Title: Design of an Autonomous Anti-DDOS Network (A2D2)
1 Design of an Autonomous Anti-DDOS Network (A2D2)
- Angela Cearns
- Thesis Defense
- Thursday October 24, 2002
- Master of Software Engineering
- Department of Computer Science
- University of Colorado, Colorado Springs
2 Design of an Autonomous Anti-DDOS Network (A2D2)
- Author: Angela Cearns
- Committee Members
  - Dr. C. Edward Chow
  - Dr. Jugal K. Kalita
  - Dr. Charles M. Shub
3 DoS / DDoS Problem Domain Definition
- DoS: Denial of Service Attack
- DDoS: Distributed Denial of Service Attack
- Example victims: Yahoo, Amazon, CERT
- Attack tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
4 Mitigation - Commercial
5 Mitigation - Commercial
6 DDoS Target Audience
- Research by University of California at San Diego
  - 12,805 DoS attacks in a 3-week period
  - Home, small to medium sized networks
7 Mitigation - A2D2 (This Thesis)
- Autonomous Anti-DDoS Network (A2D2)
- A2D2 Target Audience
  - Home, small to medium sized networks
- Design Principles
  - Affordable
  - Manageable
  - Configurable
  - Portable
  - Research-Oriented
8 A2D2 Background Research
- 3 main research areas
  - Intrusion Prevention
    - General Security Policy
    - Ingress/Egress Filtering
  - Intrusion Detection
    - Anomaly Detection
    - Misuse Detection
  - Intrusion Response
    - Source Identification
    - Intrusion Tolerance
9 A2D2 Intrusion Tolerance
- Quality of Service (QoS)
- Intrusion Tolerant QoS Techniques
  - Rate Limiting
  - Class-Based Queuing (CBQ)
- Intrusion Tolerant QoS Systems
  - XenoService
  - Pushback Mechanisms
  - Cooperative Intrusion Traceback and Response Architecture (CITRA)
10 Intrusion Tolerance Techniques - Rate Limiting
(diagram: Internet / Internal Private Network)
11 Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
(diagram: Internet / Internal Private Network)
12 Intrusion Tolerance Systems - XenoService
13 Intrusion Tolerance Systems - Pushback Mechanism
14 Intrusion Tolerance Systems - CITRA
- Cooperative Intrusion Traceback and Response Architecture (CITRA)
- The Defense Advanced Research Projects Agency (DARPA)
- Intruder Detection and Isolation Protocol (IDIP)
15 Intrusion Tolerance Research Limitations
- Intrusion Tolerance Techniques
  - Not autonomous
  - Time-consuming
  - Require knowledgeable staff
- Intrusion Tolerance Systems
  - Expensive
  - Worldwide agreements
  - Extensive collaboration
16 DDoS Defense (Macro vs Micro)
17 (No Transcript)
18 A2D2 Firewall Policy
- Set default policies to DROP
  - IPTABLES="/sbin/iptables"
  - $IPTABLES -P INPUT DROP
  - $IPTABLES -P OUTPUT DROP
  - $IPTABLES -P FORWARD DROP
- Set up IP forwarding and masquerading
  - echo 1 > /proc/sys/net/ipv4/ip_forward
  - $IPTABLES --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
  - $IPTABLES --append FORWARD --in-interface $DMZ -j ACCEPT
- DNAT: translate incoming ftp (21), ssh (22) and telnet (23) traffic to my internal hosts
  - iptables -t nat -A PREROUTING -p tcp --dport 21 -i $INTERNET -j DNAT --to 192.168.0.221
  - iptables -t nat -A PREROUTING -p tcp --dport 22 -i $INTERNET -j DNAT --to 192.168.0.222
  - iptables -t nat -A PREROUTING -p tcp --dport 23 -i $INTERNET -j DNAT --to 192.168.0.223
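The firewall policy of this slide as one reviewable script, added here as an example (it is not the thesis's own code): the default-DROP policies, forwarding and masquerading, and the three DNAT rules. The interface names eth0/eth1, the DRY_RUN switch and the show/apply arguments are assumptions for illustration; the three internal host addresses are the ones on the slide.

```shell
#!/bin/sh
# Added example, not the thesis's own script: the A2D2 firewall policy as one
# script. Interface names, DRY_RUN and the show/apply arguments are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INTERNET="${INTERNET:-eth0}"   # assumed: interface facing the Internet
DMZ="${DMZ:-eth1}"             # assumed: interface facing the DMZ / private network
DRY_RUN="${DRY_RUN:-0}"        # 1 = print each rule instead of loading it

# run CMD...: load one rule, or print it when DRY_RUN=1 so the policy can be
# reviewed on a machine without root or iptables
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# dnat_service PORT INTERNAL_HOST: publish one TCP service. The rule is bound
# to the Internet interface and a single destination port, so it exposes only
# that service on that host.
dnat_service() {
    run "$IPTABLES" -t nat -A PREROUTING -p tcp --dport "$1" -i "$INTERNET" \
        -j DNAT --to "$2"
}

a2d2_firewall() {
    # 1. Default policies: anything no later rule accepts is dropped
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P OUTPUT DROP
    run "$IPTABLES" -P FORWARD DROP

    # 2. IP forwarding and masquerading for the private network
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    run "$IPTABLES" --table nat --append POSTROUTING --out-interface "$INTERNET" -j MASQUERADE
    run "$IPTABLES" --append FORWARD --in-interface "$DMZ" -j ACCEPT

    # 3. DNAT: ftp (21), ssh (22) and telnet (23) to the internal hosts on the slide
    dnat_service 21 192.168.0.221
    dnat_service 22 192.168.0.222
    dnat_service 23 192.168.0.223
}

# Usage: sh a2d2-firewall.sh show   (print the rule set for review)
#        sh a2d2-firewall.sh apply  (load it, as root)
case "${1:-}" in
    show)  DRY_RUN=1; a2d2_firewall ;;
    apply) a2d2_firewall ;;
esac
```

Running it with `show` prints the rule set in load order. The default-DROP posture on all three chains, with forwarding accepted only from the DMZ interface and only the three published ports translated inward, is the firewall-policy mitigation that the results slides later measure.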
19 Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
(diagram: Internet / Internal Private Network)
20 A2D2 CBQ Implementation
- Classify ICMP traffic into queue class 1
  - $IPTABLES -A FORWARD -p icmp -o $DMZ -t mangle -j MARK --set-mark 1
- Mark incoming mail traffic (smtp) with mark value 2
  - $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport smtp -d 0/0 -t mangle -j MARK --set-mark 2
- Mark incoming ftp traffic with mark value 3
  - $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 21 -d 0/0 -t mangle -j MARK --set-mark 3
- Mark incoming www and Real Server traffic with mark value 4
  - $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 80 -d 0/0 -t mangle -j MARK --set-mark 4
  - $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 7070 -d 0/0 -t mangle -j MARK --set-mark 4
  - $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4
  - $IPTABLES -A FORWARD -p udp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4
21 Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
(diagram: Internet / Internal Private Network)
22 A2D2 CBQ Implementation
- TC="/sbin/tc"
- Set up the queue on the specific network interface
  - $TC qdisc add dev $DMZ root handle 10: cbq bandwidth 10Mbit avpkt 1000
- Create the root class and initialize it with the queue
  - $TC class add dev $DMZ parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded
- Create different classes of queues with different bandwidth allocations: add_class()
  - Parameters: $1 parent class, $2 classid, $3 hiband, $4 lowband, $5 handle, $6 style
  - $TC class add dev $DMZ parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
  - $TC qdisc add dev $DMZ parent $2 cbq 1514b
  - $TC filter add dev $DMZ protocol ip prio 3 handle $5 fw classid $2
- First type of traffic: ICMP, marked '1' by the firewall code, gets 5% of our internal bandwidth (10240 * 0.05 = 512.0)
  - add_class 10:1 10:100 512kbit 51.2kbit 1 bounded
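The mark-then-queue chain of slides 20 and 22 as one script, added here as an example (not the thesis's own code): the firewall marks each traffic class in the mangle table, and tc's `fw` filter steers each mark into its own CBQ class. The interface name, the DRY_RUN switch, the leaf qdisc (sfq) and the bandwidth shares for marks 2 to 4 are assumptions; the ICMP class (5% of the 10 Mbit link, bounded) is the one worked on the slide.

```shell
#!/bin/sh
# Added example, not the thesis's own script: firewall marks (slide 20) feeding
# CBQ classes (slide 22). Interface name, DRY_RUN, the sfq leaf qdisc and the
# shares for marks 2-4 are assumptions; the ICMP class is the slide's.
IPTABLES="${IPTABLES:-/sbin/iptables}"
TC="${TC:-/sbin/tc}"
DMZ="${DMZ:-eth1}"          # assumed: interface toward the internal network
LINK=10Mbit                 # link bandwidth as on the slide
LINK_KBIT=10240             # the same link in kbit, for the percentage arithmetic
DRY_RUN="${DRY_RUN:-0}"     # 1 = print each command instead of running it

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# pct N: N percent of the link in kbit (the slide's 10240 * 0.05 = 512)
pct() { echo $(( LINK_KBIT * $1 / 100 )); }

# mark MARK PROTO [PORT]: tag forwarded traffic toward $DMZ so tc can classify it
mark() {
    if [ -n "${3:-}" ]; then
        run "$IPTABLES" -t mangle -A FORWARD -p "$2" -o "$DMZ" --dport "$3" -j MARK --set-mark "$1"
    else
        run "$IPTABLES" -t mangle -A FORWARD -p "$2" -o "$DMZ" -j MARK --set-mark "$1"
    fi
}

# add_class PARENT CLASSID HIBAND LOWBAND HANDLE [bounded]: one CBQ leaf class
# (the slide's add_class) fed by packets carrying firewall mark HANDLE.
# "bounded" forbids the class from borrowing above HIBAND even on an idle link.
add_class() {
    run "$TC" class add dev "$DMZ" parent "$1" classid "$2" cbq bandwidth "$LINK" \
        rate "$3" allot 1514 weight "$4" prio 5 maxburst 20 avpkt 1000 ${6:-}
    run "$TC" qdisc add dev "$DMZ" parent "$2" sfq perturb 10   # assumed leaf qdisc
    run "$TC" filter add dev "$DMZ" protocol ip prio 3 handle "$5" fw classid "$2"
}

a2d2_cbq() {
    # Firewall side (slide 20): one mark per traffic class
    mark 1 icmp
    mark 2 tcp smtp
    mark 3 tcp 21
    mark 4 tcp 80
    mark 4 tcp 7070
    mark 4 tcp 8080
    mark 4 udp 8080

    # tc side (slide 22): root qdisc and root class on the DMZ interface
    run "$TC" qdisc add dev "$DMZ" root handle 10: cbq bandwidth "$LINK" avpkt 1000
    run "$TC" class add dev "$DMZ" parent 10:0 classid 10:1 cbq bandwidth "$LINK" \
        rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded

    # ICMP (mark 1) is bounded to 5% of the link: a ping flood toward the DMZ
    # gets at most 512 kbit, leaving the rest for the other classes
    add_class 10:1 10:100 "$(pct 5)kbit" 51.2kbit 1 bounded
    # Assumed shares for the remaining marks (not on the slide)
    add_class 10:1 10:200 "$(pct 10)kbit" 102.4kbit 2
    add_class 10:1 10:300 "$(pct 10)kbit" 102.4kbit 3
    add_class 10:1 10:400 "$(pct 50)kbit" 512kbit 4
}

# Usage: sh a2d2-cbq.sh show | apply
case "${1:-}" in
    show)  DRY_RUN=1; a2d2_cbq ;;
    apply) a2d2_cbq ;;
esac
```

The firewall mark is the only link between the two halves: the `fw` filter sends packets carrying mark HANDLE to class CLASSID, and `bounded` stops that class from borrowing idle bandwidth, which is why an ICMP flood cannot exceed its 512 kbit share even when the link is otherwise empty. Classes without `bounded` may borrow from the parent when other classes are quiet.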
23 A2D2 IDS - Snort Flood Preprocessor
(diagram: Preprocessor (performs logic) / Detection Engine (rule based))
24 A2D2 IDS - Snort Flood Preprocessor
- Prepare the Snort plugbase.h file
  - #include "spp_flood.h"
- Prepare the Snort plugbase.c file
  - void InitPreprocessor() { ... SetupFlood(); ... }
- Prepare the snort.conf file
  - preprocessor flood: $HOME_NET <threshold packets> <threshold time period> <logfilename>
- Create two flood-plugin files
  - spp_flood.h
  - spp_flood.c
- In spp_flood.h, add
  - void SetupFlood()
  - void FloodInit(u_char *)
- The FloodInit function creates the preprocessor data structure
- In spp_flood.c, register the preprocessors
25 A2D2 IDS - Snort Flood Preprocessor
- Additional Features
  - FloodIgnoreHosts Preprocessor
  - FloodRateLimiter Preprocessor
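A stand-alone model of the logic the flood preprocessor of slides 24 and 25 performs, added here as an example (it is not code from the thesis or from Snort): parse the snort.conf argument string, count packets per destination host within the threshold time period, raise one alert when the threshold is crossed, and skip sources on an ignore list (the FloodIgnoreHosts feature). The type and function names (flood_config, flood_state, flood_parse_args, flood_check, flood_ignore_host), the log file paths and the addresses are hypothetical or constructed; a real plug-in would be wired in through spp_flood.c and plugbase.c as the previous slide describes.

```c
/* Added example, not code from the thesis or from Snort: a model of the flood
 * preprocessor's logic. All names here are hypothetical; Snort would call the
 * check once per decoded packet toward HOME_NET. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define FLOOD_MAX_HOSTS  64   /* destination hosts tracked at once */
#define FLOOD_MAX_IGNORE  8   /* sources on the ignore list */

typedef struct {
    unsigned long threshold;  /* packets allowed per period (snort.conf arg 1) */
    unsigned long period;     /* time period in seconds (snort.conf arg 2) */
    char logfile[128];        /* alert log file (snort.conf arg 3) */
} flood_config;

typedef struct {
    uint32_t dst;             /* destination host being counted */
    unsigned long count;      /* packets seen in the current window */
    time_t window_start;
    int active;
} flood_counter;

typedef struct {
    flood_config cfg;
    flood_counter hosts[FLOOD_MAX_HOSTS];
    int nhosts;
    uint32_t ignore[FLOOD_MAX_IGNORE];
    int nignore;
    unsigned long alerts;     /* alerts raised so far */
} flood_state;

/* Parse "<threshold packets> <threshold time period> <logfilename>".
 * Returns 0 on success, -1 if malformed (then refuse to load rather than run
 * with a zero threshold, which would alert on every packet). */
int flood_parse_args(const char *args, flood_config *cfg)
{
    memset(cfg, 0, sizeof *cfg);
    if (sscanf(args, "%lu %lu %127s", &cfg->threshold, &cfg->period, cfg->logfile) != 3)
        return -1;
    if (cfg->threshold == 0 || cfg->period == 0)
        return -1;
    return 0;
}

/* The FloodInit step: create the preprocessor data structure from the config */
void flood_init(flood_state *st, const flood_config *cfg)
{
    memset(st, 0, sizeof *st);
    st->cfg = *cfg;
}

/* FloodIgnoreHosts: a source that is never counted (e.g. a monitoring host) */
int flood_ignore_host(flood_state *st, uint32_t src)
{
    if (st->nignore >= FLOOD_MAX_IGNORE)
        return -1;
    st->ignore[st->nignore++] = src;
    return 0;
}

static flood_counter *flood_counter_for(flood_state *st, uint32_t dst)
{
    int i;
    for (i = 0; i < st->nhosts; i++)
        if (st->hosts[i].dst == dst)
            return &st->hosts[i];
    if (st->nhosts >= FLOOD_MAX_HOSTS)
        return NULL;          /* table full: new hosts are not counted */
    st->hosts[st->nhosts].dst = dst;
    return &st->hosts[st->nhosts++];
}

/* Called once per packet. Returns 1 exactly for the packet that pushes dst over
 * the threshold in the current window (one alert per window), else 0. */
int flood_check(flood_state *st, uint32_t src, uint32_t dst, time_t now)
{
    int i;
    flood_counter *c;
    for (i = 0; i < st->nignore; i++)
        if (st->ignore[i] == src)
            return 0;
    c = flood_counter_for(st, dst);
    if (c == NULL)
        return 0;
    if (!c->active || now - c->window_start >= (time_t)st->cfg.period) {
        c->active = 1;        /* start a new window */
        c->window_start = now;
        c->count = 0;
    }
    c->count++;
    if (c->count == st->cfg.threshold + 1) {
        st->alerts++;
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed demonstration: 3 packets per 2 seconds, five packets
     * from a constructed source 192.168.0.5 to a constructed host 192.168.0.221 */
    flood_config cfg;
    flood_state st;
    int i;
    if (flood_parse_args("3 2 /tmp/flood.log", &cfg) != 0)
        return 1;
    flood_init(&st, &cfg);
    for (i = 0; i < 5; i++)
        if (flood_check(&st, 0xC0A80005u, 0xC0A800DDu, 1000))
            printf("flood alert: more than %lu packets within %lus, log to %s\n",
                   st.cfg.threshold, st.cfg.period, st.cfg.logfile);
    return 0;
}
```

The threshold is compared per destination host and per window, and the check returns 1 only for the packet that crosses it, so a sustained flood produces one alert per period rather than one per packet; the ignore list is consulted before anything is counted, which is the FloodIgnoreHosts behaviour listed above. A rate-limiting follow-up (FloodRateLimiter) would act on the same per-host counters.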
26 A2D2 Multi-Level Rate Limiting
27 (No Transcript)
28 A2D2 Results - Baseline
- 10-min Video
- Packets Received
  - Around 23,000 (23,445)
(chart: QoS Experienced at A2D2 Client)
29 A2D2 Results - 1-min Attack
- Packets Received: 17,869
- Retransmission Request: 1,929
- Retransmission Received: 121
- Lost: 1,808
(chart: QoS Experienced at A2D2 Client)
30 A2D2 Results - Non-stop Attack
- Packets Received: 8,039
- Retransmission Request: 2,592
- Retransmission Received: 35
- Lost: 2,557
- Connection Timed-out
(chart: QoS Experienced at A2D2 Client)
31 A2D2 Results - UDP Attack, Mitigation: Firewall Policy
- Packets Received: 23,407
- Retransmission Request: 0
- Retransmission Received: 0
- Lost: 0
(chart: QoS Experienced at A2D2 Client)
32 A2D2 Results - ICMP Attack, Mitigation: Firewall Policy
- Packets Received: 7,127
- Retransmission Request: 2,105
- Retransmission Received: 4
- Lost: 2,101
- Connection Timed-out
(chart: QoS Experienced at A2D2 Client)
33 A2D2 Results - ICMP Attack, Mitigation: Firewall Policy + CBQ
- Packets Received: 23,438
- Retransmission Request: 0
- Retransmission Received: 0
- Lost: 0
(chart: QoS Experienced at A2D2 Client)
34 A2D2 Results - TCP Attack, Mitigation: Policy + CBQ
- Packets Received: 22,179
- Retransmission Request: 4,090
- Retransmission Received: 2,641
- Lost: 1,449
- Screen Quality Impact
(chart: QoS Experienced at A2D2 Client)
35 A2D2 Results - TCP Attack, Mitigation: Policy + CBQ + Rate Limiting
- Packets Received: 23,444
- Retransmission Request: 49 / 1,376
- Retransmission Received: 40 / 776
- Lost: 9 / 600
(chart: QoS Experienced at A2D2 Client)
36 A2D2 Future Works
- TCP SYN Attack
- Firewall Processing Speed
- Alternate Routing
- Scalability
- More Services
- Anomaly Detection
- Fault Tolerant
37 A2D2 Software Engineering Process
- ISO/IEC 12207 (Software Life Cycle Processes)
- Evolutionary Model
38 A2D2 Conclusion
- Intrusion Tolerance
- A2D2 clients enjoy QoS during various types of attack
39 Questions?
- References
  - Please refer to the thesis document:
    http://cs.uccs.edu/chow/master/acearns/doc/angThesis-1022.doc
40 Mitigation - A2D2