SCOLD:%20Secure%20Collective%20Internet%20Defense%20http://cs.uccs.edu/~scold/%20A%20NISSC%20Sponsored%20Project

1
SCOLD Secure Collective Internet
Defensehttp//cs.uccs.edu/scold/A NISSC
Sponsored Project
C. Edward ChowYu CaiDave Wilkinson Department
of Computer Science University of Colorado at
Colorado Springs
Part of this work is based on research sponsored
by the Air Force Research Laboratory, under
agreement number F49620-03-1-0207. It was
sponsored by a NISSC Summer 2002 grant.
2
Outline of the Talk

• Network security related research projects at
  UCCS Network/Protocol Research Lab
• Secure Collective Internet Defense, the idea.
  How should we pursue it?
• Secure Collective Internet Defense, SCOLDv0.1. A
  technique based Intrusion Tolerance paradigm
• SCOLDv0.1 implementation and testbed
• Secure DNS update with indirect routing entries
• Indirect routing protocol based on IP tunnel
• Performance Evaluation of SCOLDv0.1
• Conclusion and Future Directions

3
New UCCS IA Degree/Certificate

• Master of Engineering Degree in Information
  Assurance
• Certificate in Information Assurance (First
  program offered to officers of SPACECOM at
  Peterson AFB through NISSC and UCCS Continue
  Education, 2002-3)
• It includes four courses Computer Networks
  Fundamental of Security Cryptography Advanced
  System Security Design

4
UCCS Network/System Research Lab

• Director Dr. C. Edward Chow
• Network System Research Seminar Every Tuesday
  EAS177 5-6pm, open to public
• New CS Faculty Dr. Xiaobo Zhou (Differential
  Service QoS Degraded DDoS Defense)
• Graduate students
• John Bicknell/Steve McCaughey/Anders Hansmat
  Distributed Network Restoration/Network
  Survivability (Two US Patents)
• Hekki Julkunen Dynamic Packet Filter
• Chandra Prakash High Available Linux
  kernel-based Content Switch
• Ganesh Godavari (Ph.D.) Linux based Secure Web
  Switch Secure Groupware Wireless Sensor Network
• Angela Cearns Autonomous Anti-DDoS (A2D2)
  Testbed
• Longhua Li IXP-based Content Switch
• Yu Cai (Ph.D.) SCOLD Indirect Routing,
  Multipath Routing
• Jianhua Xie (Ph.D.) Secure Storage Networks
• Frank Watson Content Switch for Email Security
• Paul Fong Wireless AODV Routing for sensor
  networks
• Nirmala Belusu Wireless Network Security PEAP
  vs. TTLS apply to ad hoc network access control
• David Wikinson SCOLD Secure DNS Update.
• Murthy Andukuri/Jing Wu Enhanced BGP/MPLS-based
  VPN Disaster Recovery based on iSCSI.

5
UCCS Network Lab Setup

• Gigabit fiber connection to UCCS backbone
• Router/Switch/Firewall/Wireless AP
• 8 Routers, 4 Express 420 switches, 2HP 4000
  switches, 8 Linksys/Dlink Switches.
• Sonicwall Pro 300 Firewall, 8VPN gateway,
• 8 Intel 7112 SSL accelerators 4 7820 XML
  directors.
• Cisco 1200 Aironet Dual Band Access Point and 350
  client PC/PCI cards (both 802.11a and 802.11b
  cards).
• Intel IXP12EB network processor evaluation board
• Servers Two Dell PowerEdge Servers, 4 Cache
  appliance.
• Workstations/PCs
• 8 Dell PCs (3Ghz-500Mhz) 12 HP PCs (500-233Mhz)
• 2 laptop PCs with Aironet 350 for mobile wireless
• OS Linux Redhat 9.0 Window XP/2000
• Equipment donated by Intel

6
DDoS Distributed Denial of Service Attack
Research by Moore et al of University of
California at San Diego, 2001. 12,805 DoS in
3-week period Most of them are Home, small to
medium sized organizations
DDoS VictimsYahoo/Amazon 2000CERT
5/2001DNS Root Servers 10/2002
DDoS ToolsStacheldrahtTrinooTribal Flood
Network (TFN)
7
Secure Collective Internet Defense

• Internet attacks community seems to be better
  organized.
• How about Internet Secure Collective Defense?
• Report/exchange virus info and distribute
  anti-virus not bad (need to pay Norton or
  Network Associate)
• Report/exchange spam info?not good (spambayes,
  spamassasin, email firewall, remove.org)
• Report attack (to your admin or FBI?)?not good
• IP Traceback? difficult to negotiate even the
  use of one bit in IP header
• Push back attack?slow call to upstream ISP hard
  to find IDIP spec!
• Form consortium and help each other during
  attacks?almost non-existent

8
Intrusion Related Research Areas

• Intrusion Prevention
• General Security Policy
• Ingress/Egress Filtering
• Intrusion Detection
• Honey pot
• Host-based IDS Tripwire
• Anomaly Detection
• Misuse Detection
• Intrusion Response
• Identification/Traceback/Pushback
• Intrusion Tolerance

9
Wouldnt it be Nice to Have Alternate Routes?
net-a.com
net-b.com
net-c.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
How to reroute clients traffic through
R1-R3?Multi-homing
R
DNS
DDoS Attack Traffic
Client Traffic
Victim
10
Secure Collective Defense

• Main Idea?Explore secure alternate paths for
  clients to come in Utilize geographically
  separated proxy servers.
• Goal
• Provide secure alternate routes
• Hide IP addresses of alternate gateways
• Techniques
• Multiple Path (Indirect) Routing
• Secure DNS extension how to inform client DNS
  servers to add alternate new entries (Not your
  normal DNS name/IP address mapping entry).
• Utilize a consortium of Proxy servers with IDS
  that hides the IP address of alternate gateways.
• How to partition clients to come at different
  proxy servers?? may help identify the attacker!
• How clients use the new DNS entries and route
  traffic through proxy server?? Use Sock
  protocol, modify resolver library

11
Implement Alternate Routes
net-a.com
net-b.com
net-c.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Need to Inform Clients or Client DNS
servers!But how to tell which Clients are not
compromised?How to hide IP addresses of
Alternate Gateways?
R
DNS
DDoS Attack Traffic
Client Traffic
Victim
12
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy3
Proxy1
block
block
R
R2
R1
R3
RerouteCoordinator
1. IDS detects intrusion Blocks Attack
Traffic Sends distress call to Reroute
Coordinator
Attack Traffic
Client Traffic
Victim
13
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
DNS3
DNS1
DNS2
R
R
R
Proxy2
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s)) to DNS
Proxy1
block
R
R2
R1
R3
RerouteCoordinator
1. IDS detects intrusion Blocks Attack
Traffic Sends distress call to Reroute
Coordinator
Attack Traffic
Client Traffic
Victim
14
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy3 to R3
3. New route via Proxy2 to R2
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy1
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s)) to DNS
block
R
R2
R1
R3
RerouteCoordinator
Attack Traffic
Client Traffic
Victim
15
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy3 to R3
3. New route via Proxy2 to R2
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy1
4. Attack traffic detected by IDSblock by
Firewall
block
4a. Attack traffic detected by IDSblock by
Firewall
R
R1
R3
R2
RerouteCoordinator
Attack Traffic
Client Traffic
Victim
16
SCOLD
net-b.com
net-c.com
net-a.com
...
...
...
...
A
A
A
A
A
A
A
A
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3
3. New route via Proxy1 to R1
DNS3
DNS1
DNS2
R
R
R
Proxy2
Proxy3
Proxy1
4. Attack traffic detected by IDSblock by
Firewall
block
4a. Attack traffic detected by IDSblock by
Firewall
R
R2
R1
R3
RerouteCoordinator
4b. Client traffic comes in via alternate route
Attack Traffic
1.distress call
Client Traffic
2. Sends Reroute Command with (DNS Name, IP
Addr. Of victim, Proxy Server(s))
Victim
17
SCOLD Secure DNS Updatewith New Indirect DNS
Entries
Modified Bind9
Modified Bind9
Modified ClientResolveLibrary
(target.targetnet.com, 133.41.96.71, ALT
203.55.57.102                              
203.55.57.103                               185.1
1.16.49                               221.46.56.3
8
New Indirect DNS Entries
A set of alternate proxy servers for indirect
routes
18
SCOLD Indirect Routing
IP tunnel
IP tunnel
19
SCOLD Indirect Routing with Client running SCOLD
client daemon
IP tunnel
IP tunnel
20
Performance of SCOLD v0.1

• Table 1 Ping Response Time (on 3 hop route)
• Table 2 SCOLD FTP/HTTP download Test (from
  client to target)

No DDoS attack direct route DDoS attackdirect route No DDoS attack indirect route DDoS attack indirect route
0.49 ms 225 ms 0.65 ms 0.65 ms
21
A2D2 Multi-Level Adaptive Rate Limiting For
Anti-DDos Defense
22
Future Directions

• Modify TCP to utilize the multiple geographically
  diverse routes set up with IP tunnels.
• Recruit sites for wide area network SCOLD
  experiments. Northrop Grumman, Air Force
  Academy's IA Lab, and University of Texas are
  initial potential partners. Email me if you would
  like to be part of the SCOLD beta test sites and
  members of the SCOLD consortium.
• We are currently working with Northrop Grumman
  researchers to beta test their new MIND network
  analysis tool.
• The network status information collected and
  analyzed by the MIND can be used for selecting
  proxy server sites.
• Pick and choose a geographically diverse set of
  proxy servers for indirect routing is a
  challenging research problem.
• SCOLD technologies can be used as a potential
  solution for bottlenecks detected by MIND.

23
Conclusion

• Secure Collective Internet Defense needs
  significant helps from community. Tremendous
  research and development opportunities.
• SCOLD v.01 demonstrated DDoS defense via
• use of secure DNS updates with new indirect
  routing
• IP-tunnel based indirect routing to let
  legitimate clients come in through a set of proxy
  servers and alternate gateways.
• Multiple indirect routes can also be used for
  improving the performance of Internet
  connections by using the proxy servers of an
  organization as connection relay servers.