SCOLD: Secure Collective Internet Defense http:cs'uccs'eduscold

1
SCOLD Secure Collective Internet
Defensehttp//cs.uccs.edu/scold/
C. Edward Chow, Yu Cai, Ganesh Godavari Departmen
t of Computer Science University of Colorado at
Colorado Springs
Part of this work is based on research sponsored
by the Air Force Research Laboratory, under
agreement number F49620-03-1-0207. It was
sponsored by a NISSC Summer 2002 grant.
2
Outline of the Talk

• Secure Collective Internet Defense, the idea.
  How should we pursue it?
• Secure Collective Internet Defense, SCOLDv0.1. A
  technique based Intrusion Tolerance paradigm
• SCOLDv0.1 implementation and testbed
• Secure DNS update with indirect routing entries
• Indirect routing protocol based on IP tunnel
• Performance Evaluation of SCOLDv0.1
• SCOLD v0.2 multipath connection
• Conclusion and Future Directions

3
DDoS Distributed Denial of Service Attack
Research by Moore et al of University of
California at San Diego, 2001. 12,805 DoS in
3-week period Most of them are Home, small to
medium sized organizations
DDoS VictimsYahoo/Amazon 2000CERT
5/2001DNS Root Servers
10/2002(4up 7 cripple 80Mbps) Akamai DDNS
5/2004
DDoS ToolsStacheldrahtTrinooTribal Flood
Network (TFN)
4
DDoS Attack on Akamai?

• So today an outage of some sort at Akamai's
  distributed DNS service brought down access to
  some major sites from various parts of the world,
  including Google, Yahoo, and Microsoft. Pretty
  quickly, as evidenced by this slashdot thread the
  questions over how the days of "no single point
  of failure" are over started to pop up.Akamai
  problems. Quiet, well kinda quiet, day on the
  Internet--- Diego Doval, CTO of Clevercactus
• Update (Mon. May 24th 9 am EST, 1300 UTC, 1500
  CEST )
• It appears that websites that use Akamai's
  distribution system are currently not reachable.
  Security related web sites effected are
  symantec.com and trendmicro.com. Virus updates
  may fail as a result. Further details are
  currently not available and updates will be
  posted here as they become available. Thanks to
  Vidar Wilkens for alerting us of this problem.
  --- infoworld 7/4/2004

5
Secure Collective Internet Defense

• Internet attacks community seems to be better
  organized.
• How about Internet Secure Collective Defense?
• Report/exchange virus info and distribute
  anti-virus not bad (need to pay Norton or
  Network Associate)
• Report/exchange spam info?not good (spambayes,
  spamassasin, email firewall, remove.org)
• Report attack (to your admin or FBI?)?not good
• IP Traceback? difficult to negotiate even the
  use of one bit in IP header
• Push back attack?slow call to upstream ISP hard
  to find IDIP spec!
• Form consortium and help each other during
  attacks?almost non-existent

6
An Enterprise Cyber-Defense System
7
Intrusion Related Research Areas

• Intrusion Prevention
• General Security Policy
• Ingress/Egress Filtering
• Intrusion Detection
• Honey pot
• Host-based IDS Tripwire
• Anomaly Detection
• Misuse Detection
• Intrusion Response
• Identification/Traceback/Pushback
• Intrusion Tolerance

8
Secure Collective Defense

• Main Idea?Explore secure alternate paths for
  clients to come in Utilize geographically
  separated proxy servers.
• Goal
• Provide secure alternate routes
• Hide IP addresses of alternate gateways
• Techniques
• Multiple Path (Indirect) Routing
• Secure DNS extension how to inform client DNS
  servers to add alternate new entries (Not your
  normal DNS name/IP address mapping entry).
• Utilize a consortium of Proxy servers with IDS
  that hides the IP address of alternate gateways.
• How to partition clients to come at different
  proxy servers?? may help identify the attacker!
• How clients use the new DNS entries and route
  traffic through proxy server?? Use Sock
  protocol, modify resolver library

9
Wouldnt it be Nice to Have Alternate Routes?
net-a.com
net-b.com
net-c.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
How to reroute clients traffic through
R1-R3?Multi-homing
R
DNS
DDoS Attack Traffic
Client Traffic
Victim
A Compromised Agent
10
Possible Solution for Alternate Routes
net-a.com
net-b.mil
net-c.mil
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
New route via Proxy3 to R3
Proxy2
Proxy1
Proxy3
Attacked blocked
Attack msgs blocked
R2
block
R
R1
R3
Sends Reroute Command with DNS/IP Addr. Of
Proxy and Victim
Victim
Distress Call
11
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy3
Proxy1
block
block
R
R2
R1
R3
RerouteCoordinator
1. IDS detects intrusion Blocks Attack
Traffic Sends distress call to Reroute
Coordinator
Attack Traffic
Client Traffic
Victim
12
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Proxy2
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s)) to DNS
Proxy1
block
R
R2
R1
R3
RerouteCoordinator
1. IDS detects intrusion Blocks Attack
Traffic Sends distress call to Reroute
Coordinator
Attack Traffic
Client Traffic
Victim
13
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy3 to R3
3. New route via Proxy2 to R2
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy1
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s)) to DNS
block
R
R2
R1
R3
RerouteCoordinator
Attack Traffic
Client Traffic
Victim
14
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy3 to R3
3. New route via Proxy2 to R2
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy1
4. Attack traffic detected by IDSblock by
Firewall
block
4a. Attack traffic detected by IDSblock by
Firewall
R
R1
R3
R2
RerouteCoordinator
Attack Traffic
Client Traffic
Victim
15
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy3
Proxy1
4. Attack traffic detected by IDSblock by
Firewall
block
4a. Attack traffic detected by IDSblock by
Firewall
R
R2
R1
R3
RerouteCoordinator
4b. Client traffic comes in via alternate route
Attack Traffic
1.distress call
Client Traffic
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s))
Victim
16
SCOLD Secure DNS Updatewith New Indirect DNS
Entries
Modified Bind9
Modified Bind9
Modified ClientResolveLibrary
(target.targetnet.com, 133.41.96.71, ALT
203.55.57.102                              
203.55.57.103                               185.1
1.16.49                               221.46.56.3
8
New Indirect DNS Entries
A set of alternate proxy servers for indirect
routes
17
SCOLD Indirect Routing
IP tunnel
IP tunnel
18
SCOLD Indirect Routing with Client running SCOLD
client daemon
IP tunnel
IP tunnel
19
Performance of SCOLD v0.1

• Table 1 Ping Response Time (on 3 hop route)
• Table 2 SCOLD FTP/HTTP download Test (from
  client to target)

With Single Indirect Route
With direct Route
20
Benefit of SCOLD v0.1

• Capability to perform Secure Peer-to-Peer DNS
  update (with enhanced DNS indirect routing
  entries) through indirect routes.
• Capability to establish multiple indirect routes
  in todays Internet via designated proxy servers
  and alternate gateway.
• Improved performance larger aggregated bandwidth
  (Can provide bandwidth on-demand service.)
• Improved reliability
• Send redundant critical info over geographical
  diverse paths.
• Avoid network congestion
• Improved security
• Dynamically establish alternate paths against
  DDoS
• Enable peer-to-peer indirect DNS query/update
• Spread traffic over multiple paths to avoid
  traffic analysis

21
SCOLD 0.2 Multipath Connection
22
Proxy Server based Multipath Connection (PSMC)

• How to set up multiple routes between two end
  hosts? via a set of intermediate connection relay
  proxy servers by using IP tunneling.
• How to stripe packets across multiple routes? IP
  layer, weighted round robin manner. Both TCP and
  UDP can benefit from .
• TCP persistent reordering problem. TCP packets
  over multiple routes are likely to reach
  destination out of sequence order. Our
  experimental results show that it can seriously
  degrade the overall system performance. In PSMC,
  we use double buffer at TCP layer on receiver
  side to solve the problem.
• TCP high loss rate problem. The loss rate of a
  multipath connection is usually higher than that
  of single path connection. Traditional TCP
  blindly cuts the congestion control window size
  in half upon fast retransmit, which may slow down
  the TCP performance in multipath scenario. In
  PSMC, we set the congestion window size to a more
  appropriate value upon fast retransmit.

23
Proxy Server based Multipath Connection (PSMC)

• Path selection. To achieve maximum aggregate
  bandwidth, a labeling algorithm is proposed in
  PSMC.
• Bad path detection. Experimental results show
  that a failed path, a bad path, or paths with
  shared congestion links can seriously affect
  the system performance. In PSMC, by passively
  monitoring on end hosts and periodically
  exchanging network information through
  communication channel, we can quickly detect the
  unwanted paths.
• Path management. Path addition and path deletion
  need to be finished dynamically with low cost in
  a timely manner.
• Failure recovery. A multipath system should
  recover quickly from sub-path failure.

24
PSMC Performance result without double buffer
25
PSMC Performance resultwith double buffer
26
processing overhead of PSMC on single path
27
the impact of bad path
28
Selected related works

• RON network, MIT
• Detour project, U of Washington
• Westwood project, UCLA
• mTCP project, Princeton
• TCP-PR, UC
• Multihoming and overlay, SIGCOMM 2004
• Internet Indirection Infrastructure, TON 2004

29
Future Directions

• Add thin layer between TCP and IP to utilize the
  multiple geographically diverse routes set up
  with IP tunnels.
• Scold Proxy Server Selection Problem
• Porting DNS/Indirect Routing Protocol to Windows.
• Recruit sites for wide area network SCOLD
  experiments. Northrop Grumman, Air Force
  Academy's IA Lab, and University of Texas are
  initial potential partners. Email me if you would
  like to be part of the SCOLD beta test sites and
  form a SCOLD consortium.
• SCOLD technologies can be used as a potential
  solution for bottlenecks detected by network
  analysis tool.

30
Conclusion

• Secure Collective Internet Defense needs
  significant helps from community. Tremendous
  research and development opportunities.
• SCOLD v.01 demonstrated DDoS defense via
• use of secure DNS updates with new indirect
  routing
• IP-tunnel based indirect routing to let
  legitimate clients come in through a set of proxy
  servers and alternate gateways.
• Multiple indirect routes can also be used for
  improving the performance of Internet
  connections by using the proxy servers of an
  organization as connection relay servers.