SOS: Secure Overlay Service (+Mayday) A. D. Keromytis, V. Misra, D. Rubenstein


  1. SOS: Secure Overlay Service (+Mayday) • A. D. Keromytis, V. Misra, D. Rubenstein • Columbia University • Presented by Yingfei Dong

  2. Motivations • Goal: proactively prevent DOS attacks so that legitimate users can communicate with a critical target • DOS attacks try to stop the communication • The target is difficult to replicate • e.g., high security or dynamic contents • Legitimate users are mobile (IP addresses are not fixed) • Motivating applications: Emergency Response Teams (ERTs) • Phone networks are easy to crash • FBI/police/fire departments contact a central database • Bank users / stock brokers access their accounts • On-line transactions • Application requirements • Protect private communications on top of public networks • Authenticated mobile users

  3. Denial Of Service (DOS) Attacks • DOS • Select a target to degrade its performance • Generate “high volume” traffic to the target • Use up network resources: bandwidth, buffers • Packet flooding: for a 10Mbps-link, 830 1500-byte packets • Overload the CPU with security checking, or exhaust kernel resources • Security handshaking • TCP SYN flooding: holding all TCP control blocks • Force a server to fork many processes • SOS is not for general DOS attacks • Not for global traffic analysis • It is for a number of authenticated users communicating with a selected target on a public network

  4. Related Work • [Figure: related approaches compared along two axes, “More Secure” and “Less implementation costs”]

  5. Players in SOS • Target • Node / server protected by SOS from DOS • Fixed IP address, non-duplicable • Legitimate User • Authenticated users communicate with the target • Mobile IP address • Attacker • Tries to stop users from communicating with the target • Limited capability: cannot drag down core routers

  6. Basic Idea • Why is DOS effective? Many-to-one • Solution: hide paths to the target behind a large-scale distributed filter • Difficult to do because • The Internet is an open architecture and will stay open • IP spoofing is easy and ingress filters are not broadly deployed, … • Idea: forward secure packets on a virtual overlay network on top of the Internet • Secure packets are forwarded between overlay nodes • Use a large number of overlay nodes • The overlay network adapts to attacks quickly • Attackers must attack many nodes to be successful!

  7. SOS Functionalities • Goals • Allow legitimate users to communicate with the target • Prevent packets from illegitimate attackers from reaching the target • Ideal Solution • No changes required in intermediate routers • No high-cost security checking near/at the target • Assumptions • Attackers have a limited number of resources • Attackers cannot drag down core routers • Does NOT solve the general DoS problem

  8. Method 1: Source-Address Filtering • Routers near the target do simple filtering based on source IP addresses • Only packets from legitimate nodes can reach the target • Packets from other sources are dropped • Fast, light-weight authenticator • Routers are difficult to hack • Problems • Attackers obtain an account on a legitimate node • Attackers spoof packets with a legitimate source IP • Legitimate users are mobile and don’t have fixed IPs

  9. Method 2: Filters + Proxy Servers • Idea: • A proxy server sits between a legitimate user and the target • The proxy only forwards authenticated packets • Only packets from the proxy can reach the target • Problems • Once attackers know the IP of a proxy, x.x.x.x, they can spoof packets with source x.x.x.x and reach the target • Attackers directly attack the proxy to drag it down

  10. Method 3: Filters + Secret Proxy Servers • Hide the identity (IP address) of a proxy to prevent IP spoofing or attacks aimed at a proxy • A Secret Servlet is a hidden proxy chosen by the target • A filter only allows packets whose source address matches n ∈ Ns, a set of selected nodes • Only the target, the secret servlets, and a few other trusted nodes know the IP addresses of the secret servlets • An attacker is not sure which node is a proxy for the target

  11. Method 4: Filter + Secret Proxy + Overlay Routing + SOAP • Question: how to forward packets to a Secret Servlet without knowing its IP address? • Virtual Overlay Network • Each node is an end host • Only some nodes know how to reach a proxy (Servlet) • Indirect assumption: large number of nodes ⇒ attackers cannot monitor all overlay nodes • Service Overlay Access Points (SOAPs) • Everyone knows a set of SOAPs • A SOAP is an entry node to the overlay network • Receives and verifies traffic via IPSec/TLS • A large number of SOAPs act as a distributed firewall • User → SOAP → across overlay → Secret Servlet → Target

  12. Overlay Routing: SOAP → Servlet → Target • A path from a SOAP to a Servlet must be hard to find • Random Walk: O(N/Ns) time, where N is the total # of overlay nodes and Ns is the # of Servlets • Chord: O(log N) • A path must be resilient to attacks, with fast recovery

  13. Dynamic Hash Table (DHT) • Examples: Chord, CAN, PASTRY, Tapestry, … • Chord • A distributed protocol with N homogeneous overlay nodes • Each node has a node identifier • Each object has an object key • Distribute all object keys to the N nodes: the object with key T is mapped to node B if H(T) = B, i.e., object T is managed by node B • Chord property: finding key T (reaching node B) from any node takes O(log N) steps

  14. A Beacon Connects a SOAP and a Servlet • An object key in SOS is the IP address of a target • Beacon B for IP address T is an overlay node with identifier B = H(T) • Secret Servlet S finds Beacon B by B = H(T), and tells it to forward packets with DST T from B to S • SOAP A also finds Beacon B by B = H(T), and forwards secure packets with DST T to B • Multiple hash functions produce different Beacons, i.e., different paths to the target.

  15. Routing Summary • Target T randomly selects Secret Servlet S • Secret Servlet S informs Beacon B to forward packets with DST T to S • SOAP A forwards authenticated packets with DST T to B • Overlay nodes are known to the public but their roles are secret • Communications between overlay nodes are secure/authenticated • Packets are authenticated by the SOAP before entering the overlay
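
The beacon rendezvous from slides 14 and 15, as an added Python sketch (not code from the SOS authors or the presentation). It assumes a sorted list in place of Chord's O(log N) finger-table lookup, salted SHA-256 as the "multiple hash functions", and constructed node names and target address.

```python
import hashlib
from bisect import bisect_left

def ring_hash(value, salt=""):
    """Map a string to a 32-bit ring id; each salt acts as a separate hash function."""
    return int.from_bytes(hashlib.sha256(f"{salt}|{value}".encode()).digest()[:4], "big")

class Overlay:
    def __init__(self, node_addrs):
        self.nodes = set(node_addrs)
        self.forward = {}  # (beacon, target) -> servlet; state held at beacons
        self._rebuild()

    def _rebuild(self):
        self.ring = sorted((ring_hash(a), a) for a in self.nodes)
        self.ids = [node_id for node_id, _ in self.ring]

    def beacon_for(self, target, salt):
        # Beacon = node responsible for key H(target): first id >= key, wrapping.
        idx = bisect_left(self.ids, ring_hash(target, salt)) % len(self.ring)
        return self.ring[idx][1]

    def register_servlet(self, servlet, target, salts):
        # The secret servlet asks each beacon to forward DST=target packets to it.
        for salt in salts:
            self.forward[(self.beacon_for(target, salt), target)] = servlet

    def route(self, soap, target, salt):
        # Hops for a packet the SOAP already authenticated; None if beacon has no state.
        beacon = self.beacon_for(target, salt)
        servlet = self.forward.get((beacon, target))
        return None if servlet is None else [soap, beacon, servlet, target]

    def remove_node(self, addr):
        # Self-healing: drop an attacked node together with the state it held.
        self.nodes.discard(addr)
        self.forward = {k: v for k, v in self.forward.items() if k[0] != addr}
        self._rebuild()

def demo():
    nodes = [f"overlay-{i}" for i in range(64)]       # constructed node names
    target, salts = "192.0.2.10", ["h1", "h2", "h3"]  # constructed target and hash salts
    net = Overlay(nodes)
    beacons = {net.beacon_for(target, s) for s in salts}
    servlet = next(n for n in nodes if n not in beacons)  # target's choice, kept secret
    net.register_servlet(servlet, target, salts)
    before = net.route("soap-a", target, "h1")
    net.remove_node(before[1])                        # beacon for h1 attacked, removed
    net.register_servlet(servlet, target, salts)      # servlet re-registers
    return servlet, before, net.route("soap-a", target, "h1")
```

The SOAP and the servlet never exchange addresses: both derive the beacon from the target's address alone, so removing a beacon only requires the servlet to register again with whichever node now owns the key.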

  16. Against the DoS attacks • Redundancy in SOS • Every overlay node can be a SOAP, Beacon or Servlet • A target can select multiple Servlets • Multiple Beacons can be used by using different hashes • Many SOAPs • User → SOAP → Beacon → Servlet → Target • Attacks on an overlay node: Chord self-heals by removing the node from Chord • Attacks on SOAPs: must take down all SOAPs, otherwise an alternative SOAP exists • Attacks on all Beacons: remove the nodes and change hash functions • Attacks on all Servlets: the target can change the set of Servlets in real time • The target is protected by filters

  17. Static Attack Analysis • N nodes in the overlay • For a given target T • S is the number of Servlets • B is the number of Beacons • A is the number of SOAPs • Static attacks: attackers randomly shut down M out of N nodes • Pstatic = P(N, M, S, B, A) = P{stop communications with T} • P(n,b,c) = P{a set of b nodes chosen randomly from a set of n nodes contains a given set of c nodes}

  18. Successfully Attack all Servlets or all Beacons or all SOAPs • Pstatic = P(N, M, S, B, A) = 1 - (1 - P(N,M,S))(1 - P(N,M,B))(1 - P(N,M,A)) • [Figure: probability of attack success vs. number of nodes attacked]
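
The static analysis of slides 17 and 18 carried through numerically, as an added Python example (not from the presentation). The closed form C(n-c, b-c) / C(n, b) for P(n,b,c) is standard counting that the slides do not spell out; `p_static_exact` goes beyond the slides and assumes the three role sets are disjoint, which lets it be compared with the slide's product formula.

```python
from math import comb

def p_contains(n, b, c):
    """P(n,b,c): a uniformly random b-subset of n nodes contains a given c-subset."""
    if not 0 <= b <= n:
        raise ValueError("number of attacked nodes must be between 0 and n")
    if c > b:
        return 0.0                      # too few attacked nodes to cover the set
    return comb(n - c, b - c) / comb(n, b)

def p_static(n, m, s, b, a):
    """Slide 18 formula: the three 'all nodes of a role are down' events are
    combined as if they were independent."""
    survive = 1.0
    for role_size in (s, b, a):
        survive *= 1.0 - p_contains(n, m, role_size)
    return 1.0 - survive

def p_static_exact(n, m, s, b, a):
    """Inclusion-exclusion over the same three events, assuming disjoint role
    sets (added assumption): covering two sets means covering their union."""
    def p(c):
        return p_contains(n, m, c)
    return (p(s) + p(b) + p(a)
            - p(s + b) - p(s + a) - p(b + a)
            + p(s + b + a))

def sweep(n, s, b, a, percents=(10, 50, 90, 99)):
    """(M, Pstatic) for several attacked percentages of the overlay."""
    return [(n * pct // 100, p_static(n, n * pct // 100, s, b, a))
            for pct in percents]

if __name__ == "__main__":
    # Sizes from slide 20: 1000 nodes, 10 SOAPs, 10 Beacons, 10 Servlets.
    for m, p in sweep(1000, 10, 10, 10):
        print(f"M={m:4d}  Pstatic={p:.3e}")
```

With a small overlay the independence shortcut is visibly off (about 0.722 against an exact 0.759 for N=20, M=12 and two nodes per role); at the slide's scale of 1000 nodes the two agree closely until most of the overlay is down.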

  19. Dynamic Attacks • Attack/Repair Battle • The overlay removes attacked nodes, taking time TR • Attackers shift attacking traffic from removed nodes to active nodes, taking time TA • Assume TR and TA are exponentially distributed random variables, modeled as a birth-death process • Attacking rate  • Repairing rate  • Attack Load Ratio  =  / 

  20. Centralized Attacks and Centralized Recovery M/M/1/K • 1000 nodes, 10 SOAPs, 10 Beacons, 10 Servlets • If repairing is faster than attacking, SOS can survive large-scale attacks

  21. Distributed Attacks and Distributed Recovery, M/M///K

  22. Conclusions • SOS protects a target from DOS • Only legitimate traffic will reach the target • Approach • Ingress Filtering • Hidden Proxies • Self-healing overlay networks to defeat attacks • Preliminary Analysis • Static Attacks • Dynamic Attacks

  23. Mayday • Goal: protect critical servers • Components • A Server: centralized resource • A Filter Ring: around the server to protect it • Edge routers of a domain • An Overlay network • An Overlay node can be • an ingress point of the overlay network (SOAP) • an egress point from the overlay network to the filter ring (Servlet) • a forwarding node of the overlay network • A Client is authenticated by an overlay node but not trusted

  24. Mayday Architecture

  25. Generalizing the Idea of SOS • Packet authenticators at a filter (mostly in the IP header) • Egress source IP address (SOS) • Server destination port: 1 to 65,536, large search space • Server destination address: 1 out of N reserved IP addresses (like a VPN shield) • Application-defined: OK with a firewall, not core routers • Overlay routing schemes • Proximity Routing: proxies close to the client, filter is known • Singly-Indirect Routing: egress address is known • Double-Indirect Routing (SOS) • Random Walk • Mix Routing: each node only knows the next step

  26. Summary • SOS provides formal analysis • Mayday discusses potential practical solutions • Discussion of advanced attack approaches • Questions: • Long delay in overlay routing • Trust of overlay nodes • Repair speed vs. attacking rate
