Roaming Honeypots for Mitigating Servicelevel DenialofService Attacks

1
Roaming Honeypots for Mitigating Service-level
Denial-of-Service Attacks

• Sherif M. Khattab, Chatree Sangpachatanaruk,
  Daniel Mosse, Rami Melhem, Taieb Znati.
• University of Pittsburgh, PA .
• BY Nikhil Mahajan
• Sriharsha Hammika

2
Denial of Service

• Attempt to make a computer resource unavailable
  to its intended users.
• Typically the targets are high-profile web
  servers.

3
Effects of DoS

• Force the victim computer(s) to reset or consume
  its resources such that it can no longer provide
  its intended service.
• Obstruct the communication media between the
  intended users and the victim in such that they
  can no longer communicate adequately.

4
Basic Idea comes from previous Paper

• Server Roaming
• Proactive server roaming to mitigate the effects
  of Denial-of-Service (DoS) attacks.
• The active server changes its location within a
  pool of servers to defend against unpredictable
  and undetectable attacks.
• Only legitimate clients can follow the active
  server as it roams.

5
However

• Basic reasons to shift the paradigm
• Server Bandwidth.
• Clients have to keep track of active server.
• Ratio of Active to idle servers.

6
Honeypots ?

• Honeypots are closely monitored network decoys
  serving several purposes
• Can distract adversaries from more valuable
  machines on a network,
• Can provide early warning about new attack and
  exploitation trends
• Allow in-depth examination of adversaries during
  and after exploitation of a honeypot.

7
Honeypots.

• Upgraded method on the same lines.d
• A proactive detection mechanism.
• Machines that are not supposed to receive any
  legitimate traffic.
• Any traffic destined to a honeypot is most
  probably an ongoing attack and can be analyzed to
  reveal vulnerabilities targeted by attackers.

8
Standard implementation

• Deployed at fixed locations.
• Detectable locations and on machines different
  than the ones they are supposed to protect.
• Sophisticated attacks can avoid the honeypots.

9
Proposed Solution

• Roaming Honeypots
• A scheme for mitigating service-level DoS attacks
  against back-ends of private services.
• The locations of honeypots are continuously and
  unpredictably changing disguisedly within a pool
  of back-end servers.
• Each server alternates between providing the
  service and acting as a honeypot in a manner
  unpredictable to attackers.

10
On the same lines

• Honeynet type of honeypot.
• High-interaction research honeypot.
• Designed to capture extensive information on
  threats.
• The highly controlled network contains one or
  more honeypots for attackers to interact with,
  and provides some tools to collect and analyze
  the information.

11
Honeynet

• Three basic jobs
• Data control
• Data capture and
• Data analysis

12

• DataControl Reduce risk, Compromised systems
  should not be used.
• DataCapture detect and capture attackers
  activities.
• DataAnalysis to analyse and thus prevent further
  attcks.

13
Back to Honeypots

• Filtering Effect.
• Connection-dropping effect.

14

• Filtering Effect
• Idle servers (honeypots) detect attacker
  addresses so that all their subsequent requests
  are filtered out
• Connection-Dropping Effect
• Each time a server switches from idle to active,
  it drops all its current (attack) connections,
  opening a window of opportunity for legitimate
  requests before the attack re-builds up.

15
AGN
Access Gateway Network
16
AGN

• Keeps track of current active servers.
• Clients contact AGs to subscribe and request
  services.
• After the request is authenticated and
  authorized, AG redirect the request to one of the
  active servers.
• Also support dynamic Load balancing.

17
Connection Migration

• At the end of each service epoch, a subset of
  servers change their status from Active-to-Idle
  and Idle-to-Active.
• Sai and Sia
• Sai Sia.
• For each client connection C to a server Sai, its
  handling AG selects a server uniformly from Sia.
• Connection is established between this Active
  server and the client using the latest update
  message from C

18
Network Level Attacks

• Using Spoofed IP address.
• Suppose that, attacker uses a forged source
  address to hide their identity.
• If such a request hits a honeypot then all future
  correspondence from this IP address is dropped.
• If this IP address is a valid address of a Client
  then this client is discarded automatically.
• !!!!!!!! ????
• Fortunately, AGN automatically takes care of this
  situation.

19
Countering Spoofed attacks

• Legitimate requests are tunneled through AGN
• For this attack to be successful an attacker
  needs to spoof an AGs address.
• An AG can easily detect that it is under such an
  attack (all its requests are being dropped) and
  can respond by changing its IP address.
• The AG then updates its address registration with
  the new IP address.

20
Attack Models

• Two types of attack models
• Fixed-target attacks
• Follower attacks
• Fixed-Target Attack
• The attacker selects few servers and
  attacks them continuously.
• Follower Attacks
• The attacker tries to continuously
  direct the attack into active servers.
• Follow delay is found.

21
Other Attack Models

• Service-Level Attack
• Usually found in public services.
• Can be possible in private services with a large
  client population and high join/leave and service
  request rates.
• Not possible using a spoofed source address as a
  three-way handshake is required for the TCP
  service.
• Eavesdropping

22
Experimental Results

• Simulation
• ns-2(Network Simulator) was used.
• Ns is a discrete event simulator targeted at
  network research.
• Supports simulation of TCP, routing and multicast
  protocols over wired or wireless networks.

23
Simulation Model

• Roaming
• Created a wrapper for the ns-2 built-in FullTcp
  agent and added a socket layer
• Testbed
• Created a multi-threaded FTP server and client
  modules
• FTP connection remains active until either the
  FTP request is fulfilled or roaming occurs.

24
Simulation Model (cntd)

• What happens if roaming occurs in between a FTP
  transfer???
• Client module uses its socket layer to record the
  current FTP state (number of remaining bytes) of
  the connection
• Drops the current TCP agent
• Connect to another active agent selected at
  random
• Send the recorded FTP state to new server in
  order to resume the FTP transfer

25
Simulation Model (cntd)

• Filtering Effect
• Connection-dropping
• Modeled a roaming scheme in which there is no
  filtering
• Filter roaming (FR) Roaming honeypots
• Full replication scheme Non roaming
• No filtering roaming (R)

26
Simulation Topology

• Authenticator functionality of roaming update

27
Simulation Result
28
ART Inferences

• Every point in the graph represents the ART
  issued within the previous 30 seconds
• Non-roaming
• keeps on increasing during the attack (50-250s)
• Roaming
• Slight increase
• Filter Roaming
• Increases slightly between 50-180s and then
  stabilizes as all attackers are recorded

29
Effect of Migration Interval
30
M value comparison

• There exists a critical value of M(10,for this
  case)
• Below Critical Value
• Roaming overhead is dominant
• M increases gt frequency of connection
  re-establishment decreases resulting in a
  decreased ART.
• Beyond Critical Value
• M increases gt ART increases.
• Two reasons
• Connection-dropping effect occurs less frequently
• More client requests are issued to attacked server

31
Effect of Client Load
32
Comparison

• The attack load is 5Mbps
• For small attack loads, non-roaming scheme
  outperforms R and FR.
• Other attack loads exhibit similar behavior

33
Effect of Attack Load
34
Comparison

• FR
• Keeps the ART stable with increasing attack loads
• Non-roaming
• ART is less for small loads
• Art increases for large loads
• R
• ART increases with increasing attack load

35
Effect of Follow Delay
36
Follow Delay Comparison

• FR
• ART decreases as follow delay increases
• R
• ART decreases as follow delay increases
• Non-roaming
• ART is same for follower and fixed-target attacks

37
Limitations

• Roaming honeypots scheme incurs an overhead that
  causes performance degradation, both in the
  absence of attacks and under low attack.
• Reasons for Overhead
• Load is distributed over k instead of N servers.
• During a switch from Active-to-idle state, all
  the active connections have to be re-established.

38
Future Work

• A mechanism that adaptively changes the number of
  concurrent active servers depending on attack and
  client loads, is a subject of future work.

39
Conclusion

• At any point of time, a subset of servers is
  active and providing service while rest are
  acting as honeypots.
• All legitimate requests are directed by the AGN(
  from Client server and vice-versa)
• Though this scheme offers an overhead, under the
  circumstance of high attack loads, it shows a
  performance gain.

40

• Thank you.
• Any Questions???
• Best of luck for your Presentation and Final exam
  !!!!!!