
Autonomous Anti-DDoS
Network V2.0
(A2D2-2)
Sarah Jelinek
University Of Colorado, Colo. Spgs.
Spring Semester 2003, CS691 Project
Project Goals
• Ultimate goal of project
– To make DDoS technology more robust
• Relationship to other projects
– Enhancements of existing A2D2 architecture to
incorporate IDIP and Alternate Proxy Servers
• High-level timing goals
– Research and new architecture, now
– Project completion planned for 9/03
Description - A2D2
• Developed by Angela Cearns, UCCS Masters
Thesis
• DDoS Intrusion Detection and Response
• Uses freeware as main detection component
• Modifications made to effect a better response
FOR MORE INFO...
http://cs.uccs.edu/~chow/pub/master/acearns/doc/angThesisfinal.pdf
A2D2, cont..
• Strengths
– Uses open source components
– Portable
– Configurable
• Weaknesses
– Host based
– Local network response
– No attempt made to actively trace intruder
– Possible bottleneck at firewall
– Static thresholds
A2D2-2 Technology
• New technology being used
– Intrusion Detection and Isolation Protocol
(IDIP)
– Alternate Proxy Servers
• Standards being adopted
– IDIP
• Will work with other IDIP enabled Intrusion
Detection Networks
– Service Location Protocol (SLP)
• Allows discovery of registered IDIP Nodes
A2D2-2 What It Solves
• Host Based
– Now a dynamic, network wide solution
• Will work with other IDIP enabled Intrusion
Detection Networks utilizing CITRA
• Active Tracing of Intruder
– SLP is used to discover other network IDIP
services
A2D2-2 What It Solves, cont..
• Local Response
– SLP used for location of alternate proxy servers
for more global response
• Firewall Bottleneck
– Response Coordination Centralized
A2D2-2 & IDIP
• IDIP
– Developed by Boeing and NAI Labs
– Supports real-time tracking and containment of
DDoS attacks
– Three layers:
• Application Layer
• Message Layer
• Discovery Coordinator
A2D2-2 - Discovery Coordinator
• IDIP Discovery Coordinator
– Bulk of the work done here
– Network wide response coordinator
– Will notify clients and client dns of alternate
routes available
– Standardized language used for messages and
topology (CISL)
– Local attack response still active if down
IDIP Nodes
[Diagram: IDIP node types: Intrusion Detection System, Firewall, Network Manager (Discovery Coordinator), Routers, Server, Client.]
FOR MORE INFO...
http://zen.ece.ohiou.edu/~inbounds/DOCS/reldocs/IDIP_Architecture.doc
A2D2-2 Proposed Architecture
Alternate Routes
[Diagram: "Implement Alternate Routes" (Chow, Security Research, 1/10/2003, slide 22). Client networks net-a.com, net-b.com and net-c.com with client hosts (A), their DNS servers DNS1, DNS2 and DNS3, routers R1, R2 and R3, the Victim, and Alternate Gateways; DDoS Attack Traffic and Client Traffic are drawn as separate flows. Annotations: "Need to inform Clients or Client DNS servers!", "But how to tell which Clients are not compromised?", "How to hide IP addresses of Alternate Gateways?"]
FOR MORE INFO...
http://cs.uccs.edu/%7Echow/research/security/uccsSecurityResearch.ppt
Alternate Routes, cont..
[Diagram: "Possible Solution for Alternate Routes" (Chow, Security Research, 1/10/2003, slide 23). Same networks, DNS servers and routers as the previous slide, plus Proxy1, Proxy2 and Proxy3. The Victim sends a distress call; attack messages are blocked by the IDS ("Blocked by IDS", "block"); a new route is set up via Proxy3 to R3; a Reroute Command is sent with the DNS/IP address of the Proxy and the Victim.]
A2D2-2 & SLP -> Alternate Routes
[Diagram: A2D2-2 with SLP. Same networks, DNS servers, routers and proxies as the previous slide; Proxy1, Proxy2 and Proxy3 are each marked as IDIP Nodes, and the A2D2-2 Network IDS is also an IDIP Node. Local Network: Local IDS Response, "Block and traceback" at Proxy1/R1. Attack messages blocked by IDS; new route via Proxy3 to R3. The A2D2-2 IDIP DC (Discovery Coordinator) performs SLP discovery and communication with the nodes.]
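The slides describe the response flow only at diagram level: IDIP nodes (proxies, IDS, DNS) are discovered through SLP, the victim raises a distress call, the Discovery Coordinator asks the IDS nearest the traced source to block and traceback, and then sends a reroute command carrying the DNS/IP address of an alternate proxy and the victim to client DNS servers. The Python model below is an added illustration of that flow, not code from the A2D2 or A2D2-2 project; the service-type names, message fields, host names and the proxy-selection rule are all constructed assumptions, and nothing here talks to a real network.

```python
"""Toy model of the A2D2-2 response flow: SLP-style discovery of IDIP nodes,
then a Discovery Coordinator answering a victim's distress call. Added
illustration; all names, fields and sample hosts are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    kind: str       # assumed SLP service type, e.g. "service:idip-proxy"
    name: str
    address: str
    network: str    # network the node serves, e.g. "net-c.com"


class SlpDirectory:
    """Stand-in for an SLP directory agent: nodes register, the DC looks them up."""

    def __init__(self):
        self._services = []

    def register(self, svc):
        self._services.append(svc)

    def find(self, kind, network=None):
        return [s for s in self._services
                if s.kind == kind and (network is None or s.network == network)]


@dataclass(frozen=True)
class DistressCall:
    victim_name: str
    victim_ip: str
    attack_source_network: str  # network the local IDS traced the attack traffic to
    current_proxy: str          # proxy whose path is saturated


@dataclass
class Command:
    target: str
    action: str                 # "block" or "reroute"
    args: dict = field(default_factory=dict)


class DiscoveryCoordinator:
    def __init__(self, directory):
        self.directory = directory

    def choose_alternate_proxy(self, call):
        # Assumed rule: skip the saturated proxy and any proxy inside the
        # network the attack was traced to; pick the lowest name for determinism.
        candidates = [p for p in self.directory.find("service:idip-proxy")
                      if p.name != call.current_proxy
                      and p.network != call.attack_source_network]
        return min(candidates, key=lambda p: p.name) if candidates else None

    def handle_distress(self, call):
        commands = []
        # 1. Block and traceback at the IDS nodes of the traced source network.
        for ids in self.directory.find("service:idip-ids", call.attack_source_network):
            commands.append(Command(ids.name, "block",
                                    {"victim_ip": call.victim_ip, "traceback": True}))
        # 2. Pick an alternate proxy and tell the other client DNS servers.
        proxy = self.choose_alternate_proxy(call)
        if proxy is None:
            return commands  # local response stays active; nothing to reroute to
        for dns in self.directory.find("service:client-dns"):
            if dns.network == call.attack_source_network:
                continue  # the suspect network's resolver is not told the new route
            commands.append(Command(dns.name, "reroute",
                                    {"victim_name": call.victim_name,
                                     "victim_ip": call.victim_ip,
                                     "proxy_name": proxy.name,
                                     "proxy_ip": proxy.address}))
        return commands


def build_sample_directory():
    """Constructed sample topology matching the slide: three client networks."""
    d = SlpDirectory()
    for n, net in enumerate(("net-a.com", "net-b.com", "net-c.com"), start=1):
        d.register(Service("service:idip-proxy", f"Proxy{n}", f"10.{n}.0.1", net))
        d.register(Service("service:idip-ids", f"IDS-{net[4]}", f"10.{n}.0.2", net))
        d.register(Service("service:client-dns", f"DNS{n}", f"10.{n}.0.53", net))
    return d


def demo():
    """Attack traced to net-b.com while Proxy1's path is saturated."""
    dc = DiscoveryCoordinator(build_sample_directory())
    call = DistressCall("victim.example", "192.0.2.10", "net-b.com", "Proxy1")
    return dc.handle_distress(call)


if __name__ == "__main__":
    for cmd in demo():
        print(cmd.target, cmd.action, cmd.args)
```

In the sample run the coordinator issues one block command to IDS-b and reroute commands to DNS1 and DNS3 naming Proxy3, while DNS2 (the traced source network) is deliberately left out; that exclusion is one answer to the slide's open question of how to avoid handing the alternate gateway address to compromised clients.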
A2D2-2 Futures
• IDIP Redundant/Cooperative Discovery
Coordinators
• Discovery Coordinator Response
Optimization Enhancements
• Updates To Snort
• Secure DNS (already started?)