1 / 40

Autonomous Anti-DDOS Network Design by Angela Cearns

Explore A2D2 - an affordable, manageable, research-oriented network design for intrusion prevention and detection. Learn about intrusion tolerance techniques and systems for robust DDoS defense.

cabrera
Download Presentation

Autonomous Anti-DDOS Network Design by Angela Cearns

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Design of an Autonomous Anti-DDOS Network (A2D2) Angela Cearns Thesis Defense Thursday October 24, 2002 Master of Software Engineering Department of Computer Science University of Colorado, Colorado Springs

  2. Design of an Autonomous Anti-DDOS Network (A2D2) Author: Angela Cearns Committee Members: Dr. C. Edward Chow Dr. Jugal K. Kalita Dr. Charles M. Shub

  3. DoS & DDoSProblem Domain Definition • DoS • Denial of Service Attack • DDoS • Distributed Denial of Service Attack Yahoo Amazon CERT Stacheldraht Trinoo Tribal Flood Network (TFN)

  4. Mitigation - Commercial • Commercial $ystems

  5. IntruVert Networks IntruShield 4000 Cisco Secure Dragon IDS iPolicy Networks IpEnforcer 6000 ISS RealSecure OneSecure Cisco IPX TippingPoint Tech Unity One Check Point Sidewinder Watchguard Friebox Primary Product Function IDS IDS IDS Firewall Firewall Firewall Firewall Primary Product Function Firewall, IDS Firewall, IDS, Anti-virus Firewall, IDS IDS, Anti-virus, Vulnerability Assess Price $ 3,500 - $6,100 $3,000 (10MB) $750 / host $8,995 / server $320 - $1300 $280 - $8,000 $4,995 - $17,495 $360 - $9,500 Price $100,000 Starts at $125,000 Starts at $16,500 $100,000 Mitigation Commercial

  6. DDoS Target Audience • Research by University of California at San Diego • 12,805 DoS in 3-week period • Home, small to medium sized networks

  7. Mitigation A2D2 – This Thesis • Autonomous Anti-DDoS Network (A2D2) • A2D2 Target Audience • Home, small to medium sized networks • Design Principles • Affordable • Manageable • Configurable • Portable Research-Oriented

  8. A2D2 Background Research • 3 main research areas: • Intrusion Prevention • General Security Policy • Ingress/Engress Filtering • Intrusion Detection • Anomaly Detection • Misuse Detection • Intrusion Response • Source Identification • Intrusion Tolerance Intrusion Tolerance

  9. A2D2 – Intrusion Tolerance • Fault Tolerance • Quality of Service (QoS) • Intrusion Tolerant QoS Techniques • Rate Limiting • Class-Based Queuing (CBQ) • Intrusion Tolerant QoS Systems • XenoService • Pushback Mechanisms • Cooperative Intrusion Traceback and Response Architecture (CITRA)

  10. 12 12 11 1 11 1 2 2 10 10 Filter 9 3 9 3 8 4 8 4 7 5 7 5 6 6 1 second 1 second packet packet packet packet packet packet packet packet packet packet Filter: iptables packet packet packet packet packet packet packet packet packet packet packet packet packet packet DROP packet packet packet packet packet packet packet packet packet packet packet packet packet packet packet packet Intrusion Tolerance Techniques- Rate Limiting Internal Private Network Internet

  11. Intrusion Tolerance Techniques- Class-Based Queuing (CBQ) Internet Internal Private Network

  12. XenoServer XenoServer Internet XenoServer XenoServer XenoServer XenoServer Intrusion Tolerance Systems- XenoService

  13. Pushback Rate Limiting Alerts ISP Router IDS Firewall Pushback Rate Limiting Internet Upstream Router Upstream Router Rate Limiting Rate Limiting Pushback Pushback Upstream Router Upstream Router Upstream Router Upstream Router Intrusion Tolerance Systems- Pushback Mechanism

  14. Intrusion Tolerance Systems- CITRA • Cooperative Intrusion Traceback and Response Architecture (CITRA) • The Defense Advanced Research Projects Agency (DARPA) • Intruder Detection and Isolation Protocol (IDIP)

  15. Intrusion Tolerance Research Limitations • Intrusion Tolerance Techniques • Not autonomous • Time-consuming • Require knowledgeable staff • Intrusion Tolerance Systems • Expensive • Worldwide agreements • Extensive Collaboration

  16. DDoS Defense (Macro vs Micro)

  17. A2D2 Firewall Policy • #Set default policies to DROP • IPTABLES="/sbin/iptables" • $IPTABLES -P INPUT DROP • $IPTABLES -P OUTPUT DROP • $IPTABLES -P FORWARD DROP • # Set up IP FORWARDing and Masquerading • echo 1 > /proc/sys/net/ipv4/ip_forward • $IPTABLES --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE • $IPTABLES --append FORWARD --in-interface $DMZ -j ACCEPT • # DNAT - translate incoming ftp (21), ssh (22), telnet (23) traffic to my internal hosts • iptables -t nat -A PREROUTING -p tcp --dport 21 -i $INTERNET -j DNAT --to 192.168.0.2:21 • iptables -t nat -A PREROUTING -p tcp --dport 22 -i $INTERNET -j DNAT --to 192.168.0.2:22 • iptables -t nat -A PREROUTING -p tcp --dport 23 -i $INTERNET -j DNAT --to 192.168.0.2:23

  18. Intrusion Tolerance Techniques- Class-Based Queuing (CBQ) Internet Internal Private Network

  19. A2D2 CBQ Implementation • # Classify icmp traffic to be queue class 1 • $IPTABLES -A FORWARD -p icmp -o $DMZ -t mangle -j MARK --set-mark 1 • # Mark incoming mail traffic from smtp with mark value 2 • $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport smtp -d 0/0 -t mangle -j MARK --set-mark 2 • # Mark incoming ftp traffic with mark value 3 • $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 21 -d 0/0 -t mangle -j MARK --set-mark 3 • # Mark incoming www and Real Server traffic with mark value 4 • $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 80 -d 0/0 -t mangle -j MARK --set-mark 4 • $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 7070 -d 0/0 -t mangle -j MARK --set-mark 4 • $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4 • $IPTABLES -A FORWARD -p udp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4

  20. Intrusion Tolerance Techniques- Class-Based Queuing (CBQ) Internet Internal Private Network

  21. A2D2 CBQ Implementation • TC="/sbin/tc“ • Set up the queue with the specific network interface • $TC qdisc add dev $DMZ root handle 10: cbq bandwidth 10Mbit avpkt 1000 • Create the root class and initialized it with the queue • $TC class add dev $DMZ parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded • Create different classes of queus with different bandwidth allocation • add_class() { # $1=parent class $2=classid $3=hiband $4=lowband $5=handle $6=style $TC class add dev $DMZ parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6 $TC qdisc add dev $DMZ parent $2 cbq 1514b $TC filter add dev $DMZ protocol ip prio 3 handle $5 fw classid $2 } • # First type of traffic ICMP marked '1' by the firewall code gets 5% of our internal bandwidth (10240*0.05=5120.0) • add_class 10:1 10:100 512kbit 51.2kbit 1 bounded • # Second type of traffic SMTP marked '2' by the firewalling code gets 15% of our internal bandwidth (10240*0.15=1536.0) • add_class 10:1 10:200 1536kbit 153.6kbit 2 • # Third type of traffic ftp marked '3' by the firewalling code gets 10% of our internal bandwidth (10240*0.1=1024.0) • add_class 10:1 10:300 1024kbit 102.4kbit 3 • # Last type of traffic is interactive traffic (marked '4‘) gets 70% of our internal bandwidth (10240*0.70=7168.0) • add_class 10:1 10:400 7168kbit 716.8kbit 4

  22. A2D2 IDSSnort Flood Preprocessor Detection Engine (Rule Based) Preprocessor (Perform logic)

  23. A2D2 IDSSnort Flood Preprocessor • Prepare the snort plugbase.h file • #include “spp_flood.h” • Prepare the Snort plugbase.c file • void InitPreprocessor() { SetupFlood (); } • Prepare the snort.conf file • preprocessor flood: $HOME_NET <threshold # packets> <threshold # time period> <logfilename> • void InitPreprocessor() • Create two flood-plugin files: • spp_flood.h • spp_flood.c • In spp_flood.h, add • void SetupFlood(); • void FloodInit(u_char *); • # The FloodInit function creates the preprocessor data structure • In spp_flood.c, register the preprocessors: • void SetupFlood(void) { RegisterPreprocessor("flood", FloodInit); }

  24. A2D2 IDSSnort Flood Preprocessor • Additional Features • FloodIgnoreHosts Preprocessor • FloodRateLimiter Preprocessor

  25. A2D2 Multi-Level Rate Limiting

  26. A2D2 Results - Baseline • 10-min Video • Packets Received: • Around 23,000 (23,445) QoS Experienced at A2D2 Client

  27. A2D2 Results – 1-min Attack • Packets Received: 17,869 • Retransmission Request: 1,929 • Retransmission Received: 121 • Lost: 1,808 QoS Experienced at A2D2 Client

  28. A2D2 Results – Non-stop Attack • Packets Received: 8,039 • Retransmission Request: 2,592 • Retransmission Received: 35 • Lost: 2,557 • Connection Timed-out QoS Experienced at A2D2 Client

  29. A2D2 Results – UDP AttackMitigation: Firewall Policy • Packets Received: 23,407 • Retransmission Request: 0 • Retransmission Received: 0 • Lost: 0 QoS Experienced at A2D2 Client

  30. A2D2 Results – ICMP AttackMitigation: Firewall Policy • Packets Received: 7,127 • Retransmission Request: 2,105 • Retransmission Received: 4 • Lost: 2,101 • Connection Timed-out QoS Experienced at A2D2 Client

  31. A2D2 Results – ICMP AttackMitigation: Firewall Policy & CBQ • Packets Received: 23,438 • Retransmission Request: 0 • Retransmission Received: 0 • Lost: 0 QoS Experienced at A2D2 Client

  32. A2D2 Results – TCP AttackMitigation: Policy+CBQ • Packets Received: 22,179 • Retransmission Request: 4,090 • Retransmission Received: 2,641 • Lost: 1,449 • Screen Quality Impact QoS Experienced at A2D2 Client

  33. A2D2 Results – TCP AttackMitigation: Policy+CBQ+Rate • Packets Received: 23,444 • Retransmission Request: 49 – 1,376 • Retransmission Received: 40 – 776 • Lost: 9 – 600 QoS Experienced at A2D2 Client

  34. A2D2 Future Works • TCP – SYN Attack • Firewall Processing Speed • Alternate Routing • Scalability • More Services • Anomaly Detection • Fault Tolerant

  35. Build 1 R1 D C/T I/AS Build 2 R: Requirements D: Design C/T: Coding and Testing I/AS: Installation and Acceptance Support Build 3 Information Flow (Refinements) Build n D C/T I/AS R2 R3 D C/T I/AS Rn D C/T I/AS A2D2 Software Engineering Process • ISO/IEC 12207(Software Life Cycle Processes) • Evolutionary Model

  36. A2D2 Conclusion Intrusion Tolerance A2D2 Clients Enjoy QoS During Various Types of Attack

  37. Questions? References: Please refer to Thesis Document http://cs.uccs.edu/~chow/master/acearns/doc/angThesis-1022.doc

  38. Mitigation A2D2 Checks Please.

More Related