
SCOLD: Secure Collective Internet Defense http://cs.uccs.edu/~scold/. C. Edward Chow, Yu Cai, Ganesh Godavari Department of Computer Science University of Colorado at Colorado Springs.


Presentation Transcript


  1. SCOLD: Secure Collective Internet Defense http://cs.uccs.edu/~scold/ C. Edward Chow, Yu Cai, Ganesh Godavari, Department of Computer Science, University of Colorado at Colorado Springs. Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2002 grant.

  2. Outline of the Talk
  • Secure Collective Internet Defense, the idea. How should we pursue it?
  • Secure Collective Internet Defense, SCOLD v0.1: a technique based on the Intrusion Tolerance paradigm
  • SCOLD v0.1 implementation and testbed
  • Secure DNS update with indirect routing entries
  • Indirect routing protocol based on IP tunnels
  • Performance evaluation of SCOLD v0.1
  • SCOLD v0.2: multipath connection
  • Conclusion and future directions

  3. DDoS: Distributed Denial of Service Attack
  • Research by Moore et al. of University of California at San Diego, 2001: 12,805 DoS attacks observed in a 3-week period; most victims were home users and small to medium sized organizations.
  • DDoS victims: Yahoo/Amazon 2000; CERT 5/2001; DNS root servers 10/2002 (4 up, 7 crippled, 80 Mbps); Akamai DDNS 5/2004
  • DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)

  4. DDoS Attack on Akamai?
  “So today an outage of some sort at Akamai's distributed DNS service brought down access to some major sites from various parts of the world, including Google, Yahoo, and Microsoft. Pretty quickly, as evidenced by this slashdot thread, the questions over how the days of "no single point of failure" are over started to pop up. Akamai problems. Quiet, well kinda quiet, day on the Internet” --- Diego Doval, CTO of Clevercactus
  “Update (Mon. May 24th 9 am EST, 13:00 UTC, 15:00 CEST) It appears that websites that use Akamai's distribution system are currently not reachable. Security related web sites affected are symantec.com and trendmicro.com. Virus updates may fail as a result. Further details are currently not available and updates will be posted here as they become available. Thanks to Vidar Wilkens for alerting us of this problem.” --- infoworld 7/4/2004

  5. Secure Collective Internet Defense
  • The Internet “attacks” community seems to be better organized.
  • How about Internet Secure Collective Defense?
  • Report/exchange virus info and distribute anti-virus: not bad (need to pay Norton or Network Associates)
  • Report/exchange spam info: not good (SpamBayes, SpamAssassin, email firewall, remove.org)
  • Report attack (to your admin or the FBI?): not good
  • IP Traceback: difficult to negotiate even the use of one bit in the IP header
  • Push back attacks: slow call to upstream ISP; hard to find the IDIP spec!
  • Form a consortium and help each other during attacks: almost non-existent

  6. An Enterprise Cyber-Defense System

  7. Intrusion Related Research Areas
  • Intrusion Prevention: general security policy; ingress/egress filtering
  • Intrusion Detection: honeypot; host-based IDS (Tripwire); anomaly detection; misuse detection
  • Intrusion Response: identification/traceback/pushback
  • Intrusion Tolerance

  8. Secure Collective Defense
  • Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
  • Goals: provide secure alternate routes; hide the IP addresses of the alternate gateways.
  • Techniques:
    • Multiple path (indirect) routing
    • Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry).
    • Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways.
    • How to partition clients to come in at different proxy servers? May help identify the attacker!
    • How do clients use the new DNS entries and route traffic through a proxy server? Use the SOCKS protocol; modify the resolver library.

  9. Wouldn’t it be Nice to Have Alternate Routes? (diagram: victim network behind router R with alternate gateways R1, R2, R3; client networks net-a.com, net-b.com, net-c.com, each with a router R and DNS server DNS1, DNS2, DNS3; compromised agents A send DDoS attack traffic alongside legitimate client traffic) How to reroute client traffic through R1-R3? Multi-homing. Legend: A = compromised agent.

  10. Possible Solution for Alternate Routes (diagram: as in slide 9, with proxy servers Proxy1, Proxy2, Proxy3 placed in front of R1-R3 and client networks net-a.com, net-b.mil, net-c.mil) The victim sends a distress call; a Reroute Command carrying the DNS name/IP address of the proxy and of the victim is sent out; a new route via Proxy3 to R3 is established; attack messages are blocked.

  11. SCOLD (diagram: victim network with routers R, R1, R2, R3, proxy servers Proxy1, Proxy2, Proxy3, client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3, a Reroute Coordinator, attack traffic and client traffic) Step 1: the IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.

  12. SCOLD (same diagram) Step 2: the Reroute Coordinator sends a Reroute Command with (DNS name, IP address of victim, proxy server(s)) to the client DNS servers.

  13. SCOLD (same diagram) Step 3: new routes are set up via Proxy1 to R1, via Proxy2 to R2, and via Proxy3 to R3.

  14. SCOLD (same diagram) Steps 4 and 4a: attack traffic detected by the IDS is blocked by the firewall (shown at two points in the diagram).

  15. SCOLD (same diagram) Step 4b: client traffic comes in via the alternate routes. The full sequence: 1. distress call; 2. Reroute Command with (DNS name, IP address of victim, proxy server(s)); 3. new routes via the proxies; 4. attack traffic blocked.

  16. SCOLD Secure DNS Update with New Indirect DNS Entries (diagram: modified BIND9 on the DNS servers and a modified client resolver library) New indirect DNS entry: (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38), a set of alternate proxy servers for indirect routes.
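An added example (not SCOLD's own code; the record layout and the hashing scheme are assumptions of this example) that parses an indirect entry like the one above and partitions client networks across its ALT proxies, the partitioning slide 8 suggests for narrowing down where attack traffic enters:

```python
import hashlib
import ipaddress
from dataclasses import dataclass

@dataclass
class IndirectEntry:
    name: str      # victim's DNS name
    target: str    # victim's real address; clients are steered to proxies instead
    proxies: list  # ALT set: proxy servers fronting the alternate gateways

def parse_indirect_entry(text):
    """Parse '(name, ip, ALT proxy1 proxy2 ...)'; the record layout is assumed from the slide."""
    name, target, alt = (p.strip() for p in text.strip().strip("()").split(",", 2))
    if not alt.startswith("ALT "):
        raise ValueError("indirect entry has no ALT proxy set")
    proxies = [str(ipaddress.ip_address(p)) for p in alt[4:].split()]
    if not proxies:
        raise ValueError("ALT proxy set is empty")
    return IndirectEntry(name, str(ipaddress.ip_address(target)), proxies)

def proxy_for_client(entry, client_ip, prefix_len=24):
    """Map a client's network to one ALT proxy with a keyed hash (scheme assumed here).
    Keying on the /24 rather than the host keeps a network's traffic on a single proxy,
    so a proxy that starts seeing attack traffic narrows the suspects to its networks."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)
    digest = hashlib.sha256(f"{entry.name}|{net}".encode()).digest()
    return entry.proxies[int.from_bytes(digest[:4], "big") % len(entry.proxies)]

def partition_clients(entry, client_ips, prefix_len=24):
    """Group client networks by the proxy they are steered to."""
    groups = {proxy: [] for proxy in entry.proxies}
    for ip in client_ips:
        net = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
        proxy = proxy_for_client(entry, ip, prefix_len)
        if net not in groups[proxy]:
            groups[proxy].append(net)
    return groups

# Constructed sample: the slide's entry with its closing parenthesis restored.
SAMPLE_ENTRY = ("(target.targetnet.com, 133.41.96.71, "
                "ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)")

if __name__ == "__main__":
    entry = parse_indirect_entry(SAMPLE_ENTRY)
    clients = ["192.0.2.10", "192.0.2.77", "198.51.100.5", "203.0.113.9"]  # RFC 5737 addresses
    for proxy, nets in partition_clients(entry, clients).items():
        print(proxy, "<-", nets)
```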

  17. SCOLD Indirect Routing (diagram: two IP tunnels)

  18. SCOLD Indirect Routing with Client running SCOLD client daemon (diagram: two IP tunnels)

  19. Performance of SCOLD v0.1
  • Table 1: Ping response time (on a 3-hop route)
  • Table 2: SCOLD FTP/HTTP download test (from client to target), with direct route vs. with single indirect route
  [table values not captured in the transcript]

  20. Benefit of SCOLD v0.1
  • Capability to perform secure peer-to-peer DNS update (with enhanced DNS indirect routing entries) through indirect routes.
  • Capability to establish multiple indirect routes in today’s Internet via designated proxy servers and alternate gateways.
  • Improved performance: larger aggregated bandwidth (can provide bandwidth-on-demand service).
  • Improved reliability: send redundant critical info over geographically diverse paths; avoid network congestion.
  • Improved security: dynamically establish alternate paths against DDoS; enable peer-to-peer indirect DNS query/update; spread traffic over multiple paths to avoid traffic analysis.

  21. SCOLD 0.2: Multipath Connection

  22. Proxy Server based Multipath Connection (PSMC)
  • How to set up multiple routes between two end hosts? Via a set of intermediate connection relay proxy servers, using IP tunneling.
  • How to stripe packets across multiple routes? At the IP layer, in weighted round robin manner. Both TCP and UDP can benefit from it.
  • TCP persistent reordering problem. TCP packets sent over multiple routes are likely to reach the destination out of sequence order. Our experimental results show that this can seriously degrade overall system performance. In PSMC, we use a double buffer at the TCP layer on the receiver side to solve the problem.
  • TCP high loss rate problem. The loss rate of a multipath connection is usually higher than that of a single path connection. Traditional TCP blindly cuts the congestion window in half upon fast retransmit, which may slow down TCP performance in the multipath scenario. In PSMC, we set the congestion window size to a more appropriate value upon fast retransmit.
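An added simulation (not PSMC code; the path weights and delays are constructed values) of the weighted round-robin striping and the receiver-side reorder buffer described above, showing how many packets arrive out of sequence and how much buffering the receiver-side fix costs:

```python
from dataclasses import dataclass
@dataclass
class Path:
    name: str
    weight: int  # packets sent on this tunnel per round-robin cycle
    delay: int   # one-way delay in ms (constructed, not measured)

def stripe(num_packets, paths, send_interval=1):
    """IP-layer weighted round robin; returns arrivals as (arrival_ms, seq, path)."""
    sends, seq, now = [], 0, 0
    while seq < num_packets:
        for p in paths:
            for _ in range(p.weight):
                if seq >= num_packets:
                    break
                sends.append((now + p.delay, seq, p.name))
                seq += 1
                now += send_interval
    return sorted(sends)  # the order the receiver actually sees

class ReorderBuffer:
    """Holds out-of-sequence packets until the gap fills (the receiver-side buffer's job)."""
    def __init__(self):
        self.expected = 0
        self.held = {}
        self.max_held = 0  # peak occupancy: the memory the fix costs
        self.stalls = 0    # arrivals that could not be delivered at once
    def receive(self, seq):
        """Accept one packet; return the run of sequence numbers now deliverable."""
        if seq < self.expected or seq in self.held:
            return []  # duplicate: already delivered or already buffered
        self.held[seq] = True
        self.max_held = max(self.max_held, len(self.held))
        out = []
        while self.expected in self.held:
            del self.held[self.expected]
            out.append(self.expected)
            self.expected += 1
        if not out:
            self.stalls += 1
        return out

def simulate(num_packets, paths):
    """Return (arrival order, order handed to TCP, peak buffered, stalled arrivals)."""
    buf, handed = ReorderBuffer(), []
    arrivals = [seq for _, seq, _ in stripe(num_packets, paths)]
    for seq in arrivals:
        handed.extend(buf.receive(seq))
    return arrivals, handed, buf.max_held, buf.stalls
```

With two tunnels of 10 ms and 30 ms delay striped 2:1, packets sent on the fast tunnel overtake the slow one, and the buffer restores order at the cost of holding up to three packets.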

  23. Proxy Server based Multipath Connection (PSMC)
  • Path selection. To achieve maximum aggregate bandwidth, a labeling algorithm is proposed in PSMC.
  • “Bad” path detection. Experimental results show that a failed path, a “bad” path, or paths with shared congestion links can seriously affect system performance. In PSMC, by passively monitoring on the end hosts and periodically exchanging network information through a communication channel, we can quickly detect the unwanted paths.
  • Path management. Path addition and path deletion need to be done dynamically, at low cost and in a timely manner.
  • Failure recovery. A multipath system should recover quickly from sub-path failure.

  24. PSMC Performance result: without double buffer

  25. PSMC Performance result: with double buffer

  26. Processing overhead of PSMC on a single path

  27. The impact of a bad path

  28. Selected related works
  • RON network, MIT
  • Detour project, U of Washington
  • Westwood project, UCLA
  • mTCP project, Princeton
  • TCP-PR, UC
  • Multihoming and overlay, SIGCOMM 2004
  • Internet Indirection Infrastructure, TON 2004

  29. Future Directions
  • Add a thin layer between TCP and IP to utilize the multiple geographically diverse routes set up with IP tunnels.
  • SCOLD proxy server selection problem.
  • Porting the DNS/indirect routing protocol to Windows.
  • Recruit sites for wide area network SCOLD experiments. Northrop Grumman, Air Force Academy's IA Lab, and University of Texas are initial potential partners. Email me if you would like to be part of the SCOLD beta test sites and form a SCOLD consortium.
  • SCOLD technologies can be used as a potential solution for bottlenecks detected by a network analysis tool.

  30. Conclusion
  • Secure Collective Internet Defense needs significant help from the community. Tremendous research and development opportunities.
  • SCOLD v0.1 demonstrated DDoS defense via: use of secure DNS updates with new indirect routing entries; IP-tunnel based indirect routing to let legitimate clients come in through a set of proxy servers and alternate gateways.
  • Multiple indirect routes can also be used to improve the performance of Internet connections by using an organization’s proxy servers as connection relay servers.
