Title: On Secure Collective Network Defense http://cs.uccs.edu/~scold/
1 On Secure Collective Network Defense
http://cs.uccs.edu/~scold/
Chinghua Edward Chow, Yu Cai, Dave Wilkinson
Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2002 grant.
Will be with the School of Technology, Michigan Technological University at Houghton.
2 Outline of the Talk
- Secure Collective Network Defense, the idea. How should we pursue it?
- Secure Collective Network Defense, SCOLD v0.1. A technique based on the Intrusion Tolerance paradigm
- SCOLD v0.1 implementation and testbed
  - Secure DNS update with indirect routing entries
  - Indirect routing protocol based on IP tunnel
- Performance Evaluation of SCOLD v0.1
- SCOLD v0.2 multipath connection
- Conclusion and Future Directions
3 DDoS: Distributed Denial of Service Attack
- Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period. Most of the victims are home users and small to medium-sized organizations.
- Famous DDoS victims: Yahoo/Amazon 2000; CERT 5/2001; DNS root servers 10/2002 (4 up, 7 crippled); Akamai DDNS 5/2004
- DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
4 DDoS Attack on Akamai?
- "So today an outage of some sort at Akamai's distributed DNS service brought down access to some major sites from various parts of the world, including Google, Yahoo, and Microsoft. Pretty quickly, as evidenced by this slashdot thread, the questions over how the days of 'no single point of failure' are over started to pop up. Akamai problems. Quiet, well kinda quiet, day on the Internet." --- Diego Doval, CTO of Clevercactus
- "Update (Mon. May 24th 9 am EST, 1300 UTC, 1500 CEST): It appears that websites that use Akamai's distribution system are currently not reachable. Security related web sites affected are symantec.com and trendmicro.com. Virus updates may fail as a result. Further details are currently not available and updates will be posted here as they become available. Thanks to Vidar Wilkens for alerting us of this problem." --- infoworld 7/4/2004
5 Secure Collective Network Defense
- The Internet attack community seems to be better organized.
- How about Internet Secure Collective Defense?
  - Report/exchange virus info and distribute anti-virus? Not bad (need to pay Norton or Network Associates)
  - Report/exchange spam info? Not good (SpamBayes, SpamAssassin, email firewall, remove.org)
  - Report attack (to your admin or the FBI)? Not good
  - IP traceback? Difficult to negotiate even the use of one bit in the IP header
  - Push back attack? Slow call to upstream ISP; hard to find the IDIP spec!
  - Form a consortium and help each other during attacks? Almost non-existent
6 An Enterprise Cyber-Defense System (figure)
7 Intrusion Related Research Areas
- Intrusion Prevention
  - General Security Policy
  - Ingress/Egress Filtering
- Intrusion Detection
  - Honey pot
  - Host-based IDS (Tripwire)
  - Anomaly Detection
  - Misuse Detection
- Intrusion Response
  - Identification/Traceback/Pushback
- Intrusion Tolerance
8 Wouldn't it be Nice to Have Alternate Routes?
(Figure: client networks net-a.edu, net-b.com and net-c.edu, each with its own DNS server DNS1-DNS3 and router R. Attack agents A inside them send DDoS attack traffic, mixed with legitimate client traffic, to the victim behind its gateway router R and DNS server. The victim's site also has alternate gateway routers R1-R3.)
How to reroute clients' traffic through R1-R3? Multi-homing.
9 Possible Solution for Alternate Routes
(Figure: the topology of slide 8, with proxy servers Proxy1-Proxy3 placed in front of the alternate gateways R1-R3.)
- The victim sends a distress call.
- A reroute command carrying the DNS name/IP address of the proxy and of the victim is sent out.
- Attack messages are blocked (the "block" labels at the victim's gateway R and at R2 in the figure).
- A new route is established via Proxy3 to R3.
10 SCOLD (figure, built up step by step on slides 10 to 14)
(Figure: the topology of slide 9 with a Reroute Coordinator added at the victim's site. The IDS/firewall blocks attack traffic at the gateways (the "block" labels), and the alternate gateways R1-R3 are reached through the proxy servers Proxy1-Proxy3. Attack traffic and client traffic are drawn as separate flows.)
1. The IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS name, IP address of the victim, proxy server(s)) to the DNS servers of the client networks.
3. New routes are set up: via Proxy1 to R1, via Proxy2 to R2, and via Proxy3 to R3.
4. Attack traffic that follows the new routes is again detected by the IDS and blocked by the firewall (4 and 4a in the figure).
4b. Client traffic comes in via the alternate routes.
15 SCOLD Secure DNS Update with New Indirect DNS Entries
(Figure: two Modified BIND9 servers and a Modified Client Resolve Library exchange the new indirect DNS entries.)
New Indirect DNS Entries: a set of alternate proxy servers for indirect routes, for example
(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
16 SCOLD Indirect Routing
(Figure: the indirect route is built from two IP tunnels.)
17 SCOLD Indirect Routing with Client running SCOLD client daemon
(Figure: the indirect route is built from two IP tunnels.)
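The reroute exchange of slides 10 to 17 (distress call, reroute command, indirect DNS entry, client falling back to a proxy tunnel), as an added Python example that is not part of SCOLD's code base. The entry format is the one shown on slide 15; the message fields, the HMAC-based authentication of the reroute command (the slides call the update secure but do not show the mechanism), the pre-shared key and the reachability model are assumptions made for this example.

```python
# Added example, not SCOLD's own code. Models the SCOLD v0.1 reroute exchange:
# IDS distress call -> Reroute Coordinator -> reroute command to DNS ->
# client resolver reads the new indirect (ALT) entry -> client daemon routes
# through a proxy tunnel. Message fields, HMAC authentication, the shared key
# and the reachability model are assumptions made for this example.
import hashlib
import hmac
import ipaddress
import json
import re

# Entry format as shown on slide 15:
# (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 ...)
INDIRECT_ENTRY = re.compile(
    r"\(\s*(?P<name>[\w.-]+)\s*,\s*(?P<ip>[\d.]+)\s*,\s*ALT\s+(?P<alts>[\d. ]+)\)"
)


def parse_indirect_entry(text):
    """Return (name, victim_ip, [proxy_ip, ...]); every address is validated."""
    m = INDIRECT_ENTRY.search(text)
    if not m:
        raise ValueError("not an indirect DNS entry: %r" % text)
    victim = str(ipaddress.IPv4Address(m.group("ip")))
    proxies = [str(ipaddress.IPv4Address(p)) for p in m.group("alts").split()]
    return m.group("name"), victim, proxies


def _mac(key, cmd):
    body = json.dumps(cmd, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class RerouteCoordinator:
    """Turns the IDS distress call into an authenticated reroute command."""
    def __init__(self, key):
        self.key = key

    def distress_call(self, victim_name, victim_ip, proxies):
        cmd = {"name": victim_name, "victim": victim_ip, "proxies": list(proxies)}
        return {"cmd": cmd, "mac": _mac(self.key, cmd)}


class IndirectDns:
    """Stands in for the modified BIND9: an A record plus an ALT proxy list."""
    def __init__(self, key):
        self.key = key
        self.zone = {}  # name -> {"a": ip, "alt": [proxy, ...]}

    def add_a(self, name, ip):
        self.zone[name] = {"a": ip, "alt": []}

    def apply_reroute(self, msg):
        # A forged or tampered command must not be able to redirect clients.
        if not hmac.compare_digest(_mac(self.key, msg["cmd"]), msg["mac"]):
            return False
        cmd = msg["cmd"]
        self.zone[cmd["name"]] = {"a": cmd["victim"], "alt": list(cmd["proxies"])}
        return True

    def resolve(self, name):
        rec = self.zone[name]
        return rec["a"], list(rec["alt"])


class ClientDaemon:
    """Models the SCOLD client daemon: use the direct route when the victim's
    gateway answers, otherwise tunnel through the first usable ALT proxy.
    `reachable` maps an address to whether packets sent to it get through."""
    def __init__(self, dns, reachable):
        self.dns = dns
        self.reachable = reachable

    def route_to(self, name):
        victim, proxies = self.dns.resolve(name)
        if self.reachable.get(victim, False):
            return [victim]
        for proxy in proxies:
            if self.reachable.get(proxy, False):
                return [proxy, victim]  # client -> proxy tunnel -> alternate gateway
        raise RuntimeError("no usable route to %s" % name)


def scold_demo():
    key = b"coordinator-dns-shared-key"  # assumption: pre-shared by coordinator and DNS
    name, victim, proxies = parse_indirect_entry(
        "(target.targetnet.com, 133.41.96.71, "
        "ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)")
    dns = IndirectDns(key)
    dns.add_a(name, victim)
    reachable = {victim: True}
    reachable.update({p: True for p in proxies})
    client = ClientDaemon(dns, reachable)
    before = client.route_to(name)          # normal operation: direct route
    reachable[victim] = False               # step 1: DDoS swamps the main gateway
    cmd = RerouteCoordinator(key).distress_call(name, victim, proxies)  # step 2
    forged = {"cmd": dict(cmd["cmd"], proxies=["198.51.100.9"]), "mac": cmd["mac"]}
    rejected = dns.apply_reroute(forged)    # attacker-supplied proxy list: MAC fails
    accepted = dns.apply_reroute(cmd)       # genuine command installs the ALT entry
    after = client.route_to(name)           # steps 3/4b: client enters via a proxy
    return before, rejected, accepted, after


if __name__ == "__main__":
    print(scold_demo())
```

Two checks a practitioner would want before trusting such a scheme: the reroute command must be authenticated, since whoever can inject one can redirect every client of the victim through a proxy of their choosing (here a tampered proxy list fails the MAC check); and the proxy addresses handed out in ALT entries must not themselves sit behind the attacked gateway, or the alternate route collapses together with the direct one. Clients whose resolver does not understand the ALT list, or that still hold a cached A record, keep hitting the swamped gateway until the record expires.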
18 Performance of SCOLD v0.1
Table 1: Ping Response Time (on a 3-hop route)

Route                    | No DDoS attack | DDoS attack
-------------------------|----------------|------------
Direct route             | 0.49 ms        | 225 ms
Single indirect route    | 0.65 ms        | 0.65 ms

Table 2: SCOLD FTP/HTTP download test (from client to target), with direct route vs. with single indirect route (chart; values not extracted)
19 Benefit of SCOLD v0.1
- Capability to perform secure peer-to-peer DNS update (with enhanced DNS indirect routing entries) through indirect routes.
- Capability to establish multiple indirect routes in today's Internet via designated proxy servers and alternate gateways.
- Improved performance: larger aggregated bandwidth (can provide bandwidth-on-demand service).
- Improved reliability
  - Send redundant critical info over geographically diverse paths.
  - Avoid network congestion
- Improved security
  - Dynamically establish alternate paths against DDoS
  - Enable peer-to-peer indirect DNS query/update
  - Spread traffic over multiple paths to avoid traffic analysis
20 SCOLD v0.2 Multipath Connection
21 Proxy Server based Multipath Connection (PSMC)
- How to set up multiple routes between two end hosts? Via a set of intermediate connection relay proxy servers, using IP tunneling.
- How to stripe packets across multiple routes? At the IP layer, in a weighted round-robin manner. Both TCP and UDP can benefit from it.
- TCP persistent reordering problem. TCP packets sent over multiple routes are likely to reach the destination out of sequence order. Our experimental results show that this can seriously degrade overall system performance. In PSMC, we use a double buffer at the TCP layer on the receiver side to solve the problem.
- TCP high loss rate problem. The loss rate of a multipath connection is usually higher than that of a single-path connection. Traditional TCP blindly cuts the congestion window size in half upon fast retransmit, which may slow down TCP performance in the multipath scenario. In PSMC, we set the congestion window size to a more appropriate value upon fast retransmit.
22 Proxy Server based Multipath Connection (PSMC)
- Path selection. To achieve maximum aggregate bandwidth, a labeling algorithm is proposed in PSMC.
- Bad path detection. Experimental results show that a failed path, a bad path, or paths with shared congested links can seriously affect system performance. In PSMC, by passively monitoring on the end hosts and periodically exchanging network information through the communication channel, we can quickly detect the unwanted paths.
- Path management. Path addition and path deletion need to be done dynamically, at low cost and in a timely manner.
- Failure recovery. A multipath system should recover quickly from sub-path failure.
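The striping, receiver-side reordering and passive bad-path detection described on the two PSMC slides above, as an added Python example that is not PSMC's own code. The path names, weights, fixed per-path delays, the loss pattern and the 20% loss threshold are constructed for the demonstration; PSMC's labeling algorithm for path selection and its congestion-window adjustment are not modelled here.

```python
# Added example, not PSMC's own code. Shows three mechanisms the slides
# describe at the IP/TCP boundary: weighted round-robin striping over proxy
# paths, a receiver-side reorder buffer that hides multipath reordering from
# TCP, and passive per-path loss monitoring to flag a bad path. Path names,
# weights, delays, the loss pattern and the threshold are constructed here.
import heapq


def weighted_round_robin(paths, n_packets):
    """Assign sequence numbers 0..n_packets-1 to paths in weighted round-robin
    order. paths: list of (path_name, weight). Returns [(seq, path_name), ...]."""
    schedule = []
    for name, weight in paths:
        schedule.extend([name] * weight)
    return [(seq, schedule[seq % len(schedule)]) for seq in range(n_packets)]


def simulate_arrivals(assignments, delays, lost=()):
    """Yield (arrival_time, seq, path) in arrival order. Packets leave one per
    time unit; each path adds a fixed delay; packets in `lost` never arrive."""
    events = [(seq + delays[path], seq, path) for seq, path in assignments
              if seq not in lost]
    heapq.heapify(events)
    while events:
        yield heapq.heappop(events)


class ReorderBuffer:
    """Receiver-side buffer in the spirit of PSMC's double buffer: hold
    out-of-order segments and release them in sequence, so the TCP layer above
    never sees the persistent reordering caused by paths of unequal delay."""
    def __init__(self):
        self.next_seq = 0
        self.pending = set()
        self.max_depth = 0  # largest number of segments held back at once

    def receive(self, seq):
        delivered = []
        if seq < self.next_seq:
            return delivered  # duplicate of something already released
        self.pending.add(seq)
        self.max_depth = max(self.max_depth, len(self.pending))
        while self.next_seq in self.pending:
            self.pending.discard(self.next_seq)
            delivered.append(self.next_seq)
            self.next_seq += 1
        return delivered


def detect_bad_paths(assignments, arrived, loss_threshold=0.2):
    """Passive monitoring: compare what was striped onto each path with what
    the receiver saw, and flag paths whose loss rate exceeds the threshold."""
    sent, got = {}, {}
    for _, path in assignments:
        sent[path] = sent.get(path, 0) + 1
    for _, path in arrived:
        got[path] = got.get(path, 0) + 1
    return sorted(p for p in sent if 1 - got.get(p, 0) / sent[p] > loss_threshold)


def psmc_demo(n_packets=30):
    paths = [("proxy1", 3), ("proxy2", 2), ("proxy3", 1)]   # weights 3:2:1
    delays = {"proxy1": 2, "proxy2": 5, "proxy3": 9}        # time units per path
    assignments = weighted_round_robin(paths, n_packets)
    share = {name: sum(1 for _, p in assignments if p == name) for name, _ in paths}

    # Scenario A, no loss: raw arrivals are out of order, the buffer fixes it.
    raw = [seq for _, seq, _ in simulate_arrivals(assignments, delays)]
    buf = ReorderBuffer()
    delivered = []
    for seq in raw:
        delivered.extend(buf.receive(seq))

    # Scenario B: proxy3 drops most of its packets; monitoring flags it.
    lost = {5, 17, 29}  # all three are proxy3 packets (seq % 6 == 5)
    arrived = [(seq, path) for _, seq, path in
               simulate_arrivals(assignments, delays, lost)]
    return {
        "share": share,
        "raw_in_order": raw == sorted(raw),
        "delivered": delivered,
        "buffer_depth": buf.max_depth,
        "bad_paths": detect_bad_paths(assignments, arrived),
    }


if __name__ == "__main__":
    print(psmc_demo())
```

The buffer is deliberately head-of-line blocking: a segment that never arrives holds back everything behind it, which is exactly why PSMC pairs the receiver buffer with the TCP retransmission above it rather than replacing it. The loss monitor will also flag a path whose loss comes from a link it shares with another path; telling that apart from an independently bad path needs the periodic exchange of network information the slide mentions, not just end-host counters.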
23 PSMC Performance Result without Double Buffer (figure)
24 PSMC Performance Result with Double Buffer (figure)
25 Processing Overhead of PSMC on Single Path (figure)
26 Impact of Uneven Bandwidth among Paths (figure)
27 Selected Related Works
- Resilient Overlay Network, MIT (SOSP 2001)
- Detour project, U of Washington
- TCP-Westwood project, UCLA
- mTCP project, Princeton
- TCP Persistent Reordering, UCSB/UDel/USC
- Multihoming and Overlay, CMU (SIGCOMM 2004)
- Internet Indirection Infrastructure, UCB (TON 2004)
28 Future Directions
- Integrate PSMC in the Enterprise Cyber Defense System.
- Organic Networking/Security (utilize PSMC in a network of data centers)
- SCOLD proxy server selection problem
- Make PSMC available to end users
- Port the DNS/indirect routing protocol to Windows.
- Recruit sites for wide area network SCOLD experiments. Northrop Grumman and the Air Force Academy's IA Lab are initial potential partners. Email me if you would like to be part of the SCOLD beta test sites and let us form a SCOLD consortium.
- SCOLD technologies can be used as a potential solution for bottlenecks detected by network analysis tools.
29 Conclusion
- Secure Collective Network Defense needs significant help from the community. There are tremendous research and development opportunities.
- SCOLD v0.1 demonstrated DDoS defense via
  - use of secure DNS updates with new indirect routing entries
  - IP-tunnel based indirect routing to let legitimate clients come in through a set of proxy servers and alternate gateways.
- Multiple indirect routes can also be used for improving the performance of Internet connections by using the proxy servers of an organization as connection relay servers.