of concurrent sessions N)
  – 100 bytes x 10,000 = 1 MB
28
Signaling message processing delay
• Signaling message processing delay by public key cryptography algorithm

  Parameters | Query message (msec) | Permission message (msec)
  NULL       | 0.131                | 0.134
  RSA-1024   | 0.423                | 0.436
  DSA-1024   | 1.674                | 1.701
  ECC-192    | 1.868                | 1.892
  NULL: no cryptographic algorithm is applied to the signaling messages
• GIST handshake delay

  Transport | GIST handshake (msec)
  UDP       | 0.411
  TCP       | 10.057
  TLS       | 23.383
29
IPsec processing delay
• Data packet (with and without IPsec) processing delay

  Parameters                      | IPsec processing delay (msec)
  Without userspace IPsec module  | 0.010
  NULL encryption                 | 0.057
  HMAC-SHA1                       | 0.067
  RSA-1024                        | 0.198
  DSA-1024                        | 1.411
  ECC-192                         | 1.649
• Userspace IPsec module: captures the packet from the kernel into user space, processes IPsec there, and sends the packet back to the kernel
• NULL encryption: the packet passes through the module with no IPsec verification
30
Deployment and application
• At the edge routers
  – Edge routers in the sender's area
    • Drop attack packets from off-path attackers
  – Edge routers in the receiver's area
    • Drop attack packets generated in the backbone
• Closed network
  – All end users have PBS functionality
  – Deny-by-default
  – Short flows, such as DNS and ICMP
    • Flow state setup delay and signaling message overhead dominate
    • Rate limited instead
• Open networks
  – Some end users do not have PBS functionality
    • Packets from a sender without PBS functionality are rate-limited.
31
Conclusion
• Signaling architecture for network traffic authorization
• Hybrid approach
  – Proactive approach: explicit permission by signaling
  – Reactive approach: PBS detection algorithm (PDA)
• Secure system
  – Authentication and integrity of signaling messages: public key cryptography
  – Authentication and integrity of data packets: IPsec AH
• Practical and deployable system
• DoS defense mechanism
  – Off-path and on-path attacks
32
Backup slides
33
Existing solutions
• Proactive approaches
  – Source address filtering
    • Ingress filtering
    • Allows packets whose IP address is in the expected IP address range
    • Prevents source address spoofing
    • Deployment problem
      – Universal deployment problem
    • Attacks that cannot be prevented
      – IP address spoofing within the same subnet
      – A compromised router can inject and drop packets (on-path attack)
  – Capability-based approaches
    • SIFF and TVA
    • Permission (capability): filters unauthorized flows
    • Breakable system
      – A compromised router gives a bogus capability
      – A compromised router announces the capability to the upstream nodes
    • Attack that cannot be prevented: on-path attack
      – A compromised router can use the capability to inject an attack flow.
      – A compromised router can drop packets → delivery is not guaranteed
Existing solutions
• Proactive approaches
  – Overlay-based approaches
    • SOS and Mayday
    • An overlay structure verifies the legitimacy of packets
    • Breakable system
      – The overlay structure itself can be the target of the attack
    • Attack that cannot be prevented
      – A compromised overlay node can inject and drop packets
    • Expensive media relaying.
Existing solutions
• Reactive approaches
  – Filtering-based mechanisms
    • Pushback and StopIt
    • Detection of misbehavior of users → request filtering
    • Suffer from false positives
    • Attack that cannot be prevented: on-path attack
      – Cannot guarantee the delivery of legitimate packets
  – Traceback
    • Probabilistic marking by routers / reconstruction of the path
    • Implementation problem
      – No specific field for tracking purposes in IPv4.
    • Breakable system
      – Spoofed marking field → misleads the path reconstruction
    • Attack that cannot be prevented: on-path attack
      – Overwritten marking field → reduces the probability of marking
Delay
• Round-trip delay of signaling messages before data packets can be sent
  – Measure the signaling message processing delay
  – Measure the GIST handshake delay
[Sequence diagram: Sender → R1 → Receiver. A GIST handshake precedes the Query on each hop (GIST delay), each node adds Query processing delay, the Receiver answers with Permission, and each node adds Permission processing delay on the way back; the total is the RTT before the first data packet.]
37
FSM: Sender
States: 1 Idle, 2 Wait for P, 3 Permission state, 4 Compare SV and AV
Transitions (Event || Action):
• 1 → 2: Send Q
• 2 → 1: Recv P(AV=0) || remove permission state
• 2 → 2: T.O. || change route & send Q
• 2 → 3: Recv P(AV!=0) || apply the crypto for data based on the S (security) value of P
• 3 → 3: Recv P (new security algorithm) || change the security algorithm for IPsec
• 3 → 2: Send Q (soft-state refresh)
• 3 → 4: Send Data
• 3 → 1: TTL=0 OR Recv P(AV=0) || remove permission state
• 4 → 3: SV < AV
• 4 → 1: SV > AV || remove permission state
Q: Query message, P: Permission message, T.O.: time out
AV: the number of bytes that the receiver allows
SV: the number of bytes that the sender has sent
38
FSM: Receiver
States: 1 Idle, 2 Permission decision, 3 Permission state, 4 IPsec verification, 5 Compare RV and AV, 6 Compare RV and SV, 7 Policy decision
Transitions (Event || Action):
• 1 → 2: Recv Q
• 2 → 1: Decline || send P(AV=0)
• 2 → 3: Grant || set up permission state & install SA & send P(AV!=0, shared key)
• 3 → 4: Recv Data
• 3 → 6: Recv Q (SV)
• 3 → 1: TTL=0 OR no refresh || remove state and SA & send P(AV=0)
• 4 → 3: IPsec verification failed || drop
• 4 → 5: IPsec verification success || calculate RV
• 5 → 3: RV < AV
• 5 → 1: RV > AV || remove state and SA & send P(AV=0)
• 6 → 3: SV = RV || send P
• 6 → 7: SV != RV
• 7 → 3: Increase security || send P(new security algorithm)
• 7 → 1: Revoke permission || remove state and SA & send P(AV=0)
RV: the number of bytes that the receiver has received
39
FSM: Router
States: 1 Idle, 2 Wait for P, 3 Permission state, 4 IPsec verification, 5 Compare RV and AV
Transitions (Event || Action):
• 1 → 2: Recv Q || forward Q
• 2 → 1: Recv P(AV=0)
• 2 → 3: Recv P(AV!=0) || set up permission state and SA
• 3 → 2: Recv Q || forward Q (soft-state refresh)
• 3 → 3: Recv P (new security algorithm) || change the security algorithm for IPsec
• 3 → 4: Recv Data
• 3 → 1: TTL=0 OR Recv P(AV=0) OR no refresh || remove state and SA
• 4 → 3: IPsec verification failed || drop Data
• 4 → 5: IPsec verification success || calculate RV
• 5 → 3: RV > AV || drop Data
• 5 → 3: RV < AV || forward Data
RV: the number of bytes the router has received for the flow
40
Implementation structure
• Signaling (PBS NSLP / GIST)
  – PBS NSLP on GIST, using the FreeNSIS implementation
    • http://user.informatik.uni-goettingen.de/~nsis/
  – Finite state machine
    • The FSM controls the state of each node.
  – Message creation and parsing
    • Signaling messages are created and parsed at each node that has PBS NSLP functionality.
  – Public key distribution
    • OpenSSL: X.509 certificate
  – Signaling message authentication
    • OpenSSL: public key cryptography for message authentication
  – GIST API
    • Unix socket: communication between GIST and PBS NSLP
    • Selection of UDP/TCP/TLS: channel reliability and security
41
Implementation structure
• Authorization
  – State table
    • hashtable: permission state, IPsec state
• Traffic management
  – Userspace IPsec module: a modular IPsec stack that runs in user space
    • netfilter queue module: hands matching packets (if a rule matches) to user space
    • OpenSSL: public key cryptography for the IPsec authentication field
  – Netfilter/iptables
    • libiptc: interface to the filter tables in kernel space
    • iptables: filters IP packets
  – Linux kernel routing table
    • route: sets up the data path using the Linux kernel routing table
42
Security analysis of PBS
• Trustworthy networks
  – Attack without address spoofing
    • 5-tuple based IP packet filtering
  – Attack with a spoofed source address
    • PDA can detect it
    • IPsec: symmetric key cryptography
• Byzantine networks
  – Off-path attacks
    • 5-tuple filtering / PDA
    • IPsec: symmetric key cryptography
  – On-path attack: packet addition
    • PDA can detect the attack
    • IPsec: public key cryptography
  – On-path attack: packet dropping
    • Signaling messages and PDA can detect the attack
    • Change the path
• Sender attack
  – Blacklist and whitelist
  – The permission request gives a precise behavior profile of a sender
43
Detection delay and number of attack flows
• Detection delay
  – The faster attack flows are detected, the smaller the number of attack flows in the system
  – Detection delay depends on the soft-state period of the signaling messages
• Assumption
  – Legitimate flow arrivals (rate $\lambda_l$) and attack flow arrivals (rate $\lambda_a$) follow Poisson distributions, so the total arrival rate is
    $$\lambda = \lambda_a + \lambda_l$$
  – Attack flow lifetime $T_a$, legitimate flow lifetime $T_l$; the expected lifetime over all flows is
    $$E[T_L] = \frac{\lambda_a}{\lambda} E[T_a] + \frac{\lambda_l}{\lambda} E[T_l]$$
• Attack flow ratio
  – Ratio of the attack flow arrival rate to the total flow arrival rate: $r = \lambda_a / \lambda$
  – Soft-state period: $T_P$
  – Fraction of the flows in the system that are attack flows (Little's law, $E[N] = \lambda E[T]$):
    $$R = \frac{E[N_a]}{E[N]} = \frac{\lambda_a E[T_a]}{\lambda E[T_L]} = \frac{r\,E[T_a]}{r\,E[T_a] + (1 - r)\,E[T_l]}$$
    The closing form on the slide, $R = r / (r + 2(1 - r))$, corresponds to $E[T_a] = T_P$ (a detected attack flow ends at its next soft-state refresh) and $E[T_l] = 2 T_P$.
44
Detection delay and number of attack flows
• The attack flow arrival ratio r is 0.8, but the actual share of attack flows in the system is smaller, since detection shortens the attack flow's lifetime (with the lifetimes above, R = 0.8 / (0.8 + 0.4) ≈ 0.67).
45