Slide 1: SCOLD: Secure Collective Internet Defense
TPAC, 10/10/2003
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
http://cs.uccs.edu/~scold/
A NISSC Sponsored Project. Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2003 grant.
Slide 2: Outline of the Talk
Network Security Research in UCCS Network Lab
Secure Collective Internet Defense, the Basic Idea
Secure Collective Internet Defense, SCOLDv0.1: a technique based on the Intrusion Tolerance paradigm
SCOLDv0.1 implementation and testbed
Secure DNS update with indirect routing entries
Indirect routing protocol based on IP tunnel
Performance Evaluation of SCOLDv0.1
Conclusion and Future Directions
Slide 3: New UCCS IA Degree/Certificate
Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3). It includes four courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design.
Slide 4: UCCS Network/System Research Lab
Director: Dr. C. Edward Chow
Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
New CS Faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (two US patents)
Hekki Julkunen: Dynamic Packet Filter
Chandra Prakash: High Available Linux kernel-based Content Switch
Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; First Responder Wireless Sensor Network
Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
Longhua Li: IXP-based Content Switch
Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
Jianhua Xie (Ph.D.): Secure Storage Networks
Frank Watson: Content Switch for Email Security
Paul Fong: Wireless AODV Routing for sensor networks
Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS applied to ad hoc network access control
David Wikinson: SCOLD: Secure DNS Update
Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI
Research Projects with Local Companies: MCI on Network Restoration/Survivability (two patents awarded); beta test of Northrop Grumman's MIND enhanced network analysis tool; CASI-Omnipoint on Wireless Antenna Placement Tool.
Slide 5: UCCS Network Lab Setup
Gigabit fiber connection to UCCS backbone. Router/Switch/Firewall/Wireless AP:
Slide 15: SCOLD
(Figure: three client networks, net-a.com, net-b.com and net-c.com, each with its own DNS server (DNS1, DNS2, DNS3), routers R and hosts marked A; the victim network reachable through routers R1, R2 and R3; proxy servers Proxy1, Proxy2 and Proxy3; a Reroute Coordinator; client traffic and attack traffic, with attack traffic marked "block".)
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3

Slide 16: SCOLD
(Same figure as slide 15.)
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall

Slide 17: SCOLD
(Same figure as slide 15, with the complete sequence of steps.)
1. Distress call
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s))
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall
4b. Client traffic comes in via alternate route
Slide 18: SCOLD Secure DNS Update with New Indirect DNS Entries
New Indirect DNS Entries:
(target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38)
The ALT list is a set of alternate proxy servers for indirect routes.
(Figure: modified Bind9 servers, a modified client resolve library, and a new protocol between them; the major work.)
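Added example, not code from the SCOLD project: a Python model of the slide-18 indirect DNS entry together with the Reroute Coordinator's command from the SCOLD figure (step 2) and the client-side choice of the ALT proxies (step 4b). The entry format and the sample addresses are the slide's; the HMAC tag on the command, the function names and the dict layout are assumptions standing in for the real protocol.

```python
import hashlib
import hmac
import ipaddress
import re

# '(name, direct_ip, ALT p1 p2 ...)' as shown on slide 18; closing paren optional
ENTRY_RE = re.compile(r"\(\s*([\w.-]+)\s*,\s*([\d.]+)\s*,\s*ALT((?:\s+[\d.]+)+)\s*\)?$")


def parse_entry(text):
    """Parse one indirect DNS entry into name, direct address and ALT proxies."""
    m = ENTRY_RE.match(text.strip())
    if not m:
        raise ValueError("not a SCOLD indirect DNS entry: %r" % text)
    name, direct, alts = m.group(1), m.group(2), m.group(3).split()
    for ip in (direct, *alts):
        ipaddress.IPv4Address(ip)  # raises ValueError on a malformed address
    return {"name": name, "direct": direct, "alt": alts}


def format_entry(entry):
    """Render an entry back into the slide-18 text form."""
    return "(%s, %s, ALT %s)" % (entry["name"], entry["direct"], " ".join(entry["alt"]))


def sign_reroute(key, name, victim_ip, proxies):
    """Step 2: the Reroute Coordinator's command (DNS name, victim IP, proxies).
    The HMAC tag is an assumption, not the protocol's actual authentication."""
    body = "%s|%s|%s" % (name, victim_ip, " ".join(proxies))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body, tag


def apply_reroute(table, key, body, tag):
    """Modified DNS server side: install the ALT list only if the tag verifies,
    so an unauthenticated party cannot redirect a name to proxies it controls."""
    expect = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, tag):
        return False  # forged or altered command: entry left unchanged
    name, victim_ip, proxies = body.split("|")
    for ip in (victim_ip, *proxies.split()):
        ipaddress.IPv4Address(ip)
    table[name] = {"name": name, "direct": victim_ip, "alt": proxies.split()}
    return True


def resolve(table, name, direct_route_blocked):
    """Modified client resolver: the direct address normally; when the direct
    route is under attack, the ALT proxies to tunnel through (step 4b)."""
    entry = table[name]
    return list(entry["alt"]) if direct_route_blocked else [entry["direct"]]
```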
Slide 19: SCOLD Indirect Routing
(Figure: indirect route carried over an IP tunnel.)
Slide 20: Performance of SCOLD v0.1

Table 1: Ping Response Time (on 3 hop route)
No DDoS attack, direct route:    0.49 ms
DDoS attack, direct route:       225 ms
No DDoS attack, indirect route:  0.65 ms
DDoS attack, indirect route:     0.65 ms

Table 2: SCOLD FTP/HTTP download Test (from client to target)
Doc Size | No DDoS, direct (FTP / HTTP) | DDoS, direct (FTP / HTTP) | No DDoS, indirect (FTP / HTTP) | DDoS, indirect (FTP / HTTP)
100k     | 0.11 s / 3.8 s   | 8.6 s / 9.1 s   | 0.14 s / 4.6 s  | 0.14 s / 4.6 s
250k     | 0.28 s / 11.3 s  | 19.5 s / 13.3 s | 0.31 s / 11.6 s | 0.31 s / 11.6 s
500k     | 0.65 s / 30.8 s  | 39 s / 59 s     | 0.66 s / 31.1 s | 0.67 s / 31.1 s
1000k    | 1.16 s / 62.5 s  | 86 s / 106 s    | 1.15 s / 59 s   | 1.15 s / 59 s
2000k    | 2.34 s / 121 s   | 167 s / 232 s   | 2.34 s / 122 s  | 2.34 s / 123 s
Slide 21: A2D2 Multi-Level Adaptive Rate Limiting For Anti-DDoS Defense
(Figure: a Firewall Gateway running Multi-Level Rate Limiting as a Linux Router, with eth0 IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1 on the outside and eth1 IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12 on the inside; an IDS running ./snort -A UNSOCK with a Flood Preprocessor threshold and Flood Rate Limiter preprocessor thresholds in snort.conf; report.c / ./alert feeding rateif.pl, configured by rateif.conf (levels, rate, expiration, port #, etc.).)
Rate limiting levels: Level 4: Open (5 days); Level 3: 100 p/s; Level 2: 50 p/s; Level 1: Block (2 hrs); Level 0: Block (2 days); Level 1 expires.
Slide 22: Future Directions
Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
Recruit sites for wide area network SCOLD experiments. Northrop Grumman, Air Force Academy's IA Lab, and University of Texas are initial potential partners. Email me if you would like to be part of the SCOLD beta test sites and members of the SCOLD consortium.
We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool.
The network status information collected and analyzed by MIND can be used for selecting proxy server sites.
Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem.
SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.
SCOLD can be used to provide additional Internet bandwidth dynamically when there is a sudden need for bandwidth and connections; it is not just a security tool.
A company can deploy SCOLD by using its branch offices to provide proxy servers.
Slide 23: Conclusion
Secure Collective Internet Defense needs significant help from the community. There are tremendous research and development opportunities.
SCOLD v0.1 demonstrated DDoS defense via secure DNS updates with new indirect routing entries and IP-tunnel based indirect routing, letting legitimate clients come in through a set of proxy servers and alternate gateways.
It can be used to provide additional Internet bandwidth (a nice side effect!). Multiple indirect routes can also be used to improve the performance of Internet connections by using the proxy servers of an organization as connection relay servers.
If you would like to fund this project or commercialize it, let me know.