Transcript SOS: Secure Overlay Services

SOS: Secure Overlay Services
A. D. Keromytis
V. Misra
D. Runbenstein
Columbia University
1
Outline





Introduction
Architecture
Performance Analysis
Implementation
Discussion
2
Introduction/Motivation

9/11 events



The Internet vs. Phone Network
Communication paths between the
“important” sites and Emergency Response
Teams
Trends of DDoS Attacks


Previous Reactive Approaches
Proactive Mechanisms
3
Attack Trends [CERT’01]


Trend 6 - Increasing threat from infrastructure
attacks, type 1 Distributed denial of service, ….
The degree of automation




Manual Attacks - early DDoS attacks
Semi-Automatic Attacks - Attacks with communications
between masters and slaves
Automatic Attacks - Just issue a single command
High-impact, low-effort
4
Distributed Denial of Service Attacks
(DDOS)


Attacker logs into Master
and signals slaves to
launch an attack on a
specific target address
(victim).
Slaves then respond by
initiating TCP, UDP, ICMP
or Smurf attack on
victim.
5
What makes DDoS attacks possible?




Internet security is highly
interdependent
Internet resources are limited
Power of many is greater that power
few
Intelligence and resources are not
collocated
6
What to Do About DDoS?

Detection


Traceback (unfortunately, not to the attacks)





Intrusion detection systems
Link Testing
ICMP Traceback
Hash-based Traceback
Probabilistic Marking
Prevention



Traffic monitoring e.g., ICMP packets, SYN packets
Ingress filtering on the routers
GovNet – A separate network
7
Objective of Secure Overlay Services




Motivated by ERT scenario
Focus on protecting a site that stores
information that is difficult to replicate
Secure communication on top of today’s
existing IP infrastructure from DDoS
attacks
Does NOT solve the general DoS
problems
8
Assumptions
1. Pre-determined subset of clients scattered
through the wide-area network(WAN)
2. A set of users want to prevent access to this info
and will launch DoS attack upon any network
points whose jamming will archive this goal
3. The attacker does not have unobstructed
access to the network core
4. The attacker can not acquire sufficient resources
to severely disrupt large portions pf the backbone
9
Basic SOS Architecture
10
Architecture Descriptions




SOS is a network overlay
Nodes are known to the public
Communications between overlay nodes
are assumed to remain secure
The user’s packets must be
authenticated and authorized by SOS
before traffic is allowed to flow though
the overlay
11
Filtered region



Establish filters at the ISP’s POP routers
attaching to the ISP backbone
Distinguish and drop illegitimate
packets
Issues


IP address changes and user roles
changes
IP spoofing
12
Secret Servlets





A subset of nods, Ns, selected by the target
to act as forwarding proxies
The filters only allow packets whose source
address matches n  Ns
Hide the identities of the proxies to prevent
IP spoofing or attacks aiming at proxies
Activated by the target’s message
Challenge: reach a secret servlet without
revealing the servlet’s ID to the nodes that
wish to reach it. Random next hop
O(N/Ns)
13
SOAP: Secure Overlay Access Point





Receive and verify traffic
Authentication tools: IPSec/TLS
A large number of SOAPs make a
distributed firewall
Effects on DoS – increase the amount
of resources/bandwidth to deny
connectivity to legitimate clients
How to map SOAPs to different users?
14
Routing through the Overlay





Chord service (www.cs.umn.edu/~he/iss/)
Each Overlay node contains O(logN)
identifiers
Chord delivers the packet to one of several
beacons, which knows the secret servlet’s
identity.
Beacon’s identifier is mapped by hashing the
target’s IP address
Multiple hash functions produce different
paths.
15
Against the DoS attacks



An access point is attacked.
The source point can choose an alternative
access point
A node within the overlay is attacked
Chord service self-heals
A secret servlet’s identifier is discovered and
the servlet is targeted as an attack point
The target chooses an alternative set of
secret servlets
16
Performance Analysis (1)
Varying number of Attacks and nodes in
the overlay
P
(Attack
Success)
# of nodes attacked
17
Performance Analysis (2)
Blocking probability for legitimate traffic
as a function of attack traffic load
Blocking
probability
for
legitimate
traffic
Load of attack traffic
18
Performance Analysis (3)
Performance gains of increasing the
capacity of the attacked node
Bandwidth
Gain
Bandwidth increase factor
19
Performance Analysis (4)
Performance gains of increasing the
anonymity of the attacked node
Randomization
Gain
Size of the overlay
20
Implementation

Filtering



Authentication and authorization of sources



high and medium routers(performance & cost)
high-speed packet classification
IPSec
Public Key Infrastructure/Certificate
Tunneling



IP-in-IP encapsulation
GRE encapsulation
IPSec in tunnel mode
21
Discussions

Attacks from inside the overlay




A shared overlay



security management oversights
development bugs
potential damage from inside
multiple organizations utilize a shared overlay
A breach in one org. security would not lead to
breaches in other networks
Timely delivery


Latency (10 times lager, preliminary simulations)
Trade security with performance
22
Thanks!
23
24
25
26
27
28
29