Slide 1: SOS: Secure Overlay Services
A. D. Keromytis, V. Misra, D. Rubenstein, Columbia University
Post on 14-Jan-2016
Slide 3: Introduction/Motivation
- 9/11 events: the Internet vs. the phone network
- Communication paths between the "important" sites and Emergency Response Teams
- Trends of DDoS attacks
- Previous reactive approaches
- Proactive mechanisms
Slide 4: Attack Trends [CERT'01]
- Trend 6: increasing threat from infrastructure attacks, type 1: distributed denial of service, ...
- The degree of automation:
  - Manual attacks: early DDoS attacks
  - Semi-automatic attacks: attacks with communications between masters and slaves
  - Automatic attacks: just issue a single command
- High-impact, low-effort
Slide 5: Distributed Denial of Service Attacks (DDoS)
- The attacker logs into a master and signals the slaves to launch an attack on a specific target address (the victim).
- The slaves then respond by initiating a TCP, UDP, ICMP or Smurf attack on the victim.
Slide 6: What makes DDoS attacks possible?
- Internet security is highly interdependent
- Internet resources are limited
- The power of many is greater than the power of few
- Intelligence and resources are not collocated
Slide 7: What to Do About DDoS?
- Detection:
  - Intrusion detection systems
  - Traceback (unfortunately, not to the attacks): link testing, ICMP traceback, hash-based traceback, probabilistic marking
- Prevention:
  - Traffic monitoring (e.g., ICMP packets, SYN packets)
  - Ingress filtering on the routers
  - GovNet: a separate network
Slide 8: Objective of Secure Overlay Services
- Motivated by the ERT scenario
- Focus on protecting a site that stores information that is difficult to replicate
- Secure communication on top of today's existing IP infrastructure against DDoS attacks
- Does NOT solve the general DoS problem
Slide 9: Assumptions
1. A pre-determined subset of clients scattered through the wide-area network (WAN)
2. A set of users want to prevent access to this information and will launch a DoS attack upon any network points whose jamming will achieve this goal
3. The attacker does not have unobstructed access to the network core
4. The attacker cannot acquire sufficient resources to severely disrupt large portions of the backbone
Slide 11: Architecture Description
- SOS is a network overlay
- Nodes are known to the public
- Communications between overlay nodes are assumed to remain secure
- The user's packets must be authenticated and authorized by SOS before traffic is allowed to flow through the overlay
Slide 12: Filtered Region
- Establish filters at the ISP's POP routers attaching to the ISP backbone
- Distinguish and drop illegitimate packets
- Issues: IP address changes and user role changes; IP spoofing
Slide 13: Secret Servlets
- A subset of nodes, Ns, selected by the target to act as forwarding proxies
- The filters only allow packets whose source address matches some n in Ns
- Hide the identities of the proxies to prevent IP spoofing or attacks aimed at the proxies
- Activated by the target's message
- Challenge: reach a secret servlet without revealing the servlet's ID to the nodes that wish to reach it
- Random next hop: O(N/Ns) hops
Slide 14: SOAP: Secure Overlay Access Point
- Receives and verifies traffic
- Authentication tools: IPsec/TLS
- A large number of SOAPs make a distributed firewall
- Effect on DoS: increases the amount of resources/bandwidth needed to deny connectivity to legitimate clients
- How to map SOAPs to different users?
Slide 15: Routing through the Overlay
- Chord service (www.cs.umn.edu/~he/iss/)
- Each overlay node contains O(log N) identifiers
- Chord delivers the packet to one of several beacons, which know the secret servlet's identity
- The beacon's identifier is obtained by hashing the target's IP address
- Multiple hash functions produce different paths
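As an added illustration of the beacon lookup described on this slide (not code from the paper or the SOS project), the following Python maps a target's IP address onto a small Chord ring with several hash functions and returns the beacons that would receive the packet. The ring size, the node names, the target address and the salted-hash model of "multiple hash functions" are all assumptions made for the example.

```python
import bisect
import hashlib
from typing import List

M_BITS = 16  # constructed: a 2^16 identifier space is enough to show the mapping

def chord_id(key: str, m_bits: int = M_BITS) -> int:
    """Consistent hashing onto the Chord ring: SHA-1 of the key, truncated to m_bits."""
    digest = hashlib.sha1(key.encode()).digest()
    return int.from_bytes(digest, "big") % (1 << m_bits)

def successor(ring: List[int], point: int) -> int:
    """Chord successor of a point: the first node id >= point, wrapping around the ring."""
    idx = bisect.bisect_left(ring, point)
    return ring[idx % len(ring)]

def beacons_for_target(target_ip: str, node_ids: List[int], n_hashes: int) -> List[int]:
    """Beacons for a target: one per hash function applied to the target's IP address.

    Assumption: the slide's 'multiple hash functions' are modelled as one hash
    salted with the function index. Each beacon is the successor of its hashed
    point, so it is a node that exists in the overlay; any SOAP can compute this
    list, but only the beacons learn which nodes are the secret servlets.
    """
    ring = sorted(node_ids)
    beacons: List[int] = []
    for i in range(n_hashes):
        point = chord_id(f"{i}:{target_ip}")
        beacon = successor(ring, point)
        if beacon not in beacons:  # two hashes may land on the same successor
            beacons.append(beacon)
    return beacons

def overlay_nodes(count: int) -> List[int]:
    """Constructed overlay: node ids hashed from hypothetical names node-0 .. node-(count-1)."""
    return sorted({chord_id(f"node-{n}") for n in range(count)})

if __name__ == "__main__":
    nodes = overlay_nodes(64)
    # 192.0.2.10 is a constructed target address from the documentation range.
    print(beacons_for_target("192.0.2.10", nodes, n_hashes=3))
```

Each distinct beacon is reached over a different path through the ring, which is what lets a SOAP keep delivering while one beacon is under attack.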
Slide 16: Against the DoS Attacks
- An access point is attacked: the source point can choose an alternative access point
- A node within the overlay is attacked: the Chord service self-heals
- A secret servlet's identifier is discovered and the servlet is targeted as an attack point: the target chooses an alternative set of secret servlets
Slide 17: Performance Analysis (1): varying number of attacks and nodes in the overlay
[Plot: P(AttackSuccess) vs. number of nodes attacked]
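The recovery rules on slide 16 imply that a blind attack on the overlay succeeds only when it disables an entire role set (every SOAP, every beacon, or every secret servlet). The following Python is an added example, not the paper's own analysis: it computes P(AttackSuccess) as a function of the number of nodes attacked under that simplified model, assuming disjoint SOAP, beacon and servlet sets and a uniformly random choice of attacked nodes, and cross-checks the closed form by simulation.

```python
from itertools import combinations
from math import comb
import random
from typing import Dict

def p_attack_success(n_nodes: int, role_sizes: Dict[str, int], k_attacked: int) -> float:
    """Exact P(target cut off) when k_attacked random overlay nodes are disabled.

    Assumed model (not the paper's exact analysis): role_sizes gives how many of
    the n_nodes nodes act as SOAP, beacon and secret servlet, with disjoint role
    sets. The attacker does not know which node plays which role, so the disabled
    nodes are a uniform random subset. As on the slide 'Against the DoS attacks',
    single hits are survivable: the target is cut off only when every node of at
    least one role is down. Inclusion-exclusion over roles, hypergeometric terms.
    """
    roles = list(role_sizes.values())
    if sum(roles) > n_nodes or not 0 <= k_attacked <= n_nodes:
        raise ValueError("role sets must fit in the overlay and 0 <= k <= n")
    total = comb(n_nodes, k_attacked)
    p = 0.0
    for r in range(1, len(roles) + 1):
        for subset in combinations(roles, r):
            need = sum(subset)  # nodes that must be hit to wipe out these roles
            if need > k_attacked:
                continue
            ways = comb(n_nodes - need, k_attacked - need)  # ways to pick the rest
            p += (-1) ** (r + 1) * ways / total
    return p

def simulate_attack_success(n_nodes, role_sizes, k_attacked, trials=20000, seed=1):
    """Monte Carlo check of the same model: fixed role assignment, k random nodes down."""
    rng = random.Random(seed)
    nodes = list(range(n_nodes))
    role_members, start = {}, 0
    for role, size in role_sizes.items():
        role_members[role] = set(nodes[start:start + size])
        start += size
    hits = 0
    for _ in range(trials):
        down = set(rng.sample(nodes, k_attacked))
        if any(members <= down for members in role_members.values()):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    roles = {"soap": 4, "beacon": 4, "servlet": 4}  # constructed overlay of 64 nodes
    for k in (4, 8, 16, 32):  # nodes attacked, the slide's x-axis
        print(k, round(p_attack_success(64, roles, k), 4))
```

Growing the overlay while keeping the role sets the same size drives the success probability down, which is the defender's lever the performance slides quantify.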
Slide 18: Performance Analysis (2): blocking probability for legitimate traffic as a function of attack traffic load
[Plot: blocking probability for legitimate traffic vs. load of attack traffic]
Slide 19: Performance Analysis (3): performance gains of increasing the capacity of the attacked node
[Plot: bandwidth gain vs. bandwidth increase factor]
Slide 20: Performance Analysis (4): performance gains of increasing the anonymity of the attacked node
[Plot: randomization gain vs. size of the overlay]
Slide 21: Implementation
- Filtering: high- and medium-end routers (performance & cost); high-speed packet classification
- Authentication and authorization of sources: IPsec; public key infrastructure/certificates
- Tunneling: IP-in-IP encapsulation; GRE encapsulation; IPsec in tunnel mode
Slide 22: Discussion
- Attacks from inside the overlay: security management oversights, development bugs, potential damage from inside
- A shared overlay: multiple organizations utilize a shared overlay; a breach in one organization's security would not lead to breaches in other networks
- Timely delivery: latency (10 times larger, preliminary simulations); trade security for performance