Real Player & Real Server. Packets Received: Around 23,00 - PowerPoint PPT Presentation

Description: Real Player & Real Server. Packets Received: Around 23,000 ... QoS Experienced at A2D2 by Real Player Client with No DDoS. Playout Buffering to Avoid Jitter ... – PowerPoint PPT presentation

Slides: 28
Provided by: TM73
Learn more at: http://cs.uccs.edu

Transcript and Presenter's Notes

1
Security Related Research Projects at UCCS Network Research Lab
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
2
Outline of the Talk
  • Brief Introduction to the Network/Protocol
    Research Lab at UCCS
  • Network security related research projects at
    UCCS Network/Protocol Research Lab
  • Autonomous Anti-DDoS Project
  • Secure Collective Defense Project
  • BGP/MPLS based VPN Project
  • Discussion on AFA-UCCS Joint Research/Teaching
    Projects on Information Assurance
  • Penetration Analysis/Testing exercises?
  • Intrusion Detection/Handling exercises?
  • Other Cyberwarfare related projects?
  • Security Forum/Seminar Series

3
UCCS Network Research Lab
  • Personnel
    • Director: Dr. C. Edward Chow
    • Graduate students:
      • Chandra Prakash: Highly Available Linux kernel-based Content Switch
      • Ganesh Godavari: Linux-based Secure Web Switch
      • Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
      • Longhua Li: IXP-based Content Switch
      • Yu Cai (Ph.D. research assistant): Multipath Routing
      • Jianhua Xie (Ph.D.): Secure Storage Networks
      • Frank Watson: Content Switch for Email Security
      • Paul Fong: Wireless AODV Routing for Sensor Networks
      • Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS
      • David Wikinson/Sonali Patankar: Secure Collective Defense
      • Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
      • Patricia Ferrao: Web-based Collaborative System Support

4
UCCS Network Lab Setup
  • Gigabit fiber connection to UCCS backbone
  • Switch/Firewall/Wireless AP
    • HP 4000 switch, 4 Linksys/Dlink switches
    • SonicWall Pro 300 firewall
    • 8 Intel 7112 SSL accelerators and 4 7820 XML directors, donated by Intel
    • Cisco 1200 Aironet dual-band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards)
  • Intel IXP12EB network processor evaluation board
  • Servers: two Dell PowerEdge servers
  • Workstations/PCs
    • 8 Dell PCs (3 GHz-500 MHz), 12 HP PCs (500-233 MHz)
    • 2 laptop PCs with Aironet 350 for mobile wireless
  • OS: Linux Red Hat 8.0, Windows XP/2000

5
(Lab setup diagram: HP4000 switch, Gigabit fiber to UCCS backbone, workstation, Dell server, Intel IXP network processor)
6
  • Intel 7110 SSL Accelerators
  • 7280 XML Director

7
DDoS: Distributed Denial of Service Attack
  • DDoS Victims
    • Yahoo/Amazon, 2000
    • CERT, 5/2001
    • DNS Root Servers, 10/2002
  • DDoS Tools
    • Stacheldraht
    • Trinoo
    • Tribal Flood Network (TFN)
8
How wide spread is DDoS?
  • Research by Moore et al. of the University of California at San Diego, 2001
  • 12,805 DoS attacks in a 3-week period
  • Most victims were home users and small to medium sized organizations

9
Intrusion Related Research Areas
  • Intrusion Prevention
    • General Security Policy
    • Ingress/Egress Filtering
  • Intrusion Detection
    • Anomaly Detection
    • Misuse Detection
  • Intrusion Response
    • Identification/Traceback/Pushback
  • Intrusion Tolerance

10
Security Related Research Projects
  • Secure Content Switch
  • Autonomous Anti-DDoS Project
    • Deals with intrusion detection and handling
    • Techniques
      • IDS-Firewall Integration
      • Adaptive Firewall Rules
      • Easy to use/manage
  • Secure Collective Defense Project
    • Deals with intrusion tolerance: how to tolerate the attack
    • Techniques (main idea: explore secure alternate paths for clients to come in)
      • Multiple Path Routing
      • Secure DNS extension: how to inform client DNS servers to add alternate new entries
      • Utilize a consortium of proxy servers with IDS that hides the IP address of alternate gateways
  • BGP/MPLS based VPN Project
  • Content Switch for Email Security

11
Design of an Autonomous Anti-DDOS Network (A2D2)
  • Graduate student: Angela Cearns
  • Goals
    • Study Linux Snort IDS/Firewall system
    • Develop Snort plug-in for generic flood detection
    • Investigate rate limiting and class-based queueing (CBQ) for effective firewall protection
    • Intrusion detection automatically triggers adaptive firewall rule updates
    • Study QoS impact with/without the A2D2 system
  • http://cs.uccs.edu/chow/pub/master/acearns/doc/

13
A2D2 Multi-Level Adaptive Rate Limiting
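The A2D2 goals above (a flood detector that triggers adaptive firewall rules) and the multi-level rate limiting of this slide can be modelled in a few dozen lines. The following is an added example, not code from the A2D2 project or the original slides: a per-source sliding-window flood detector that escalates through constructed rate-limit levels and relaxes one step at a time, run over a constructed packet trace. The thresholds, action names and addresses are assumptions for illustration.

```python
from collections import defaultdict, deque

WINDOW = 1.0  # seconds of history the flood detector examines per source
# Escalation ladder (constructed values): packets per WINDOW -> firewall action.
LEVELS = [(20, "RATE_LIMIT_50"), (50, "RATE_LIMIT_10"), (100, "DROP")]


class FloodDetector:
    """Per-source sliding-window packet counter that escalates/de-escalates."""
    def __init__(self, window=WINDOW, levels=LEVELS):
        self.window = window
        self.levels = levels
        self.history = defaultdict(deque)  # src -> packet timestamps in window
        self.level = defaultdict(int)      # src -> current level (0 = unrestricted)

    def observe(self, ts, src):
        """Record one packet; return the action the firewall should enforce."""
        q = self.history[src]
        q.append(ts)
        while ts - q[0] > self.window:   # expire timestamps outside the window
            q.popleft()
        rate = len(q)
        wanted = sum(1 for threshold, _ in self.levels if rate >= threshold)
        cur = self.level[src]
        if wanted > cur:                 # escalate at once when a threshold is crossed
            cur = wanted
        elif wanted < cur and rate < self.levels[cur - 1][0] // 2:
            cur -= 1                     # relax one step at a time (hysteresis)
        self.level[src] = cur
        return self.levels[cur - 1][1] if cur else None


def simulate(trace, detector=None):
    """Replay (timestamp, src) packets; return (ts, src, action) transitions."""
    det = detector or FloodDetector()
    current, transitions = {}, []
    for ts, src in trace:
        action = det.observe(ts, src)
        if action != current.get(src):
            current[src] = action
            transitions.append((ts, src, action))
    return transitions


def constructed_trace():
    """Constructed sample: a well-behaved client plus one flooding source."""
    legit = [(i * 0.2, "10.0.0.5") for i in range(20)]            # 5 pkt/s
    flood = [(1.0 + i * 0.01, "192.0.2.99") for i in range(100)]  # 100 pkt/s burst
    return sorted(legit + flood + [(6.0, "192.0.2.99")])          # one late packet
```

Replaying `constructed_trace()` through `simulate()` shows the flooding source walking up the ladder to DROP while the 5 pkt/s client is never touched, and the late packet after the burst relaxes the source by only one level rather than clearing it outright.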
14
A2D2 QoS Results - Baseline
Playout Buffering to Avoid Jitter
  • 10-min video stream between Real Player and Real Server
  • Packets Received: around 23,000 (23,445)
  • No DDoS attack

QoS Experienced at A2D2 by Real Player Client with No DDoS
15
A2D2 Results: Non-stop Attack
  • Packets Received: 8,039
  • Retransmission Requests: 2,592
  • Retransmissions Received: 35
  • Lost: 2,557
  • Connection timed out

Loss of Packets
QoS Experienced at A2D2 Client
16
A2D2 Results: UDP Attack, Mitigation: Firewall Policy
  • Packets Received: 23,407
  • Retransmission Requests: 0
  • Retransmissions Received: 0
  • Lost: 0
  • Looks like we just need plain old firewall rules, no fancy rate limiting/CBQ?

QoS Experienced at A2D2 Client
17
A2D2 Results: ICMP Attack, Mitigation: Firewall Policy
  • Packets Received: 7,127
  • Retransmission Requests: 2,105
  • Retransmissions Received: 4
  • Lost: 2,101
  • Connection timed out
  • Just plain old firewall rules are not good enough!

Packet/Connection Loss
QoS Experienced at A2D2 Client
18
A2D2 Results: TCP Attack, Mitigation Policy: CBQ
  • Turn on CBQ
  • Packets Received: 22,179
  • Retransmission Requests: 4,090
  • Retransmissions Received: 2,641
  • Lost: 1,449
  • Screen quality impact!

Looks OK but Quality Degrades
QoS Experienced at A2D2 Client
19
A2D2 Results: TCP Attack, Mitigation Policy: CBQ + Rate Limiting
  • Turn on both CBQ and rate limiting
  • Packets Received: 23,444
  • Retransmission Requests: 49 / 1,376
  • Retransmissions Received: 40 / 776
  • Lost: 9 / 600
  • No image quality degradation

QoS Experienced at A2D2 Client
20
A2D2 Future Work
  • Extend to include IDIP/Pushback
  • Anomaly Detection
  • Improve Firewall/IDS Processing Speed
  • Scalability Issues
  • Tests with More Service Types
  • Tests with Heavy Client Traffic Volume
  • Fault Tolerance (Multiple Firewall Devices)
  • Alternate Routing

21
Wouldn't it be Nice to Have Alternate Routes?
(Diagram: client networks net-a.com, net-b.com, net-c.com, ... with DNS servers DNS1-DNS3 and routers R1-R3; both DDoS attack traffic and client traffic converge on the victim through a single DNS/router path)
How to reroute clients' traffic through R1-R3?
22
Implement Alternate Routes
(Diagram: same topology as the previous slide, with client traffic redirected through alternate routers R1-R3 while DDoS attack traffic still hits the victim's original path)
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?
23
Possible Solution for Alternate Routes
24
Secure Collective Defense
  • Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers
  • Goals
    • Provide secure alternate routes
    • Hide IP addresses of alternate gateways
  • Techniques
    • Multiple Path Routing
    • Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
    • Utilize a consortium of proxy servers with IDS that hides the IP address of alternate gateways
    • How to partition clients to come in at different proxy servers? May help identify the attacker!
    • How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, modify the resolver library?

25
New UCCS IA Degree/Certificate
  • Master of Engineering Degree in Information Assurance
  • Certificate in Information Assurance (offered to Peterson AFB through NISSC)
    • Courses: Computer Networks, Fundamentals of Security, Cryptography, Advanced System Security Design

26
New CS691 Course on Advanced System Security
Design
  • Use Matt Bishop's new Computer Security text
  • Spring 2003, with one class at UCCS and one at Peterson AFB
  • Potential use/cooperation with the Distributed Security Lab of Raytheon?
  • Integrate security research results into course material, such as the A2D2, Secure Collective Defense and MPLS-VPN projects
  • Invite speakers from industry such as Innerwall and AFA?
  • Looking for potential joint exercises with other institutions such as AFA

27
Joint Research/Teaching Effort on Information
Assurance
  • Penetration Analysis/Testing exercises?
  • Intrusion Detection/Handling exercises?
  • Other Cyberwarfare related projects?
  • Security Forum organized by Dean Haefner/Dr.
    Ayen
  • Security Seminar Series with CITTI funding
    support
  • Looking for speakers (suggestions?)