400 likes | 422 Views
Explore proactive strategies for mitigating Denial-of-Service attacks using roaming honeypots, dynamically changing server locations to defend against attacks. Discover how AGN enhances network security and counters spoofed IP address threats.
E N D
Roaming Honeypots for Mitigating Service-level Denial-of-Service Attacks Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mosse, Rami Melhem, Taieb Znati. University of Pittsburgh, PA . BY: Nikhil Mahajan Sriharsha Hammika
Denial of Service • Attempt to make a computer resource unavailable to its intended users. • Typically the targets are high-profile web servers.
Effects of DoS: • Force the victim computer(s) to reset or consume its resources such that it can no longer provide its intended service. • Obstruct the communication media between the intended users and the victim in such that they can no longer communicate adequately.
Basic Idea comes from previous Paper: Server Roaming • Proactive server roaming to mitigate the effects of Denial-of-Service (DoS) attacks. • The active server changes its location within a pool of servers to defend against unpredictable and undetectable attacks. • Only legitimate clients can follow the active server as it roams.
However: Basic reasons to shift the paradigm: • Server Bandwidth. • Clients have to keep track of active server. • Ratio of Active to idle servers.
Honeypots ? Honeypots are closely monitored network decoys serving several purposes: • Can distract adversaries from more valuable machines on a network, • Can provide early warning about new attack and exploitation trends • Allow in-depth examination of adversaries during and after exploitation of a honeypot.
Honeypots. • Upgraded method on the same lines.d • A proactive detection mechanism. • Machines that are not supposed to receive any legitimate traffic. • Any traffic destined to a honeypot is most probably an ongoing attack and can be analyzed to reveal vulnerabilities targeted by attackers.
Standard implementation • Deployed at fixed locations. • Detectable locations and on machines different than the ones they are supposed to protect. • Sophisticated attacks can avoid the honeypots.
Proposed Solution: Roaming Honeypots • A scheme for mitigating service-level DoS attacks against back-ends of private services. • The locations of honeypots are continuously and unpredictably changing disguisedly within a pool of back-end servers. • Each server alternates between providing the service and acting as a honeypot in a manner unpredictable to attackers.
On the same lines: • Honeynet: type of honeypot. • High-interaction research honeypot. • Designed to capture extensive information on threats. • The highly controlled network contains one or more honeypots for attackers to interact with, and provides some tools to collect and analyze the information.
Honeynet: Three basic jobs: • Data control • Data capture and • Data analysis
DataControl: Reduce risk, Compromised systems should not be used. • DataCapture: detect and capture attackers activities. • DataAnalysis: to analyse and thus prevent further attcks.
Back to Honeypots: • Filtering Effect. • Connection-dropping effect.
Filtering Effect: • Idle servers (honeypots) detect attacker addresses so that all their subsequent requests are filtered out Connection-Dropping Effect: • Each time a server switches from idle to active, it drops all its current (attack) connections, opening a window of opportunity for legitimate requests before the attack re-builds up.
AGN Access Gateway Network:
AGN • Keeps track of current active servers. • Clients contact AG’s to subscribe and request services. • After the request is authenticated and authorized, AG redirect the request to one of the active servers. • Also support dynamic Load balancing.
Connection Migration • At the end of each service epoch, a subset of servers change their status from “Active-to-Idle” and “Idle-to-Active”. • Sai and Sia • Sai = Sia. • For each client connection C to a server Sai, its handling AG selects a server uniformly from Sia. • Connection is established between this Active server and the client using the latest update message from C
Network Level Attacks Using Spoofed IP address. • Suppose that, attacker uses a forged source address to hide their identity. • If such a request hits a honeypot then all future correspondence from this IP address is dropped. • If this IP address is a valid address of a Client then this client is discarded automatically. !!!!!!!! ???? • Fortunately, AGN automatically takes care of this situation.
Countering Spoofed attacks: • Legitimate requests are tunneled through AGN • For this attack to be successful an attacker needs to spoof an AG’s address. • An AG can easily detect that it is under such an attack (all its requests are being dropped) and can respond by changing its IP address. • The AG then updates its address registration with the new IP address.
Attack Models • Two types of attack models • Fixed-target attacks • Follower attacks • Fixed-Target Attack: The attacker selects few servers and attacks them continuously. • Follower Attacks: The attacker tries to continuously direct the attack into active servers. Follow delay is found.
Other Attack Models • Service-Level Attack: • Usually found in public services. • Can be possible in private services with a large client population and high join/leave and service request rates. • Not possible using a spoofed source address as a three-way handshake is required for the TCP service. • Eavesdropping
Experimental Results • Simulation: • ns-2(Network Simulator) was used. • Ns is a discrete event simulator targeted at network research. • Supports simulation of TCP, routing and multicast protocols over wired or wireless networks.
Simulation Model: • Roaming: • Created a wrapper for the ns-2 built-in FullTcp agent and added a socket layer • Testbed: • Created a multi-threaded FTP server and client modules • FTP connection remains active until either the FTP request is fulfilled or roaming occurs.
Simulation Model (cntd) • What happens if roaming occurs in between a FTP transfer??? • Client module uses its socket layer to record the current FTP state (number of remaining bytes) of the connection • Drops the current TCP agent • Connect to another active agent selected at random • Send the recorded FTP state to new server in order to resume the FTP transfer
Simulation Model (cntd) • Filtering Effect • Connection-dropping: • Modeled a roaming scheme in which there is no filtering • Filter roaming (FR) – Roaming honeypots • Full replication scheme – Non roaming • No filtering – roaming (R)
Simulation Topology: • Authenticator – functionality of roaming update
ART Inferences: • Every point in the graph represents the ART issued within the previous 30 seconds • Non-roaming: • keeps on increasing during the attack (50-250s) • Roaming: • Slight increase • Filter Roaming: • Increases slightly between 50-180s and then stabilizes as all attackers are recorded
M value comparison: • There exists a critical value of M(=10,for this case) • Below Critical Value • Roaming overhead is dominant • M increases => frequency of connection re-establishment decreases resulting in a decreased ART. • Beyond Critical Value • M increases => ART increases. • Two reasons: • Connection-dropping effect occurs less frequently • More client requests are issued to attacked server
Comparison: • The attack load is 5Mbps • For small attack loads, non-roaming scheme outperforms R and FR. • Other attack loads exhibit similar behavior
Comparison: • FR: • Keeps the ART stable with increasing attack loads • Non-roaming: • ART is less for small loads • Art increases for large loads • R: • ART increases with increasing attack load
Follow Delay Comparison: • FR: • ART decreases as follow delay increases • R: • ART decreases as follow delay increases • Non-roaming: • ART is same for follower and fixed-target attacks
Limitations • Roaming honeypots scheme incurs an overhead that causes performance degradation, both in the absence of attacks and under low attack. • Reasons for Overhead: • Load is distributed over k instead of N servers. • During a switch from Active-to-idle state, all the active connections have to be re-established.
Future Work • A mechanism that adaptively changes the number of concurrent active servers depending on attack and client loads, is a subject of future work.
Conclusion • At any point of time, a subset of servers is active and providing service while rest are acting as honeypots. • All legitimate requests are directed by the AGN( from Client – server and vice-versa) • Though this scheme offers an overhead, under the circumstance of high attack loads, it shows a performance gain.
Thank you. Any Questions??? Best of luck for your Presentation and Final exam !!!!!!