Explore A2D2 - an affordable, manageable, research-oriented network design for intrusion prevention and detection. Learn about intrusion tolerance techniques and systems for robust DDoS defense.
Design of an Autonomous Anti-DDOS Network (A2D2)
Angela Cearns
Thesis Defense, Thursday, October 24, 2002
Master of Software Engineering
Department of Computer Science, University of Colorado, Colorado Springs
Design of an Autonomous Anti-DDOS Network (A2D2)
Author: Angela Cearns
Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub
DoS & DDoS: Problem Domain Definition
• DoS: Denial of Service Attack
• DDoS: Distributed Denial of Service Attack
• Well-known DDoS victims: Yahoo, Amazon, CERT
• Well-known DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
Mitigation - Commercial
• Commercial $ystems
Mitigation - Commercial (survey table)
• Products: IntruVert Networks IntruShield 4000; Cisco Secure; Dragon IDS; iPolicy Networks IpEnforcer 6000; ISS RealSecure; OneSecure; Cisco IPX; TippingPoint Tech UnityOne; Check Point; Sidewinder; Watchguard Firebox
• Primary product function: IDS; Firewall; Firewall + IDS; Firewall + IDS + Anti-virus; IDS + Anti-virus + Vulnerability Assessment
• Prices listed: $3,500 - $6,100; $3,000 (10MB); $750 / host; $8,995 / server; $320 - $1,300; $280 - $8,000; $4,995 - $17,495; $360 - $9,500; $100,000; starts at $125,000; starts at $16,500; $100,000
DDoS Target Audience
• Research by University of California at San Diego: 12,805 DoS attacks in a 3-week period
• Home, small to medium sized networks
Mitigation: A2D2 - This Thesis
• Autonomous Anti-DDoS Network (A2D2)
• A2D2 Target Audience: Home, small to medium sized networks
• Design Principles: Affordable; Manageable; Configurable; Portable; Research-Oriented
A2D2 Background Research
• 3 main research areas:
  • Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
  • Intrusion Detection: Anomaly Detection; Misuse Detection
  • Intrusion Response: Source Identification; Intrusion Tolerance
A2D2 - Intrusion Tolerance
• Fault Tolerance
• Quality of Service (QoS)
• Intrusion Tolerant QoS Techniques: Rate Limiting; Class-Based Queuing (CBQ)
• Intrusion Tolerant QoS Systems: XenoService; Pushback Mechanisms; Cooperative Intrusion Traceback and Response Architecture (CITRA)
Intrusion Tolerance Techniques - Rate Limiting
[Diagram: packets arriving from the Internet within each 1-second interval pass through an iptables filter; packets above the per-second limit are marked DROP, the rest are forwarded to the internal private network.]
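Added example, not from the thesis: the per-second filter in the diagram is a token bucket, which is also how the iptables `limit` match (`-m limit --limit N/second --limit-burst B`) admits packets. This C simulation feeds a constructed packet stream through one bucket and counts how many are accepted versus dropped; the names RateLimiter, rl_admit and rl_count_accepted are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Token bucket: `rate` tokens are added per second up to `burst`;
 * each admitted packet spends one token, a packet with no token is dropped. */
typedef struct {
    double rate;     /* allowed packets per second (refill rate) */
    double burst;    /* bucket capacity (initial allowance) */
    double tokens;   /* tokens currently available */
    int64_t last_ms; /* timestamp of the last refill */
} RateLimiter;

void rl_init(RateLimiter *rl, double rate, double burst, int64_t now_ms) {
    rl->rate = rate; rl->burst = burst; rl->tokens = burst; rl->last_ms = now_ms;
}

/* Returns 1 if the packet arriving at now_ms is accepted, 0 if it is dropped. */
int rl_admit(RateLimiter *rl, int64_t now_ms) {
    double elapsed = (double)(now_ms - rl->last_ms) / 1000.0;
    if (elapsed > 0) {                       /* refill for the time elapsed */
        rl->tokens += elapsed * rl->rate;
        if (rl->tokens > rl->burst) rl->tokens = rl->burst;
        rl->last_ms = now_ms;
    }
    if (rl->tokens >= 1.0) { rl->tokens -= 1.0; return 1; }
    return 0;
}

/* Constructed traffic: n packets spaced gap_ms apart; returns how many pass. */
int rl_count_accepted(double rate, double burst, int n, int64_t gap_ms) {
    RateLimiter rl;
    int accepted = 0;
    rl_init(&rl, rate, burst, 0);
    for (int i = 0; i < n; i++) accepted += rl_admit(&rl, (int64_t)i * gap_ms);
    return accepted;
}

int main(void) {
    /* 100 packets in 100 ms against a 10/s limit with burst 5: a flood */
    printf("flood: %d of 100 accepted\n", rl_count_accepted(10.0, 5.0, 100, 1));
    /* 20 packets at 5/s against the same limit: normal traffic, all pass */
    printf("normal: %d of 20 accepted\n", rl_count_accepted(10.0, 5.0, 20, 200));
    return 0;
}
```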
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
[Diagram: traffic from the Internet to the internal private network is sorted into classes, each with its own queue and bandwidth share.]
Intrusion Tolerance Systems - XenoService
[Diagram: a pool of XenoServers distributed across the Internet.]
Intrusion Tolerance Systems - Pushback Mechanism
[Diagram: the IDS sends alerts to the firewall and the ISP router, which apply rate limiting; pushback requests propagate that rate limiting to successive upstream routers toward the Internet.]
Intrusion Tolerance Systems - CITRA
• Cooperative Intrusion Traceback and Response Architecture (CITRA)
• The Defense Advanced Research Projects Agency (DARPA)
• Intruder Detection and Isolation Protocol (IDIP)
Intrusion Tolerance Research Limitations
• Intrusion Tolerance Techniques: not autonomous; time-consuming; require knowledgeable staff
• Intrusion Tolerance Systems: expensive; require worldwide agreements; require extensive collaboration
A2D2 Firewall Policy (iptables script excerpt; the interface names are placeholders)
    IPTABLES="/sbin/iptables"
    INTERNET="eth0"   # external interface (placeholder, set to your own)
    DMZ="eth1"        # internal / DMZ interface (placeholder, set to your own)

    # Set default policies to DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Set up IP FORWARDing and Masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    $IPTABLES --append FORWARD --in-interface $DMZ -j ACCEPT

    # DNAT - translate incoming ftp (21), ssh (22), telnet (23) traffic to my internal hosts
    # (FORWARD defaults to DROP, so matching FORWARD ACCEPT rules for these ports are needed as well)
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 21 -i $INTERNET -j DNAT --to 192.168.0.2:21
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 22 -i $INTERNET -j DNAT --to 192.168.0.2:22
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 23 -i $INTERNET -j DNAT --to 192.168.0.2:23
A2D2 CBQ Implementation - marking traffic in the firewall (mangle table)
    # Classify icmp traffic to be queue class 1
    $IPTABLES -t mangle -A FORWARD -p icmp -o $DMZ -j MARK --set-mark 1
    # Mark incoming mail traffic (smtp) with mark value 2
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ -s 0/0 --dport smtp -d 0/0 -j MARK --set-mark 2
    # Mark incoming ftp traffic with mark value 3
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 21 -d 0/0 -j MARK --set-mark 3
    # Mark incoming www and Real Server traffic with mark value 4
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 80 -d 0/0 -j MARK --set-mark 4
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 7070 -d 0/0 -j MARK --set-mark 4
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -j MARK --set-mark 4
    $IPTABLES -t mangle -A FORWARD -p udp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -j MARK --set-mark 4
A2D2 CBQ Implementation - queuing the marked traffic with tc
    TC="/sbin/tc"

    # Set up the queue on the internal network interface
    $TC qdisc add dev $DMZ root handle 10: cbq bandwidth 10Mbit avpkt 1000

    # Create the root class and initialize it on the queue
    $TC class add dev $DMZ parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded

    # Create the different queue classes, each with its own bandwidth allocation
    add_class() {
        # $1=parent class $2=classid $3=hiband $4=lowband $5=handle (fw mark) $6=style
        $TC class add dev $DMZ parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
        $TC qdisc add dev $DMZ parent $2 cbq 1514b
        # Send packets carrying firewall mark $5 to this class
        $TC filter add dev $DMZ protocol ip prio 3 handle $5 fw classid $2
    }

    # First type of traffic, ICMP, marked '1' by the firewall code, gets 5% of our internal bandwidth (10240*0.05=512.0)
    add_class 10:1 10:100 512kbit 51.2kbit 1 bounded
    # Second type of traffic, SMTP, marked '2' by the firewalling code, gets 15% of our internal bandwidth (10240*0.15=1536.0)
    add_class 10:1 10:200 1536kbit 153.6kbit 2
    # Third type of traffic, ftp, marked '3' by the firewalling code, gets 10% of our internal bandwidth (10240*0.1=1024.0)
    add_class 10:1 10:300 1024kbit 102.4kbit 3
    # Last type of traffic, interactive traffic (marked '4'), gets 70% of our internal bandwidth (10240*0.70=7168.0)
    add_class 10:1 10:400 7168kbit 716.8kbit 4
A2D2 IDS: Snort Flood Preprocessor
[Diagram: Snort's rule-based Detection Engine alongside the Preprocessor, which performs the flood-detection logic before rules are applied.]
A2D2 IDS: Snort Flood Preprocessor
• Prepare the Snort plugbase.h file:
    #include "spp_flood.h"
• Prepare the Snort plugbase.c file:
    void InitPreprocessor() { SetupFlood(); }
• Prepare the snort.conf file:
    preprocessor flood: $HOME_NET <threshold # packets> <threshold # time period> <logfilename>
• Create two flood-plugin files: spp_flood.h and spp_flood.c
• In spp_flood.h, add:
    void SetupFlood();
    void FloodInit(u_char *);   /* FloodInit creates the preprocessor data structure */
• In spp_flood.c, register the preprocessor:
    void SetupFlood(void) { RegisterPreprocessor("flood", FloodInit); }
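Added example, not the thesis's spp_flood.c: a stand-alone C version of the preprocessor's core that parses the argument string from the snort.conf line above (with $HOME_NET already expanded to a CIDR) and applies an assumed per-window threshold. Snort's RegisterPreprocessor and Packet types are replaced by plain function calls so it runs on its own; the names FloodState, flood_init and flood_packet and the constructed values (threshold 5 packets in 10 s) are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Assumed semantics of the slide's config line: count packets whose
 * destination lies in HOME_NET; once more than `threshold` arrive inside
 * one `period`-second window, raise a single alert for that window. */
typedef struct {
    uint32_t net, mask;         /* HOME_NET in host byte order */
    unsigned threshold, period; /* packets per window, window length (s) */
    char logfile[128];          /* <logfilename> from snort.conf */
    uint32_t win_start;         /* first second of the current window */
    unsigned count;             /* HOME_NET packets seen in this window */
    int alerted;                /* alert already raised for this window */
} FloodState;
static uint32_t parse_ip(const char *s) {
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    return (a << 24) | (b << 16) | (c << 8) | d;
}

/* Parse "<HOME_NET cidr> <threshold> <period> <logfile>"; 0 on success. */
int flood_init(FloodState *st, const char *args) {
    char cidr[32];
    memset(st, 0, sizeof *st);
    if (sscanf(args, "%31s %u %u %127s", cidr, &st->threshold,
               &st->period, st->logfile) != 4 || st->period == 0) return -1;
    char *slash = strchr(cidr, '/');
    unsigned bits = slash ? (unsigned)atoi(slash + 1) : 32;
    if (bits > 32) return -1;
    if (slash) *slash = '\0';
    st->mask = bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
    st->net = parse_ip(cidr) & st->mask;
    return 0;
}

/* Per-packet hook (stand-in for the Snort preprocessor callback);
 * returns 1 exactly when a flood alert should be written to the log. */
int flood_packet(FloodState *st, uint32_t ts_sec, const char *dst_ip) {
    if ((parse_ip(dst_ip) & st->mask) != st->net) return 0; /* not HOME_NET */
    if (ts_sec - st->win_start >= st->period) {             /* new window */
        st->win_start = ts_sec; st->count = 0; st->alerted = 0;
    }
    if (++st->count > st->threshold && !st->alerted) {
        st->alerted = 1;
        fprintf(stderr, "%s: flood, %u packets to HOME_NET within %us\n", st->logfile, st->count, st->period);
        return 1;
    }
    return 0;
}
```

A packet whose destination is outside HOME_NET is neither counted nor alerted on, which is the same distinction the FloodIgnoreHosts feature on the next slide refines further.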
A2D2 IDS: Snort Flood Preprocessor
• Additional Features:
  • FloodIgnoreHosts Preprocessor
  • FloodRateLimiter Preprocessor
A2D2 Results - Baseline
• 10-min Video
• Packets Received: around 23,000 (23,445)
[Chart: QoS experienced at the A2D2 client]
A2D2 Results - 1-min Attack
• Packets Received: 17,869
• Retransmission Request: 1,929
• Retransmission Received: 121
• Lost: 1,808
[Chart: QoS experienced at the A2D2 client]
A2D2 Results - Non-stop Attack
• Packets Received: 8,039
• Retransmission Request: 2,592
• Retransmission Received: 35
• Lost: 2,557
• Connection Timed-out
[Chart: QoS experienced at the A2D2 client]
A2D2 Results - UDP Attack, Mitigation: Firewall Policy
• Packets Received: 23,407
• Retransmission Request: 0
• Retransmission Received: 0
• Lost: 0
[Chart: QoS experienced at the A2D2 client]
A2D2 Results - ICMP Attack, Mitigation: Firewall Policy
• Packets Received: 7,127
• Retransmission Request: 2,105
• Retransmission Received: 4
• Lost: 2,101
• Connection Timed-out
[Chart: QoS experienced at the A2D2 client]
A2D2 Results - ICMP Attack, Mitigation: Firewall Policy & CBQ
• Packets Received: 23,438
• Retransmission Request: 0
• Retransmission Received: 0
• Lost: 0
[Chart: QoS experienced at the A2D2 client]
A2D2 Results - TCP Attack, Mitigation: Policy + CBQ
• Packets Received: 22,179
• Retransmission Request: 4,090
• Retransmission Received: 2,641
• Lost: 1,449
• Screen Quality Impact
[Chart: QoS experienced at the A2D2 client]
A2D2 Results - TCP Attack, Mitigation: Policy + CBQ + Rate Limiting
• Packets Received: 23,444
• Retransmission Request: 49 - 1,376
• Retransmission Received: 40 - 776
• Lost: 9 - 600
[Chart: QoS experienced at the A2D2 client]
A2D2 Future Work
• TCP SYN Attack
• Firewall Processing Speed
• Alternate Routing
• Scalability
• More Services
• Anomaly Detection
• Fault Tolerance
A2D2 Software Engineering Process
• ISO/IEC 12207 (Software Life Cycle Processes)
• Evolutionary Model
[Diagram: Build 1 through Build n, each running R -> D -> C/T -> I/AS, with information flow (refinements) from each build feeding the requirements (R1, R2, R3, ..., Rn) of the next.]
Legend: R: Requirements; D: Design; C/T: Coding and Testing; I/AS: Installation and Acceptance Support
A2D2 Conclusion
• Intrusion Tolerance: A2D2 clients enjoy QoS during various types of attack
Questions?
References: please refer to the thesis document: http://cs.uccs.edu/~chow/master/acearns/doc/angThesis-1022.doc
Mitigation: A2D2
Checks Please.