Roaming Honeypots for Mitigating Service-level Denial-of-Service Attacks - PowerPoint PPT Presentation

Slides: 41
Provided by: nikhilm
Transcript and Presenter's Notes

1
Roaming Honeypots for Mitigating Service-level
Denial-of-Service Attacks
  • Sherif M. Khattab, Chatree Sangpachatanaruk,
    Daniel Mosse, Rami Melhem, Taieb Znati.
  • University of Pittsburgh, PA.
  • Presented by Nikhil Mahajan
  • Sriharsha Hammika

2
Denial of Service
  • Attempt to make a computer resource unavailable
    to its intended users.
  • Typically the targets are high-profile web
    servers.

3
Effects of DoS
  • Force the victim computer(s) to reset or consume
    its resources such that it can no longer provide
    its intended service.
  • Obstruct the communication media between the
    intended users and the victim such that they
    can no longer communicate adequately.

4
Basic idea comes from a previous paper
  • Server Roaming
  • Proactive server roaming to mitigate the effects
    of Denial-of-Service (DoS) attacks.
  • The active server changes its location within a
    pool of servers to defend against unpredictable
    and undetectable attacks.
  • Only legitimate clients can follow the active
    server as it roams.

5
However
  • Basic reasons to shift the paradigm
  • Server Bandwidth.
  • Clients have to keep track of the active server.
  • Ratio of active to idle servers.

6
Honeypots ?
  • Honeypots are closely monitored network decoys
    serving several purposes:
  • Can distract adversaries from more valuable
    machines on a network.
  • Can provide early warning about new attack and
    exploitation trends
  • Allow in-depth examination of adversaries during
    and after exploitation of a honeypot.

7
Honeypots.
  • An upgraded method along the same lines.
  • A proactive detection mechanism.
  • Machines that are not supposed to receive any
    legitimate traffic.
  • Any traffic destined to a honeypot is most
    probably an ongoing attack and can be analyzed to
    reveal vulnerabilities targeted by attackers.

8
Standard implementation
  • Deployed at fixed locations.
  • Detectable locations, and on machines different
    from the ones they are supposed to protect.
  • Sophisticated attacks can avoid the honeypots.

9
Proposed Solution
  • Roaming Honeypots
  • A scheme for mitigating service-level DoS attacks
    against back-ends of private services.
  • The locations of the honeypots change continuously
    and unpredictably, disguised within a pool of
    back-end servers.
  • Each server alternates between providing the
    service and acting as a honeypot in a manner
    unpredictable to attackers.

10
On the same lines
  • Honeynet type of honeypot.
  • High-interaction research honeypot.
  • Designed to capture extensive information on
    threats.
  • The highly controlled network contains one or
    more honeypots for attackers to interact with,
    and provides some tools to collect and analyze
    the information.

11
Honeynet
  • Three basic jobs:
  • Data control
  • Data capture and
  • Data analysis

12
  • Data Control: reduce risk; compromised systems
    should not be used.
  • Data Capture: detect and capture attackers'
    activities.
  • Data Analysis: analyse the captured data and thus
    prevent further attacks.

13
Back to Honeypots
  • Filtering Effect.
  • Connection-dropping effect.

14
  • Filtering Effect
  • Idle servers (honeypots) detect attacker
    addresses so that all their subsequent requests
    are filtered out.
  • Connection-Dropping Effect
  • Each time a server switches from idle to active,
    it drops all its current (attack) connections,
    opening a window of opportunity for legitimate
    requests before the attack builds up again.

15
AGN
Access Gateway Network
16
AGN
  • Keeps track of the current active servers.
  • Clients contact AGs to subscribe to and request
    services.
  • After the request is authenticated and
    authorized, the AG redirects it to one of the
    active servers.
  • AGs also support dynamic load balancing.

17
Connection Migration
  • At the end of each service epoch, a subset of
    servers change their status from Active-to-Idle
    and Idle-to-Active.
  • Sai and Sia
  • Sai Sia.
  • For each client connection C to a server in Sai,
    its handling AG selects a server uniformly at
    random from Sia.
  • A connection is then established between this
    newly active server and the client, using the
    latest update message from C.
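The filtering and connection-dropping effects of slide 14 and the end-of-epoch migration of slide 17 can be watched in a small discrete-time model. This is an added example written for this page, not the authors' ns-2 code; the server count, the size of the swapped subsets, the client and attacker names and the "AG" (modelled only as the logic that re-homes legitimate connections) are all constructed.

```python
import random
from collections import defaultdict

class RoamingHoneypots:
    """k of n back-end servers are active, the rest are honeypots; roles swap each epoch."""
    def __init__(self, n_servers, k_active, seed=0):
        self.rng = random.Random(seed)
        self.servers = list(range(n_servers))
        self.active = set(self.rng.sample(self.servers, k_active))
        self.filtered = set()           # sources that ever hit a honeypot
        self.conns = defaultdict(set)   # server -> {(src, is_legit)}
    def request(self, src, server, legit):
        if src in self.filtered:
            return "filtered"           # filtering effect: dropped upstream of the servers
        if server not in self.active:
            self.filtered.add(src)      # honeypot hit: remember the source address
            return "honeypot"
        self.conns[server].add((src, legit))
        return "served"
    def epoch(self):
        """Swap S_ai (active->idle) with S_ia (idle->active); the AG migrates legitimate connections."""
        idle = sorted(set(self.servers) - self.active)
        m = min(len(idle), len(self.active))
        s_ai = self.rng.sample(sorted(self.active), m)
        s_ia = self.rng.sample(idle, m)
        dropped = 0
        for s in s_ai:
            for src, legit in self.conns.pop(s, set()):
                if legit:               # re-established at a server chosen uniformly from S_ia
                    self.conns[self.rng.choice(s_ia)].add((src, legit))
                else:                   # connection-dropping effect: attack connection dies
                    dropped += 1
        self.active = (self.active - set(s_ai)) | set(s_ia)
        return dropped

def simulate(epochs=5, n=6, k=3, seed=1):
    """Fixed-target attackers hit the initially active servers; 3 legitimate clients follow via the AG."""
    rh = RoamingHoneypots(n, k, seed)
    active = sorted(rh.active)
    for i in range(3):
        rh.request("client%d" % i, rh.rng.choice(active), True)
    targets = {"attacker%d" % i: s for i, s in enumerate(active)}
    stats = defaultdict(int)
    for _ in range(epochs):
        for a, s in targets.items():
            stats["attack_" + rh.request(a, s, False)] += 1
        stats["attack_dropped"] += rh.epoch()
        assert all(s in rh.active for s in rh.conns)  # legitimate clients always follow the service
        stats["legit_conns"] += sum(len(cs) for cs in rh.conns.values())
    return dict(stats), rh.filtered
```

With n=6 and k=3 every epoch swaps the whole active set, so each fixed-target attacker is served once, hits a honeypot on the next epoch and is filtered from then on, while the three legitimate connections survive every migration.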

18
Network Level Attacks
  • Using spoofed IP addresses.
  • Suppose an attacker uses a forged source
    address to hide their identity.
  • If such a request hits a honeypot, then all future
    correspondence from this IP address is dropped.
  • If this IP address is the valid address of a client,
    then this client is discarded automatically.
  • !!!!!!!! ????
  • Fortunately, the AGN automatically takes care of this
    situation.

19
Countering Spoofed attacks
  • Legitimate requests are tunneled through the AGN.
  • For this attack to be successful, an attacker
    needs to spoof an AG's address.
  • An AG can easily detect that it is under such an
    attack (all its requests are being dropped) and
    can respond by changing its IP address.
  • The AG then updates its address registration with
    the new IP address.

20
Attack Models
  • Two types of attack models:
  • Fixed-target attacks
  • Follower attacks
  • Fixed-Target Attack
  • The attacker selects a few servers and
    attacks them continuously.
  • Follower Attacks
  • The attacker tries to continuously
    direct the attack at the active servers.
  • This model is characterised by a follow delay.

21
Other Attack Models
  • Service-Level Attack
  • Usually found in public services.
  • Can be possible in private services with a large
    client population and high join/leave and service
    request rates.
  • Not possible using a spoofed source address, as a
    three-way handshake is required for the TCP
    service.
  • Eavesdropping

22
Experimental Results
  • Simulation
  • ns-2 (Network Simulator) was used.
  • ns is a discrete-event simulator targeted at
    network research.
  • Supports simulation of TCP, routing and multicast
    protocols over wired or wireless networks.

23
Simulation Model
  • Roaming
  • Created a wrapper for the ns-2 built-in FullTcp
    agent and added a socket layer.
  • Testbed
  • Created multi-threaded FTP server and client
    modules.
  • An FTP connection remains active until either the
    FTP request is fulfilled or roaming occurs.

24
Simulation Model (contd.)
  • What happens if roaming occurs in the middle of an
    FTP transfer?
  • The client module uses its socket layer to record
    the current FTP state (number of remaining bytes)
    of the connection,
  • drops the current TCP agent,
  • connects to another active agent selected at
    random, and
  • sends the recorded FTP state to the new server in
    order to resume the FTP transfer.

25
Simulation Model (contd.)
  • Filtering effect
  • Connection-dropping effect
  • Also modeled a roaming scheme in which there is no
    filtering
  • Filter roaming (FR): the roaming honeypots scheme
  • Full replication scheme: non-roaming
  • No-filtering roaming (R)

26
Simulation Topology
  • Authenticator functionality of roaming update

27
Simulation Result
28
ART Inferences
  • Every point in the graph represents the average
    response time (ART) of requests issued within the
    previous 30 seconds
  • Non-roaming
  • Keeps on increasing during the attack (50-250 s)
  • Roaming
  • Slight increase
  • Filter roaming
  • Increases slightly between 50-180 s and then
    stabilizes once all attackers are recorded

29
Effect of Migration Interval
30
M value comparison
  • There exists a critical value of M, the migration
    interval (10, for this case)
  • Below the critical value
  • Roaming overhead is dominant
  • As M increases, the frequency of connection
    re-establishment decreases, resulting in a
    decreased ART.
  • Beyond the critical value
  • As M increases, ART increases.
  • Two reasons
  • The connection-dropping effect occurs less frequently
  • More client requests are issued to the attacked server

31
Effect of Client Load
32
Comparison
  • The attack load is 5 Mbps
  • For small attack loads, the non-roaming scheme
    outperforms R and FR.
  • Other attack loads exhibit similar behavior

33
Effect of Attack Load
34
Comparison
  • FR
  • Keeps the ART stable with increasing attack loads
  • Non-roaming
  • ART is lower for small loads
  • ART increases for large loads
  • R
  • ART increases with increasing attack load

35
Effect of Follow Delay
36
Follow Delay Comparison
  • FR
  • ART decreases as follow delay increases
  • R
  • ART decreases as follow delay increases
  • Non-roaming
  • ART is the same for follower and fixed-target attacks

37
Limitations
  • The roaming honeypots scheme incurs an overhead that
    causes performance degradation, both in the
    absence of attacks and under low attack loads.
  • Reasons for the overhead:
  • Load is distributed over k instead of N servers.
  • During a switch from active to idle, all the
    active connections have to be re-established.

38
Future Work
  • A mechanism that adaptively changes the number of
    concurrent active servers depending on attack and
    client loads is a subject of future work.

39
Conclusion
  • At any point in time, a subset of servers is
    active and providing the service while the rest
    act as honeypots.
  • All legitimate traffic is directed through the AGN
    (from client to server and vice-versa).
  • Though this scheme incurs an overhead, under
    high attack loads it shows a performance gain.

40
  • Thank you.
  • Any Questions???
  • Best of luck for your presentation and final exam!