SigComm Poster - Computer Science and Engineering

An Analysis of Location-Hiding Using Overlay Networks
Ju Wang and Andrew A. Chien
Department of Computer Science and Engineering, University of California San Diego
Overlay Network for Location-Hiding
Feasibility of Location-Hiding
Problems
Attacker
Proxy Network
• Communication infrastructure to allow applications to
communicate with users without disclosing IP addresses
• Protect applications from direct attacks
Location-Hiding Infeasible w/o
Sufficient Reconfiguration
[Figure: Proxy Network Layered View. Diagram labels: User, Attacker, Overlay, Proxy Network, Resource Pool, Application (IP Network)]
[Plot: y-axis Time To Application Exposure (unit:  -1)]
Location-Hiding Feasible with Sufficient Reconfiguration
Theorem II Consider a proxy network with random proxy
migration rate r (r2), the expected time to application
exposure T grows exponentially with the proxy network depth d;
 r d 1
r d 2
specifically (( 2 ) )TT. ((  ) )T
Generic Framework for Location-Hiding
Proxy Network Top View
Correlated host vulnerabilities can make
location-hiding infeasible
[Plot: y-axis Time to Application Exposure]
Correlated Vulnerability
Theorem I Without proxy network reconfiguration, the
expected time to application exposure TdT where T is the
expected time to compromise a host, d is proxy network depth.
-1
[Plot: x-axis Proxy Network Depth (d); legend: No reconfiguration; Perfect Recovery, r=0.1; Perfect Recovery, r=0.5]
[Diagram labels: Legitimate User, User, Edge Proxy, Proxy]
[Plot: x-axis Proxy Network Depth (d), log scale]
Attack Model
Defense Model
• Goal: reveal application location (IP address)
• Compromise hosts and reveal (expose) location of
adjacent proxies
• Penetrate proxy network using exposed location
information
Correlated Vulnerability
• Hosts w/ similar configurations grouped as domain
– High correlation inside domain
– Low correlation across domains
• Goal: recover compromised hosts, invalidate
information attackers have
• Resource recovery
– Recover compromised hosts
– Reactive recovery: detection-triggered
– Proactive reset: periodic reload/security patch
• Proxy network reconfiguration
– Invalidate information attackers have
– e.g. proxy migration
• e.g. define domain by OS platforms
[Figure: Host state transition (Intact, Compromised) and Proxy state transition (Intact, Exposed, Compromised); transitions marked attack and defense]
Meaning | Examples*
Rate of new vulnerability discovery | Bi-weekly
Rate of compromise w/ known bugs | ~minute
Rate of proactive resets | 0 -relative
True positive ratio of reactive recovery | 0.80
Speed of reactive recovery | Real time
Rate of proxy migration | 10~100x0
* Data shown in examples are inferred from Microsoft Security Bulletin critical vulnerability data, worm propagation speed,
Lippmann et al Intrusion detection systems evaluation results, and our prototype proxy network evaluation results.
• resource recovery limited impact
[Plot: x-axis Proxy Migration Rate r (Unit: ); proxy network depth d = 10]
[Plot: x-axis Proxy Network Depth; legend: No Correlation ( domains), 2 domains, 3 domains, 4 domains, 8 domains; parameters: r=10 0, s=10 0,  v=0.99]
Work in Progress
Summary
• Design of a generic framework and analytic model for
proxy network approaches to location-hiding
• Using analytic modeling and simulation techniques, we
characterize key properties of proxy network and find
Stochastic Model
• migration rate + proxy network depth → exponential improvement
• Proxies migrate inside domain
• migration has qualitative impact
• Interleave proxies on different domains
[Plot legend: Perfect Recovery, No Recovery]
Exploiting limited host diversity & intelligent
proxy placement achieves location-hiding
All hosts share similar vulnerabilities (single domain).
Even with high migration rates, can’t achieve location-hiding.
v, the dominant attack rate, is much higher than the migration rate.
[Plot: y-axis Penetration Probability (106 time steps); legend: No Recovery, Perfect Recovery]
Parametric Study
[Plot: Time to Application Exposure (unit:  -1) vs. Proxy Network Depth, linear scale; legend: r=0.10,  0=0.01,  v=0.90; r=0.30,  0=0.01,  v=0.90]
• Proxies: software components run on hosts
• Proxies adjacent: iff IP addresses mutually known
• Proxy Network Topology: adjacency structure
• Depth: min distance (hops) from edge proxies to app
• Edge proxies publish their IP addresses
• Users access applications via edge proxies
[Plot: y-axis Time to Application Exposure (unit: )]
Uncorrelated Vulnerability
• Can proxy networks achieve location-hiding? If
so, under what circumstances? (feasibility)
• How long will it take attackers to reveal
application location? (metrics)
• How do properties of defense & proxy networks
affect location-hiding? (parametric)
– Resource recovery
– Proxy network reconfiguration
– Correlated host vulnerability
- Existing approaches employing static structure are vulnerable
to host compromise attacks
- Adding proactive defenses employing proxy network
reconfiguration and migration makes location-hiding feasible,
proxy network depth & reconfiguration rates are critical factors
• Impact of overlay topology in location-hiding (SSRS’03)
- Using a similar model, we characterize favorable and unfavorable
topologies for location-hiding from a graph theoretic perspective
- Found high connectivity, a merit in other contexts, may undermine
location-hiding
- Popular overlays, e.g. Chord, are unfavorable for location-hiding;
low-dimensional CAN and binary de Bruijn graphs are favorable.
• Proxy Network DoS Resilience (empirical study)
- Simulation testbed: large scale Internet simulator (MicroGrid)
- Correlated host vulnerability can make location-hiding infeasible
- Proxy network working prototype
- By exploiting limited host diversity and intelligent construction
of proxy network, negative impact of correlation can be mitigated
and location-hiding can be achieved
- Real DDoS attack tool (Trinoo) and real application (Apache)
- Study impact of attack and effectiveness of proxy network (impact
of proxy deployment as well)
This work is supported in part by the National Science Foundation under awards NSF EIA-99-75020 Grads and NSF Cooperative Agreement ANI-0225642 (OptIPuter), NSF CCR-0331645
(VGrADS), NSF NGS-0305390, and NSF Research Infrastructure Grant EIA-0303622. Support from Hewlett-Packard, BigBangwidth, Microsoft, and Intel is also gratefully acknowledged.