SCOLD: Secure Collective Internet Defense
http://cs.uccs.edu/~scold/
A NISSC Sponsored Project
C. Edward Chow, Yu Cai, Dave Wilkinson
Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2002 grant.
Cybersecurity Symposium, 9/19/2003

Outline of the Talk
- Network security related research projects at the UCCS Network/Protocol Research Lab
- Secure Collective Internet Defense, the idea. How should we pursue it?
- Secure Collective Internet Defense, SCOLDv0.1: a technique based on the intrusion tolerance paradigm
- SCOLDv0.1 implementation and testbed
  - Secure DNS update with indirect routing entries
  - Indirect routing protocol based on IP tunnels
- Performance evaluation of SCOLDv0.1
- Conclusion and future directions

New UCCS IA Degree/Certificate
- Master of Engineering Degree in Information Assurance
- Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3). It includes four courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design.

UCCS Network/System Research Lab
Director: Dr. C. Edward Chow
Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
New CS faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
- John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (two US patents)
- Hekki Julkunen: Dynamic Packet Filter
- Chandra Prakash: High Available Linux kernel-based Content Switch
- Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; Wireless Sensor Network
- Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
- Longhua Li: IXP-based Content Switch
- Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
- Jianhua Xie (Ph.D.): Secure Storage Networks
- Frank Watson: Content Switch for Email Security
- Paul Fong: Wireless AODV Routing for sensor networks
- Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
- David Wilkinson: SCOLD: Secure DNS Update
- Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI

UCCS Network Lab Setup
- Gigabit fiber connection to the UCCS backbone
- Router/Switch/Firewall/Wireless AP: 8 routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink switches; Sonicwall Pro 300 firewall*, 8 VPN gateways*, 8 Intel 7112 SSL accelerators*, 4 7820 XML directors*; Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards); Intel IXP12EB network processor evaluation board
- Servers: two Dell PowerEdge servers*, 4 cache appliances*
- Workstations/PCs: 8 Dell PCs (3 GHz*-500 MHz); 12 HP PCs (500-233 MHz); 2 laptop PCs with Aironet 350 for mobile wireless
- OS: Linux Red Hat 9.0; Windows XP/2000
* Equipment donated by Intel

DDoS: Distributed Denial of Service Attack
- Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period; most targets were home, small to medium sized organizations
- DDoS victims: Yahoo/Amazon 2000; CERT 5/2001; DNS root servers 10/2002
- DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)

Secure Collective Internet Defense
The Internet "attacks" community seems to be better organized. How about Internet Secure Collective Defense?
- Report/exchange virus info and distribute anti-virus: not bad (need to pay Norton or Network Associates)
- Report/exchange spam info: not good (spambayes, spamassassin, email firewall, remove.org)
- Report attack (to your admin or the FBI?): not good
- IP traceback: difficult to negotiate even the use of one bit in the IP header
- Push back attack: slow; call to upstream ISP; hard to find the IDIP spec!
- Form a consortium and help each other during attacks: almost non-existent

Intrusion Related Research Areas
- Intrusion Prevention: general security policy; ingress/egress filtering
- Intrusion Detection: honey pot; host-based IDS (Tripwire); anomaly detection; misuse detection
- Intrusion Response: identification/traceback/pushback
- Intrusion Tolerance

Wouldn't it be Nice to Have Alternate Routes?
[Figure: network diagram with client networks net-a.com, net-b.com and net-c.com, their DNS servers DNS1-DNS3, routers R, alternate gateways R1-R3 and the victim; DDoS attack traffic and client traffic arrive over the same direct route.]
How to reroute clients' traffic through R1-R3? Multi-homing; alternate gateways.

Secure Collective Defense Main Idea
- Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
- Goal: provide secure alternate routes; hide the IP addresses of the alternate gateways.
- Techniques:
  - Multiple Path (Indirect) Routing
  - Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
  - Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways
  - How to partition clients to come in at different proxy servers? This may help identify the attacker!
  - How do clients use the new DNS entries and route traffic through the proxy server? Use the Sock protocol; modify the resolver library

Implement Alternate Routes
[Figure: the same diagram with alternate gateways R1-R3 added in front of the victim.]
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?

SCOLD
[Figure sequence: client networks net-a.com, net-b.com and net-c.com with DNS1-DNS3, proxy servers Proxy1-Proxy3, alternate gateways R1-R3, the Reroute Coordinator and the victim; attack traffic is blocked at the direct route while client traffic is rerouted.]
1. IDS detects the intrusion, blocks the attack traffic and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS name, IP address of victim, proxy server(s)) to the DNS servers.
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3.
4a. Attack traffic is detected by the IDS and blocked by the firewall.
4b. Client traffic comes in via the alternate route.

SCOLD Secure DNS Update with New Indirect DNS Entries
Modified Bind9 on the DNS servers; modified client resolve library.
New indirect DNS entry: (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38). The ALT list is a set of alternate proxy servers for indirect routes.

SCOLD Indirect Routing
[Figure: indirect route built from IP tunnels between the client side, the proxy server and the alternate gateway.]

SCOLD Indirect Routing with Client running SCOLD client daemon
[Figure: the same IP-tunnel based indirect route, with the client itself running the SCOLD client daemon.]

Performance of SCOLD v0.1
Table 1: Ping Response Time (on a 3 hop route)
  No DDoS attack, direct route:    0.49 ms
  DDoS attack, direct route:       225 ms
  No DDoS attack, indirect route:  0.65 ms
  DDoS attack, indirect route:     0.65 ms

Table 2: SCOLD FTP/HTTP download test (from client to target); each cell gives FTP / HTTP time
  Doc size | No DDoS, direct   | DDoS, direct      | No DDoS, indirect | DDoS, indirect
  100k     | 0.11 s / 3.8 s    | 8.6 s / 9.1 s     | 0.14 s / 4.6 s    | 0.14 s / 4.6 s
  250k     | 0.28 s / 11.3 s   | 19.5 s / 13.3 s   | 0.31 s / 11.6 s   | 0.31 s / 11.6 s
  500k     | 0.65 s / 30.8 s   | 39 s / 59 s       | 0.66 s / 31.1 s   | 0.67 s / 31.1 s
  1000k    | 1.16 s / 62.5 s   | 86 s / 106 s      | 1.15 s / 59 s     | 1.15 s / 59 s
  2000k    | 2.34 s / 121 s    | 167 s / 232 s     | 2.34 s / 122 s    | 2.34 s / 123 s

A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
[Figure only.]

Future Directions
- Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
- Recruit sites for wide area network SCOLD experiments. Northrop Grumman, the Air Force Academy's IA Lab and the University of Texas are initial potential partners. Email me if you would like to be part of the SCOLD beta test sites and a member of the SCOLD consortium.
- We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool. The network status information collected and analyzed by MIND can be used for selecting proxy server sites. Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem. SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.

Conclusion
- Secure Collective Internet Defense needs significant help from the community. Tremendous research and development opportunities.
- SCOLD v0.1 demonstrated DDoS defense via secure DNS updates carrying new indirect routing entries and IP-tunnel based indirect routing, letting legitimate clients come in through a set of proxy servers and alternate gateways.
- Multiple indirect routes can also be used to improve the performance of Internet connections by using an organization's proxy servers as connection relay servers.
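The reroute exchange and the indirect DNS entry described above, as an added Python model that is not part of the SCOLD project code. The slides say only that the DNS update is "secure" and ask how to partition clients across proxies, so the HMAC tag on the Reroute Command, the shared key, and the hash-based client partition are assumptions made here; the names and addresses are constructed from the slide's example entry.

```python
import hashlib
import hmac

# Constructed sample data modelled on the slide's indirect DNS entry:
# (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 ...).
TARGET = "target.targetnet.com"
TARGET_IP = "133.41.96.71"
PROXIES = ["203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38"]
# Hypothetical shared secret between the Reroute Coordinator and the client
# DNS server; the slides say only that the update is "secure", so an HMAC
# tag over the command is an assumption made for this example.
COORD_KEY = b"constructed-demo-key"


def sign_command(name, victim_ip, proxies, key=COORD_KEY):
    """Build a Reroute Command (DNS name, victim IP, proxy list) with an HMAC tag."""
    msg = f"{name}|{victim_ip}|{','.join(proxies)}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"name": name, "victim_ip": victim_ip, "proxies": list(proxies), "tag": tag}


class ClientDns:
    """Client-side DNS server holding normal A records plus SCOLD ALT entries."""

    def __init__(self, a_records, key=COORD_KEY):
        self.a = dict(a_records)  # name -> direct IP of the target
        self.alt = {}             # name -> list of proxy IPs for indirect routes
        self.key = key

    def apply_reroute_command(self, cmd):
        """Accept a Reroute Command only if its tag verifies and the victim IP
        matches the A record already held for that name."""
        expected = sign_command(cmd["name"], cmd["victim_ip"], cmd["proxies"], self.key)["tag"]
        if not hmac.compare_digest(expected, cmd["tag"]):
            return False
        if self.a.get(cmd["name"]) != cmd["victim_ip"]:
            return False
        self.alt[cmd["name"]] = list(cmd["proxies"])
        return True

    def resolve(self, name, client_ip):
        """Return the direct IP while no reroute is active, otherwise one proxy
        from the ALT list chosen by a deterministic client partition: a client
        always enters via the same proxy, so attack traffic seen at one proxy
        narrows the suspect client set."""
        proxies = self.alt.get(name)
        if not proxies:
            return self.a[name]
        idx = int(hashlib.sha256(client_ip.encode()).hexdigest(), 16) % len(proxies)
        return proxies[idx]
```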