Security Related Research Projects
at UCCS Network Research Lab
C. Edward Chow
Department of Computer Science
University of Colorado at Colorado Springs
Security Research 1/10/2003
1
chow
Outline of the Talk

- Brief Introduction to the Network/Protocol Research Lab at UCCS
- Network security related research projects at UCCS Network/Protocol Research Lab
  – Autonomous Anti-DDoS Project
  – Secure Collective Defense Project
  – BGP/MPLS based VPN Project
- Discussion on AFA-UCCS Joint Research/Teaching Projects on Information Assurance
  – Penetration Analysis/Testing exercises?
  – Intrusion Detection/Handling exercises?
  – Other Cyberwarfare related projects?
  – Security Forum/Seminar Series
UCCS Network Research Lab

Personnel:
- Director: Dr. C. Edward Chow
- Graduate students:
  – Chandra Prakash: Highly Available Linux kernel-based Content Switch
  – Ganesh Godavari: Linux based Secure Web Switch
  – Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
  – Longhua Li: IXP-based Content Switch
  – Yu Cai (Ph.D. research assistant): Multipath Routing
  – Jianhua Xie (Ph.D.): Secure Storage Networks
  – Frank Watson: Content Switch for Email Security
  – Paul Fong: Wireless AODV Routing for sensor networks
  – Nirmala Belusu: Wireless Network Security PEAP vs. TTLS
  – David Wilkinson/Sonali Patankar: Secure Collective Defense
  – Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
  – Patricia Ferrao: Web-based Collaborative System Support
UCCS Network Lab Setup

- Gigabit fiber connection to UCCS backbone
- Switch/Firewall/Wireless AP:
  – HP 4000 switch; 4 Linksys/Dlink switches.
  – Sonicwall Pro 300 firewall
  – 8 Intel 7112 SSL accelerators; 4 7820 XML directors donated by Intel.
  – Cisco 1200 Aironet dual-band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards).
  – Intel IXP12EB network processor evaluation board
- Servers: Two Dell PowerEdge servers.
- Workstations/PCs:
  – 8 Dell PCs (3 GHz–500 MHz); 12 HP PCs (500–233 MHz)
  – 2 laptop PCs with Aironet 350 for mobile wireless
  – OS: Linux Red Hat 8.0; Windows XP/2000
[Lab photo: HP 4000 switch, gigabit fiber to the UCCS backbone, workstation, Dell server, Intel IXP network processor]


[Lab photo: Intel 7110 SSL accelerators; 7280 XML director]
DDoS: Distributed Denial of Service Attack

DDoS Victims:
- Yahoo/Amazon (2000)
- CERT (5/2001)
- DNS Root Servers (10/2002)

DDoS Tools:
- Stacheldraht
- Trinoo
- Tribal Flood Network (TFN)
How widespread is DDoS?

- Research by Moore et al. of the University of California at San Diego, 2001.
  – 12,805 DoS attacks observed in a 3-week period
  – Most of the targets were home users and small to medium sized organizations
Intrusion Related Research Areas

- Intrusion Prevention
  – General Security Policy
  – Ingress/Egress Filtering
- Intrusion Detection
  – Anomaly Detection
  – Misuse Detection
- Intrusion Response
  – Identification/Traceback/Pushback
  – Intrusion Tolerance
Security Related Research Projects

- Secure Content Switch
- Autonomous Anti-DDoS Project
  Deals with intrusion detection and handling.
  Techniques:
  – IDS-Firewall Integration
  – Adaptive Firewall Rules
  – Easy to use/manage.
- Secure Collective Defense Project
  Deals with intrusion tolerance: how to tolerate the attack.
  Techniques (main idea: explore secure alternate paths for clients to come in):
  – Multiple Path Routing
  – Secure DNS extension: how to inform client DNS servers to add alternate new entries
  – Utilize a consortium of proxy servers with IDS that hides the IP addresses of alternate gateways.
- BGP/MPLS based VPN Project
- Content Switch for Email Security.
Design of an Autonomous Anti-DDoS Network (A2D2)

Graduate Student: Angela Cearns
Goals:
- Study Linux Snort IDS/Firewall system
- Develop Snort plug-in for generic flood detection
- Investigate rate limiting and Class Based Queueing (CBQ) for effective firewall protection
- Intrusion detection automatically triggers adaptive firewall rule updates.
- Study QoS impact with/without A2D2 system.
http://cs.uccs.edu/~chow/pub/master/acearns/doc/
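To make the "IDS alert triggers adaptive firewall rule update" loop concrete, here is an added dry-run controller written for this page; it is not A2D2's own Snort plug-in or scripts. It parses Snort-style fast alert lines (constructed samples using the testbed's attack-network addresses), tightens a per-source rate-limit level on every repeated alert, and emits the iptables commands that would install that level, plus the tc/CBQ class split from the testbed diagram. The INPUT chain, the three limit levels, and the sample alerts are assumptions; nothing is executed.

```python
"""Dry-run controller in the spirit of A2D2's IDS-to-firewall loop.

Added example, not code from the A2D2 project. It parses Snort-style
"fast" alert lines, escalates a per-(source, protocol) rate-limit level on
every alert, and emits the iptables commands that would install that
level. It also emits the tc/CBQ commands for the bandwidth split shown on
the testbed diagram. Commands are returned as strings and never executed.
Chain name INPUT, the limit levels and the sample alerts are assumptions.
"""
import re
from dataclasses import dataclass, field

# Snort fast alert format:
#   <timestamp>  [**] [gid:sid:rev] <msg> [**] [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s*\[\d+:\d+:\d+\]\s*(?P<msg>.*?)\s*\[\*\*\].*?"
    r"\{(?P<proto>[A-Z]+)\}\s*(?P<src>[\d.]+)(?::\d+)?\s*->\s*(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts (addresses follow the testbed diagram; not real captures).
SAMPLE_ALERTS = [
    "01/10-10:00:01.000001  [**] [1:1000001:1] Generic UDP flood [**] [Priority: 2] "
    "{UDP} 128.198.61.15:4444 -> 128.198.61.12:7070",
    "01/10-10:00:02.000001  [**] [1:1000001:1] Generic UDP flood [**] [Priority: 2] "
    "{UDP} 128.198.61.15:4444 -> 128.198.61.12:7070",
    "01/10-10:00:02.500000  [**] [1:1000002:1] Generic ICMP flood [**] [Priority: 2] "
    "{ICMP} 128.198.61.16 -> 128.198.61.12",
    "01/10-10:00:03.000001  [**] [1:1000001:1] Generic UDP flood [**] [Priority: 2] "
    "{UDP} 128.198.61.15:4444 -> 128.198.61.12:7070",
    "noise: this line is not an alert and must be ignored",
]


@dataclass
class AdaptiveLimiter:
    """Multi-level rate limiting: each new alert for a source tightens its level.

    levels: (packets/second, burst) pairs from loosest to strictest; None = drop.
    """
    levels: tuple = ((50, 20), (10, 5), None)
    chain: str = "INPUT"
    level_of: dict = field(default_factory=dict)   # (src, proto) -> level index

    @staticmethod
    def parse(line):
        m = ALERT_RE.search(line)
        if not m:
            return None
        return m.group("src"), m.group("proto").lower(), m.group("msg")

    def _rule_specs(self, src, proto, level):
        """iptables rule specs (without -I/-D) implementing one level for a source."""
        base = f"{self.chain} -s {src} -p {proto}"
        if level is None:
            return [f"{base} -j DROP"]
        rate, burst = level
        return [f"{base} -m limit --limit {rate}/second --limit-burst {burst} -j ACCEPT",
                f"{base} -j DROP"]

    def handle_alert(self, line):
        """Return the iptables commands to run for this alert ([] if nothing changes)."""
        parsed = self.parse(line)
        if parsed is None:
            return []
        src, proto, _msg = parsed
        key = (src, proto)
        old = self.level_of.get(key)
        new = min((-1 if old is None else old) + 1, len(self.levels) - 1)
        if old == new:
            return []                      # already at the strictest level
        cmds = []
        if old is not None:                # retire the previous level's rules
            cmds += [f"iptables -D {spec}" for spec in self._rule_specs(src, proto, self.levels[old])]
        # -I puts each rule at the top; inserting in reverse leaves ACCEPT(limit) above DROP
        for spec in reversed(self._rule_specs(src, proto, self.levels[new])):
            cmds.append(f"iptables -I {spec}")
        self.level_of[key] = new
        return cmds


def cbq_commands(dev, link_kbit, shares):
    """tc commands for a CBQ root qdisc with one bounded class per traffic type.

    shares: (name, percent) pairs summing to 100; classids 1:10, 1:20, ... are assumed.
    """
    if sum(p for _, p in shares) != 100:
        raise ValueError("shares must sum to 100 percent")
    cmds = [f"tc qdisc add dev {dev} root handle 1: cbq bandwidth {link_kbit}kbit avpkt 1000"]
    for i, (name, pct) in enumerate(shares, start=1):
        rate = link_kbit * pct // 100
        cmds.append(f"tc class add dev {dev} parent 1: classid 1:{i}0 cbq bandwidth {link_kbit}kbit "
                    f"rate {rate}kbit allot 1514 prio {i} avpkt 1000 bounded  # {name} {pct}%")
    return cmds


# Bandwidth split from the testbed diagram, applied to its 10 Mbps private link.
TESTBED_SHARES = [("HTTP/RealPlayer", 70), ("SMTP/POP3", 15), ("SSH/SFTP", 10), ("SYN/ICMP/DNS", 5)]


def run_demo():
    """Feed the sample alerts through the limiter; returns the per-alert command lists."""
    limiter = AdaptiveLimiter()
    return [limiter.handle_alert(line) for line in SAMPLE_ALERTS]


if __name__ == "__main__":
    for cmd in cbq_commands("eth1", 10000, TESTBED_SHARES):
        print(cmd)
    for batch in run_demo():
        for cmd in batch:
            print(cmd)
```

The first alert for a source installs a loose limit/drop pair at the top of the chain, the second replaces it with a tighter pair, and the third drops the source outright; further alerts are no-ops, so a flood of IDS alerts cannot itself flood the firewall with rule changes. A real deployment would also need a decay timer that relaxes levels once alerts stop, which the slides list among the adaptive behaviour but which is left out here.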
[Diagram: A2D2 testbed. Attack network 128.198.61 on a 100 Mbps switch: Alpha (128.198.61.15), Beta (128.198.61.16) and Delta (128.198.61.18) run DDoS agents; Gamma (128.198.61.17) is the master client & handler; Titan/Saturn (128.198.61.11, NM 255.255.255.128, GW 128.198.61.1) acts as Linux router toward the simulated Internet. Public network 128.198 with Client1 (128.198.a.195), Client2 (128.198.b.82) and Client3 (128.198.c.31) sending client traffic. Pluto is the firewall (iptables, security policy, multi-level rate limiting, class-based queuing (CBQ)): eth0 IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12. Private subnet 192.168.0 on a 10 Mbps hub: IDS at 192.168.0.2 (NM 255.255.0.0, GW 192.168.0.1), RealServer in the DMZ. CBQ bandwidth shares: HTTP/RealPlayer 70%, SMTP/POP3 15%, SSH/SFTP 10%, SYN/ICMP/DNS 5%. IDS alerts trigger multi-level rate limiting; Real Player clients receive RealServer traffic.]
A2D2 Multi-Level Adaptive Rate Limiting

[Figure: A2D2 multi-level adaptive rate limiting]
A2D2 QoS Results - Baseline
Playout Buffering to Avoid Jitter

- 10-min video stream between Real Player & Real Server
- Packets Received: around 23,000 (23,445)
- No DDoS Attack
[Figure: QoS experienced at A2D2 by Real Player client with no DDoS]
A2D2 Results – Non-stop Attack

- Packets Received: 8,039
- Retransmission Requests: 2,592
  – Retransmission Received: 35
  – Lost: 2,557
- Loss of packets; connection timed out
[Figure: QoS experienced at A2D2 client]
A2D2 Results – UDP Attack
Mitigation: Firewall Policy

- Packets Received: 23,407
- Retransmission Requests: 0
  – Retransmission Received: 0
  – Lost: 0
- Looks like we just need plain old firewall rules, no fancy rate limiting/CBQ?
[Figure: QoS experienced at A2D2 client]
A2D2 Results – ICMP Attack
Mitigation: Firewall Policy

- Packets Received: 7,127
- Retransmission Requests: 2,105
  – Retransmission Received: 4
  – Lost: 2,101
- Connection timed out; packet/connection loss
- Just plain old firewall rules are not good enough!
[Figure: QoS experienced at A2D2 client]
A2D2 Results – TCP Attack
Mitigation: Policy+CBQ

- Turn on CBQ
- Packets Received: 22,179
- Retransmission Requests: 4,090
  – Retransmission Received: 2,641
  – Lost: 1,449
- Looks OK, but quality degrades: screen quality impact!
[Figure: QoS experienced at A2D2 client]
A2D2 Results – TCP Attack
Mitigation: Policy+CBQ+Rate Limiting

- Turn on both CBQ & rate limiting
- Packets Received: 23,444
- Retransmission Requests: 49 – 1,376
  – Retransmission Received: 40 – 776
  – Lost: 9 – 600
- No image quality degradation
[Figure: QoS experienced at A2D2 client]
A2D2 Future Works

- Extend to include IDIP/Pushback
- Anomaly Detection
- Improve Firewall/IDS Processing Speed
- Scalability Issues
  – Tests with more service types
  – Tests with heavy client traffic volume
- Fault Tolerance (Multiple Firewall Devices)
- Alternate Routing
Wouldn't it be Nice to Have Alternate Routes?

[Diagram: client networks net-a.com, net-b.com and net-c.com, each with clients (A ... A), a router R and a DNS server (DNS1, DNS2, DNS3). The victim sits behind its router R, where DDoS attack traffic and client traffic arrive on the same path; alternate gateways R1, R2 and R3 are shown beside it. Question on the slide: How to reroute client traffic through R1–R3?]
Implement Alternate Routes

[Diagram: same topology as the previous slide, with client traffic redirected through the alternate gateways R1–R3 while DDoS attack traffic still arrives on the victim's main path. Notes on the slide: Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?]
Possible Solution for Alternate Routes

[Diagram: Proxy1, Proxy2 and Proxy3, each with an IDS, placed in front of the alternate gateways R1–R3. The victim sends a distress call; a reroute command carrying the DNS name/IP address of the proxy and of the victim is sent out; a new route runs via Proxy3 to R3; attack messages are blocked by the proxies' IDS.]
Secure Collective Defense

Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.

Goals:
- Provide secure alternate routes
- Hide IP addresses of alternate gateways

Techniques:
- Multiple Path Routing
- Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry).
- Utilize a consortium of proxy servers with IDS that hides the IP addresses of alternate gateways.
- How to partition clients to come in at different proxy servers?
  – may help identify the attacker!
- How do clients use the new DNS entries and route traffic through the proxy server?
  – Use SOCKS protocol, modify resolver library?
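The reroute/proxy scheme on this slide and the two preceding alternate-route slides can be walked through in a small simulation. The following Python is an added example for this page, not SCOLD project code: the victim issues a reroute command to a proxy consortium, each client DNS server receives an alternate entry naming a proxy (never a gateway address), and clients are partitioned across proxies so that the proxies whose IDS see attack traffic shrink the suspect set. The proxy and gateway names/addresses, the nine client networks, and the iterative re-partitioning are constructed assumptions; the slide only hints that partitioning "may help identify the attacker", so the round-by-round narrowing is this example's generalization of that hint, with a ground-truth oracle standing in for the proxy IDS.

```python
"""Simulation of the Secure Collective Defense idea: distress call, proxy
consortium, alternate DNS entries that hide gateway addresses, and client
partitioning across proxies to localize the source of attack traffic.

Added example, not SCOLD project code. Proxy/gateway names and addresses,
the client networks and the iterative re-partitioning are constructed
assumptions; the is_attacker oracle stands in for each proxy's IDS.
"""

# Constructed consortium: proxy name -> alternate gateway it fronts.
# Gateway addresses (TEST-NET-2 placeholders) never leave the consortium.
PROXIES = ["proxy1.example", "proxy2.example", "proxy3.example"]
GATEWAY_OF = {"proxy1.example": "198.51.100.1",
              "proxy2.example": "198.51.100.2",
              "proxy3.example": "198.51.100.3"}

# Constructed client networks, one DNS server each (the slides show net-a/b/c).
CLIENT_NETS = [f"net-{c}.com" for c in "abcdefghi"]


def reroute_command(victim_name, victim_ip, proxies):
    """Distress call from the victim to the consortium: its DNS name, its
    address and the proxies that should front it (the slide's 'reroute
    command with DNS/IP addr. of proxy and victim')."""
    return {"type": "REROUTE", "name": victim_name, "victim_ip": victim_ip,
            "proxies": list(proxies)}


def partition(clients, proxies):
    """Round-robin assignment of client networks to proxies (sorted for determinism)."""
    ordered = sorted(clients)
    return {c: proxies[i % len(proxies)] for i, c in enumerate(ordered)}


def alternate_dns_entries(cmd, assign):
    """Alternate entry pushed to each client DNS server: victim name -> its proxy.
    Neither the victim's gateway nor any alternate gateway address is disclosed."""
    return {client: {cmd["name"]: proxy} for client, proxy in assign.items()}


def proxy_forward(proxy, cmd):
    """Inside the consortium: the proxy relays a client toward the hidden
    alternate gateway and on to the victim; returns (gateway, victim) hop."""
    return (GATEWAY_OF[proxy], cmd["victim_ip"])


def localize(clients, proxies, is_attacker, max_rounds=10):
    """Repeatedly partition the current suspects across proxies and keep only the
    clients behind proxies whose IDS raised an alarm. Stops when every alarmed
    proxy has exactly one client behind it. Returns (suspects, rounds, history)."""
    suspects = sorted(clients)
    history = []
    for rnd in range(1, max_rounds + 1):
        assign = partition(suspects, proxies)
        alarmed = {assign[c] for c in suspects if is_attacker(c)}   # IDS alarms per proxy
        history.append((rnd, assign, sorted(alarmed)))
        suspects = [c for c in suspects if assign[c] in alarmed]
        behind = {p: sum(1 for c in suspects if assign[c] == p) for p in alarmed}
        if all(n == 1 for n in behind.values()):
            return suspects, rnd, history
    return suspects, max_rounds, history


if __name__ == "__main__":
    cmd = reroute_command("www.victim.example", "203.0.113.10", PROXIES)  # constructed
    assign = partition(CLIENT_NETS, PROXIES)
    for client, entry in alternate_dns_entries(cmd, assign).items():
        print(client, entry)
    found, rounds, _ = localize(CLIENT_NETS, PROXIES, lambda c: c == "net-e.com")
    print("suspects after", rounds, "rounds:", found)
```

With nine client networks and three proxies, a single attacking network is isolated in two rounds and two attackers in three; each round costs one DNS update per client network, which is the price of the "not your normal DNS entry" approach the slide mentions. What the clients ever learn is a proxy name, so blocking at the proxies' IDS protects the alternate gateways from being targeted directly.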
New UCCS IA Degree/Certificate

- Master of Engineering Degree in Information Assurance
- Certificate in Information Assurance (offered to Peterson AFB through NISSC)
  – Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design
New CS691 Course on Advanced System Security Design

- Use Matt Bishop's new Computer Security text
  – Spring 2003: with one class at UCCS; one at Peterson AFB.
  – Potential use/cooperation with Distributed Security Lab of Raytheon?
  – Integrate security research results into course material such as A2D2, Secure Collective Defense, MPLS-VPN projects.
  – Invite speakers from industry such as Innerwall and AFA?
  – Looking for potential joint exercises with other institutions such as AFA.
Joint Research/Teaching Effort on Information Assurance

- Penetration Analysis/Testing exercises?
- Intrusion Detection/Handling exercises?
- Other Cyberwarfare related projects?
- Security Forum organized by Dean Haefner/Dr. Ayen
- Security Seminar Series with CITTI funding support
- Look for Speakers (suggestions?)