Design of an Autonomous Anti-DDOS Network (A2D2) - PowerPoint PPT Presentation


1
Design of an Autonomous Anti-DDOS Network (A2D2)
  • Angela Cearns
  • Thesis Defense
  • Thursday October 24, 2002
  • Master of Software Engineering
  • Department of Computer Science
  • University of Colorado, Colorado Springs

2
Design of an Autonomous Anti-DDOS Network (A2D2)
  • Author: Angela Cearns
  • Committee Members
  • Dr. C. Edward Chow
  • Dr. Jugal K. Kalita
  • Dr. Charles M. Shub

3
DoS / DDoS: Problem Domain Definition
  • DoS
  • Denial of Service Attack
  • DDoS
  • Distributed Denial of Service Attack

  • Well-known victims: Yahoo, Amazon, CERT
  • Attack tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
4
Mitigation - Commercial
  • Commercial systems (product comparison table; the products named on the slides include Sidewinder and WatchGuard Firebox, each listed with its primary product function, IDS or firewall)

5
Mitigation - Commercial (continued; the table was not transcribed)
6
DDoS Target Audience
  • Research by the University of California at San Diego
  • 12,805 DoS attacks observed in a 3-week period
  • Mostly home and small to medium sized networks

7
Mitigation - A2D2 (This Thesis)
  • Autonomous Anti-DDoS Network (A2D2)
  • A2D2 Target Audience
  • Home, small to medium sized networks
  • Design Principles
  • Affordable
  • Manageable
  • Configurable
  • Portable

Research-Oriented
8
A2D2 Background Research
  • 3 main research areas
  • Intrusion Prevention
  • General Security Policy
  • Ingress/Egress Filtering
  • Intrusion Detection
  • Anomaly Detection
  • Misuse Detection
  • Intrusion Response
  • Source Identification
  • Intrusion Tolerance

9
A2D2 Intrusion Tolerance
  • Fault Tolerance
  • Quality of Service (QoS)
  • Intrusion Tolerant QoS Techniques
  • Rate Limiting
  • Class-Based Queuing (CBQ)
  • Intrusion Tolerant QoS Systems
  • XenoService
  • Pushback Mechanisms
  • Cooperative Intrusion Traceback and Response
    Architecture (CITRA)

10
Intrusion Tolerance Techniques - Rate Limiting
  (diagram: Internet / Internal Private Network)
11
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
  (diagram: Internet / Internal Private Network)
12
Intrusion Tolerance Systems - XenoService
13
Intrusion Tolerance Systems - Pushback Mechanism
14
Intrusion Tolerance Systems - CITRA
  • Cooperative Intrusion Traceback and Response
    Architecture (CITRA)
  • The Defense Advanced Research Projects Agency
    (DARPA)
  • Intruder Detection and Isolation Protocol (IDIP)

15
Intrusion Tolerance Research - Limitations
  • Intrusion Tolerance Techniques
  • Not autonomous
  • Time-consuming
  • Require knowledgeable staff
  • Intrusion Tolerance Systems
  • Expensive
  • Worldwide agreements
  • Extensive Collaboration

16
DDoS Defense (Macro vs Micro)
17
(No Transcript)
18
A2D2 Firewall Policy
  • Set default policies to DROP
      IPTABLES="/sbin/iptables"
      $IPTABLES -P INPUT DROP
      $IPTABLES -P OUTPUT DROP
      $IPTABLES -P FORWARD DROP
  • Set up IP forwarding and masquerading
      echo 1 > /proc/sys/net/ipv4/ip_forward
      $IPTABLES --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
      $IPTABLES --append FORWARD --in-interface $DMZ -j ACCEPT
  • DNAT: translate incoming ftp (21), ssh (22) and telnet (23) traffic to my internal hosts
      iptables -t nat -A PREROUTING -p tcp --dport 21 -i $INTERNET -j DNAT --to 192.168.0.221
      iptables -t nat -A PREROUTING -p tcp --dport 22 -i $INTERNET -j DNAT --to 192.168.0.222
      iptables -t nat -A PREROUTING -p tcp --dport 23 -i $INTERNET -j DNAT --to 192.168.0.223

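The policy above as a runnable script. This is an added example, not the thesis's own firewall script: interface names (eth0/eth1) and the DRY_RUN switch are assumptions, while the ports, the internal addresses and the order of the rules follow the slide. One rule is added beyond the slide: with FORWARD defaulting to DROP and only traffic entering on the DMZ interface accepted, packets arriving from the Internet for the DNAT'd hosts would be forwarded nowhere, so the script also accepts exactly those three port/host pairs in FORWARD.

```shell
#!/bin/sh
# Added example (not the thesis's script): A2D2 firewall policy of slide 18.
# Interface names and DRY_RUN are assumptions; ports/hosts follow the slide.

IPTABLES="${IPTABLES:-/sbin/iptables}"
INTERNET="${INTERNET:-eth0}"   # external interface (assumed name)
DMZ="${DMZ:-eth1}"             # internal/DMZ interface (assumed name)

# port:host pairs from slide 18 (ftp, ssh, telnet to three DMZ hosts)
A2D2_DNAT_MAP="21:192.168.0.221 22:192.168.0.222 23:192.168.0.223"

# ipt: apply a rule, or print the command when DRY_RUN=1 (review without root)
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# a2d2_firewall_policy: default-deny, masquerade, publish three services.
a2d2_firewall_policy() {
    # 1. Default policies DROP: anything not accepted below is discarded.
    #    This alone is what stops the UDP attack reported on slide 31.
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -P FORWARD DROP

    # 2. Forwarding and masquerading for the internal network
    if [ "${DRY_RUN:-0}" != 1 ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    ipt -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE
    ipt -A FORWARD -i "$DMZ" -j ACCEPT

    # 3. DNAT each published port to its DMZ host, and accept exactly that
    #    port towards that host in FORWARD (added rule; everything else
    #    from the Internet stays under the DROP policy).
    for entry in $A2D2_DNAT_MAP; do
        port="${entry%%:*}"
        host="${entry#*:}"
        ipt -t nat -A PREROUTING -i "$INTERNET" -p tcp --dport "$port" \
            -j DNAT --to "$host"
        ipt -A FORWARD -i "$INTERNET" -o "$DMZ" -p tcp -d "$host" \
            --dport "$port" -j ACCEPT
    done
}

# Standalone use: "sh a2d2-fw.sh print" lists the rules; "apply" (as root)
# installs them.
case "${1:-}" in
    print) DRY_RUN=1; a2d2_firewall_policy ;;
    apply) a2d2_firewall_policy ;;
esac
```

Because the rules are stateless (no connection tracking is used anywhere on the slide), the DMZ-side ACCEPT is what lets replies leave; the OUTPUT DROP policy means the gateway itself can neither resolve names nor be administered remotely, which the slide accepts as the price of a closed default.
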
19
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
  (diagram: Internet / Internal Private Network)
20
A2D2 CBQ Implementation
  • Classify ICMP traffic into queue class 1
      $IPTABLES -A FORWARD -p icmp -o $DMZ -t mangle -j MARK --set-mark 1
  • Mark incoming mail (SMTP) traffic with mark value 2
      $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport smtp -d 0/0 -t mangle -j MARK --set-mark 2
  • Mark incoming FTP traffic with mark value 3
      $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 21 -d 0/0 -t mangle -j MARK --set-mark 3
  • Mark incoming WWW and RealServer traffic with mark value 4
      $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 80 -d 0/0 -t mangle -j MARK --set-mark 4
      $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 7070 -d 0/0 -t mangle -j MARK --set-mark 4
      $IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4
      $IPTABLES -A FORWARD -p udp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4

21
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
  (diagram: Internet / Internal Private Network)
22
A2D2 CBQ Implementation
  • TC="/sbin/tc"
  • Set up the queue on the specific network interface
      $TC qdisc add dev $DMZ root handle 10: cbq bandwidth 10Mbit avpkt 1000
  • Create the root class and initialise it with the queue
      $TC class add dev $DMZ parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded
  • Create different classes of queues with different bandwidth allocations
      add_class() {
          # $1 parent class  $2 classid  $3 hiband (rate)  $4 lowband (weight)  $5 handle (fw mark)  $6 style
          $TC class add dev $DMZ parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
          $TC qdisc add dev $DMZ parent $2 cbq 1514b   (leaf qdisc line as transcribed)
          $TC filter add dev $DMZ protocol ip prio 3 handle $5 fw classid $2
      }
  • First type of traffic: ICMP, marked '1' by the firewall code, gets 5% of our internal bandwidth (10240 * 0.05 = 512.0 kbit)
      add_class 10:1 10:100 512kbit 51.2kbit 1 bounded

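The marking rules of slide 20 and the class tree of slide 22 together, as one dry-runnable script. This is an added example, not the thesis's own script. The marks, ports, the 10 Mbit link, the 5% ICMP class and the weight = rate/10 convention (64kbit/6.4kbit, 512kbit/51.2kbit) are taken from the slides. Assumptions: the interface name, sfq as the leaf qdisc under each class, a root class rated at the full 10Mbit (the slide shows 64kbit), and the shares given to marks 2 to 4, which the slides do not state.

```shell
#!/bin/sh
# Added example (not the thesis's script): A2D2 CBQ setup of slides 20 and 22.
# Interface name, sfq leaves, 10Mbit root class and the non-ICMP shares are
# assumptions; marks, ports and the 5% ICMP class follow the slides.

TC="${TC:-/sbin/tc}"
IPTABLES="${IPTABLES:-/sbin/iptables}"
DMZ="${DMZ:-eth1}"
LINK_KBIT=10240   # 10 Mbit = 10240 kbit, the figure used on slide 22

run() {   # execute, or print the command when DRY_RUN=1
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# share_kbit LINK_KBIT PERCENT -> kbit for that share (10240 * 5% = 512)
share_kbit() { awk -v l="$1" -v p="$2" 'BEGIN { printf "%g", l * p / 100 }'; }
# weight_of RATE_KBIT -> weight, one tenth of the rate (512 -> 51.2)
weight_of()  { awk -v r="$1" 'BEGIN { printf "%g", r / 10 }'; }
# class_spec PERCENT -> "RATEkbit WEIGHTkbit" for that share of the link
class_spec() {
    rate=$(share_kbit "$LINK_KBIT" "$1")
    echo "${rate}kbit $(weight_of "$rate")kbit"
}

# mark_traffic: fw marks set in the mangle table; the tc fw filters below
# steer each mark into its class.
mark_traffic() {
    run $IPTABLES -t mangle -A FORWARD -o "$DMZ" -p icmp -j MARK --set-mark 1
    run $IPTABLES -t mangle -A FORWARD -o "$DMZ" -p tcp --dport 25 -j MARK --set-mark 2
    run $IPTABLES -t mangle -A FORWARD -o "$DMZ" -p tcp --dport 21 -j MARK --set-mark 3
    for p in 80 7070 8080; do   # www and RealServer
        run $IPTABLES -t mangle -A FORWARD -o "$DMZ" -p tcp --dport "$p" -j MARK --set-mark 4
    done
    run $IPTABLES -t mangle -A FORWARD -o "$DMZ" -p udp --dport 8080 -j MARK --set-mark 4
}

# add_class PARENT CLASSID RATE WEIGHT MARK [bounded]: one CBQ class, an sfq
# leaf under it, and the fw filter matching packets that carry MARK.
# "bounded" stops the class borrowing idle bandwidth from its parent, which
# is what caps a flood arriving in that class at its configured rate.
add_class() {
    run $TC class add dev "$DMZ" parent "$1" classid "$2" cbq bandwidth 10Mbit \
        rate "$3" allot 1514 weight "$4" prio 5 maxburst 20 avpkt 1000 $6
    run $TC qdisc add dev "$DMZ" parent "$2" sfq quantum 1514b
    run $TC filter add dev "$DMZ" protocol ip prio 3 handle "$5" fw classid "$2"
}

# build_cbq_tree: root qdisc and root class, then one bounded class per mark
build_cbq_tree() {
    run $TC qdisc add dev "$DMZ" root handle 10: cbq bandwidth 10Mbit avpkt 1000
    run $TC class add dev "$DMZ" parent 10:0 classid 10:1 cbq bandwidth 10Mbit \
        rate 10Mbit allot 1514 weight 1Mbit prio 8 maxburst 20 avpkt 1000 bounded
    # parent classid rate/weight                 mark
    add_class 10:1 10:100 $(class_spec 5)  1 bounded   # ICMP, 5% (slide 22)
    add_class 10:1 10:200 $(class_spec 10) 2 bounded   # SMTP, 10% (assumed)
    add_class 10:1 10:300 $(class_spec 15) 3 bounded   # FTP, 15% (assumed)
    add_class 10:1 10:400 $(class_spec 60) 4 bounded   # WWW/RealServer, 60% (assumed)
}

# Standalone use: "sh a2d2-cbq.sh print" lists the commands; "apply" runs them.
case "${1:-}" in
    print) DRY_RUN=1; mark_traffic; build_cbq_tree ;;
    apply) mark_traffic; build_cbq_tree ;;
esac
```

The point of a separate bounded class for ICMP is visible in the results: the ICMP flood that times out the client under the firewall policy alone (slide 32) is confined to 512 kbit once this tree is in place (slide 33), while the other classes keep their shares.
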
23
A2D2 IDS: Snort Flood Preprocessor
  (diagram: packets pass through the preprocessor, which performs the flood logic, before the rule-based detection engine)
24
A2D2 IDS: Snort Flood Preprocessor
  • Prepare the Snort plugbase.h file
      #include "spp_flood.h"
  • Prepare the Snort plugbase.c file
      void InitPreprocessor()  -  add the call  SetupFlood();
  • Prepare the snort.conf file
      preprocessor flood: $HOME_NET <threshold packets> <threshold time period> <logfilename>
  • Create two flood-plugin files
      spp_flood.h
      spp_flood.c
  • In spp_flood.h, declare
      void SetupFlood();
      void FloodInit(u_char *);
  • The FloodInit function creates the preprocessor data structure
  • In spp_flood.c, register the preprocessor

25
A2D2 IDS: Snort Flood Preprocessor
  • Additional Features
  • FloodIgnoreHosts Preprocessor
  • FloodRateLimiter Preprocessor

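The flood logic of slides 24 and 25, re-expressed so it can be run and checked offline. This is an added example, not the thesis's Snort plugin: the same threshold rule (a source reaching the configured number of packets within the configured time period triggers an alert), the FloodIgnoreHosts list and a FloodRateLimiter-style response are modelled as a shell/awk pipeline over a constructed packet log instead of inside Snort. The window semantics (a fresh window per source, started by its first packet), the iptables limit rule used as the response, and the sample log are assumptions.

```shell
#!/bin/sh
# Added example (not the thesis's Snort code): flood threshold detection,
# ignore list and rate-limit response of slides 24-25 as a shell pipeline.
# Window semantics, the limit rule and the sample log are assumptions.

IPTABLES="${IPTABLES:-/sbin/iptables}"
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPTABLES $*"; else "$IPTABLES" "$@"; fi; }

# sample_packets: constructed log, one packet per line: epoch src dst proto.
# 10.0.0.9 sends 12 ICMP packets in one second (a flood), 192.168.0.5 is a
# normal client, 192.168.0.1 is a chatty internal host to be ignored.
sample_packets() {
    i=0; while [ $i -lt 12 ]; do echo "1035450000 10.0.0.9 192.168.0.221 icmp"; i=$((i+1)); done
    echo "1035450001 192.168.0.5 192.168.0.222 tcp"
    echo "1035450002 192.168.0.5 192.168.0.222 tcp"
    i=0; while [ $i -lt 20 ]; do echo "1035450003 192.168.0.1 192.168.0.221 icmp"; i=$((i+1)); done
    echo "1035450009 10.0.0.9 192.168.0.221 icmp"   # new window, below threshold
}

# flood_detect THRESHOLD_PACKETS THRESHOLD_SECONDS [IGNORE_HOSTS]
# Reads packet lines on stdin; prints one FLOOD line per source per window
# in which it reaches THRESHOLD_PACKETS. Hosts in IGNORE_HOSTS (space
# separated) are never counted, as with FloodIgnoreHosts.
flood_detect() {
    awk -v thr="$1" -v per="$2" -v ign="$3" '
    BEGIN { n = split(ign, a, " "); for (k = 1; k <= n; k++) ignore[a[k]] = 1 }
    {
        t = $1; src = $2
        if (src in ignore) next
        # start a fresh window for this source once the old one has expired
        if (!(src in start) || t - start[src] >= per) {
            start[src] = t; cnt[src] = 0; fired[src] = 0
        }
        cnt[src]++
        if (cnt[src] >= thr && !fired[src]) {
            fired[src] = 1
            printf "FLOOD %s %d packets in %ds window\n", src, cnt[src], per
        }
    }'
}

# flood_rate_limit SRC RATE: FloodRateLimiter-style response (assumed form).
# Both rules are inserted at the top of FORWARD so they precede the static
# ACCEPTs; the DROP goes in first and the limited ACCEPT is then inserted
# above it, so SRC keeps RATE packets and the excess is dropped rather than
# the source being cut off entirely.
flood_rate_limit() {
    run -I FORWARD 1 -s "$1" -j DROP
    run -I FORWARD 1 -s "$1" -m limit --limit "$2" -j ACCEPT
}

# flood_respond THRESHOLD_PACKETS THRESHOLD_SECONDS [IGNORE_HOSTS]:
# detect on stdin and rate-limit every flooding source to 10/s (assumed)
flood_respond() {
    flood_detect "$1" "$2" "$3" | while read -r _tag src _rest; do
        flood_rate_limit "$src" 10/s
    done
}

# Standalone use: "sh a2d2-flood.sh demo" prints the rules the sample log
# would trigger with a threshold of 10 packets in 5 seconds.
case "${1:-}" in
    demo) DRY_RUN=1; sample_packets | flood_respond 10 5 "192.168.0.1" ;;
esac
```

Run over the constructed log with a threshold of 10 packets in 5 seconds, only 10.0.0.9 is reported (its 13th packet falls in a new window and stays under the threshold); drop the ignore list and the internal host 192.168.0.1 would be reported too, which is the case FloodIgnoreHosts exists for.
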
26
A2D2 Multi-Level Rate Limiting
27
(No Transcript)
28
A2D2 Results - Baseline (no attack)
  • 10-min video stream
  • Packets Received: around 23,000 (23,445)

QoS Experienced at A2D2 Client
29
A2D2 Results - 1-min Attack, no mitigation
  • Packets Received: 17,869
  • Retransmission Requests: 1,929
  • Retransmissions Received: 121
  • Lost: 1,808

QoS Experienced at A2D2 Client
30
A2D2 Results - Non-stop Attack, no mitigation
  • Packets Received: 8,039
  • Retransmission Requests: 2,592
  • Retransmissions Received: 35
  • Lost: 2,557
  • Connection timed out

QoS Experienced at A2D2 Client
31
A2D2 Results - UDP Attack; Mitigation: Firewall Policy
  • Packets Received: 23,407
  • Retransmission Requests: 0
  • Retransmissions Received: 0
  • Lost: 0

QoS Experienced at A2D2 Client
32
A2D2 Results - ICMP Attack; Mitigation: Firewall Policy
  • Packets Received: 7,127
  • Retransmission Requests: 2,105
  • Retransmissions Received: 4
  • Lost: 2,101
  • Connection timed out

QoS Experienced at A2D2 Client
33
A2D2 Results - ICMP Attack; Mitigation: Firewall Policy + CBQ
  • Packets Received: 23,438
  • Retransmission Requests: 0
  • Retransmissions Received: 0
  • Lost: 0

QoS Experienced at A2D2 Client
34
A2D2 Results - TCP Attack; Mitigation: Firewall Policy + CBQ
  • Packets Received: 22,179
  • Retransmission Requests: 4,090
  • Retransmissions Received: 2,641
  • Lost: 1,449
  • Screen quality impacted

QoS Experienced at A2D2 Client
35
A2D2 Results - TCP Attack; Mitigation: Firewall Policy + CBQ + Rate Limiting
  (two values per row, as on the slide)
  • Packets Received: 23,444
  • Retransmission Requests: 49 / 1,376
  • Retransmissions Received: 40 / 776
  • Lost: 9 / 600

QoS Experienced at A2D2 Client
36
A2D2 Future Work
  • TCP SYN Attack
  • Firewall Processing Speed
  • Alternate Routing
  • Scalability
  • More Services
  • Anomaly Detection
  • Fault Tolerance

37
A2D2 Software Engineering Process
  • ISO/IEC 12207 (Software Life Cycle Processes)
  • Evolutionary Model

38
A2D2 Conclusion
  • Intrusion Tolerance
  • A2D2 Clients Enjoy QoS
  • During Various Types of Attack

39
Questions?
  • References
  • Please refer to the thesis document:
    http://cs.uccs.edu/~chow/master/acearns/doc/angThesis-1022.doc

40
Mitigation - A2D2
  • Checks Please.