CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 (presentation transcript)


Slide 1: D-WARD [1]

- Goal: detect attacks, reduce the attack traffic, recognize and favor the legitimate traffic
- Source-end, inline defense system
- Gathers statistics on flows and connections and compares them with protocol-based models:
  - Mismatching flow statistics indicate an attack
  - Matching connection statistics indicate legitimate traffic
- Dynamic and selective rate-limit algorithm:
  - Fast decrease to relieve the victim
  - Fast increase when the attack stops and on false alarms
- Detects and forwards legitimate connection packets

[1] "Attacking DDoS at the source," Mirkovic, Prier, Reiher, ICNP 2002
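The slide's two mechanisms (flow statistics checked against a protocol model, and a rate limit that drops fast while the flow mismatches and recovers fast once it complies) as an added illustration in Python. This is not D-WARD's code: the send/receive ratio threshold, the halving and quadrupling rule, and the sample trace are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

# Constructed per-interval statistics for one flow (this network -> one destination).
@dataclass
class FlowStats:
    sent: int       # packets sent toward the destination in the interval
    received: int   # packets seen coming back from it

# Assumed TCP-like model: an honest flow does not send vastly more than it gets back.
MAX_SEND_RECV_RATIO = 3.0

def flow_mismatch(s: FlowStats) -> bool:
    """True when the flow's statistics violate the model, i.e. look like a flood."""
    if s.received == 0:
        return s.sent > 0
    return s.sent / s.received > MAX_SEND_RECV_RATIO

def connection_legitimate(sent: int, received: int) -> bool:
    """Per-connection check: balanced two-way traffic matches the model, so the
    connection's packets are forwarded even while its flow is rate-limited."""
    return received > 0 and sent / received <= MAX_SEND_RECV_RATIO

class RateLimiter:
    """Assumed dynamics: halve below the observed rate while the flow mismatches,
    quadruple back toward line rate as soon as it complies again."""
    def __init__(self, link_rate: float, floor: float):
        self.link_rate, self.floor, self.limit = link_rate, floor, link_rate

    def update(self, s: FlowStats, attack: bool) -> float:
        if attack:
            self.limit = max(self.floor, min(self.limit, s.sent) / 2)  # fast decrease
        else:
            self.limit = min(self.link_rate, self.limit * 4)           # fast increase
        return self.limit

def simulate(intervals, link_rate=1000.0, floor=10.0):
    """Run detection and rate limiting over consecutive intervals; return (attack?, limit)."""
    rl = RateLimiter(link_rate, floor)
    result = []
    for s in intervals:
        attack = flow_mismatch(s)
        result.append((attack, rl.update(s, attack)))
    return result

if __name__ == "__main__":
    # Constructed trace: normal, three intervals of flooding, then normal again.
    trace = [FlowStats(100, 90), FlowStats(800, 20), FlowStats(800, 20),
             FlowStats(800, 20), FlowStats(100, 90), FlowStats(100, 90)]
    for attack, limit in simulate(trace):
        print("attack" if attack else "normal", f"limit={limit:.0f} pkts/interval")
```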

Slide 2: Flows And Connections [figure]

Slides 3–5: D-WARD Overview [figures]

Slide 6: Can It Work?

- Extensive experiments indicate:
  - Fast detection of a wide range of attacks
  - Effective control of the attack traffic
  - Extremely low collateral damage
  - Fast removal of the rate limit when the attack stops
  - Small processing and memory overhead
- Effectively stops attacks from deploying networks
- Only effective in actually stopping attacks if deployed at most/all potential attacking networks
- May provide synergistic benefits with other defenses

Slide 7: Advantages And Limitations

+ Fast detection and control of a wide range of attacks
+ Extremely low collateral damage
+ Low number of false positives
+ Stops attacks as soon as possible
– Attackers can perform successful attacks from unprotected networks
– Deployment motivation is low

Slide 8: Netbouncer [1]

- Goal: detect legitimate clients and only serve their packets
- Victim-end, inline defense system deployed in front of the choke point
- Keeps a list of legitimate clients:
  - Only packets from these clients are served
  - Unknown clients receive a challenge to prove their legitimacy; there are several levels of legitimacy tests
- Various QoS techniques are applied to ensure fair sharing of resources by legitimate client traffic
- Legitimacy of a client expires after a certain interval

[1] "NetBouncer: Client-legitimacy-based High-performance DDoS Filtering," Thomas, Mark, Johnson, Croall, DISCEX 2003

Slides 9–12: Netbouncer Overview [figures; labels: N, Legitimacy list]

Slide 13: Can It Work?

- Successfully defeats spoofed attacks
- Ensures fair sharing of resources among clients that have proved to be legitimate
- All legitimacy tests are stateless, so the defense system cannot be the target of state-consumption attacks
- Some legitimate clients do not support certain legitimacy tests (e.g. the ping test)
- Legitimate client identity can be misused for attacks
- A large number of agents can still degrade service to legitimate clients, creating a "flash crowd" effect

Slide 14: Advantages And Limitations

+ Ensures good service to legitimate clients in the majority of cases
+ Does not require modifications of clients or servers
+ Stateless legitimacy tests ensure resiliency to DoS attacks on Netbouncer
+ Realistic deployment model: autonomous solution, close to the victim
– Attackers can perform successful attacks by:
  – Misusing identities of legitimate clients
  – Recruiting a large number of agents
– Some legitimate clients will not be validated
– Challenge generation may exhaust the defense

Slide 15: SOS [1]

- Goal: route only "verified user" traffic to the server, drop everything else
- Clients use an overlay network to reach the server
- Clients are authenticated at the overlay entrance; their packets are routed to proxies
- A small set of proxies are "approved" to reach the server; all other traffic is heavily filtered out

[1] "SOS: Secure Overlay Services," Keromytis, Misra, Rubenstein, ACM SIGCOMM 2002

Slide 16: SOS

- The user first contacts nodes that can check its legitimacy and admit it to the overlay: the access points
- An overlay node uses the Chord overlay routing protocol to send the user's packets to a beacon
- The beacon sends packets to a secret servlet
- Secret servlets tunnel packets to the firewall
- The firewall only lets through packets with the IP of a secret servlet
- A secret servlet's identity has to be hidden, because its source address is a passport for the realm beyond the firewall
- Beacons are nodes that know the identity of the secret servlets
- If a node fails, other nodes can take its role

Slides 17–20: SOS Overview [figures; legend: AP = Access Point, B = Beacon, SS = Secure Servlet, F = Firewall]

Slide 21: Can It Work?

- SOS successfully protects communication with a private server:
  - Access points can distinguish legitimate from attack communications
  - The overlay protects the traffic flow
  - The firewall drops attack packets
- Redundancy in the overlay and secrecy of the path to the target provide security against DoS attacks on SOS

Slide 22: Advantages And Limitations

+ Ensures communication of "verified users" with the victim
+ Resilient to overlay node failure
+ Resilient to DoS on the defense system
– Does not work for a public service
– Clients must be aware of the overlay and use it to access the victim
– Traffic routed through the overlay travels on a suboptimal path
– Still allows a brute-force attack on the links leading to the firewall
  – If the attacker can find it

Slide 23: Client Puzzles [1]

- Goal: defend against connection depletion attacks
- When under attack:
  - The server distributes small cryptographic puzzles to clients requesting service
  - Clients spend resources to solve the puzzles
  - A correct solution, submitted on time, leads to state allocation and connection establishment
  - Non-validated connection packets are dropped
- Puzzle generation is stateless
- A client cannot reuse puzzle solutions
- An attacker cannot make use of intercepted packets

[1] "Client puzzles: A cryptographic countermeasure against connection depletion attacks," Juels, Brainard, NDSS 1999

Slides 24–26: Client Puzzles Overview [figures]

Slide 27: Can It Work?

- Client puzzles guarantee that each client has spent a certain amount of resources
- The server determines the difficulty of the puzzle according to its resource consumption
- Effectively, the server controls its own resource consumption
- The protocol is safe against replay or interception attacks
- Other flooding attacks will still work
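The properties listed on slides 23 and 27 (stateless puzzle generation, server-chosen difficulty, no solution reuse, no benefit from an intercepted solution) as an added worked example in Python. It is not the Juels–Brainard construction itself but a hash-based puzzle with the same properties: the challenge is an HMAC over a server secret, the client identity and a timestamp, so the server stores nothing per puzzle; the lifetime constant and the sample client identifiers are assumptions.

```python
import hashlib
import hmac
import time

PUZZLE_LIFETIME = 30  # seconds a puzzle stays valid (assumed value)

def meets_target(challenge: bytes, solution: bytes, k: int) -> bool:
    """A solution is valid when SHA-256(challenge || solution) has k leading zero bits."""
    h = hashlib.sha256(challenge + solution).digest()
    return int.from_bytes(h, "big") >> (256 - k) == 0

def solve(challenge: bytes, k: int) -> bytes:
    """Client side: brute-force a counter; expected cost ~2**k hashes, chosen by the server."""
    n = 0
    while True:
        s = n.to_bytes(8, "big")
        if meets_target(challenge, s, k):
            return s
        n += 1

class PuzzleServer:
    def __init__(self, secret: bytes, difficulty: int):
        self.secret, self.k = secret, difficulty   # k grows with server load
        self.solved = set()   # redeemed (client, t) pairs; pruned after PUZZLE_LIFETIME

    def challenge(self, client_id: str, t: int) -> bytes:
        """Stateless generation: derived from a server secret, the client identity and
        the time, so nothing is stored and the puzzle is recomputed at verification."""
        return hmac.new(self.secret, f"{client_id}|{t}".encode(), hashlib.sha256).digest()

    def issue(self, client_id: str, now=None):
        t = int(time.time() if now is None else now)
        return t, self.k, self.challenge(client_id, t)

    def verify(self, client_id: str, t: int, solution: bytes, now=None) -> bool:
        """Only a correct, timely, unused solution bound to this client allocates state."""
        now = int(time.time() if now is None else now)
        if not 0 <= now - t <= PUZZLE_LIFETIME:
            return False                      # expired (or future-dated) puzzle
        if (client_id, t) in self.solved:
            return False                      # solution reuse
        if not meets_target(self.challenge(client_id, t), solution, self.k):
            return False                      # wrong solution, or one intercepted from another client
        self.solved = {p for p in self.solved if p[1] + PUZZLE_LIFETIME >= now}
        self.solved.add((client_id, t))
        return True
```

The bounded `solved` set is the one piece of state the server keeps; it is capped by the puzzle lifetime rather than by the number of requests, which is what keeps the scheme resistant to state exhaustion.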

Slide 28: Advantages And Limitations

+ Forces the attacker to spend resources, protects server resources from depletion
+ An attacker can only generate a certain number of successful connections from one agent machine
+ Low overhead on the server
– Requires client modification
– Will not work against highly distributed attacks
– Will not work against bandwidth consumption attacks
– Puzzle verification consumes server resources

Slide 29: COSSACK [1]

- Goal: detect the attack, place the response near the sources
- COSSACK watchdogs are located at edge networks and organized into a multicast tree
- The client watchdog detects the attack and notifies all involved sources via the multicast tree
- Sources join a victim-specific group and exchange information
- Involved sources perform smart filtering to control the attack traffic

[1] "COSSACK: Coordinated Suppression of Simultaneous Attacks," Papadopoulos, Lindell, Mehringer, Hussain, Govindan, DISCEX 2003

Slides 30–33: COSSACK Overview [figures; label: W = watchdog]

Slide 34: Can It Work?

- Victim-end detection is very accurate
- Source-end response effectively stops the attack and minimizes collateral damage
- COSSACK should successfully detect and stop flooding attacks from protected networks
- May inflict collateral damage if the attack is similar to legitimate traffic

Slide 35: Advantages And Limitations

+ Accurate detection at the victim, effective response at the source
+ No changes are required at client machines
– Multicast communication is not scalable
– Attacks from unprotected networks cannot be stopped
– Collateral damage will be inflicted if the attack is similar to legitimate traffic

Slide 36: DefCOM [1]

- Goal: detect the attack, rate-limit the attack traffic, forward legitimate traffic
- DefCOM nodes build an overlay network
- Three types of nodes:
  - Alert generator: detects the attack, informs the other nodes
  - Classifier: separates legitimate from suspicious traffic, forwards legitimate packets marked with the legitimate mark, rate-limits suspicious packets and marks them with the monitored mark
  - Rate-limiter: rate-limits all traffic to the victim, giving the highest priority to legitimate traffic, then to marked traffic
- Alert generators and classifiers are deployed at the edge; rate-limiters are deployed in the core

[1] "Forming alliance for DDoS defense," Mirkovic, Robinson, Reiher, Kuenning, NSPW 2003
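The classifier and rate-limiter roles from this slide as an added illustration in Python (not DefCOM's code): an edge classifier marks packets legitimate or monitored and caps the suspicious share, and a core rate-limiter serves marked traffic by priority under a cap toward the victim, with unmarked traffic from a network that has no classifier served last. The known-good source set, the per-interval budgets and the sample addresses are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

LEGIT, MONITORED, UNMARKED = "legit", "monitored", "unmarked"

@dataclass
class Packet:
    src: str
    mark: str = UNMARKED   # marks are applied by classifiers at the edge

class Classifier:
    """Edge node: forwards packets from sources it judges legitimate with the legitimate
    mark, rate-limits everything else and marks what it lets through as monitored.
    The legitimacy decision stands in for the classifier's traffic model (assumed:
    a set of known-good sources)."""
    def __init__(self, legitimate_sources, suspicious_budget: int):
        self.good = set(legitimate_sources)
        self.budget = suspicious_budget   # suspicious packets forwarded per interval

    def process(self, packets):
        out, used = [], 0
        for p in packets:
            if p.src in self.good:
                out.append(Packet(p.src, LEGIT))
            elif used < self.budget:
                used += 1
                out.append(Packet(p.src, MONITORED))
            # remaining suspicious packets are dropped at the edge
        return out

def core_rate_limit(packets, capacity: int):
    """Core rate-limiter: under a per-interval cap toward the victim, serve legitimate-
    marked packets first, then monitored, then unmarked (legacy networks).
    Returns (forwarded counts by mark, dropped counts by mark)."""
    priority = {LEGIT: 0, MONITORED: 1, UNMARKED: 2}
    ordered = sorted(packets, key=lambda p: priority[p.mark])   # stable sort
    forwarded, dropped = ordered[:capacity], ordered[capacity:]
    return Counter(p.mark for p in forwarded), Counter(p.mark for p in dropped)

if __name__ == "__main__":
    # Constructed interval: one classified edge (30 good + 100 attack packets),
    # one legacy edge with no classifier (100 unmarked packets), core cap of 60.
    edge = Classifier({"10.1.0.1"}, suspicious_budget=40)
    marked = edge.process([Packet("10.1.0.1")] * 30 + [Packet("10.1.0.9")] * 100)
    legacy = [Packet("10.2.0.5")] * 100
    fwd, drop = core_rate_limit(marked + legacy, capacity=60)
    print("forwarded:", dict(fwd), "dropped:", dict(drop))
```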

Slides 37–42: DefCOM Overview [figures; legend: AG = Alert Generator, C = Classifier, RL = Rate-Limiter, Overlay]

Slide 43: Can It Work?

- Victim-end detection is very accurate
- Source-end response effectively stops attacks
- Rate-limiters in the core handle attacks from networks that do not have classifier nodes
- Classifiers minimize collateral damage
- DefCOM should successfully stop flooding attacks while guaranteeing good service to legitimate traffic

Slide 44: Advantages And Limitations

+ All actions are performed where they are most successful:
  + Accurate detection at the victim
  + Rate-limiting in the core
  + Traffic differentiation at the source
+ Selective response provides low collateral damage
+ Core nodes handle attacks from legacy networks
+ The overlay architecture provides scalability
+ Only a few deployment points are needed
– Only effective with some core router deployment
– Compromised overlay nodes can damage operation
