Security Related Research Projects at UCCS Network Research Lab - PowerPoint PPT Presentation

About This Presentation
Title: Security Related Research Projects at UCCS Network Research Lab

Description:

Paul Fong: Wireless AODV Routing for sensor networks. Nirmala Belusu: Wireless Network Security ... Invite speakers from Industry such as Innerwall and AFA? ... – PowerPoint PPT presentation

Slides: 32
Provided by: TM73
Learn more at: http://cs.uccs.edu

Transcript and Presenter's Notes


1
Security Related Research Projects at UCCS
Network Research Lab
C. Edward Chow, Department of Computer Science,
University of Colorado at Colorado Springs
2
Outline of the Talk
  • Brief Introduction to the Network/Protocol
    Research Lab at UCCS
  • Network security related research projects at
    UCCS Network/Protocol Research Lab
  • Autonomous Anti-DDoS Project
  • Secure Collective Defense Project
  • BGP/MPLS based VPN Project
  • Discussion on Innerwall-UCCS Joint Research
    Project
  • STTR N03-T010, title: Intrusion Monitoring,
    Detection and Reporting

3
UCCS Network Research Lab
  • Director: Dr. C. Edward Chow
  • Graduate students:
    • John Bicknell/Steve McCaughey/Anders Hansmat:
      Distributed Network Restoration/Network
      Survivability
    • Hekki Julkunen: Dynamic Packet Filter
    • Chandra Prakash: High Available Linux
      kernel-based Content Switch
    • Ganesh Godavari: Linux based Secure Web Switch
    • Angela Cearns: Autonomous Anti-DDoS (A2D2)
      Testbed
    • Longhua Li: IXP-based Content Switch
    • Yu Cai (Ph.D. research assistant): Multipath
      Routing
    • Jianhua Xie (Ph.D.): Secure Storage Networks
    • Frank Watson: Content Switch for Email Security
    • Paul Fong: Wireless AODV Routing for sensor
      networks
    • Nirmala Belusu: Wireless Network Security, PEAP
      vs. TTLS
    • David Wilkinson/Sonali Patankar: Secure Collective
      Defense
    • Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based
      VPN
    • Patricia Ferrao/Merlin Vincent: Web-based
      Collaborative System Support

4
UCCS Network Lab Setup
  • Gigabit fiber connection to UCCS backbone
  • Switch/Firewall/Wireless AP:
    • HP 4000 switch, 4 Linksys/D-Link switches
    • SonicWall Pro 300 firewall
    • 8 Intel 7112 SSL accelerators and 4 7820 XML
      directors donated by Intel
    • Cisco 1200 Aironet dual-band access point and 350
      client PC/PCI cards (both 802.11a and 802.11b
      cards)
  • Intel IXP12EB network processor evaluation board
  • Servers: two Dell PowerEdge servers
  • Workstations/PCs:
    • 8 Dell PCs (3 GHz to 500 MHz), 12 HP PCs (500 to 233 MHz)
    • 2 laptop PCs with Aironet 350 for mobile wireless
  • OS: Linux Red Hat 8.0, Windows XP/2000

5
[Figure: lab topology showing the HP4000 switch, Gigabit fiber to the UCCS
backbone, workstations, a Dell server and the Intel IXP network processor.]
6
  • Intel 7110 SSL Accelerators
  • 7280 XML Director

7
DDoS: Distributed Denial of Service Attack
DDoS Victims: Yahoo/Amazon 2000, CERT 5/2001, DNS Root Servers 10/2002
DDoS Tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
8
How wide spread is DDoS?
  • Research by Moore et al of University of
    California at San Diego, 2001.
  • 12,805 DoS attacks observed in a 3-week period
  • Most of the targets were home users and small to
    medium-sized organizations

9
Intrusion Related Research Areas
  • Intrusion Prevention
  • General Security Policy
  • Ingress/Egress Filtering
  • Intrusion Detection
  • Anomaly Detection
  • Misuse Detection
  • Intrusion Response
  • Identification/Traceback/Pushback
  • Intrusion Tolerance

10
Security Related Research Projects
  • Secure Content Switch
  • Autonomous Anti-DDoS Project
    • Deals with intrusion detection and handling
    • Techniques:
      • IDS-Firewall integration
      • Adaptive firewall rules
      • Easy to use/manage
  • Secure Collective Defense Project
    • Deals with intrusion tolerance: how to tolerate
      the attack
    • Techniques (main idea: explore secure alternate
      paths for clients to come in):
      • Multiple path routing
      • Secure DNS extension: how to inform client DNS
        servers to add alternate new entries
      • Utilize a consortium of proxy servers with IDS
        that hides the IP address of alternate gateways
  • BGP/MPLS based VPN Project
  • Content Switch for Email Security

11
Design of an Autonomous Anti-DDOS Network (A2D2)
  • Graduate student: Angela Cearns
  • Goals:
    • Study Linux Snort IDS/Firewall system
    • Develop Snort plug-in for generic flood detection
    • Investigate rate limiting and class based
      queueing (CBQ) for effective firewall protection
    • Intrusion detection automatically triggers
      adaptive firewall rule update
    • Study QoS impact with/without A2D2 system
  • http://cs.uccs.edu/chow/pub/master/acearns/doc/
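As an added example (not A2D2's own code), a Python sketch of the control loop the goals above describe: a generic flood detector feeds per-source packet counts to a firewall policy that escalates through rate-limit levels on every flooding window and relaxes again after calm windows. The tiers, thresholds and the traffic trace are assumptions, not values from the project.

```python
from collections import defaultdict

# Assumed policy tiers (the slides name multi-level rate limiting but give no
# numbers): None = unlimited, then pkts/s ceilings, then 0 = a plain drop rule.
LEVELS = [None, 50, 10, 0]
FLOOD_THRESHOLD = 100   # assumed: pkts from one source in a 1 s window = flood
CALM_WINDOWS = 3        # assumed: calm windows needed before stepping down


class AdaptiveFirewall:
    """IDS flood verdicts move a source's rate-limit level up; calm windows
    move it back down, so a source is never cut off permanently."""
    def __init__(self):
        self.level = defaultdict(int)   # src -> index into LEVELS
        self.calm = defaultdict(int)    # src -> consecutive calm windows

    def detect(self, counts):
        """counts: {src: packets the IDS saw this window}; absent = calm."""
        for src in set(counts) | set(self.level):
            if counts.get(src, 0) > FLOOD_THRESHOLD:        # flood: escalate
                self.calm[src] = 0
                self.level[src] = min(self.level[src] + 1, len(LEVELS) - 1)
            elif self.level[src] > 0:                        # calm: relax
                self.calm[src] += 1
                if self.calm[src] >= CALM_WINDOWS:
                    self.level[src] -= 1
                    self.calm[src] = 0

    def forward(self, src, n):
        """Packets from src the firewall passes under the level now in force."""
        limit = LEVELS[self.level[src]]
        return n if limit is None else min(n, limit)


# Constructed trace: a flooding source and a modest legitimate client share
# the link for 4 windows, the flood stops for 7 windows, then returns.
TRACE = ([{"flood": 500, "client": 30}] * 4 + [{"client": 30}] * 7
         + [{"flood": 500, "client": 30}])


def run(trace):
    """Forward each window under the policy in force, then let the IDS update
    it (so detection lags the first flood window).  Returns per-window counts."""
    fw = AdaptiveFirewall()
    out = []
    for counts in trace:
        out.append({s: fw.forward(s, n) for s, n in counts.items()})
        fw.detect(counts)
    return out
```

The legitimate client stays untouched throughout, while the flooder is squeezed to 50, 10 and then 0 packets per window and is only partly readmitted after the calm period.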

12
(No Transcript)
13
A2D2 Multi-Level Adaptive Rate Limiting
14
A2D2 QoS Results - Baseline
Playout Buffering to Avoid Jitter
  • 10-min video stream between RealPlayer and
    RealServer
  • Packets received: around 23,000 (23,445)
  • No DDoS attack

QoS Experienced at A2D2 by RealPlayer Client
with No DDoS
15
A2D2 Results: Non-stop Attack
  • Packets received: 8,039
  • Retransmission requests: 2,592
  • Retransmissions received: 35
  • Lost: 2,557
  • Connection timed out

Loss of Packets
QoS Experienced at A2D2 Client
16
A2D2 Results: UDP Attack, Mitigation: Firewall
Policy
  • Packets received: 23,407
  • Retransmission requests: 0
  • Retransmissions received: 0
  • Lost: 0
  • Looks like we just need plain old firewall rules,
    no fancy rate limiting/CBQ?

QoS Experienced at A2D2 Client
17
A2D2 Results: ICMP Attack, Mitigation: Firewall
Policy
  • Packets received: 7,127
  • Retransmission requests: 2,105
  • Retransmissions received: 4
  • Lost: 2,101
  • Connection timed out
  • Just a plain old firewall rule is not good enough!

Packet/Connection Loss
QoS Experienced at A2D2 Client
18
A2D2 Results: TCP Attack, Mitigation Policy: CBQ
  • Turn on CBQ
  • Packets received: 22,179
  • Retransmission requests: 4,090
  • Retransmissions received: 2,641
  • Lost: 1,449
  • Screen quality impact!

Looks OK but quality degrades
QoS Experienced at A2D2 Client
19
A2D2 Results: TCP Attack, Mitigation
Policy: CBQ + Rate Limiting
  • Turn on both CBQ and rate limiting
  • Packets received: 23,444
  • Retransmission requests: 49 1,376
  • Retransmissions received: 40 776
  • Lost: 9 600
  • No image quality degradation

QoS Experienced at A2D2 Client
20
A2D2 Future Works
  • Extend to include IDIP/Pushback
  • Precise Anomaly Detection
  • Improve Firewall/IDS Processing Speed
  • Scalability Issues
  • Tests with More Services Types
  • Tests with Heavy Client Traffic Volume
  • Fault Tolerant (Multiple Firewall Devices)
  • Alternate Routing

21
Wouldn't it be Nice to Have Alternate Routes?
[Figure: three client networks (net-a.com, net-b.com, net-c.com), each with
client hosts (A) and a local DNS server (DNS1, DNS2, DNS3), connected through
routers (R) to the victim's router and DNS; DDoS attack traffic and client
traffic both arrive at the victim over the same path.]
How to reroute clients' traffic through R1-R3?
22
Implement Alternate Routes
[Figure: the same topology as the previous slide, with alternate routers
R1-R3 in front of the victim alongside the victim's router and DNS.]
Need to inform clients or client DNS servers! But how to tell which clients
are not compromised? How to hide IP addresses of alternate gateways?
23
SCOD
[Figure: the client networks net-a.com, net-b.com and net-c.com with their
clients (A) and DNS servers DNS1-DNS3; on the victim side, alternate gateways
R1-R3 behind proxy servers Proxy1-Proxy3, a Reroute Coordinator, and the
victim's router, where attack traffic is marked "block".]
1. IDS detects intrusion, blocks attack traffic, sends distress call to
   Reroute Coordinator.
24
SCOD
[Figure: same topology as the previous slide; attack traffic is blocked at the
victim's router.]
1. IDS detects intrusion, blocks attack traffic, sends distress call to
   Reroute Coordinator.
2. Reroute Coordinator sends Reroute Command with (DNS name, IP address of
   victim, proxy server(s)) to DNS.
25
SCOD
[Figure: same topology; the client DNS servers now hold alternate entries and
client traffic from each network is drawn towards its assigned proxy.]
2. Reroute Coordinator sends Reroute Command with (DNS name, IP address of
   victim, proxy server(s)) to DNS.
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via
   Proxy3 to R3.
26
SCOD
[Figure: same topology; attack traffic that follows the new routes is blocked
at the proxies.]
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via
   Proxy3 to R3.
4. Attack traffic detected by IDS, blocked by firewall.
4a. Attack traffic detected by IDS, blocked by firewall.
27
SCOD
[Figure: the complete SCOD picture, with all steps shown on one diagram:
client networks, DNS1-DNS3, Proxy1-Proxy3, alternate gateways R1-R3, the
Reroute Coordinator and the victim.]
1. IDS detects intrusion, blocks attack traffic, sends distress call to
   Reroute Coordinator.
2. Reroute Coordinator sends Reroute Command with (DNS name, IP address of
   victim, proxy server(s)) to DNS.
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via
   Proxy3 to R3.
4. Attack traffic detected by IDS, blocked by firewall.
4a. Attack traffic detected by IDS, blocked by firewall.
4b. Client traffic comes in via alternate route.
28
Secure Collective Defense
  • Main idea: explore secure alternate paths for
    clients to come in; utilize geographically
    separated proxy servers.
  • Goals:
    • Provide secure alternate routes
    • Hide IP addresses of alternate gateways
  • Techniques:
    • Multiple path routing
    • Secure DNS extension: how to inform client DNS
      servers to add alternate new entries (not your
      normal DNS name/IP address mapping entry)
    • Utilize a consortium of proxy servers with IDS
      that hides the IP address of alternate gateways
  • How to partition clients to come in at different
    proxy servers? This may help identify the attacker!
  • How do clients use the new DNS entries and route
    traffic through the proxy server? Use the SOCKS
    protocol, modify the resolver library?
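As an added example (not the project's code), a Python model of the SCOD exchange on slides 23-27 together with the client-partitioning question just raised: the distress call, the reroute command carrying (DNS name, victim IP, proxy servers), clients arriving via proxies that hide the gateways, and a proxy-side IDS hit narrowing the suspect set to the clients partitioned onto that proxy. The round-robin partition, the message fields and the client names are assumptions.

```python
from collections import defaultdict

# Constructed topology named as on the slides; victim name/IP are placeholders.
GATEWAYS = {"Proxy1": "R1", "Proxy2": "R2", "Proxy3": "R3"}
VICTIM = ("www.victim.example", "192.0.2.10")   # (DNS name, victim IP)


class ClientDNS:
    """Client-side DNS server.  After the reroute command it answers queries
    for the victim with a proxy (never the gateway behind it) and partitions
    its clients over the proxies (assumed: round-robin over sorted names)."""
    def __init__(self, clients):
        self.clients, self.assign, self.dns_name = list(clients), {}, None

    def install(self, cmd):                      # step 2 lands here
        p = cmd["proxies"]
        self.assign = {c: p[i % len(p)] for i, c in enumerate(sorted(self.clients))}
        self.dns_name = cmd["dns_name"]

    def resolve(self, client, dns_name):
        if dns_name == self.dns_name:
            return self.assign[client]           # alternate entry
        return VICTIM[1]                         # normal A record


class RerouteCoordinator:
    """Step 1: receives the IDS distress call.  Step 2: pushes the reroute
    command (DNS name, victim IP, proxy servers) to the client DNS servers."""
    def __init__(self, dns_servers):
        self.dns_servers = dns_servers

    def distress(self, dns_name, victim_ip):
        cmd = {"dns_name": dns_name, "victim_ip": victim_ip,
               "proxies": sorted(GATEWAYS)}
        for d in self.dns_servers:
            d.install(cmd)
        return cmd


def route_clients(dns, attacking):
    """Steps 3-4: each client resolves the victim and comes in via its proxy;
    a proxy whose IDS sees attack traffic is flagged and the suspect set
    shrinks to the clients partitioned onto it.  Returns {proxy: (gateway,
    suspects)}, with an empty suspect list for proxies that stayed clean."""
    mapped, flagged = defaultdict(list), set()
    for c in dns.clients:
        proxy = dns.resolve(c, VICTIM[0])
        mapped[proxy].append(c)
        if c in attacking:
            flagged.add(proxy)                   # step 4: proxy IDS blocks it
    return {p: (GATEWAYS[p], sorted(mapped[p]) if p in flagged else [])
            for p in GATEWAYS}
```

With six clients spread over three proxies, one compromised client flagging Proxy2 leaves only the two clients mapped to Proxy2 as suspects.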

29
New UCCS IA Degree/Certificate
  • Master of Engineering Degree in Information
    Assurance
  • Certificate in Information Assurance (offered to
    Peterson AFB through NISSC)
  • Courses: Computer Networks, Fundamentals of Security,
    Cryptography, Advanced System Security Design

30
New CS691 Course on Advanced System Security
Design
  • Use Matt Bishop's new Computer Security text
  • Spring 2003, with one class at UCCS and one at
    Peterson AFB
  • Enhanced by demos/hands-on exercises at the
    Distributed Security Lab of Northrop Grumman
  • Integrate security research results into course
    material, such as the A2D2, Secure Collective
    Defense and MPLS-VPN projects
  • Invite speakers from industry such as Innerwall
    and AFA?
  • Looking for potential joint exercises with other
    institutions such as AFA, Northrop Grumman and
    Innerwall

31
Joint Research/Development Effort
  • STTR N03-T010, title: Intrusion Monitoring,
    Detection and Reporting
  • Penetration Analysis/Testing projects?
  • Intrusion Detection/Handling projects?
  • Other Cyberwarfare related projects?
  • Security Forum organized by Dean Haefner/Dr.
    Ayen
  • Security Seminar Series with CITTI funding
    support
  • Look for Speakers (suggestion?)