Title: SCOLD:%20Secure%20Collective%20Internet%20Defense%20http://cs.uccs.edu/~scold/%20A%20NISSC%20Sponsored%20Project
1SCOLD Secure Collective Internet
Defensehttp//cs.uccs.edu/scold/A NISSC
Sponsored Project
C. Edward ChowYu CaiDave Wilkinson Department
of Computer Science University of Colorado at
Colorado Springs
Part of this work is based on research sponsored
by the Air Force Research Laboratory, under
agreement number F49620-03-1-0207. It was
sponsored by a NISSC Summer 2002 grant.
2Outline of the Talk
- Network security related research projects at
UCCS Network/Protocol Research Lab - Secure Collective Internet Defense, the idea.
How should we pursue it? - Secure Collective Internet Defense, SCOLDv0.1. A
technique based Intrusion Tolerance paradigm - SCOLDv0.1 implementation and testbed
- Secure DNS update with indirect routing entries
- Indirect routing protocol based on IP tunnel
- Performance Evaluation of SCOLDv0.1
- Conclusion and Future Directions
3New UCCS IA Degree/Certificate
- Master of Engineering Degree in Information
Assurance - Certificate in Information Assurance (First
program offered to officers of SPACECOM at
Peterson AFB through NISSC and UCCS Continue
Education, 2002-3) - It includes four courses Computer Networks
Fundamental of Security Cryptography Advanced
System Security Design
4UCCS Network/System Research Lab
- Director Dr. C. Edward Chow
- Network System Research Seminar Every Tuesday
EAS177 5-6pm, open to public - New CS Faculty Dr. Xiaobo Zhou (Differential
Service QoS Degraded DDoS Defense) - Graduate students
- John Bicknell/Steve McCaughey/Anders Hansmat
Distributed Network Restoration/Network
Survivability (Two US Patents) - Hekki Julkunen Dynamic Packet Filter
- Chandra Prakash High Available Linux
kernel-based Content Switch - Ganesh Godavari (Ph.D.) Linux based Secure Web
Switch Secure Groupware Wireless Sensor Network - Angela Cearns Autonomous Anti-DDoS (A2D2)
Testbed - Longhua Li IXP-based Content Switch
- Yu Cai (Ph.D.) SCOLD Indirect Routing,
Multipath Routing - Jianhua Xie (Ph.D.) Secure Storage Networks
- Frank Watson Content Switch for Email Security
- Paul Fong Wireless AODV Routing for sensor
networks - Nirmala Belusu Wireless Network Security PEAP
vs. TTLS apply to ad hoc network access control - David Wikinson SCOLD Secure DNS Update.
- Murthy Andukuri/Jing Wu Enhanced BGP/MPLS-based
VPN Disaster Recovery based on iSCSI.
5UCCS Network Lab Setup
- Gigabit fiber connection to UCCS backbone
- Router/Switch/Firewall/Wireless AP
- 8 Routers, 4 Express 420 switches, 2HP 4000
switches, 8 Linksys/Dlink Switches. - Sonicwall Pro 300 Firewall, 8VPN gateway,
- 8 Intel 7112 SSL accelerators 4 7820 XML
directors. - Cisco 1200 Aironet Dual Band Access Point and 350
client PC/PCI cards (both 802.11a and 802.11b
cards). - Intel IXP12EB network processor evaluation board
- Servers Two Dell PowerEdge Servers, 4 Cache
appliance. - Workstations/PCs
- 8 Dell PCs (3Ghz-500Mhz) 12 HP PCs (500-233Mhz)
- 2 laptop PCs with Aironet 350 for mobile wireless
- OS Linux Redhat 9.0 Window XP/2000
- Equipment donated by Intel
6DDoS Distributed Denial of Service Attack
Research by Moore et al of University of
California at San Diego, 2001. 12,805 DoS in
3-week period Most of them are Home, small to
medium sized organizations
DDoS VictimsYahoo/Amazon 2000CERT
5/2001DNS Root Servers 10/2002
DDoS ToolsStacheldrahtTrinooTribal Flood
Network (TFN)
7Secure Collective Internet Defense
- Internet attacks community seems to be better
organized. - How about Internet Secure Collective Defense?
- Report/exchange virus info and distribute
anti-virus not bad (need to pay Norton or
Network Associate) - Report/exchange spam info?not good (spambayes,
spamassasin, email firewall, remove.org) - Report attack (to your admin or FBI?)?not good
- IP Traceback? difficult to negotiate even the
use of one bit in IP header - Push back attack?slow call to upstream ISP hard
to find IDIP spec! - Form consortium and help each other during
attacks?almost non-existent
8Intrusion Related Research Areas
- Intrusion Prevention
- General Security Policy
- Ingress/Egress Filtering
- Intrusion Detection
- Honey pot
- Host-based IDS Tripwire
- Anomaly Detection
- Misuse Detection
- Intrusion Response
- Identification/Traceback/Pushback
- Intrusion Tolerance
9Wouldnt it be Nice to Have Alternate Routes?
net-a.com
net-b.com
net-c.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
How to reroute clients traffic through
R1-R3?Multi-homing
R
DNS
DDoS Attack Traffic
Client Traffic
Victim
10Secure Collective Defense
- Main Idea?Explore secure alternate paths for
clients to come in Utilize geographically
separated proxy servers. - Goal
- Provide secure alternate routes
- Hide IP addresses of alternate gateways
- Techniques
- Multiple Path (Indirect) Routing
- Secure DNS extension how to inform client DNS
servers to add alternate new entries (Not your
normal DNS name/IP address mapping entry). - Utilize a consortium of Proxy servers with IDS
that hides the IP address of alternate gateways. - How to partition clients to come at different
proxy servers?? may help identify the attacker! - How clients use the new DNS entries and route
traffic through proxy server?? Use Sock
protocol, modify resolver library
11Implement Alternate Routes
net-a.com
net-b.com
net-c.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Need to Inform Clients or Client DNS
servers!But how to tell which Clients are not
compromised?How to hide IP addresses of
Alternate Gateways?
R
DNS
DDoS Attack Traffic
Client Traffic
Victim
12SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy3
Proxy1
block
block
R
R2
R1
R3
RerouteCoordinator
1. IDS detects intrusion Blocks Attack
Traffic Sends distress call to Reroute
Coordinator
Attack Traffic
Client Traffic
Victim
13SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Proxy2
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s)) to DNS
Proxy1
block
R
R2
R1
R3
RerouteCoordinator
1. IDS detects intrusion Blocks Attack
Traffic Sends distress call to Reroute
Coordinator
Attack Traffic
Client Traffic
Victim
14SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy3 to R3
3. New route via Proxy2 to R2
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy1
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s)) to DNS
block
R
R2
R1
R3
RerouteCoordinator
Attack Traffic
Client Traffic
Victim
15SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy3 to R3
3. New route via Proxy2 to R2
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy1
4. Attack traffic detected by IDSblock by
Firewall
block
4a. Attack traffic detected by IDSblock by
Firewall
R
R1
R3
R2
RerouteCoordinator
Attack Traffic
Client Traffic
Victim
16SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy3
Proxy1
4. Attack traffic detected by IDSblock by
Firewall
block
4a. Attack traffic detected by IDSblock by
Firewall
R
R2
R1
R3
RerouteCoordinator
4b. Client traffic comes in via alternate route
Attack Traffic
1.distress call
Client Traffic
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s))
Victim
17SCOLD Secure DNS Updatewith New Indirect DNS
Entries
Modified Bind9
Modified Bind9
Modified ClientResolveLibrary
(target.targetnet.com, 133.41.96.71, ALT
203.55.57.102
203.55.57.103 185.1
1.16.49 221.46.56.3
8
New Indirect DNS Entries
A set of alternate proxy servers for indirect
routes
18SCOLD Indirect Routing
IP tunnel
IP tunnel
19SCOLD Indirect Routing with Client running SCOLD
client daemon
IP tunnel
IP tunnel
20Performance of SCOLD v0.1
- Table 1 Ping Response Time (on 3 hop route)
- Table 2 SCOLD FTP/HTTP download Test (from
client to target)
No DDoS attack direct route DDoS attackdirect route No DDoS attack indirect route DDoS attack indirect route
0.49 ms 225 ms 0.65 ms 0.65 ms
21A2D2 Multi-Level Adaptive Rate Limiting For
Anti-DDos Defense
22Future Directions
- Modify TCP to utilize the multiple geographically
diverse routes set up with IP tunnels. - Recruit sites for wide area network SCOLD
experiments. Northrop Grumman, Air Force
Academy's IA Lab, and University of Texas are
initial potential partners. Email me if you would
like to be part of the SCOLD beta test sites and
members of the SCOLD consortium. - We are currently working with Northrop Grumman
researchers to beta test their new MIND network
analysis tool. - The network status information collected and
analyzed by the MIND can be used for selecting
proxy server sites. - Pick and choose a geographically diverse set of
proxy servers for indirect routing is a
challenging research problem. - SCOLD technologies can be used as a potential
solution for bottlenecks detected by MIND.
23Conclusion
- Secure Collective Internet Defense needs
significant helps from community. Tremendous
research and development opportunities. - SCOLD v.01 demonstrated DDoS defense via
- use of secure DNS updates with new indirect
routing - IP-tunnel based indirect routing to let
legitimate clients come in through a set of proxy
servers and alternate gateways. - Multiple indirect routes can also be used for
improving the performance of Internet
connections by using the proxy servers of an
organization as connection relay servers.