contra - Tolerant Systems


CONTRA
Camouflage of Network Traffic to Resist Attack
(Intrusion Tolerance Using Masking, Redundancy and Dispersion)
DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002
Janet Lepanto
William Weinstein
The Charles Stark Draper Laboratory, Inc.
Aegis Research Corporation
Slide 1
DDoS Flooding Attacks
DDoS Flooding Attack is Analogous to Jamming

  Jamming                                    DDoS Flood
  Jammer concentrates energy at a            Attacker directs traffic against
  particular frequency and location          a particular IP address

  Jamming Defenses                           Flooding Defenses
  Frequency Hopping                          IP Address Masking
                                             IP Address Hopping
  Energy Dispersion                          IP Identity Dispersion
Slide 2
Key Ideas
• Spread the identity of a server across multiple IP addresses
• Add redundancy to each message, and send a portion of each message to each of the IP addresses of the server
  – If some of the addresses are flooded, that traffic can be dropped
  – The messages can be reconstructed from the remaining traffic
• Prevent an attacker from associating a set of addresses with a particular server
  – Force the attacker to dilute the attack by spreading the flood across randomly chosen sets of IP addresses
Slide 3
Assumptions
• CONTRA system comprises a set of cooperating hosts
  – Communicate among themselves over the Internet
  – Servers could be made available to outsiders by designating some of the clients as gateways
• Attacker attempts to determine address(es) of high value target
  – By monitoring traffic at one or more accessible points of the Internet
  – By analyzing communication patterns
• Attacker can use public data to determine IP block assignments
  – Attacker knows the organization that is communicating
• Pipes have sufficient capacity to accommodate the total traffic
Slide 4
Approach
• Leverage selected aspects of
  – VPNs
  – Anonymity systems
  – Fault-tolerant communications
• Consider ease of deployment
  – Implement as a communications proxy on top of UDP
  – Redundancy in messages provides reliability
  – Real source IP addresses can be masked
• Structure protocols to support
  – Continuous operation through attack
  – Distribution of reconfiguration information
  – Monitoring of attack progress
  – Extension to mitigate “insider” attacks
Slide 5
Implementation
• Messages are sent from a source to a destination host as follows:
  – Messages are encoded with redundancy and divided into N parts, any K<N of which can be used to recover the message
  – The N parts are sent over different paths, each of which contains at least one relay host that functions as a mix
  – The N parts of the message are dispersed across all of the IP addresses that define the destination host
• The “real” IP addresses of the source and destination, and the message content, are encrypted
  – Only the IP addresses of individual hops are exposed
  – A virtual network topology can be chosen that exposes only a portion of the system’s IP addresses to an attacker sniffing at a single point
Slide 6
Message Encoding
[Figure: the Origin Host applies a Predetermined Transformation X to the MESSAGE M = (M1, M2, M3), producing five encoded parts Z1..Z5 (N = 5, K = 3). The parts travel through a Relay Host and across the NETWORK as transformed segments T11..T53 to the Destination Host, which has multiple IP addresses. The destination SELECTs three received parts (1, 3, 4 in the figure), applies the inverse transformation X^-1 to Z1, Z3, Z4, and recovers M1, M2, M3 = MESSAGE.]
Slide 7
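The K-of-N encoding of slides 6 and 7, as an added example that is not part of the original presentation: a Rabin-style information dispersal over GF(2^8). Each chunk of K message bytes becomes the coefficients of a polynomial, the polynomial is evaluated at N distinct points (one value per part), and any K parts interpolate the chunk back. This is the figure's transformation X and inverse X^-1 realised as a Vandermonde matrix and its inverse; the destination addresses, the message and the set of "flooded" addresses are constructed for the demonstration.

```python
"""K-of-N information dispersal over GF(2^8), one part per destination address,
and recovery after the parts arriving on flooded addresses are dropped."""

# ---- GF(2^8) with the AES polynomial x^8 + x^4 + x^3 + x + 1, generator 3 ----
_EXP = [0] * 512
_LOG = [0] * 256
_x = 1
for _i in range(255):
    _EXP[_i] = _x
    _LOG[_x] = _i
    _x ^= (_x << 1) ^ (0x11B if _x & 0x80 else 0)   # x * 3 = x + 2x, reduced mod the polynomial
for _i in range(255, 512):                          # wrap so exp[log a + log b] never overflows
    _EXP[_i] = _EXP[_i - 255]


def gf_mul(a: int, b: int) -> int:
    return 0 if a == 0 or b == 0 else _EXP[_LOG[a] + _LOG[b]]


def gf_inv(a: int) -> int:
    return _EXP[255 - _LOG[a]]          # caller guarantees a != 0


def _poly_mul(p: list, q: list) -> list:
    out = [0] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            out[i + j] ^= gf_mul(a, b)  # addition in GF(2^8) is XOR
    return out


def _lagrange_basis(xs: list) -> list:
    """Coefficients (low degree first) of L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j)."""
    basis = []
    for i, xi in enumerate(xs):
        num, den = [1], 1
        for j, xj in enumerate(xs):
            if j != i:
                num = _poly_mul(num, [xj, 1])   # (x - xj) == (x + xj) in characteristic 2
                den = gf_mul(den, xi ^ xj)
        inv = gf_inv(den)
        basis.append([gf_mul(c, inv) for c in num])
    return basis


def disperse(message: bytes, k: int, n: int) -> list:
    """Split `message` into n parts (x, data) such that any k of them rebuild it."""
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= K <= N <= 255")
    body = len(message).to_bytes(4, "big") + message   # length prefix lets the receiver strip padding
    body += b"\x00" * (-len(body) % k)
    parts = [bytearray() for _ in range(n)]
    for off in range(0, len(body), k):
        coeffs = body[off:off + k]                  # k bytes = coefficients of one polynomial
        for i in range(n):
            y = 0
            for c in reversed(coeffs):              # Horner evaluation of p(x) at x = i + 1
                y = gf_mul(y, i + 1) ^ c
            parts[i].append(y)
    return [(i + 1, bytes(p)) for i, p in enumerate(parts)]


def reassemble(parts: list, k: int) -> bytes:
    """Interpolate each chunk's polynomial from any k parts and read back its coefficients."""
    if len(parts) < k:
        raise ValueError(f"need {k} parts, only {len(parts)} survived")
    parts = parts[:k]
    basis = _lagrange_basis([x for x, _ in parts])
    body = bytearray()
    for pos in range(len(parts[0][1])):
        coeffs = [0] * k
        for (_, data), lag in zip(parts, basis):
            for d in range(k):
                coeffs[d] ^= gf_mul(data[pos], lag[d])   # p(x) = sum_i y_i * L_i(x)
        body.extend(coeffs)
    return bytes(body[4:4 + int.from_bytes(body[:4], "big")])


def send_and_receive(message: bytes, k: int, addresses: list, flooded: set) -> bytes:
    """Disperse one part per destination address; the receiver drops everything that
    arrived on a flooded address and rebuilds from the rest (constructed simulation)."""
    traffic = dict(zip(addresses, disperse(message, k, len(addresses))))
    survivors = [part for addr, part in traffic.items() if addr not in flooded]
    return reassemble(survivors, k)


if __name__ == "__main__":
    addrs = ["203.0.113.%d" % i for i in range(10, 15)]   # constructed: the server's N = 5 addresses
    msg = b"CONTRA segment: any 3 of 5 parts suffice"
    print(send_and_receive(msg, 3, addrs, flooded={addrs[1], addrs[4]}))
```

Each part is the same length as the padded message divided by K, so the redundancy overhead is N/K; with N = 5 and K = 3 the attacker must flood three of the five addresses before a message is lost, which is the dilution effect slide 3 describes.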
CONTRA Packet Structure
[Figure: packet layout, left to right: IP Header | Transport Header | CONTRA Header | Payload. Two encryption brackets are drawn over the packet: “Encrypted Between Hops” (the layer each relay removes and re-applies for the next hop) and “Encrypted Source-to-Destination” (the end-to-end layer over the payload).]
CONTRA Header contains:
  Real Source IP/port
  Real Destination IP/port
  K-of-N Encoding
  Msg Segment Number
  Padding
  Source/relay host status
  Vnet configuration status
Slide 8
Message Relay
[Figure: the Source Host sends message parts through several Relay Hosts (three shown) to the Destination Host.]
Slide 9
Relay Operations (Mix)
• Decrypt CONTRA header
• Extract real destination
• Change padding
• Reencrypt with key of next hop
Slide 10
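The packet structure of slide 8 and the relay operations of slide 10, as an added example that is not the project's code. It assumes two layers, following the figure's two brackets: a hop-to-hop layer over the CONTRA header and payload under a key shared by adjacent hops, and an end-to-end layer over the payload under a key shared by the real source and destination. The cipher is an HMAC-SHA256 keystream with an HMAC tag, standing in for a real AEAD; the header field widths, the fixed header size, the addresses, the keys and the next-hop lookup are all constructed.

```python
"""CONTRA-style packet handling: hop-encrypted CONTRA header, end-to-end encrypted
payload, and the relay/mix step (decrypt header, read real destination, change padding,
re-encrypt for the next hop). Added example; cipher, addresses and keys are stand-ins."""
import hashlib
import hmac
import ipaddress
import os
import struct
from typing import Callable, NamedTuple

HDR_FMT = "!4sH4sHBBHBB"   # real src ip/port, real dst ip/port, K, N, segment no., host status, vnet status
HDR_LEN = 48               # fixed header size (assumption); bytes after the packed fields are random padding
FIELDS = ("src_ip", "src_port", "dst_ip", "dst_port", "k", "n", "segment", "host_status", "vnet_status")

class Packet(NamedTuple):
    hop_src: str    # the only addresses an observer on the wire sees
    hop_dst: str
    body: bytes     # hop-encrypted: CONTRA header || end-to-end encrypted payload

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with HMAC-SHA256 (stand-in for a real AEAD): nonce || ct || tag."""
    enc_key, mac_key = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("authentication failed: packet altered or wrong hop key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def build_header(f: dict) -> bytes:
    """Pack the CONTRA header fields and fill to HDR_LEN with fresh random padding."""
    fixed = struct.pack(HDR_FMT, ipaddress.IPv4Address(f["src_ip"]).packed, f["src_port"],
                        ipaddress.IPv4Address(f["dst_ip"]).packed, f["dst_port"],
                        f["k"], f["n"], f["segment"], f["host_status"], f["vnet_status"])
    return fixed + os.urandom(HDR_LEN - len(fixed))

def parse_header(raw: bytes) -> dict:
    vals = list(struct.unpack(HDR_FMT, raw[:struct.calcsize(HDR_FMT)]))
    vals[0], vals[2] = str(ipaddress.IPv4Address(vals[0])), str(ipaddress.IPv4Address(vals[2]))
    return dict(zip(FIELDS, vals))

def hop_key(keys: dict, a: str, b: str) -> bytes:
    return keys[frozenset((a, b))]     # one symmetric key per adjacent pair of hosts (assumption)

def originate(f: dict, segment: bytes, keys: dict, e2e_key: bytes, first_hop: str) -> Packet:
    inner = seal(e2e_key, segment)                         # source-to-destination layer
    body = seal(hop_key(keys, f["src_ip"], first_hop), build_header(f) + inner)
    return Packet(f["src_ip"], first_hop, body)

def relay(pkt: Packet, me: str, keys: dict, next_hop_for: Callable[[str], str]) -> Packet:
    """Slide 10's mix: decrypt header, extract real destination, change padding, re-encrypt."""
    plain = unseal(hop_key(keys, pkt.hop_src, me), pkt.body)
    f, inner = parse_header(plain[:HDR_LEN]), plain[HDR_LEN:]   # inner payload layer is not opened
    nxt = next_hop_for(f["dst_ip"])                              # virtual-topology lookup (assumption)
    return Packet(me, nxt, seal(hop_key(keys, me, nxt), build_header(f) + inner))

def deliver(pkt: Packet, me: str, keys: dict, e2e_key: bytes):
    plain = unseal(hop_key(keys, pkt.hop_src, me), pkt.body)
    f = parse_header(plain[:HDR_LEN])
    if f["dst_ip"] != me:
        raise ValueError("real destination is %s, not %s" % (f["dst_ip"], me))
    return f, unseal(e2e_key, plain[HDR_LEN:])

def demo():
    """Constructed path: source -> relay r1 -> relay r2 -> destination, one key per hop pair."""
    src, r1, r2, dst = "10.1.0.5", "192.0.2.7", "198.51.100.3", "203.0.113.20"
    keys = {frozenset(p): os.urandom(32) for p in ((src, r1), (r1, r2), (r2, dst))}
    e2e = os.urandom(32)
    f = dict(src_ip=src, src_port=40000, dst_ip=dst, dst_port=5000,
             k=3, n=5, segment=2, host_status=0, vnet_status=1)
    p0 = originate(f, b"part 2 of 5", keys, e2e, r1)
    p1 = relay(p0, r1, keys, lambda real_dst: r2)           # r1 forwards via r2
    p2 = relay(p1, r2, keys, lambda real_dst: real_dst)     # r2 is the last relay
    hdr, seg = deliver(p2, dst, keys, e2e)
    path = [(p.hop_src, p.hop_dst) for p in (p0, p1, p2)]   # what a sniffer at each hop sees
    rekeyed = len({p.body for p in (p0, p1, p2)}) == 3      # wire bytes differ at every hop
    return hdr, seg, path, rekeyed

if __name__ == "__main__":
    print(demo())
```

Because each relay re-pads the header and re-encrypts under a different key with a fresh nonce, the bytes leaving a relay share nothing with the bytes that entered it, so a sniffer at one point sees only that hop's source and destination addresses; the real endpoints and the segment content stay inside the two encrypted layers.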
Server IP Address Assignments
[Figure: a Server behind a Site Router on the Internet, reached by several Clients.]
Server listens on M >= N addresses
K<N parts needed to rebuild message
Slide 11
Challenges
• Robustness of traffic mixing
  – Minimum level of traffic
• “Insider” attacks
  – Clients are users as well as relays
  – The CONTRA proxy on the client needs to know the real addresses of CONTRA destinations
  – Need to protect this information
Slide 12