Protecting Network Quality of Service Against Denial of Service Attacks. Douglas S. Reeves, S. Felix Wu. DARPA FTN PI Meeting, August 2, 2001. NC State / UC Davis / MCNC


Slide 1: Protecting Network Quality of Service Against Denial of Service Attacks
– Douglas S. Reeves, S. Felix Wu
– DARPA FTN PI Meeting, August 2, 2001
– NC State / UC Davis / MCNC

Slide 2: Timetable and Participants
– Start date = August 1999
– Duration = 36 months (+extension)
– Point of contact = Dr. Kevin Kwiat, AFRL, (315)
– No clearances
– Douglas Reeves, Peter Wurman: N.C. State University (919)
– S. Felix Wu: U.C. Davis (530)
– Dan Stephenson, Xiaoyong Wu: MCNC

Slide 3: Scope of the Project
Table columns: Category | Control Flow (Protect, Detect Attacks) | Data Flow (Protect, Detect Attacks) | Prevention from Misuse
– Intserv: RSVP authentication, Pricing, Trust-based allocation, Reliable multicast
– DiffServ: 1. Intrusion detection, Pricing, Queue management, Reliable multicast, Packet dropping analysis
– Security Policy: 2. IPSec policy generation, correctness
– Application level: Traceback, Watermarking, Traffic correlation

Slide 4: Results
– Accomplished
  – Approximately 15 published papers to date
  – 5 students graduated, 7 more in progress
  – Software: packet dropping attack analysis, RSVP authentication, RSVP pricing, trust-based allocation (and more to come)
  – Patent and standards submissions
  – Collaborations with Nortel

Slide 5: Disappointments (Failures)
– Failure of QoS to be deployed on a widespread basis in the Internet
  – lack of security / fault tolerance a major reason?
– Pricing
  – requirements for adoption
– TCP packet dropping attacks
  – limitations of neural nets

Slide 6: 1. DiffServ Intrusion Detection (work by Xiaoyong Wu of MCNC)

Slide 7: DiffServ Components
[figure: hosts (H), edge routers (E) and core routers (C) of a DiffServ domain]
– Vulnerabilities
  – Packet dropping
  – Packet remarking
  – Packet delaying

Slide 8: Intrusion Detection Architecture
– Network monitoring
  – DiffServ aggregated flow monitor
  – Micro-flow traffic monitor
– Anomaly (statistical analysis) detection
– Rule based detection
– Detection and analysis result correlation
[figure: DSMon and TrafMon monitors feeding the Stat and Rule modules, on top of the Linux kernel DiffServ implementation and libpcap fast packet capturing, with local & remote correlation above]

Slide 9: Network Monitors
– Communicate with the statistical analysis and rule-based detection modules
– Monitor both aggregated flows and microflows
– DiffServ aggregated flow monitor
  – Periodically extracts statistical values from the Linux kernel using the Traffic Controller library (libtc)
  – Bytes and packets delivered
  – Over-limit and dropped packets
– Micro-flow traffic monitor
  – A micro-flow is defined by a traffic filter
  – Uses fast packet capturing (libpcap)

Slide 10: NIDES/JiNao Statistical Analysis (Anomaly-based detection)
– Goodness of fit test
  – $H_0$: the data follows a "given" distribution
  – $H_1$: the data does not follow the specified distribution
– Obtain the chi-squared value
  – O = observed value
  – E = expected value
  – $\chi^2 = \sum \frac{(O - E)^2}{E}$
– Notes
  – The range of $\chi^2$ is from 0 to infinity

Slide 11: Similarity "Score"
– Counting measures
  – Byte count and packet count
– Score value: "normalized" Q value
  – $S = \Phi^{-1}(1 - TP/2)$
  – $TP = P_m + \sum_{i=m+1}^{max} P_i$
  – $\Phi$ is the cumulative distribution function of a N(0,1) variable
  – $P_m$ is the relative frequency with which $\chi^2$ belongs to the m-th interval
  – M and max are manually selected at present
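The scoring of slides 10 and 11 carried through in code, as an added example that is not the project's Stat module: a byte-count profile, the chi-squared Q of an observation window, the long-term Q distribution over max intervals, and the score S. The bin edges, the long-term counts and the attack window are constructed.

```python
from statistics import NormalDist

# Constructed long-term profile: bytes delivered per 1-second interval for one EF
# aggregate under normal operation (in the slides these counters come from libtc).
LONG_TERM = [7900 + (i * 53) % 400 for i in range(300)]
# Constructed attack window: a remarked BE flow inflates the EF aggregate.
ATTACK_WINDOW = [12000 + (i * 7) % 50 for i in range(30)]
BYTE_EDGES = [0, 7900, 8000, 8100, 8200, 8300]   # lower bounds of the measure bins
Q_EDGES = [0.0, 1.0, 2.0, 4.0, 8.0, 16.0]        # lower bounds of the max=6 Q intervals

def bin_index(value, edges):
    """Index of the bin whose lower bound is the largest one <= value (last bin is open)."""
    idx = 0
    for i, lower in enumerate(edges):
        if value >= lower:
            idx = i
    return idx

def relative_frequencies(values, edges):
    """Relative frequency of each bin over the values (a P_1..P_max style profile)."""
    counts = [0] * len(edges)
    for v in values:
        counts[bin_index(v, edges)] += 1
    return [c / len(values) for c in counts]

def chi_squared(observed, expected):
    """Q = sum((O - E)^2 / E) over the bins."""
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected))

def window_q(window, profile):
    """Q of one observation window against the long-term bin profile."""
    observed = [0] * len(profile)
    for v in window:
        observed[bin_index(v, BYTE_EDGES)] += 1
    # floor of 0.5 so that traffic landing in a never-seen bin still raises Q
    expected = [max(p * len(window), 0.5) for p in profile]
    return chi_squared(observed, expected)

def q_distribution(samples, profile, width):
    """Long-term Q distribution: P_m for each Q interval, from non-overlapping windows."""
    qs = [window_q(samples[i:i + width], profile)
          for i in range(0, len(samples) - width + 1, width)]
    return relative_frequencies(qs, Q_EDGES)

def score(q, q_dist, floor=1e-6):
    """S = Phi^-1(1 - TP/2) with TP = P_m + sum of P_i over the intervals beyond m."""
    m = bin_index(q, Q_EDGES)
    tp = max(sum(q_dist[m:]), floor)   # floor: inv_cdf is undefined at exactly 1.0
    return NormalDist().inv_cdf(1 - tp / 2)

def anomaly_score(window, samples=LONG_TERM, width=30):
    """Score a window of counts the way the Stat module would: profile, Q, then S."""
    profile = relative_frequencies(samples, BYTE_EDGES)
    return score(window_q(window, profile), q_distribution(samples, profile, width))
```

A window drawn from the normal profile scores near 0, while the remarking window lands beyond every Q interval ever seen and scores near 4.9.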

Slide 12: Long Term Q Distribution Examples
[figure: Q distributions for background traffic (Poisson, 4 Mbps, byte counts) and audio traffic (periodic, 64 Kbps, byte counts)]

Slide 13: Rule Based Detection
– Meant to detect known attacks and vulnerabilities
– Rules from RFCs and real deployments
  – Expedited Forwarding: No-Dropping rule for in-limit traffic; No-Overlimit rule within the DiffServ network
  – Static traffic markings (DSCPs): Mark Mapping rule for a microflow

Slide 14: Attack Implementation
– Linux kernel module
  – Runs in kernel space
  – Uses the proc file system for configuration
– Emulated scenarios
  – Planned: tunable packet delay distributions
  – Congestion and background loss (aggregated flow)
  – Bandwidth limitation (microflow)
  – Planned: packet reordering / duplication

Slide 15: Traffic Generation Tools
– tcpTalk
  – Audio traffic
  – TCP
– MGEN
  – Background traffic and attack traffic
  – UDP
  – CBR or Poisson
– Thttp (future)
  – Background traffic
  – TCP (HTTP, FTP, SMTP, NNTP, etc.)
  – Emulates the traffic at the Internet core
  – Generates the packets based on pre-calculated distributions

Slide 16: Detection Scenario and Performance
– R1, R2 are two DiffServ routers with the IDS running
  – R1 and R2 collect long-term behaviors for BE traffic and EF traffic
  – R1 is compromised and starts to mark one BE flow as EF
  – Rule detection on R2 notices the change of marking for the BE flow
  – The accumulated increase in EF traffic deviates from the long-term EF behavior
  – Statistical analysis on R2 notices the deviation
– Performance
  – With a 1% false alarm rate we can get a 100% detection rate
[figure: R1 and R2 with BE and EF flows]

Slide 17: Detection Results
[figure only]

Slide 18: Collaboration and Future Work
– Collaboration with Avaya Systems
  – Network evaluation for Voice over IP solutions
  – Interested in the impact of intrusions on voice traffic
  – Interested in monitoring mechanisms
– Local and remote correlation
  – Bayesian belief networks

Slide 19: 2. IPSec Policy Generation and Correctness
– "Policy conflicts" for IPSec/VPN: what will possibly go wrong?
– Requirement versus policy: what is their relationship?

Slide 20: IPSec Policy: Implementation Policy
– Policy: if <condition> then <action>
– IPSec policy:
  – Condition: src, dst, src-port, dst-port, protocol, ...
  – Action: Deny | Allow | ipsec (entry, exit, mode, sec-prot, alg)
– Example:
  – Condition: src=A, dst=B, port=*, prot=TCP
  – Action: ipsec (Rb, Rd, tun, ESP, 3DES)
[figure: path A, Rc, Rb, Rd, B with an ESP tunnel between Rb and Rd carrying the A-to-B traffic]

Slide 21: Example Conflict #1: Privacy and Content Examination
[figure: path A, SG-1, SG-2, B; labels X, Y]

Slide 22: Example Conflict #2: Selector Confusion
[figure: path A, SG-1, SG-2, B; labels X, Y]

Slide 23: Example Conflict #3: Tunnel Overlapping
[figure: path A, SG-1, SG-1.1, SG-2.1, SG-2, B; the A-to-B traffic carried in overlapping tunnels SG-1 to SG-2.1 and SG-1.1 to SG-2]

Slide 24: Policy Conflict
– IPSec/VPN policy conflict: a set of (implementation) policies does not quite work well together, such that the packets (information bits) are either dropped or revealed/sent unsafely.
– Requirement(s): the intention(s) behind the implementation-level policies; e.g., "I want to maintain the privacy of certain flows": IPSec ESP tunnels.
– Conflicts: a set of policies together does not support the requirements, or the requirements conflict among themselves.

Slide 25: Policy versus Requirement
– Policy (implementation, low-level): how should a network entity or a policy domain handle a particular flow of packets functionally? Currently the processing is based on the selector (i.e., the packet header information).
– Requirement (intention, high-level): how should a particular set/flow of packets (information bits) be protected and handled from A to B? Even if the packet header changes, the information bits in the payload should still be protected in the same way.

Slide 26: Policy versus Requirement
[figure: a requirement mapped to a set of policies]

Slide 27: Policy Analysis
[figure: from a set of policies back to a requirement: ????]

Slide 28: IPSec Security Requirements (1)
– Access Control Requirement (ACR)
  – Restrict access only to trusted traffic; e.g., deny all telnet traffic
– Security Coverage Requirement (SCR)
  – Apply security functions to prevent traffic from being compromised during transmission across a certain area
  – Plus: who can be trusted?
[figure: path H1, Rb, Rd, H2 with encryption or authentication across the area and the trusted nodes marked]

Slide 29: IPSec Security Requirements (2)
– Content Access Requirement (CAR)
  – Specify the need to access the content of certain traffic; e.g., "I will examine the content for intrusion detection"
  – CMR: modify; CER: examine
– Security Association Requirement (SAR)
  – Specify trust/distrust relationships in SA setup
[figure: a pair of nodes marked X: cannot set up an SA]

Slide 30: Security Requirement Satisfaction (1)
– Access Control Requirement: deny or allow
– Security Coverage Requirement
  – All the links and nodes in the area need to be covered by the specified security
[figure: two copies of the path H1, Rc, Rb, Rd, H2 with an encryption span, one marked No! and one marked Yes!]

Slide 31: Security Requirement Satisfaction (2)
– Content Access Requirement
  – A certain node needs to access the content: Rb? Rc? (Rb: No! Rc: Yes!)
– Security Association Requirement
  – Some nodes are not allowed to set up an SA
[figure: path H1, Rc, Rb, Rd, H2]

Slide 32: IPSec Requirement Spec.
– Formal specification: ACR, SCR, CAR, SAR
– Conflict detection in requirements: Requirement Satisfiability Problem (RSP): given a set of requirements, an algorithm to check whether it is at all possible to find a set of policies that satisfies all the requirements
  – Completeness proof
– Policy determination: transformation: if possible, an algorithm to find the "optimal" set of policies
  – Correctness and efficiency

Slide 33: Example (per flow)
– Coverage: SCR#1: ENC 2-4, trusted 3; SCR#2: AUTH 1-4, trusted 3; SCR#3: ENC 3-5, trusted 4
– Content: CAR#1: (ENC, AUTH) by 4
– SA relation: SAR#1: not-ENC 2-5; SAR#2: not-ENC 1-5; SAR#3: not-AUTH 1-4

Slide 34: Solution
[figure: the ENC and AUTH tunnels chosen for the example flow]
– Coverage: SCR#1: ENC 2-4, trusted 3; SCR#2: AUTH 1-4, trusted 3; SCR#3: ENC 3-5, trusted 4
– Content: CAR#1: (ENC, AUTH) by 4
– SA relation: SAR#1: not-ENC 2-5; SAR#2: not-ENC 1-5; SAR#3: not-AUTH 1-4
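The requirement satisfaction check of slides 30 to 34 as an added example, not the paper's RSP or policy generation algorithm: it tests a candidate set of tunnels against the example's SCR, CAR and SAR requirements. The linear path 1-2-3-4-5, the tunnel representation and both candidate sets are assumptions; the hop-by-hop set is one satisfying assignment found by hand, not necessarily the one drawn on the solution slide.

```python
# Requirements of the slides' per-flow example over a constructed linear path 1-2-3-4-5.
# A tunnel (kind, start, end) stands for one ipsec(entry, exit, ...) policy of that kind.
SCR = [("ENC", 2, 4, {3}), ("AUTH", 1, 4, {3}), ("ENC", 3, 5, {4})]  # area + trusted nodes
CAR = [(("ENC", "AUTH"), 4)]                                          # node 4 must see content
SAR = [("ENC", 2, 5), ("ENC", 1, 5), ("AUTH", 1, 4)]                  # pairs that may not set up an SA

def covered_links(tunnels, kind):
    """Path links (i, i+1) carried inside at least one tunnel of this kind."""
    links = set()
    for k, start, end in tunnels:
        if k == kind:
            links.update((i, i + 1) for i in range(start, end))
    return links

def check(tunnels, scr=SCR, car=CAR, sar=SAR):
    """Return every requirement the candidate tunnel set violates (empty list = satisfied)."""
    violations = []
    for kind, lo, hi, trusted in scr:
        missing = {(i, i + 1) for i in range(lo, hi)} - covered_links(tunnels, kind)
        if missing:
            violations.append(f"SCR {kind} {lo}-{hi}: links {sorted(missing)} unprotected")
        # a tunnel ending strictly inside the area exposes the flow at that node
        for k, start, end in tunnels:
            for node in (start, end):
                if k == kind and lo < node < hi and node not in trusted:
                    violations.append(f"SCR {kind} {lo}-{hi}: untrusted endpoint {node}")
    for kinds, node in car:
        for k, start, end in tunnels:
            if k in kinds and start < node < end:   # passes through without terminating
                violations.append(f"CAR by {node}: {k} tunnel {start}-{end} hides the content")
    for kind, a, b in sar:
        for k, start, end in tunnels:
            if k == kind and {start, end} == {a, b}:
                violations.append(f"SAR not-{kind} {a}-{b}: tunnel {start}-{end} needs that SA")
    return violations

# Two constructed candidate policy sets: one naive end-to-end set and one that
# terminates every tunnel at a trusted node.
NAIVE = [("ENC", 2, 5), ("AUTH", 1, 4)]
HOP_BY_HOP = [("ENC", 2, 3), ("ENC", 3, 4), ("ENC", 4, 5), ("AUTH", 1, 3), ("AUTH", 3, 4)]

if __name__ == "__main__":
    for name, tunnels in (("naive", NAIVE), ("hop-by-hop", HOP_BY_HOP)):
        print(name, check(tunnels) or "satisfies all requirements")
```

The naive set covers every link but breaks CAR#1, SAR#1 and SAR#3, which is the kind of conflict slide 24 describes: the policies are individually plausible yet together reveal or block the flow.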

Slide 35: Policy Generation CPU Time
[figure only]

Slide 36: Number of Policy Rules Generated
[figure only]

Slide 37: Results
– Collaboration with Nortel Networks
– For more information:
  – Policy'2001: requirement specification language
  – DSOM'2001: automatic policy generation algorithms