3/30/2005 Auburn University Information Assurance Lab 1 Simulating Secure Overlay Services
3/30/ Auburn University Information Assurance Lab Outline SOS Overview SOS Overview Communication Architecture Communication Architecture Ideas and Assumptions Ideas and Assumptions Models Models Experiments Experiments Results Results Future Work Future Work Questions? Questions?
3/30/ Auburn University Information Assurance Lab SOS Overview Target Site Target Site High-Speed Routers High-Speed Routers Secret Servlet Secret Servlet Beacon Beacon Secure Overlay Access Point (SOAP) Secure Overlay Access Point (SOAP)
3/30/ Auburn University Information Assurance Lab SOS Overview Target Site Target Site The machine enlisting the protection of the overlay network The machine enlisting the protection of the overlay network High-Speed Filter Routers High-Speed Filter Routers Routers that govern all access to the protected site Routers that govern all access to the protected site Must have the capacity to repel a sizeable attack Must have the capacity to repel a sizeable attack
3/30/ Auburn University Information Assurance Lab SOS Overview Secret Servlet Secret Servlet The only Node that is allowed to send data directly to the Target Site The only Node that is allowed to send data directly to the Target Site Beacon Beacon The ultimate destination as far as the overlay is concerned The ultimate destination as far as the overlay is concerned Secure Overlay Access Point (SOAP) Secure Overlay Access Point (SOAP) The point at the edge of the overlay through which users are authenticated, and their traffic forwarded The point at the edge of the overlay through which users are authenticated, and their traffic forwarded
3/30/ Auburn University Information Assurance Lab Design Philosophy and Assumptions Simplicity Simplicity Communication Protocol Communication Protocol Inter-node communication is reduced to single packet instructions and acknowledgements Inter-node communication is reduced to single packet instructions and acknowledgements User-target communication is very simple stop-and-wait protocol, allows us to make simple measurements of round trip time, loss rates, etc. User-target communication is very simple stop-and-wait protocol, allows us to make simple measurements of round trip time, loss rates, etc. Network Models Network Models The models should be as functionally pure as possible The models should be as functionally pure as possible The network should not be overburdened with excessively complex routing The network should not be overburdened with excessively complex routing
3/30/ Auburn University Information Assurance Lab Design Philosophy and Assumptions Simplicity (cont’d) Simplicity (cont’d) Attacks are simulated by intermittently failing nodes as opposed to generating large amounts of traffic to overwhelm them Attacks are simulated by intermittently failing nodes as opposed to generating large amounts of traffic to overwhelm them Attacker Assumptions Attacker Assumptions Attackers do not know the function of nodes in the network, only that they are participating Attackers do not know the function of nodes in the network, only that they are participating Attackers have the strength to shut down n nodes in a single stroke Attackers have the strength to shut down n nodes in a single stroke
3/30/ Auburn University Information Assurance Lab Models SOS Node Model SOS Node Model Secret Servlet Secret Servlet Beacon Beacon SOAP SOAP Intermediate Node Intermediate Node Target Site Target Site Accepts authenticated traffic and replies Accepts authenticated traffic and replies
3/30/ Auburn University Information Assurance Lab Models Router Router Filters what it is told to filter, forwards everything else Filters what it is told to filter, forwards everything else User (Traffic Generator) User (Traffic Generator) Injects data into the network and waits patiently for ACKs Injects data into the network and waits patiently for ACKs
3/30/ Auburn University Information Assurance Lab Models The Network The Network 25 Subnets 25 Subnets Each Subnet contains (at least) a router and an SOS node Each Subnet contains (at least) a router and an SOS node
3/30/ Auburn University Information Assurance Lab Models
3/30/ Auburn University Information Assurance Lab Models
3/30/ Auburn University Information Assurance Lab Models
3/30/ Auburn University Information Assurance Lab Models
3/30/ Auburn University Information Assurance Lab Models
3/30/ Auburn University Information Assurance Lab Models
3/30/ Auburn University Information Assurance Lab Models
3/30/ Auburn University Information Assurance Lab Experimental Design Unsophisticated Random Attacker Unsophisticated Random Attacker That attacker knows which nodes are participating in the network, but does not know their roles. That attacker knows which nodes are participating in the network, but does not know their roles. The attacker can fail any node in the network with probability p. After a random amount of downtime, the node will rejoin the network. The attacker can fail any node in the network with probability p. After a random amount of downtime, the node will rejoin the network. Unsophisticated Targeted Attacker Unsophisticated Targeted Attacker The attacker can use all of her resources to bring down n nodes simultaneously. These nodes do not have the chance to rejoin the network. The attacker can use all of her resources to bring down n nodes simultaneously. These nodes do not have the chance to rejoin the network.
3/30/ Auburn University Information Assurance Lab Experimental Design Sophisticated (Overinformed) Attacker Sophisticated (Overinformed) Attacker This attacker can divine the identity of the overlay’s most guarded secret, the identity of the secret servlet. This attacker can divine the identity of the overlay’s most guarded secret, the identity of the secret servlet. This discovery takes a short and near constant amount of time. This discovery takes a short and near constant amount of time.
3/30/ Auburn University Information Assurance Lab Results Unsophisticated Random Attacker Unsophisticated Random Attacker For small values of p the overlay is hardly effected For small values of p the overlay is hardly effected Anything larger than 0.5 creates long periods of down time for recovery. Anything larger than 0.5 creates long periods of down time for recovery.
3/30/ Auburn University Information Assurance Lab Results Unsophisticated Targeted attacker Attacker Unsophisticated Targeted attacker Attacker Again, once 50% of the nodes are susceptible to failure, recovery becomes very difficult, if not impossible Again, once 50% of the nodes are susceptible to failure, recovery becomes very difficult, if not impossible
3/30/ Auburn University Information Assurance Lab Results Sophisticated Attacker Sophisticated Attacker Recovery time for losing a secret servlet is near constant no matter how many times it happenes Recovery time for losing a secret servlet is near constant no matter how many times it happenes
3/30/ Auburn University Information Assurance Lab Conclusions The ease with which attackers can recruit a zombie hoard make DDoS a large and realistic threat to the communication infrastructure. The ease with which attackers can recruit a zombie hoard make DDoS a large and realistic threat to the communication infrastructure. Secure Overlay Services represents a creative solution to a complicated problem. Secure Overlay Services represents a creative solution to a complicated problem. With a large enough number of participating nodes, and very high speed links, SOS provides adequate protection and real-time recoverability in the face of a bandwidth denial of service attack. With a large enough number of participating nodes, and very high speed links, SOS provides adequate protection and real-time recoverability in the face of a bandwidth denial of service attack.
3/30/ Auburn University Information Assurance Lab Future Work More Accurate Network Model More Accurate Network Model TCP/IP Stack TCP/IP Stack Dynamic Routing Dynamic Routing Implementation Implementation Ask Adam… Ask Adam…
3/30/ Auburn University Information Assurance Lab Resources A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proceedings of ACM SIGCOMM, pages , August A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proceedings of ACM SIGCOMM, pages , August I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan. Chord: A Scalable Peer-To-Peer Lookup Service for Internet Applications. In Proceedings of ACM SIGCOMM, I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan. Chord: A Scalable Peer-To-Peer Lookup Service for Internet Applications. In Proceedings of ACM SIGCOMM, Morein, W.G., Stavrou, A., Cook, D.L., Keromytis, A.D., Misra, V., Rubenstein, D.: Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers. In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS). (2003) Morein, W.G., Stavrou, A., Cook, D.L., Keromytis, A.D., Misra, V., Rubenstein, D.: Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers. In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS). (2003) D. Karger, E. Lehman, F. Leighton, R. Panigrahy, M. Levine, and D. Lewin. Consistent Hashing and Random Trees: Distributed Caching Protocols for Relieving Hot Spots on the World Wide Web. In Proceedings of ACM Symposium on Theory of Computing (STOC), pages 654–663, May D. Karger, E. Lehman, F. Leighton, R. Panigrahy, M. Levine, and D. Lewin. Consistent Hashing and Random Trees: Distributed Caching Protocols for Relieving Hot Spots on the World Wide Web. In Proceedings of ACM Symposium on Theory of Computing (STOC), pages 654–663, May H. W. Fletcher, K. Richardson, M. C. Carlisle, J. A. Hamilton. Simulation Experimentation with Secure Overlay Services. In review for SES Summer Simulation Conference, H. W. Fletcher, K. Richardson, M. C. Carlisle, J. A. Hamilton. Simulation Experimentation with Secure Overlay Services. In review for SES Summer Simulation Conference, 2005.