Roaming Honeypots for Mitigating Service-level Denial-of-Service Attacks. Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mosse, Rami Melhem, Taieb Znati. University of Pittsburgh, PA. Presented by: Nikhil Mahajan, Sriharsha Hammika.
Denial of Service • Attempt to make a computer resource unavailable to its intended users. • Typically the targets are high-profile web servers.
Effects of DoS: • Force the victim computer(s) to reset or consume their resources such that they can no longer provide their intended service. • Obstruct the communication media between the intended users and the victim such that they can no longer communicate adequately.
Basic idea, from a previous paper: Server Roaming • Proactive server roaming to mitigate the effects of Denial-of-Service (DoS) attacks. • The active server changes its location within a pool of servers to defend against unpredictable and undetectable attacks. • Only legitimate clients can follow the active server as it roams.
However: basic reasons to shift the paradigm: • Server bandwidth. • Clients have to keep track of the active server. • Ratio of active to idle servers.
Honeypots? Honeypots are closely monitored network decoys serving several purposes: • Can distract adversaries from more valuable machines on a network. • Can provide early warning about new attack and exploitation trends. • Allow in-depth examination of adversaries during and after exploitation of a honeypot.
Honeypots. • An upgraded method along the same lines. • A proactive detection mechanism. • Machines that are not supposed to receive any legitimate traffic. • Any traffic destined to a honeypot is most probably an ongoing attack and can be analyzed to reveal the vulnerabilities targeted by attackers.
Standard implementation • Deployed at fixed locations. • Detectable locations, and on machines different from the ones they are supposed to protect. • Sophisticated attacks can avoid the honeypots.
Proposed Solution: Roaming Honeypots • A scheme for mitigating service-level DoS attacks against the back-ends of private services. • The locations of the honeypots change continuously and unpredictably, in disguise, within a pool of back-end servers. • Each server alternates between providing the service and acting as a honeypot in a manner unpredictable to attackers.
On the same lines: • Honeynet: type of honeypot. • High-interaction research honeypot. • Designed to capture extensive information on threats. • The highly controlled network contains one or more honeypots for attackers to interact with, and provides some tools to collect and analyze the information.
Honeynet: three basic jobs: • Data control • Data capture • Data analysis
Data control: reduce risk; compromised systems must not be usable to attack others. • Data capture: detect and capture the attackers' activities. • Data analysis: analyse the captured activity and thus prevent further attacks.
Back to Honeypots: • Filtering Effect. • Connection-dropping effect.
Filtering Effect: • Idle servers (honeypots) detect attacker addresses so that all their subsequent requests are filtered out.
Connection-Dropping Effect: • Each time a server switches from idle to active, it drops all its current (attack) connections, opening a window of opportunity for legitimate requests before the attack builds up again.
AGN: Access Gateway Network
AGN • Keeps track of the current active servers. • Clients contact AGs to subscribe and request services. • After the request is authenticated and authorized, the AG redirects the request to one of the active servers. • Also supports dynamic load balancing.
Connection Migration • At the end of each service epoch, a subset of servers changes status: Active-to-Idle (S_ai) and Idle-to-Active (S_ia). • S_ai and S_ia have the same size, so the number of active servers stays constant. • For each client connection C to a server in S_ai, its handling AG selects a server uniformly from S_ia. • A connection is established between this newly active server and the client using the latest update message from C.
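The two effects (filtering and connection-dropping) and the AG-driven migration at an epoch boundary, as an added toy model in Python. This is not code from the paper or from the authors' ns-2 simulation; the names Pool, ag_request, direct_packet, roam and demo, and the client and attacker addresses used, are assumptions made for illustration. Legitimate traffic goes through ag_request (the AGN path); attack traffic aimed directly at a back-end goes through direct_packet, so it can land on a honeypot.

```python
"""Toy model of a roaming-honeypot pool (added example, not the paper's code)."""
import random
from dataclasses import dataclass, field


@dataclass
class Pool:
    """State shared by the access gateways (AGs) and the back-end pool."""
    servers: list                                    # all N back-end server ids
    active: set                                      # k currently active ids; the rest are honeypots
    filtered: set = field(default_factory=set)       # source addresses recorded by honeypots
    connections: dict = field(default_factory=dict)  # conn_id -> (src, server, legitimate?)


def new_pool(n, k, rng):
    """Start with k of N servers active, chosen unpredictably."""
    servers = list(range(n))
    return Pool(servers, set(rng.sample(servers, k)))


def ag_request(pool, src, conn_id, rng):
    """Legitimate path: the AG drops sources a honeypot has recorded and
    redirects everything else to one of the current active servers."""
    if src in pool.filtered:
        return None
    server = rng.choice(sorted(pool.active))
    pool.connections[conn_id] = (src, server, True)
    return server


def direct_packet(pool, src, server, conn_id):
    """Attack path: traffic aimed straight at a back-end, bypassing the AGN.
    Hitting an idle server (a honeypot) records the source (filtering effect);
    hitting an active server ties up a connection until the next epoch boundary."""
    if server not in pool.active:
        pool.filtered.add(src)
        return False
    pool.connections[conn_id] = (src, server, False)
    return True


def roam(pool, m, rng):
    """Epoch boundary: m active servers go idle (S_ai) and m idle servers become
    active (S_ia), so the active count stays k. Legitimate connections to S_ai are
    re-established by the AG on a server chosen uniformly from S_ia; attack
    connections to S_ai are simply dropped (connection-dropping effect)."""
    idle = [s for s in pool.servers if s not in pool.active]
    s_ai = set(rng.sample(sorted(pool.active), m))
    s_ia = set(rng.sample(idle, m))
    pool.active = (pool.active - s_ai) | s_ia
    migrated, dropped = [], []
    for cid, (src, server, legit) in list(pool.connections.items()):
        if server not in s_ai:
            continue
        if legit:
            pool.connections[cid] = (src, rng.choice(sorted(s_ia)), True)
            migrated.append(cid)
        else:
            del pool.connections[cid]
            dropped.append(cid)
    return s_ai, s_ia, migrated, dropped


def demo(seed=7):
    """One epoch with 6 servers, 3 active: an attacker probes a honeypot and is
    filtered, a client is served via the AG, a second attacker hits an active
    server, then all 3 active servers roam (m = k) and connections are handled."""
    rng = random.Random(seed)
    pool = new_pool(6, 3, rng)
    honeypot = next(s for s in pool.servers if s not in pool.active)
    hit_active = direct_packet(pool, "198.51.100.7", honeypot, "atk-0")  # constructed attacker address
    retry = ag_request(pool, "198.51.100.7", "x", rng)                   # now dropped by the AG
    first = ag_request(pool, "192.0.2.10", "client-1", rng)              # constructed client address
    direct_packet(pool, "198.51.100.8", sorted(pool.active)[0], "atk-1")
    s_ai, s_ia, migrated, dropped = roam(pool, 3, rng)
    return {"hit_active": hit_active, "retry": retry, "first": first,
            "migrated": migrated, "dropped": dropped, "s_ai": s_ai, "s_ia": s_ia, "pool": pool}


if __name__ == "__main__":
    r = demo()
    print("filtered:", r["pool"].filtered, "| migrated:", r["migrated"], "| dropped:", r["dropped"])
    print("active after roaming:", sorted(r["pool"].active))
```

With m = k every active server roams in the same epoch, which is what makes the outcome easy to inspect: the client's connection is re-established on a member of S_ia, while the attacker's direct connection disappears and the attacker has to locate the new active set again (the follow delay discussed later in the slides).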
Network-Level Attacks Using Spoofed IP Addresses • Suppose an attacker uses a forged source address to hide its identity. • If such a request hits a honeypot, then all future correspondence from this IP address is dropped. • If this IP address is the valid address of a client, then that client is discarded automatically? • Fortunately, the AGN automatically takes care of this situation.
Countering spoofed attacks: • Legitimate requests are tunneled through the AGN. • For this attack to be successful, an attacker needs to spoof an AG's address. • An AG can easily detect that it is under such an attack (all its requests are being dropped) and can respond by changing its IP address. • The AG then updates its address registration with the new IP address.
Attack Models • Two types of attack models: • Fixed-target attacks • Follower attacks • Fixed-target attack: the attacker selects a few servers and attacks them continuously. • Follower attack: the attacker tries to continuously direct the attack at the active servers; the time it takes to locate the new active servers is the follow delay.
Other Attack Models • Service-Level Attack: • Usually found in public services. • Can be possible in private services with a large client population and high join/leave and service request rates. • Not possible using a spoofed source address as a three-way handshake is required for the TCP service. • Eavesdropping
Experimental Results • Simulation: • ns-2 (Network Simulator) was used. • ns is a discrete-event simulator targeted at network research. • Supports simulation of TCP, routing and multicast protocols over wired or wireless networks.
Simulation Model: • Roaming: • Created a wrapper for the ns-2 built-in FullTcp agent and added a socket layer. • Testbed: • Created multi-threaded FTP server and client modules. • An FTP connection remains active until either the FTP request is fulfilled or roaming occurs.
Simulation Model (contd.) • What happens if roaming occurs in the middle of an FTP transfer? • The client module uses its socket layer to record the current FTP state (number of remaining bytes) of the connection. • Drops the current TCP agent. • Connects to another active server (TCP agent) selected at random. • Sends the recorded FTP state to the new server in order to resume the FTP transfer.
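The four resumption steps above, as an added Python example; it is not the authors' ns-2 FullTcp wrapper. Server, RoamingFtpClient and run_transfer are assumed names, and FILE is a constructed 10 KiB payload that every back-end server is assumed to replicate. The client records the remaining byte count, drops its agent when roaming happens, picks a new active server at random, and sends the derived offset so the new server continues the transfer instead of restarting it.

```python
"""Client-side resumption of an FTP transfer across a roaming event (added example)."""
import random

FILE = bytes(range(256)) * 40   # constructed 10240-byte file, replicated on every back-end


class Server:
    """A back-end server; `serve` answers a (possibly resumed) request from `offset`."""
    def __init__(self, sid):
        self.sid = sid

    def serve(self, offset, chunk):
        return FILE[offset:offset + chunk]


class RoamingFtpClient:
    """Socket layer that records the FTP state (remaining bytes) so the transfer
    can be resumed on another active server after roaming."""
    def __init__(self, active, rng, chunk=1024):
        self.active = list(active)       # active servers as last announced by the AG
        self.rng = rng
        self.chunk = chunk
        self.received = bytearray()
        self.remaining = len(FILE)       # recorded FTP state
        self.agent = None                # current TCP agent / server
        self.history = []                # servers used, in order

    def connect(self):
        self.agent = self.rng.choice(self.active)   # pick an active server at random
        self.history.append(self.agent.sid)

    def on_roam(self, new_active):
        """Roaming occurred mid-transfer: drop the TCP agent, connect to a new
        active server, and carry the recorded state over."""
        self.active = list(new_active)
        self.agent = None
        self.connect()

    def step(self):
        """Fetch the next chunk; the offset sent is derived from the recorded state,
        so a server reached after roaming resumes rather than restarts."""
        if self.agent is None:
            self.connect()
        offset = len(FILE) - self.remaining
        data = self.agent.serve(offset, self.chunk)
        self.received += data
        self.remaining -= len(data)
        return len(data)


def run_transfer(seed=3, roam_at_chunk=4):
    """Run one transfer in which roaming happens after `roam_at_chunk` chunks.
    Returns (bytes_received, servers_used)."""
    rng = random.Random(seed)
    pool = [Server(i) for i in range(4)]
    client = RoamingFtpClient(pool[:2], rng)        # servers 0 and 1 active in epoch 1
    chunks = 0
    while client.remaining > 0:
        if chunks == roam_at_chunk:
            client.on_roam(pool[2:])                 # servers 2 and 3 active in epoch 2
        client.step()
        chunks += 1
    return bytes(client.received), client.history


if __name__ == "__main__":
    data, used = run_transfer()
    print(len(data), "bytes received, intact:", data == FILE, "| servers used:", used)
```

The cost the later slides attribute to roaming is visible here: every roaming event costs a reconnect, and the transfer only survives it because the client, not the server, owns the resumption state.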
Simulation Model (contd.) • To separate the filtering effect from the connection-dropping effect, three schemes were modeled: • Filter roaming (FR): roaming honeypots (roaming with filtering). • Roaming without filtering (R): a roaming scheme in which there is no filtering. • Full replication: non-roaming.
Simulation Topology: • Authenticator: provides the roaming-update functionality.
ART (average response time) inferences: • Every point in the graph represents the ART of requests issued within the previous 30 seconds. • Non-roaming: • keeps increasing during the attack (50-250 s). • Roaming: • slight increase. • Filter roaming: • increases slightly between 50 and 180 s and then stabilizes, as all attackers have been recorded.
M value comparison: • There exists a critical value of M (= 10 for this case). • Below the critical value: • roaming overhead is dominant; • as M increases, the frequency of connection re-establishment decreases, resulting in a decreased ART. • Beyond the critical value: • as M increases, ART increases, for two reasons: • the connection-dropping effect occurs less frequently; • more client requests are issued to the attacked server.
Comparison: • The attack load is 5 Mbps. • For small attack loads, the non-roaming scheme outperforms R and FR. • Other attack loads exhibit similar behavior.
Comparison: • FR: • keeps the ART stable with increasing attack loads. • Non-roaming: • ART is lower for small loads; • ART increases for large loads. • R: • ART increases with increasing attack load.
Follow Delay Comparison: • FR: • ART decreases as follow delay increases. • R: • ART decreases as follow delay increases. • Non-roaming: • ART is the same for follower and fixed-target attacks.
Limitations • The roaming honeypots scheme incurs an overhead that causes performance degradation, both in the absence of attacks and under low attack loads. • Reasons for the overhead: • Load is distributed over k instead of N servers. • During a switch from active to idle, all the active connections have to be re-established.
Future Work • A mechanism that adaptively changes the number of concurrent active servers depending on attack and client loads is a subject of future work.
Conclusion • At any point in time, a subset of servers is active and providing service while the rest act as honeypots. • All legitimate requests are directed by the AGN (from client to server and vice versa). • Though this scheme incurs an overhead, under high attack loads it shows a performance gain.
Thank you. Any questions? Best of luck for your presentation and final exam!