
CONTRA Camouflage of Network Traffic to Resist Attack (Intrusion Tolerance Using Masking, Redundancy and Dispersion) DARPA OASIS PI Meeting – Hilton Head.


1 CONTRA Camouflage of Network Traffic to Resist Attack (Intrusion Tolerance Using Masking, Redundancy and Dispersion)
DARPA OASIS PI Meeting – Hilton Head – March 12-15, 2002
Janet Lepanto, William Weinstein
The Charles Stark Draper Laboratory, Inc. / Aegis Research Corporation

2 DDoS Flooding Attacks: DDoS Flooding Attack is Analogous to Jamming
Jamming                                                           | DDoS Flood
Jammer concentrates energy at a particular frequency and location | Attacker directs traffic against a particular IP address
Jamming Defenses                                                  | Flooding Defenses
Frequency Hopping                                                 | IP Address Masking; IP Address Hopping
Energy Dispersion                                                 | IP Identity Dispersion

3 Key Ideas
- Spread the identity of a server across multiple IP addresses
- Add redundancy to each message, and send a portion of each message to each of the IP addresses of the server
  - If some of the addresses are flooded, that traffic can be dropped
  - The messages can be reconstructed from the remaining traffic
- Prevent an attacker from associating a set of addresses with a particular server
- Force the attacker to dilute the attack by spreading the flood across randomly chosen sets of IP addresses

4 Assumptions
- CONTRA system comprises a set of cooperating hosts
  - Communicate among themselves over the Internet
  - Servers could be made available to outsiders by designating some of the clients as gateways
- Attacker attempts to determine address(es) of high value target
  - By monitoring traffic at one or more accessible points of the Internet
  - By analyzing communication patterns
- Attacker can use public data to determine IP block assignments
- Attacker knows the organization that is communicating
- Pipes have sufficient capacity to accommodate the total traffic

5 Approach
- Leverage selected aspects of
  - VPNs
  - Anonymity systems
  - Fault-tolerant communications
- Consider ease of deployment
  - Implement as a communications proxy on top of UDP
  - Redundancy in messages provides reliability
  - Real source IP addresses can be masked
- Structure protocols to support
  - Continuous operation through attack
  - Distribution of reconfiguration information
  - Monitoring of attack progress
  - Extension to mitigate “insider” attacks

6 Implementation
Messages are sent from a source to a destination host as follows:
- Messages are encoded with redundancy and divided into N parts, any K<N of which can be used to recover the message
- The N parts are sent over different paths, each of which contains at least one relay host that functions as a mix
- The N parts of the message are dispersed across all of the IP addresses that define the destination host
- The “real” IP addresses of the source and destination, and the message content, are encrypted
  - Only the IP addresses of individual hops are exposed
- A virtual network topology can be chosen that exposes only a portion of the system’s IP addresses to an attacker sniffing at a single point

7 Message Encoding
[Figure: message encoding diagram. The origin host splits MESSAGE into parts M1, M2, M3 and applies a predetermined transformation X (a 5x3 matrix with entries T11..T53) to produce Z1..Z5, which travel through the network via a relay host. The destination host, with multiple IP addresses, receives Z1, Z3 and Z4; SELECT 1, 3, 4 picks the matching rows of X, and the inverse of that 3x3 submatrix (X^-1) recovers M1 M2 M3 = MESSAGE.]
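Worked example of the K-of-N encoding sketched on this slide, added here and not taken from the deck or from Draper/Aegis code; it assumes K=3, N=5 and a Vandermonde matrix over GF(257) in place of the slide's unspecified predetermined transformation X.

```python
"""K-of-N message dispersal over GF(p), as sketched on the Message Encoding slide.
Constructed example, not CONTRA's own code: the origin splits a message into K parts,
multiplies them by a fixed N x K transformation T and sends each of the N results to a
different destination address; any K of the N pieces invert T and rebuild the message."""
P = 257  # prime field; holds byte values 0..255, so N may be up to 256

def make_transform(k, n):
    """Vandermonde rows [1, x, ..., x^(k-1)] for x = 1..n: any k rows are invertible mod P."""
    return [[pow(x, j, P) for j in range(k)] for x in range(1, n + 1)]

def encode(message, k, n):
    """Return (pieces, pad): n pieces (row index, symbols); message zero-padded to a multiple of k."""
    pad = (-len(message)) % k
    data = list(message) + [0] * pad
    seg = len(data) // k
    parts = [data[j * seg:(j + 1) * seg] for j in range(k)]  # M1..Mk
    t = make_transform(k, n)
    pieces = []
    for i in range(n):  # Z_i = sum_j T[i][j] * M_j, position by position
        pieces.append((i, [sum(t[i][j] * parts[j][s] for j in range(k)) % P for s in range(seg)]))
    return pieces, pad

def solve_mod_p(a, b):
    """Gauss-Jordan elimination mod P: solve a * x = b for the k x seg matrix x."""
    k = len(a)
    m = [row[:] + rhs[:] for row, rhs in zip(a, b)]
    for col in range(k):
        piv = next(r for r in range(col, k) if m[r][col])
        m[col], m[piv] = m[piv], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [v * inv % P for v in m[col]]
        for r in range(k):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(vr - f * vc) % P for vr, vc in zip(m[r], m[col])]
    return [row[k:] for row in m]

def decode(pieces, k, n, pad):
    """Rebuild the message from any k received pieces (the SELECT step on the slide)."""
    if len(pieces) < k:
        raise ValueError("fewer than k pieces received; message cannot be rebuilt")
    chosen = pieces[:k]
    a = [make_transform(k, n)[i] for i, _ in chosen]  # the selected rows of T
    parts = solve_mod_p(a, [z for _, z in chosen])     # result rows are M1..Mk
    data = [v for part in parts for v in part]
    return bytes(data[:len(data) - pad])
```

Encoded symbols range over 0..256, so a real packet format would need 9 bits per symbol or a field such as GF(2^8); the point demonstrated is the any-K-of-N property, which is what lets flooded addresses be dropped.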

8 CONTRA Packet Structure
Packet layout: IP Header | Transport Header | CONTRA Header | Payload
Encryption layers marked on the diagram: Encrypted Between Hops; Encrypted Source-to-Destination
CONTRA Header contains:
- Real Source IP/port
- Real Destination IP/port
- K-of-N Encoding
- Msg Segment Number
- Padding
- Source/relay host status
- Vnet configuration status

9 Message Relay
[Figure: message relay path; labels: Source, Relay Host, Destination]

10 Relay Operations
- Decrypt CONTRA header
- Extract real destination
- Change padding
- Reencrypt with key of next hop
- Mix

11 Server IP Address Assignments
- Server listens on M >= N addresses
- K<N parts needed to rebuild message
[Figure: site diagram; labels: Internet, Site Router, Server, Client, Server]

12 Challenges
- Robustness of traffic mixing
  - Minimum level of traffic
- “Insider” attacks
  - Clients are users as well as relays
  - The CONTRA proxy on the client needs to know the real addresses of CONTRA destinations
  - Need to protect this information
