SOS: Secure Overlay Service Mayday - PowerPoint PPT Presentation

Slides: 27
Provided by: kxu

Transcript and Presenter's Notes

Title: SOS: Secure Overlay Service Mayday


1
  • SOS: Secure Overlay Service (Mayday)
  • A. D. Keromytis, V. Misra, D. Rubenstein
  • Columbia University
  • Presented by Yingfei Dong

2
Motivations
  • Goal: proactively prevent DOS attacks to allow
    legitimate users to communicate with a critical
    target
  • DOS attacks try to stop the communication
  • The target is difficult to replicate
  • e.g., high security or dynamic contents
  • Legitimate users are mobile (IP addresses are
    not fixed)
  • Motivating applications: Emergency Response Teams
    (ERTs)
  • Phone networks are easy to crash
  • FBI/police/fire departments contact a central
    database
  • Bank users / stock brokers access their accounts
  • On-line transactions
  • Application requirements:
  • Protect private communications on top of public
    networks
  • Authenticated mobile users

3
Denial Of Service (DOS) Attacks
  • DOS:
  • Select a target to degrade its performance
  • Generate high-volume traffic to the target
  • Use up network resources: bandwidth, buffers
  • Packet flooding: for a 10 Mbps link, 830
    1500-byte packets
  • Overload CPU with security checking or kernel
    resources
  • Security handshaking
  • TCP SYN flooding: holding all TCP control blocks
  • Force a server to fork many processes
  • SOS is not for general DOS attacks
  • Not for global traffic analysis
  • It is for a number of authenticated users
    communicating with a selected target on a public
    network

4
Related Work

[Figure: related approaches compared along two axes, "More Secure" and "Less implementation costs"]

5
Players in SOS
  • Target
  • Node / Server protected by SOS from DOS
  • Fixed IP address, non-duplicable
  • Legitimate User
  • Authenticated Users communicate with the target
  • Mobile IP address
  • Attacker
  • Tries to stop users from communicating with the
    target
  • Limited capability: cannot drag down core routers

6
Basic Idea
  • Why is DOS effective? Many-to-one
  • Solution: hide paths to the target through a
    large-scale distributed filter
  • Difficult to do because:
  • The Internet is an open architecture and will
    stay open
  • IP spoofing is easy and ingress filters are not
    broadly deployed
  • Idea: forward secure packets on a virtual
    overlay network on top of the Internet
  • Secure packets are forwarded between overlay
    nodes
  • Using a large number of overlay nodes
  • Overlay network adapts to attacks quickly
  • Attackers must attack many nodes to be successful!

7
SOS Functionalities
  • Goals:
  • Allow legitimate users to communicate with the
    target
  • Prevent packets from attackers from reaching
    the target
  • Ideal solution:
  • No changes required in intermediate routers
  • No high-cost security checking near/at the target
  • Assumptions:
  • Attackers have a limited number of resources
  • Attackers cannot drag down core routers
  • Does NOT solve the general DoS problem

8
Method 1: Source-Address Filtering
  • Routers near the target do simple filtering based
    on source IP addresses
  • Only packets from legitimate nodes can reach the
    target
  • Packets from other sources are dropped
  • Fast, lightweight authenticator
  • Routers are difficult to hack
  • Problems:
  • Attackers obtain an account on a legitimate node
  • Attackers spoof packets with a legitimate src IP
  • Legitimate users are mobile and don't have fixed
    IPs

9
Method 2: Filters, Proxy Servers
  • Idea:
  • A proxy server sits between a legitimate user and
    the target
  • The proxy only forwards authenticated packets
  • Only packets from the proxy can reach the
    target
  • Problems:
  • Once attackers know the IP of a proxy, x.x.x.x,
    they can spoof packets with x.x.x.x and reach
    the target
  • Attackers attack the proxy directly to drag it
    down

10
Method 3: Filters, Secret Proxy Servers
  • Hiding the identity (IP address) of a proxy to
    prevent IP spoofing or attacks aiming at a proxy
  • A Secret Servlet is a hidden proxy chosen by the
    target
  • A filter only allows packets whose source address
    matches n ∈ N_s, a selected set of nodes
  • Only the target, the Secret Servlets, and a few
    other trusted nodes know the IP addresses of the
    Secret Servlets
  • The attacker is not sure which node is a proxy for
    the target

11
Method 4: Filter, Secret Proxy, Overlay Routing, SOAP
  • Question: how to forward packets to a Secret
    Servlet without knowing its IP address?
  • Virtual overlay network:
  • Each node is an end host
  • Only some nodes know how to reach a proxy (Servlet)
  • Indirect assumption: large number of nodes ⇒
    attackers cannot monitor all overlay nodes
  • Service Overlay Access Points (SOAPs):
  • Everyone knows a set of SOAPs
  • A SOAP is an entry node to the overlay network
  • Receives and verifies traffic via IPSec/TLS
  • A large number of SOAPs act as a distributed
    firewall
  • User → SOAP → across overlay → Secret Servlet →
    Target

12
Overlay Routing: SOAP → Servlet → Target
  • A path from a SOAP to a Servlet must be hard to
    find
  • Random walk: O(N/N_s) time, where N is the total
    number of overlay nodes and N_s is the number of
    Servlets
  • Chord: O(log N)
  • A path must be resilient to attacks, with fast
    recovery

13
Dynamic Hash Table (DHT)
  • Examples: Chord, CAN, PASTRY, Tapestry
  • Chord:
  • A distributed protocol with N homogeneous overlay
    nodes
  • Each node has a node identifier
  • Each object has an object key
  • Distribute all object keys to N nodes
  • The object with key T is mapped to node B if
    H(T) = B,
  • where object T is managed by node B
  • Chord property:
  • Finding key T, from any node to B, takes
    O(log N) steps

14
A Beacon Connects a SOAP and a Servlet
  • An object key in SOS is the IP address of a
    target
  • Beacon B for IP address T is an overlay node with
    identifier B = H(T)
  • Secret Servlet S finds Beacon B by B = H(T), and
    tells it to forward packets with DST T from B to
    S
  • SOAP A also finds Beacon B by B = H(T), and
    forwards secure packets with DST T to B
  • Multiple hash functions produce different
    Beacons, i.e., different paths to the target.
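
The rendezvous described on this slide, as an added sketch that is not code from the presentation or the SOS authors: the Servlet and the SOAP each compute B = H(T) on their own and meet at the same Beacon. SHA-256, the 32-bit ring, the Chord-style successor rule, the addresses, and the re-registration after a Beacon is removed are assumptions made for illustration.

```python
import hashlib
from bisect import bisect_left

def h(value, salt=0):
    """Hash H_salt onto a 32-bit ring (SHA-256 and ring size are assumptions)."""
    d = hashlib.sha256(f"{salt}|{value}".encode()).digest()
    return int.from_bytes(d[:4], "big")

class Overlay:
    def __init__(self, addrs):
        self.ring = sorted((h(a), a) for a in addrs)  # (node id, address)
        self.fwd = {}                                 # beacon -> {target: servlet}

    def beacon_for(self, target, salt=0):
        """B = H(T): first node whose id is >= the key, wrapping around."""
        ids = [i for i, _ in self.ring]
        return self.ring[bisect_left(ids, h(target, salt)) % len(ids)][1]

    def register(self, servlet, target, salt=0):
        """Secret Servlet S tells Beacon B to forward DST=T traffic to S."""
        self.fwd.setdefault(self.beacon_for(target, salt), {})[target] = servlet

    def route(self, target, salt=0):
        """SOAP side: find B independently, then follow B's table to S."""
        beacon = self.beacon_for(target, salt)
        return beacon, self.fwd.get(beacon, {}).get(target)

    def remove(self, addr):
        """Self-healing: an attacked node leaves the ring with its state."""
        self.ring = [(i, a) for i, a in self.ring if a != addr]
        self.fwd.pop(addr, None)

NODES = [f"10.0.{i // 250}.{i % 250 + 1}" for i in range(500)]  # constructed
TARGET, SERVLET = "192.0.2.10", NODES[42]                        # constructed

def demo():
    ov = Overlay(NODES)
    ov.register(SERVLET, TARGET)
    beacon, servlet = ov.route(TARGET)   # the SOAP was never told SERVLET
    ov.remove(beacon)                    # the Beacon is attacked and removed
    lost = ov.route(TARGET)              # successor Beacon has no entry yet
    ov.register(SERVLET, TARGET)         # Servlet re-registers (assumed step)
    return beacon, servlet, lost, ov.route(TARGET)

if __name__ == "__main__":
    print(demo())
```

Passing a different `salt` selects a different hash function and therefore, in general, a different Beacon for the same target.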

15
Routing Summary
  • Target T randomly selects Secret Servlet S
  • Secret Servlet S informs Beacon B to forward
    packets with DST T to S
  • SOAP A forwards authenticated packets with DST T
    to B

  • Overlay nodes are known to the public but their
    roles are secret
  • Communications between overlay nodes are
    secure/authenticated
  • Packets are authenticated by the SOAP before
    entering the overlay

16
Against the DoS attacks
  • Redundancy in SOS
  • Every overlay node can be SOAP, Beacon or Servlet
  • A target can select multiple Servlets
  • Multiple beacons can be used by using different
    hashes
  • Many SOAPs
  • User → SOAP → Beacon → Servlet → Target
  • Attacks on an overlay node:
  • Chord self-heals by removing the node from
    Chord
  • Attacks on all SOAPs are required; otherwise an
    alternative SOAP exists
  • Attacks on all Beacons: remove the nodes and
    change hash functions
  • Attacks on all Servlets:
  • The target can change the set of Servlets in
    real time
  • Target is protected by filters

17
Static Attack Analysis
  • N nodes in the overlay
  • For a given target T:
  • S is the number of Servlets
  • B is the number of Beacons
  • A is the number of SOAPs
  • Static attacks: attackers randomly shut down M out
    of N nodes
  • P_static = P(N, M, S, B, A) = P[stop
    communications with T]
  • P(n, b, c) = P[a set of b nodes chosen randomly
    from a set of n nodes contains a given set of
    c nodes]

18
Successfully Attack all Servlets or all Beacons or all SOAPs
P_static = P(N, M, S, B, A) = 1 − (1 − P(N, M, S)) (1 − P(N, M, B)) (1 − P(N, M, A))
[Figure: probability of attack success vs. number of nodes attacked]
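
The static-attack formula from slides 17 and 18 evaluated numerically, as an added example that is not from the presentation or the SOS paper. The closed form used for P(n, b, c) is the standard count C(n−c, b−c)/C(n, b); `p_exact` goes one step beyond the slide and applies inclusion-exclusion under the assumption that the Servlet, Beacon and SOAP sets are disjoint. All function names are illustrative.

```python
from math import comb

def p_contains(n, b, c):
    """P(n, b, c): b nodes picked uniformly from n include a given set of c."""
    return comb(n - c, b - c) / comb(n, b) if c <= b else 0.0

def p_static(N, M, S, B, A):
    """Slide formula: treats the three role sets as independent."""
    miss = 1.0
    for c in (S, B, A):
        miss *= 1 - p_contains(N, M, c)
    return 1 - miss

def p_exact(N, M, S, B, A):
    """Inclusion-exclusion, assuming the three role sets are disjoint."""
    def p(c):
        return p_contains(N, M, c)
    return (p(S) + p(B) + p(A)
            - p(S + B) - p(S + A) - p(B + A)
            + p(S + B + A))

def nodes_needed(N, S, B, A, goal=0.5):
    """Smallest M for which the slide formula reaches `goal`."""
    return next(M for M in range(N + 1) if p_static(N, M, S, B, A) >= goal)

if __name__ == "__main__":
    N, S, B, A = 1000, 10, 10, 10   # scenario sizes quoted on slide 20
    for M in (100, 500, 800, 900, 1000):
        print(M, f"{p_static(N, M, S, B, A):.4g}",
              f"{p_exact(N, M, S, B, A):.4g}")
    print("M for 50% attack success:", nodes_needed(N, S, B, A))
```

On a tiny overlay (N=4, M=2, S=1, B=1, A=2) the slide formula gives 19/24 while the exact value is 1, which shows that the product form is an approximation that only becomes tight when the role sets are small relative to N.
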
19
Dynamic Attacks
  • Attack/repair battle:
  • The overlay removes attacked nodes, taking time
    T_R
  • Attackers shift attacking traffic from removed
    nodes to active nodes, taking time T_A
  • Assume T_R and T_A are exponentially distributed
    random variables, modeled as a birth-death process
  • Attacking rate: λ
  • Repairing rate: μ
  • Attack load ratio: ρ = λ / μ

20
Centralized Attacks and Centralized Recovery,
M/M/1/K
  • 1000 nodes, 10 SOAPs, 10 Beacons, 10 Servlets
  • If repairing is faster than attacking, SOS can
    survive under large-scale attacks

21
Centralized Attacks and Distributed Recovery, M/M/K/K
22
Distributed Attacks and Centralized Recovery
M/M/1//K
23
Distributed Attacks and Distributed Recovery,
M/M///K
24
Conclusions
  • SOS protects a target from DOS
  • Only legitimate traffic will reach the target
  • Approach
  • Ingress Filtering
  • Hidden Proxies
  • Self-healing overlay networks to defeat attacks
  • Preliminary Analysis
  • Static Attacks
  • Dynamic Attacks

25
Mayday
  • Goal: protect critical servers
  • Components:
  • A Server: centralized resource
  • A Filter Ring: around the server to protect it
  • Edge routers of a domain
  • An Overlay network
  • An Overlay node can be:
  • an ingress point of the overlay network (SOAP)
  • an egress point from the overlay network to the
    filter ring (Servlet)
  • a forwarding node of the overlay network
  • A Client is authenticated by an overlay node but
    not trusted

26
Mayday Architecture
27
Generalizing the Idea of SOS
  • Packet authenticators at a filter (mostly in the
    IP header):
  • Egress source IP address (SOS)
  • Server destination port: 1 to 65,536, large
    search space
  • Server destination address: 1 out of N reserved
    IP addresses (like a VPN shield)
  • Application-defined: OK with firewalls, not core
    routers
  • Overlay routing schemes:
  • Proximity routing: proxies close to the client,
    filter is known
  • Singly-indirect routing: egress address is known
  • Doubly-indirect routing (SOS)
  • Random walk
  • Mix routing: each node only knows the next step

28
Summary
  • SOS provides formal analysis
  • Mayday discusses potential practical solutions
  • Discussion of Advanced attacking approaches
  • Questions
  • Long Delay in overlay routing
  • Trust of overlay nodes
  • Repair speed vs. attacking rate