Griffin Final Report DETER Testbed Update

1
Griffin Final ReportDETER Testbed Update

• Anthony D. Joseph
• UC Berkeley
• http//deter.cs.berkeley.edu/
• Sahara Retreat, June 2004

2
Outline

• Griffin
• Motivation
• Goals and Components
• Retreat talks
• DETER Update
• Motivation and goals
• Testbed status
• Applications virus filtering, worm propagation

3
Near-Continuous, Highly-Variable Internet
Connectivity

• Connectivity everywhere campus, in-building,
  satellite
• Projects Sahara (01-04), Iceberg (98-01), Rover
  (95-97)
• Most applications support limited variability (1
  to 2x)
• Design environment for legacy apps is static
  desktop LAN
• Strong abstraction boundaries (APIs) hide the
  of RPCs
• But, todays apps see a wider range of
  variability
• 3?5 orders of magnitude of bandwidth from 10's
  Kb/s ?1 Gb/s
• 4?6 orders of magnitude of latency from 1 ?sec
  ?1,000's ms
• 5?9 orders of magnitude of loss rates from 10-3 ?
  10-12 BER
• Neither best-effort or unbounded retransmission
  may be ideal
• Also, overloaded servers / limited resources on
  mobile devices
• Result Poor/variable performance from legacy apps

4
Griffin Goals and an Adpative, Predictive Approach

• Users always see excellent (? local, lightly
  loaded) application behavior and performance
• Agility key metric is time to predict, react,
  and adapt
• Apply continuous, cross-layer, multi-timescale
  introspection
• SUCCESS Tapas -- Building accurate models of
  correlated events
• Help legacy and new applications handle changing
  conditions
• Analyze, classify, and predict behavior
• Pre-stage dynamic/static code/data (activate on
  demand)
• SUCCESS REAP/MINO/COMPASS --- Dynamic code/data
  placement with automatic service location
• Overlay more powerful network model on top of IP
• Avoid standardization delays/inertia, enables
  dynamic svc placement
• PARTIAL Tapestry/Brocade --- Interoperation with
  IP routing policies

5
Some Enabling Infrastructure Components Weve
Built

• Tapas network characteristics toolkit Konrad
  Mills prof.
• Measuring/modeling/emulating/predicting delay,
  loss,
• Provides micro-scale network weather information
• Mechanism for monitoring/predicting available QoS
• REAP application building toolkit Czerwinski
  Google
• Introspective mobile code/data support for legacy
  / new apps
• REAP dynamic service component placement
• MINO E-mail application, COMPASS service instance
  locator
• Tapestry, Brocade, and Mobile Tapestry Hildrum
  IBM, Zhao UCSB prof.
• Overlay routing layer providing efficient
  application-level object location and routing
• Mobility support, fault-tolerance, varying
  delivery semantics

6
Related Talks at Retreat

• Kris Hildrum Locality in Tapestry
• Highlight talk today
• Sean Rhea OpenHash
• Tuesday morning in Overlay Networking parallel
  session
• Ling Huang Probabilistic data aggregation
• Tuesday evening in Overlay Networking parallel
  session

7
Outline

• Griffin
• Motivation
• Goals and Components
• Retreat talks
• DETER Update
• Motivation and goals
• Testbed status
• Applications virus filtering, worm propagation

8
(No Transcript)
9
cyber DEfense Technology Experimental Research
(DETER)

• NSF and DHS sponsored cyber-defense research
  project
• Lead PIs UCB, USC-ISI, McAfee
• DETER Goals
• Design and construction of a testbed for network
  security experiments,
• Research on experimental methodology for network
  security, and
• Research on network security.
• DETER focus on 1), but it needs to do some of 2)
  and 3)
• Goal Duplicate observed attack effects in the
  testbed
• E.g., self-congestion for worms

10
Background

• People
• Anthony Joseph, Ruzena Bajcsy, Shankar Sastry,
  David Culler, Doug Tygar, David Wagner, Eric
  Fraser (staff), Yih-Chun Hu (postdoc)
• 3 experiment areas in related EMIST project
• Worms, routing attacks, DDoS attacks
• Just completed major demo last week in DC
• 50 tech govnt (NSF, NIST, DARPA, NSA, DHS)
• Experimenters Workshop (11/8 or 11/15 week)

11
DETEREMIST Motivation

• New, increasingly virulent Worms and Viruses
• MyDoom/Novarg e-mail virus/worm
• 40 reports/hr in first hour, quarantined 8
  million in first 24 hours
• Spreads via E-mail, jumps firewalls thru
  Peer-to-Peer networks
• Blocks access to anti-virus and MS update sites
• Distributed Denial of Service (DDoS) attacks
• Large scale, international attack on Akamai
  infrastructure"
• Potential routing hardware software attacks
• Issues
• Inadequate wide scale deployment of security
  technologies
• Lack of experimental infrastructure
  limited-scale private labs
• Missing objective test data, traffic and metrics

12
DETEREMIST Vision

• ... to provide the scientific knowledge required
  to enable the development of solutions to cyber
  security problems of national importance
• Through the creation of an experimental
  infrastructure network -- networks, tools,
  methodologies, and supporting processes -- to
  support national-scale experimentation on
  research and advanced development of security
  technologies.
• Real systems, Real attacks, Real world!

13
Architecture and Design Cluster Testbed

• Basic choice cluster vs. distributed testbed
• Example Emulab vs. Planetlab design.
• Two major reasons to choose clusters for DETER
• Security containment
• would be impossible in a distributed testbed.
• Need complete control over experimental
  conditions for repeatability

14
DETER Experimental Network
Clusters of N identical experimental
nodes, interconnected dynamically
into arbitrary topologies using VLAN switch
Pool of N identical processors
160
PC
PC
PC
Switch Control Interface
N x 4 _at_1000bT Data ports
Programmable Patch Panel (VLAN switch)
15
Example Topology Created using DETER
(as11537-5s-2t)
16
The Fidelity Issue

• Would ideally like
• Large and realistic topologies
• Diverse, realistic nodes and links
• But
• Fidelity is expensive
• Large-scale fidelity may be unnecessary for
  (maybe even contrary to) good science.
• Plan to add limited heterogeneity and realism
  e.g., a few vendor routers, network processors

17
Early-stage Local Research Efforts

• APE SLT-based virus detection and containment
• Uses unsupervised learning to classify outgoing
  e-mail based on features ( of recipients,
  attachments, etc.)
• Built prototype, now exploring different models
• Worm propagation effects on realistic topologies
• Using Parallel and Distributed NS to emulate up
  to 15,000 nodes with realistic latencies and
  bandwidths
• Significantly different propagation patterns from
  analytical models due to congestion effects

18
Wide-Area Testbed Architecture
Cyber Defense Experiments run on Virtual Internet
Network Traces
32 PCs, but more powerful HW firewalls July 04
UC Berkeley
Internet
ISI-East
USC-ISI
19
UCB DETER Testbed
Internet
Control VPN Server
Data VPN Server
Cutoff Point
Firewall
Cache Boss Server
Foundry FastIron 1500 16 x 10 1000bT ports
Switch Control Interface
Serial Line Power Server

32 _at_ 1000bT Control ports
32 x 4 _at_1000bT Data ports
160
APC Power Controllers
SUN
SUN
SUN
20
Collaboration Opportunities

• http//www.isi.deterlab.net/index.php3
• Research opportunities
• Measuring application behavior under attack
• Web servers, file servers, etc.
• Strategies for mitigating attacks
• Worm defenses, DDoS traceback and block,
  hardening routing protocols
• Operations and management
• Substantial knowledgebase from commercial
  operations
• Hardware donations
• Network nodes, Firewall machines, L2/L3 routers,
  etc

21
Overlay Networking Parallel Sessions Schedule

• 0830-1000 Peer-to-Peer and Routing (Ion)
• Sean Rhea OpenHash
• Jayanth Kanan Supporting Legacy applications in
  i3
• Brighten Godfrey A Heterogeneity-Aware
  Distributed Hash Table
• Rodrigo Fonseca Beacon Vector Routing
• 1930-2100 Applications in Wide Area Networks
  (Anthony)
• Ling Huang Probabilistic Aggregation in
  Distributed Networks
• David Oppenheimer Resource Discovery in
  Distributed Systems
• Dennis Geels Deterministic Replay for Debugging
  Overlay Networks

22
Griffin Final ReportDETER Testbed Update

• Anthony D. Joseph
• UC Berkeley
• http//deter.cs.berkeley.edu/
• Sahara Retreat, June 2004