APOD Network Mechanisms and the APOD Red-team Experiments

1
APOD Network Mechanisms and the APOD Red-team
Experiments

• Chris Jones
• Michael Atighetchi, Partha Pal, Franklin Webber
• BBN Technologies

QuO APOD
2
Outline

• Motivating Scenario and APOD Overview
• QuO Overview
• APOD Description
• Example APOD Strategies
• Example APOD Tactics
• Example APOD Mechanisms
• Red-team Experiments
• Concluding Remarks

3
Motivating Scenario and APOD Description

• Applications that Participate in their Own
  Defense (APOD)
• Demonstrates that dynamic defense and adaptive
  responses increase an applications resiliency to
  certain kinds of attacks.
• A toolkit of mechanism wrappers and adaptation
  strategies that allows an application to defend
  itself by dynamically adapting to a hostile
  environment.
• Uses QuO, which provides middleware support for
  mechanism integration and adaptation.

Attackers Host
Application Host
Application Host
Application Host
4
Outline

• Motivating Scenario and APOD Overview
• QuO Overview
• APOD Description
• Example APOD Strategies
• Example APOD Tactics
• Example APOD Mechanisms
• Red-team Experiments
• Concluding Remarks

5
Quality Objects(QuO) Architecture
Application Developer
CORBA DOC MODEL
Mechanism Developer
Application Developer
CLIENT
CLIENT
operation()
OBJ REF
out args return value
Delegate
Delegate
QoS Developer
Qosket
SysCond
SysCond
SysCond
QUO/CORBA DOC MODEL
SysCond
IDL SKELETON
MECHANISM/PROPERTY MANAGER
IDL STUBS
OBJECT ADAPTER
Mechanism Developer
6
QuO Overview

• QuO is a middleware framework that supports the
  development and execution of adaptation and
  adding it to an application.
• Adaptation can be driven by changes in an
  applications operating environment.
• Host resources (CPU and memory) usage.
• Network resource availability.
• Host and Network Intrusion status.
• The adaptive code is encapsulated in a middleware
  component called qosket.
• A qosket is a set of specifications and
  implementations that defines a reusable module of
  specific adaptive behavior.
• It can be added into a distributed object
  application with minimum impact on the
  application.

7
QuO Overview (cont.)

• Quality Description Languages (QDL)
• Contract description language, adaptive behavior
  description language.
• Code generators that generate Java and C code
  for contracts, delegates, creation, and
  initialization.
• System Condition Objects
• Provide interfaces to resources, managers, and
  mechanisms.
• QuO Runtime Kernel
• Contract evaluator.
• Factory object which instantiates contract and
  system condition objects.

8
Outline

• Motivating Scenario and APOD Overview
• QuO Overview
• APOD Description
• Example APOD Strategies
• Example APOD Tactics
• Example APOD Mechanisms
• Red-team Experiments
• Concluding Remarks

9
APOD Description

• Key Idea by adapting to and trying to control
  its environment, an application can increase its
  chances of survival under attack.
• Use QuO to integrate multiple security mechanisms
  into a coherent strategy for adaptive defense.
• This is complementary to the usual hardening or
  protection of applications, resources, or
  services where available and practical.
• Ties security information to the adaptation of an
  application through the QuO system condition
  objects.
• APOD has sensor mechanisms that feed defense
  tactics and strategies.
• Actuator mechanisms implement tactic and strategy
  reactions.
• APOD tactics integrate sensors and actuator
  mechanisms to mount a local defensive response.
• Combining individual mechanisms and tactics into
  higher-level defense strategies helps
  applications meet survivability requirements.
• The following slides are examples, not an
  exhaustive list of the possibilities or the
  mechanisms, tactics, and strategies that we are
  using.

10
APOD Strategies

• Use QuO middleware to coordinate all available
  defense mechanisms in a coherent strategy.
• Examples of APOD strategies have been created
• outrun move application components off
  corrupted hosts and on to good ones at a rate
  faster than the hosts go bad.
• Slow down the attackers ability to corrupt host
  by quarantine.
• contain quarantine bad hosts and bad LANs by
  limiting or blocking network traffic from them
  and, within limits, shutting them down.
• Respond quickly with locally gathered
  information.
• Can only quarantine so many hosts or LANs before
  application performance becomes affected.
• In follow on projects we are looking at having
  backup hosts to replenish application
  capabilities depleted by quarantining bad
  application hosts.

11
APOD Tactics

• Examples of APOD tactics that are implemented
  used in strategies
• Block Suspicious Traffic
• Combines network intrustion detection system and
  firewall mechanisms to catch attacker
  reconnaissance traffic and block further
  malicious traffic from the attacker host.
• Choking TCP Connection Floods
• Joins TCP Connection counting with a firewall to
  block hosts that request large numbers of
  connections to a single port.
• Containing ARP Cache Poisoning
• Incorporates an ARP cache poisoning sensor and
  firewall to monitor mapping of MAC to IP
  addresses and resets any mapping if they change
  as well as blocking traffic from offending MAC
  address.
• Squelching Insider Flooding
• Uses network traffic accounting to keep track of
  packets/second and bits/second, and comparing
  means between observed and expected to determine
  a spike in outgoing traffic.
• If spike occurs, rate limiting is applied to
  outgoing traffic of a LAN.

12
APOD Network Sensor Mechanisms

• Network Intrusion Detection
• Attacker can run live attacks and known scripted
  network attacks on hosts.
• Use Snort, a lightweight network intrusion
  detection system.
• Extract the offending host addresses to pass to
  an APOD strategy.
• TCP Connection Flood sensor
• Attacker can flood port with many connections
  making it very difficult or impossible for
  legitimate clients to connect.
• Have a mechanism using netstat to determine
  number of connections to a given port.
• Mechanism monitors application ports for too
  many connections and will warn an APOD strategy
  of any host that has gone over the connection
  threshold.
• ARP cache poisoning detection
• Attacker with access to a subnet can use ARP
  cache poisoning to disrupt or intercept network
  traffic.
• Tool to detect changes in MAC/IP pairings and
  notify an APOD tactic or strategy of changes.
• Uses ping and arp commands to get pairings and
  compares previously collected pairing for
  changes.

13
APOD Network Actuator Mechanisms

• Network traffic filters
• Uses iptables for blocking and rate-limiting
  traffic from hosts believed to be malicious.
• Bandwidth Management
• Intserv (RSVP, SecureRSVP)
• Uses an enhanced RSVP version of Darmstadts RSVP
  implementation.
• Enhanced version done at North Carolina State
  University.
• Bandwidth Broker
• Tool using tc command to make changes in queuing
  policies of routers.
• Secure network traffic
• Uses FreeS/WAN IPSec for protecting network
  traffic.
• Dynamically bring up IPSec between two hosts.
• Dynamic endpoint mechanism
• Uses a NAT gateway to hide the real endpoints,
  address and port, of application.
• The fake endpoints are chosen randomly and
  changed periodically.

14
Outline

• Motivating Scenario and APOD Overview
• QuO Overview
• APOD Description
• Example APOD Strategies
• Example APOD Tactics
• Example APOD Mechanisms
• Red-team Experiments
• Concluding Remarks

15
APOD Red-teaming Experimentation

• Reasons for experiments.
• Validate APOD idea that dynamic adaptation
  defenses can prolong an applications usefulness
  in a hostile environment.
• Also, analyzing the overhead of APOD.
• Sandia Labs red-team tasked with validating APOD.
• Outside, independent team.
• Given full knowledge of application, APOD
  defenses added, and test network.
• Red-teaming happened in two distinct experiments.
• Each experiment consisted of multiple runs of the
  defended application.
• During each run, the red-team would try different
  attacks.
• Started with single attacks per run to multiple
  attacks per run.

16
Application Used in APOD Experiments
serve image
Image Server
Image Display
APOD Defenses
APOD Defenses
query
Image Server
Image Display
register
APOD Defenses
Broker
APOD Defenses
Broker
APOD Defenses
APOD Defenses
APOD Defenses
APOD Defenses
APOD Defenses
Replication group
17
Experimentation Configuration
broker2_1
broker2_2
broker1_1
broker1_2
server1
client2
attack1
APOD Exp Network
bc_ipnet_2
bc_ipnet_1
IPNET2
attack2
IPNET1
router_1
router_2
router_3
router_4
Experiment Control Host
IPNET3
IPNET4
bc_ipnet_3
bc_ipnet_4
broker4_1
broker4_2
server4
broker3_1
broker3_2
server3
client3
18
APOD Experiment Strategies
BC Contain Strategy
IPNET3
bc_ipnet_3
broker3_2
client3
broker3_1
server3
Outrun Contain Strategies
Outrun Contain Strategies
App. Contain Strategy
App. Contain Strategy

• A third strategy was added, Flood prevention and
  Traceback.
• make static SE-RSVP reservations up-front to
  protect network paths from being flooded.
• quarantine hosts by blocking traffic from/to them
  closer to their source (added to contain strategy
  on boundary controllers).

19
Red-teaming Attacks and Results

• APOD defenses blocked or impeded the red-teams
  progress.
• The APOD defenses overcame or blocked many of the
  single attack runs.
• The red-team was forced to combine different
  attacks to cause a denial of service of the
  broker on the defense enabled application.
• Of the attack runs that ended with the
  application in a denial of service, the average
  time-to-denial was approximately 45 minutes from
  start of attacks, with a minimum of roughly 10
  minutes. Without APOD defenses, service was
  denied immediately.

20
Results

• The cost of adding the APOD defenses to image
  latency was approximately 5 to 20 depending
  which tactics and strategies were in place.
• We concluded that most of the latency increase
  was caused by the containment strategy and
  accompanying mechanisms that ran on the boundary
  control routers.

21
Concluding Remarks

• Conclusion.
• Dynamic adaptation has added value for an
  application by giving it the ability to prolong
  its usefulness in the presents of attacks.
• This prolonged usefulness has a reasonable cost.
• Red-team experiments are beneficial for
  validating and stress testing our defenses.
• APOD is being used in other survivability
  projects.
• Using and expanding of APOD mechanisms, tactics,
  and strategies.
• Other projects include ITUA, DPASA, and Dynamic
  Quarantine.
• Websites
• QuO quo.bbn.com
• APOD apod.bbn.com
• ITUA itua.bbn.com