Pervasive Random Beacon in the Internet for Covert Coordination. Hui-Huang Lee, Ee-Chien Chang and Mun Choon Chan, School of Computing, National University of Singapore.
Pervasive Random Beacon in the Internet for Covert Coordination and its role in DDoS attacks
DDoS attacks
• Distributed Denial of Service attacks: An attacker employs multiple agents to attack a victim, preventing it from providing services to legitimate clients.
[Diagram: an attacker directing several agents against a victim]
DDoS Communication modes
• Manual: Attacker directly sends attack parameters to the agents and activates the attack.
• Semi-automatic: Attacker communicates with the agents through the handlers.
• Automatic: Attack parameters are preprogrammed into the agents.
DDoS Communication modes
• Manual, Semi-automatic: Communication may lead to detection.
• Automatic: No communication at all. However, if an agent is captured and analyzed, the attack parameters will be revealed. E.g. the Blaster worm's attack on Microsoft’s Windows Update website, starting from 16th Aug 2003.
Covert Co-ordination
• A large collection of agents wants to coordinate a common action.
• Communications should be hidden.
• The capture of one agent will not expose the identity of others.
• The capture of one agent will not reveal the actual common action before the action is carried out.
DDoS Covert Co-ordination
• Agents covertly identify the victim, and the time and types of DDoS attack.
[Diagram: a group of agents]
DDoS Covert Co-ordination
• Based on the random bits, carry out the common action.
[Diagram: agents each reading from a pervasive random beacon]
Random Beacon
• Introduced by Rabin to secure remote transactions.
• A random beacon periodically outputs random bits.
• The outputs are random and unpredictable.
Pervasive Random Beacon
• High Availability: The random bits are extensively replicated and available everywhere.
• Blended Access: Access to the random bits can evade detection.
A pervasive random beacon in Internet
• We look in the WWW for content-based random sources.
• The stock closing indices are a good choice. A stock market index is calculated using a certain number of stocks from its market. During the trading period, the value fluctuates and the reported value can be inconsistent among different service providers. However, the daily closing index is static and consistent.
• High Availability: Closing indices can be found in many online newspapers.
• Blended access: Getting the stock closing indices is a “normal” web activity. It is difficult to identify accesses to the random beacon among normal activities.
• Random and unpredictable: Well-accepted.
Implementation issues
• Entropy of closing indices: The random tester ent was applied to the 15 least significant bits of the DJIA closing index for the past 30 years. ent indicates that the entropy is about 13 bits.
• Robustness: The access program visits multiple web pages.
• Mimic web-surfing behavior: To make detection more difficult, the access program can mimic web-surfing behavior, e.g. add randomness to the time of access, or favor a particular web page but switch to others with a certain probability.
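An added sketch (not from the slides or the paper) of how an entropy figure for the 15 low bits can be checked, and of the ceiling that the sample size puts on it. It assumes a plug-in Shannon estimate over 15-bit symbols, closes taken in hundredths, and about 250 trading days a year; the slide does not say how the values were fed to ent. Under those assumptions no estimate from 30 years of closes can exceed log2(7500), roughly 12.9 bits, even for a perfectly uniform source.

```python
import math
import random
from collections import Counter
from decimal import Decimal


def low_bits(close, bits=15):
    """Low `bits` bits of a closing value taken in hundredths (assumed encoding)."""
    return int(Decimal(close) * 100) & ((1 << bits) - 1)


def plugin_entropy(symbols):
    """Shannon entropy, in bits, of the empirical distribution of `symbols`."""
    n = len(symbols)
    return -sum(c / n * math.log2(c / n) for c in Counter(symbols).values())


def ceiling(n, bits=15):
    """Largest value plugin_entropy can return for n samples of `bits`-bit symbols."""
    return min(bits, math.log2(n))


def ideal_source_estimate(n, bits=15, seed=1):
    """Estimate measured on n draws from a uniform source (constructed data)."""
    rng = random.Random(seed)
    return plugin_entropy([rng.getrandbits(bits) for _ in range(n)])


if __name__ == "__main__":
    n = 30 * 250  # assumption: about 250 trading days a year for 30 years
    print("low 15 bits of 10427.20:", low_bits("10427.20"))
    print("ceiling for n samples  :", round(ceiling(n), 2))
    print("uniform source measures:", round(ideal_source_estimate(n), 2))
```

A measured value close to the ceiling says only that the sample shows no obvious bias; it does not show that the source has fewer than 15 bits.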
DDoS Covert Co-ordination
• A large collection of agents wants to coordinate and decide the victim, time of attack and attack type.
• Communication/activities are hidden.
• The capture of one agent will not expose the identity of others.
• The capture of one agent will not reveal the actual attack parameters before the attack is carried out.
DDoS Covert co-ordination with Pervasive Random Beacon
[Diagram: agents each reading from a pervasive random beacon. Based on the random bits, carry out the common action.]
• Periodically, each agent obtains 2 random values r1, r2 from the beacon.
• From r1 and possibly other parameters like date, decide whether to commence attack.
• If so, from r2 and a lookup table, decide the attack parameters: actual time of attack, attack type, victim. The lookup table is preprogrammed.
Probabilistic parameters
• If an agent is captured, the actual algorithm that determines the attack parameters and the lookup table will be revealed. However, the actual attack still remains unknown.
• Such uncertainty places the defenders in a stressful situation.
• Even if the probability of a successful attack is low, the defender (who is listed in the lookup table) still has to prepare for the attacks.
Compare to Manual & Automatic attack
• In contrast to manual and semi-automatic attacks, there is no communication among the agents and the attacker.
• Compared to automatic attack, the actual attack parameters remain unknown.
Disrupting and Influencing the Beacon
• Target the reporting services: It is difficult to manipulate or to predict the exact stock indices. However, it may be possible to influence the reporting service. With good incentive, some reporting service providers may migrate their service to other servers.
• Misleading the parser: The access program can be analyzed for weaknesses. It is possible that its parser can’t handle slight changes in the reporting format, e.g.
  a) change from “DJIA 10427.20” to “DJIA 10, 427.20”.
  b) having wrong information in the commented section of the HTML page.
• Using hard AI (graphical Turing test): The indices are displayed as a distorted image. However, in the competitive business environment, there is little incentive for the service providers to implement the above.
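The two parser-misleading changes (a) and (b), seen from the reporting service's side, as an added example that is not code from the slides or the paper. `naive_extract` stands in for an assumed brittle access program, and all function names and the page layout are hypothetical; the closing value is the one quoted on the slide.

```python
import html
import random
import re

# Assumed brittle extractor: one fixed pattern applied to raw page source.
NAIVE = re.compile(r"DJIA (\d+\.\d{2})")


def naive_extract(page):
    m = NAIVE.search(page)
    return m.group(1) if m else None


def render_plain(close):
    return f"<td>DJIA {close}</td>"


def render_varied(close, rng):
    """Publisher side: same figure for readers, unstable markup for scrapers."""
    whole, frac = close.split(".")
    grouped = f"{int(whole):,}"            # change (a): thousands separator
    decoy = close
    while decoy == close:                  # change (b): wrong value in a comment
        decoy = f"{rng.randrange(1000, 100000)}.{rng.randrange(100):02d}"
    layouts = [
        f"DJIA {grouped}.{frac}",
        f"DJIA&nbsp;{grouped}.{frac}",
        f"<span>DJIA</span> <b>{grouped}</b>.{frac}",
    ]
    return f"<!-- DJIA {decoy} -->\n<td>{rng.choice(layouts)}</td>"


def reader_view(page):
    """Text a browser would display: comments and tags dropped, entities decoded."""
    text = re.sub(r"<!--.*?-->", "", page, flags=re.S)
    text = re.sub(r"<[^>]+>", "", text)
    return html.unescape(text).replace("\xa0", " ").strip()


if __name__ == "__main__":
    rng = random.Random(2003)              # fixed seed, constructed demo
    close = "10427.20"
    page = render_varied(close, rng)
    print("plain page  ->", naive_extract(render_plain(close)))
    print("varied page ->", naive_extract(page))
    print("reader sees ->", reader_view(page))
```

The fixed-pattern extractor returns the decoy from the comment, and finds nothing at all in the visible markup, while the text shown to readers is unchanged.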
Conclusion
• Introduce covert coordination, and argue why it can be realized by a pervasive random beacon.
• Give a pervasive random beacon in the Internet, and study a scenario of DDoS. Also give some limited ways to disrupt the beacon.
• Are there other examples of covert coordination? Covert Counting: A group of agents wants to covertly count their population.
• Is it possible to make use of web search engines to enhance covert coordination? E.g., can the lookup table be derived from the web?