ChowCyberSecuritySymposiumPoster


SCOLD:
Secure Collective Internet Defense
http://cs.uccs.edu/~scold/
A NISSC Sponsored Project
C. Edward Chow
Yu Cai
Dave Wilkinson
Department of Computer Science
University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2002 grant.
Cybersecurity Symposium 9/19/2003
1
chow
Outline of the Talk

Network security related research projects at UCCS: Network/Protocol Research Lab
Secure Collective Internet Defense, the idea. How should we pursue it?
Secure Collective Internet Defense, SCOLDv0.1: a technique-based intrusion tolerance paradigm
SCOLDv0.1 implementation and testbed
  Secure DNS update with indirect routing entries
  Indirect routing protocol based on IP tunnel
Performance evaluation of SCOLDv0.1
Conclusion and future directions
New UCCS IA Degree/Certificate

Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3). It includes four courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design.
UCCS Network/System Research Lab

Director: Dr. C. Edward Chow
Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
New CS Faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
- John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (two US patents)
- Hekki Julkunen: Dynamic Packet Filter
- Chandra Prakash: Highly Available Linux kernel-based Content Switch
- Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; Wireless Sensor Network
- Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
- Longhua Li: IXP-based Content Switch
- Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
- Jianhua Xie (Ph.D.): Secure Storage Networks
- Frank Watson: Content Switch for Email Security
- Paul Fong: Wireless AODV Routing for sensor networks
- Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
- David Wilkinson: SCOLD: Secure DNS Update
- Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI
UCCS Network Lab Setup

Gigabit fiber connection to UCCS backbone
Router/Switch/Firewall/Wireless AP:
- 8 routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink switches
- Sonicwall Pro 300 firewall*, 8 VPN gateways*
- 8 Intel 7112 SSL accelerators*; 4 7820 XML directors*
- Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards)
- Intel IXP12EB network processor evaluation board
Servers: two Dell PowerEdge servers*, 4 cache appliances*
Workstations/PCs:
- 8 Dell PCs (3 GHz*-500 MHz); 12 HP PCs (500-233 MHz)
- 2 laptop PCs with Aironet 350 for mobile wireless
- OS: Linux Redhat 9.0; Windows XP/2000

* Equipment donated by Intel
DDoS: Distributed Denial of Service Attack

Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks observed in a 3-week period; most victims are home users and small to medium sized organizations.
DDoS victims: Yahoo/Amazon (2000); CERT (5/2001); DNS root servers (10/2002)
DDoS tools: Stacheldraht; Trinoo; Tribal Flood Network (TFN)
Secure Collective Internet Defense

The Internet "attacks" community seems to be better organized. How about Internet Secure Collective Defense?
- Report/exchange virus info and distribute anti-virus: not bad (need to pay Norton or Network Associates)
- Report/exchange spam info: not good (SpamBayes, SpamAssassin, email firewall, remove.org)
- Report attack (to your admin or FBI?): not good
- IP Traceback: difficult to negotiate even the use of one bit in the IP header
- Push back attack: slow call to upstream ISP; hard to find the IDIP spec!
- Form a consortium and help each other during attacks: almost non-existent
Intrusion Related Research Areas

Intrusion Prevention
- General Security Policy
- Ingress/Egress Filtering
Intrusion Detection
- Honey pot
- Host-based IDS (Tripwire)
- Anomaly Detection
- Misuse Detection
Intrusion Response
- Identification/Traceback/Pushback
- Intrusion Tolerance
Wouldn't it be Nice to Have Alternate Routes?

[Figure: client networks net-a.com, net-b.com and net-c.com with their DNS servers (DNS1, DNS2, DNS3) and routers; client traffic and DDoS attack traffic both converge on the victim's normal gateway, while multi-homing provides alternate gateways R1, R2 and R3.]
How to reroute clients' traffic through R1-R3? Multi-homing; alternate gateways.
Secure Collective Defense

Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goals:
- Provide secure alternate routes
- Hide the IP addresses of the alternate gateways
Techniques:
- Multiple path (indirect) routing
- Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
- Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways
- How to partition clients to come in at different proxy servers? This may help identify the attacker!
- How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol; modify the resolver library
Implement Alternate Routes

[Figure: same topology as before; client traffic from net-a.com, net-b.com and net-c.com is redirected to the alternate gateways R1, R2 and R3, while DDoS attack traffic still hits the victim's main gateway.]
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?
SCOLD

[Figure sequence: client networks net-a.com, net-b.com and net-c.com with DNS1, DNS2, DNS3; proxy servers Proxy1, Proxy2, Proxy3; alternate gateways R1, R2, R3; the Reroute Coordinator; attack traffic and client traffic towards the victim.]
1. IDS detects the intrusion, blocks attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a reroute command with (DNS name, IP address of victim, proxy server(s)) to the client DNS servers.
3. New routes are set up: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4a. Attack traffic is detected by the IDS and blocked by the firewall.
4b. Client traffic comes in via the alternate routes.
SCOLD Secure DNS Update with New Indirect DNS Entries

[Figure: modified BIND9 DNS servers exchange the secure update; the client runs a modified resolver library.]
New indirect DNS entry: (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102, 203.55.57.103, 185.11.16.49, 221.46.56.38), where the ALT list is a set of alternate proxy servers for indirect routes.
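As an added illustration (not SCOLD project code), the reroute exchange from the slides in Python: the IDS distress call, the reroute command carrying (DNS name, victim IP, proxy servers), the ALT entry installed in the client DNS, and a resolver that hands each client network one proxy. The class names, message layout and the hash-based client-to-proxy partitioning rule are assumptions made here; the entry values are the ones shown on the slide.

```python
# Added example: models the SCOLD reroute exchange (distress call -> reroute
# command -> indirect ALT entry -> resolver picks a proxy). Class names, message
# layout and the partitioning rule are assumptions, not the project's code.
from dataclasses import dataclass
import hashlib

@dataclass(frozen=True)
class IndirectEntry:
    """One SCOLD indirect DNS entry: (DNS name, direct IP, ALT proxy list)."""
    name: str
    direct_ip: str
    alt_proxies: tuple

def assigned_proxy(client_net: str, proxies: tuple) -> str:
    """Partition rule (assumption): a stable hash of the client's network picks
    its proxy, so each proxy serves a known subset of client networks."""
    digest = hashlib.sha256(client_net.encode()).digest()
    return proxies[int.from_bytes(digest[:4], "big") % len(proxies)]

class RerouteCoordinator:
    """Receives the IDS distress call (step 1) and issues reroute commands (step 2)."""
    def __init__(self, proxy_pool):
        self.proxy_pool = tuple(proxy_pool)
    def distress_call(self, dns_name: str, victim_ip: str) -> IndirectEntry:
        # Reroute command carries (DNS name, IP addr. of victim, proxy server(s)).
        return IndirectEntry(dns_name, victim_ip, self.proxy_pool)

class ClientDns:
    """Client-side DNS server (modified BIND9 in SCOLD) with normal and ALT records."""
    def __init__(self, client_net: str):
        self.client_net = client_net
        self.records = {}    # ordinary name -> IP mappings
        self.indirect = {}   # name -> IndirectEntry installed by a reroute command
    def add_record(self, name: str, ip: str):
        self.records[name] = ip
    def apply_reroute(self, entry: IndirectEntry):
        self.indirect[entry.name] = entry   # step 3: new route via a proxy
    def resolve(self, name: str):
        """Address the client should use: a proxy while a reroute is active."""
        entry = self.indirect.get(name)
        if entry is None:
            return self.records.get(name)
        return assigned_proxy(self.client_net, entry.alt_proxies)

def misrouted(client_net: str, arriving_proxy: str, entry: IndirectEntry) -> bool:
    """Proxy-side check: traffic for the victim arriving at a proxy other than the
    one assigned to that client network does not follow the reroute command."""
    return assigned_proxy(client_net, entry.alt_proxies) != arriving_proxy

# Constructed sample values, taken from the slide's indirect entry.
PROXIES = ("203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38")
```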
SCOLD Indirect Routing

[Figure: the indirect route from client to target carried over IP tunnels.]

SCOLD Indirect Routing with Client running SCOLD client daemon

[Figure: the same indirect route, with the IP tunnels terminated by the SCOLD client daemon.]
Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3 hop route)

  Route            No DDoS attack   DDoS attack
  direct route     0.49 ms          225 ms
  indirect route   0.65 ms          0.65 ms

Table 2: SCOLD FTP/HTTP download Test (from client to target)

  Doc size   No DDoS, direct     DDoS, direct        No DDoS, indirect   DDoS, indirect
             FTP      HTTP       FTP      HTTP       FTP      HTTP       FTP      HTTP
  100k       0.11 s   3.8 s      8.6 s    9.1 s      0.14 s   4.6 s      0.14 s   4.6 s
  250k       0.28 s   11.3 s     19.5 s   13.3 s     0.31 s   11.6 s     0.31 s   11.6 s
  500k       0.65 s   30.8 s     39 s     59 s       0.66 s   31.1 s     0.67 s   31.1 s
  1000k      1.16 s   62.5 s     86 s     106 s      1.15 s   59 s       1.15 s   59 s
  2000k      2.34 s   121 s      167 s    232 s      2.34 s   122 s      2.34 s   123 s
A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense

[Figure: A2D2 testbed slide; no further text recovered.]
Future Directions

- Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
- Recruit sites for wide area network SCOLD experiments. Northrop Grumman, Air Force Academy's IA Lab, and University of Texas are initial potential partners. Email me if you would like to be part of the SCOLD beta test sites and a member of the SCOLD consortium.
- We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool. The network status information collected and analyzed by MIND can be used for selecting proxy server sites.
- Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem.
- SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.
Conclusion

- Secure Collective Internet Defense needs significant help from the community. There are tremendous research and development opportunities.
- SCOLD v0.1 demonstrated DDoS defense via the use of secure DNS updates with new indirect routing entries, and IP-tunnel based indirect routing that lets legitimate clients come in through a set of proxy servers and alternate gateways.
- Multiple indirect routes can also be used to improve the performance of Internet connections, by using the proxy servers of an organization as connection relay servers.