SCOLD: Secure Collective Internet Defense http://cs.uccs.edu/~scold/ A NISSC Sponsored Project - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
SCOLD: Secure Collective Internet Defense
http://cs.uccs.edu/~scold/
A NISSC Sponsored Project
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2003 grant.
2
Outline of the Talk
  • Network Security Research in the UCCS Network Lab
  • Secure Collective Internet Defense: the basic idea
  • Secure Collective Internet Defense, SCOLD v0.1: a technique based on the Intrusion Tolerance paradigm
  • SCOLD v0.1 implementation and testbed
  • Secure DNS update with indirect routing entries
  • Indirect routing protocol based on IP tunnels
  • Performance evaluation of SCOLD v0.1
  • Conclusion and future directions

3
New UCCS IA Degree/Certificate
  • Master of Engineering Degree in Information Assurance
  • Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3)
  • It includes four courses:
    • Computer Networks
    • Fundamentals of Security
    • Cryptography
    • Advanced System Security Design

4
UCCS Network/System Research Lab
  • Director: Dr. C. Edward Chow
  • Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
  • New CS faculty: Dr. Xiaobo Zhou (Differential Service QoS, Degraded DDoS Defense)
  • Graduate students:
    • John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (two US patents)
    • Hekki Julkunen: Dynamic Packet Filter
    • Chandra Prakash: Highly Available Linux kernel-based Content Switch
    • Ganesh Godavari (Ph.D.): Linux-based Secure Web Switch, Secure Groupware, First Responder Wireless Sensor Network
    • Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
    • Longhua Li: IXP-based Content Switch
    • Yu Cai (Ph.D.): SCOLD Indirect Routing, Multipath Routing
    • Jianhua Xie (Ph.D.): Secure Storage Networks
    • Frank Watson: Content Switch for Email Security
    • Paul Fong: Wireless AODV Routing for sensor networks
    • Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
    • David Wikinson: SCOLD Secure DNS Update
    • Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN, Disaster Recovery based on iSCSI
  • Research projects with local companies:
    • MCI on Network Restoration/Survivability. Two patents awarded.

5
UCCS Network Lab Setup
  • Gigabit fiber connection to the UCCS backbone
  • Router/Switch/Firewall/Wireless AP
    • 8 routers, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/D-Link switches
    • SonicWall Pro 300 firewall, 8 VPN gateways
    • 8 Intel 7112 SSL accelerators, 4 7820 XML directors
    • Cisco Aironet 1200 dual-band access point and Aironet 350 client PC/PCI cards (both 802.11a and 802.11b cards)
    • Intel IXP12EB network processor evaluation board
  • Servers: two Dell PowerEdge servers, 4 cache appliances
  • Workstations/PCs
    • 8 Dell PCs (3 GHz-500 MHz), 12 HP PCs (500-233 MHz)
    • 2 laptop PCs with Aironet 350 cards for mobile wireless
  • OS: Linux Red Hat 9.0, Windows XP/2000
  • Equipment donated by Intel

6
DDoS: Distributed Denial of Service Attack
Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period. Most of the victims are home users and small to medium sized organizations.
DDoS major victims: Yahoo/Amazon (2000), CERT (5/2001), DNS root servers (10/2002).
DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN).
7
Where is the Cyber-Neighborhood Watch?
How old is this? When did Neighborhood Watch start? http://www.usaonwatch.org/history.asp
8
Secure Collective Internet Defense
  • The Internet attack community seems to be better organized.
  • How about an Internet Secure Collective Defense?
  • Report/exchange virus info and distribute anti-virus: not bad (but you need to pay Norton or Network Associates).
  • Report/exchange spam info: not good (SpamBayes, SpamAssassin, email firewall, remove.org).
  • Report an attack (have you ever done that, to your admin or to the FBI? 303-629-7171, http://www1.ifccfbi.gov/index.asp): not good.
  • IP traceback: difficult to negotiate even the use of one bit in the IP header.
  • Push back the attack: a slow call to the upstream ISP; hard to find the Intrusion Detection and Isolation Protocol spec!
  • Form a consortium and help each other during attacks: does not exist!

9
Intrusion Related Research Areas
  • Intrusion Prevention
    • General Security Policy
    • Ingress/Egress Filtering
  • Intrusion Detection
    • Honey pot
    • Host-based IDS (Tripwire)
    • Anomaly Detection
    • Misuse Detection
  • Intrusion Response
    • Identification/Traceback/Pushback
  • Intrusion Tolerance

10
Wouldn't it be Nice to Have Alternate Routes?
(Figure: client networks net-a.com, net-b.com, net-c.com, each with hosts A, a DNS server DNS1-DNS3 and a router R; the victim site behind its router R and DNS. Legend: DDoS attack traffic, client traffic, victim.)
How to reroute clients' traffic through R1-R3? Multi-homing.
11
Secure Collective Defense
  • Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
  • Goals
    • Provide secure alternate routes
    • Hide the IP addresses of the alternate gateways
  • Techniques
    • Multiple path (indirect) routing
    • Secure DNS extension: how to inform client DNS servers to add the new alternate entries (not your normal DNS name/IP address mapping entry).
    • Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways.
    • How to partition clients to come in at different proxy servers? This may help identify the attacker!
    • How do clients use the new DNS entries and route traffic through the proxy servers? Use the SOCKS protocol; modify the resolver library.

12
Implement Alternate Routes
(Figure: same topology as slide 10, with alternate routes into the victim site. Legend: DDoS attack traffic, client traffic, victim.)
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?
13-17
SCOLD
(Figure sequence over five slides: client networks net-a.com, net-b.com, net-c.com with hosts A, DNS servers DNS1-DNS3 and routers R; proxy servers Proxy1-Proxy3; the victim site with its router R, alternate gateways R1-R3 and a Reroute Coordinator. Legend: attack traffic, client traffic, victim. The slides add the following steps one at a time.)
1. IDS detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS name, IP addr. of victim, proxy server(s)) to the DNS servers.
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3.
4. Attack traffic detected by IDS, blocked by firewall.
4a. Attack traffic detected by IDS, blocked by firewall (the "block" markers at the proxy servers).
4b. Client traffic comes in via the alternate routes.
18
SCOLD Secure DNS Update with New Indirect DNS Entries
Major work: new protocol, modified BIND9 (the two DNS servers in the figure), modified client resolver library.
New indirect DNS entry, a set of alternate proxy servers for indirect routes:
(target.targetnet.com, 133.41.96.71, ALT {203.55.57.102, 203.55.57.103, 185.11.16.49, 221.46.56.38})
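The exchange of slides 13-18, as an added example that is not code from the SCOLD project: a Reroute Coordinator signs the Reroute Command, a client-side DNS server verifies it and rejects replays and name/address mismatches before storing the ALT entry, and a resolver picks one ALT proxy per client network. The HMAC-SHA256 signing with a pre-shared key, the sequence number, the JSON message shape and the per-/24 partitioning rule are assumptions made here; the slides say only that the DNS update is secure and that clients are partitioned across proxies. The name and addresses are the ones shown on slide 18; the key and client addresses are constructed.

```python
"""Added example, not SCOLD project code: a minimal model of the SCOLD reroute
exchange of slides 13-18.  The HMAC-signed command, sequence numbers, JSON message
shape and per-/24 client partitioning are assumptions made for this example."""
import hashlib
import hmac
import ipaddress
import json

# Constructed sample data: the name/addresses shown on slide 18, plus an assumed key
# pre-shared between the Reroute Coordinator and each client-side DNS server.
VICTIM_NAME = "target.targetnet.com"
VICTIM_IP = "133.41.96.71"
PROXIES = ["203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38"]
COORDINATOR_KEY = b"example-shared-secret"


def _canonical(payload: dict) -> bytes:
    """Canonical encoding so signer and verifier MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_command(payload: dict, key: bytes) -> dict:
    """Reroute Command = payload plus HMAC-SHA256 over its canonical encoding."""
    mac = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


def verify_command(cmd: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(cmd["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(cmd.get("mac", "")))


class RerouteCoordinator:
    """Steps 1-2: receives the IDS distress call and issues a signed Reroute Command."""

    def __init__(self, key: bytes, proxies):
        self.key, self.proxies, self.seq = key, list(proxies), 0

    def handle_distress(self, name: str, victim_ip: str) -> dict:
        self.seq += 1   # monotonic counter lets the DNS server drop replayed commands
        return sign_command({"seq": self.seq, "name": name, "victim": victim_ip,
                             "alt": self.proxies}, self.key)


class IndirectDNS:
    """Client-side DNS server (the modified BIND9 of slide 18): keeps an ALT entry,
    the list of alternate proxies, next to the normal A record for a name."""

    def __init__(self, key: bytes, a_records: dict):
        self.key, self.last_seq = key, 0
        self.a_records, self.alt_records = dict(a_records), {}

    def apply_reroute(self, cmd: dict) -> bool:
        if not verify_command(cmd, self.key):
            return False            # forged or tampered command
        p = cmd["payload"]
        if p["seq"] <= self.last_seq:
            return False            # replay of an earlier command
        if self.a_records.get(p["name"]) != p["victim"]:
            return False            # reroute must match the name/address already served
        self.last_seq = p["seq"]
        self.alt_records[p["name"]] = list(p["alt"])
        return True

    def resolve(self, name: str):
        """(direct address, list of ALT proxies); ALT is empty when no reroute is active."""
        return self.a_records.get(name), self.alt_records.get(name, [])


def choose_proxy(client_ip: str, alts: list, prefix: int = 24) -> str:
    """Modified-resolver rule: hash the client's /24 onto one proxy.  All clients of a
    network land on the same proxy, so attack traffic seen at only one proxy narrows
    the attacker to the client networks mapped there (slide 11's partitioning idea)."""
    net = ipaddress.ip_network(f"{client_ip}/{prefix}", strict=False)
    h = int.from_bytes(hashlib.sha256(str(net).encode()).digest()[:4], "big")
    return alts[h % len(alts)]


def client_connect(dns: IndirectDNS, name: str, client_ip: str):
    """Address the resolver hands to the application: a proxy when an ALT entry exists."""
    direct, alts = dns.resolve(name)
    return choose_proxy(client_ip, alts) if alts else direct


def demo() -> dict:
    coordinator = RerouteCoordinator(COORDINATOR_KEY, PROXIES)
    dns = IndirectDNS(COORDINATOR_KEY, {VICTIM_NAME: VICTIM_IP})
    before = client_connect(dns, VICTIM_NAME, "10.1.2.3")       # normal A-record path
    cmd = coordinator.handle_distress(VICTIM_NAME, VICTIM_IP)   # steps 1-2
    accepted = dns.apply_reroute(cmd)
    replayed = dns.apply_reroute(cmd)                            # same command again
    forged = json.loads(json.dumps(cmd))                         # attacker edits the ALT list
    forged["payload"]["alt"] = ["198.51.100.9"]
    forged_ok = dns.apply_reroute(forged)
    after = client_connect(dns, VICTIM_NAME, "10.1.2.3")        # step 4b: via a proxy
    return {"before": before, "accepted": accepted, "replayed": replayed,
            "forged": forged_ok, "after": after, "alt": dns.resolve(VICTIM_NAME)[1]}


if __name__ == "__main__":
    print(demo())
```

The point of the checks in `apply_reroute` is the question slide 12 asks: a client DNS server that accepts any Reroute Command would let an attacker redirect all of a victim's clients to a host of the attacker's choosing, so the command must be authenticated, fresh, and consistent with the record the server already holds.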
19
SCOLD Indirect Routing
(Figure: indirect route from client to target through a proxy server, labelled with two IP tunnels.)
20
Performance of SCOLD v0.1
Table 1: Ping response time (on a 3-hop route)

  Scenario                          Response time
  No DDoS attack, direct route          0.49 ms
  DDoS attack, direct route              225 ms
  No DDoS attack, indirect route        0.65 ms
  DDoS attack, indirect route           0.65 ms

Table 2: SCOLD FTP/HTTP download test (from client to target)
21
A2D2: Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense
22
Future Directions
  • Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
  • Recruit sites for wide area network SCOLD experiments. Northrop Grumman, the Air Force Academy's IA Lab, and the University of Texas are initial potential partners. Email me if you would like to be one of the SCOLD beta test sites and a member of the SCOLD consortium.
  • We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool.
    • The network status information collected and analyzed by MIND can be used for selecting proxy server sites.
    • Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem.
    • SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.
  • SCOLD can be used to provide additional Internet bandwidth dynamically when there is a sudden need for bandwidth and connections. It is not just a security tool.
  • A company can deploy SCOLD by using its branch offices to provide proxy servers.

23
Conclusion
  • Secure Collective Internet Defense needs significant help from the community. Tremendous research and development opportunities.
  • SCOLD v0.1 demonstrated DDoS defense via
    • secure DNS updates carrying the new indirect routing entries
    • IP-tunnel based indirect routing that lets legitimate clients come in through a set of proxy servers and alternate gateways.
  • Can be used to provide additional Internet bandwidth (nice side effect!)
  • Multiple indirect routes can also be used to improve the performance of Internet connections by using an organization's proxy servers as connection relay servers.
  • If you would like to fund this project or commercialize it, let me know.