1
Design of an Autonomous Anti-DDOS Network (A2D2) Angela Cearns Thesis Defense Thursday October 24, 2002 Master of Software Engineering Department of Computer Science University of Colorado, Colorado Springs
2
Design of an Autonomous Anti-DDOS Network (A2D2) Author: Angela Cearns Committee Members: Dr. C. Edward Chow Dr. Jugal K. Kalita Dr. Charles M. Shub
3
DoS & DDoS Problem Domain. Definitions: DoS = Denial of Service attack; DDoS = Distributed Denial of Service attack. Well-known victims: Yahoo, Amazon, CERT. Well-known DDoS attack tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN).
4
Mitigation - Commercial Commercial $ystems
5
Mitigation - Commercial

    Product                Primary Product Function   Price
    Cisco Secure           IDS                        $3,500 - $6,100
    Dragon IDS             IDS                        $3,000 (10MB)
    ISS RealSecure         IDS                        $750 / host, $8,995 / server
    Cisco PIX              Firewall                   $320 - $1,300
    Check Point            Firewall                   $280 - $8,000
    Sidewinder             Firewall                   $4,995 - $17,495
    WatchGuard Firebox     Firewall                   $360 - $9,500

    Product                                  Primary Product Function                     Price
    IntruVert Networks IntruShield 4000      Firewall, IDS                                $100,000
    iPolicy Networks IpEnforcer 6000         Firewall, IDS, Anti-virus                    Starts at $125,000
    OneSecure                                Firewall, IDS                                Starts at $16,500
    TippingPoint Tech Unity One              IDS, Anti-virus, Vulnerability Assessment    $100,000
6
DDoS Target Audience. Research by the University of California at San Diego observed 12,805 DoS attacks in a 3-week period; most targets were home and small to medium sized networks.
7
Mitigation - A2D2 (This Thesis): Autonomous Anti-DDoS Network (A2D2). Target audience: home, small to medium sized networks. Design principles: affordable, manageable, configurable, portable, research-oriented.
8
A2D2 Background Research, 3 main research areas: (1) Intrusion Prevention: general security policy, ingress/egress filtering; (2) Intrusion Detection: anomaly detection, misuse detection; (3) Intrusion Response: source identification, intrusion tolerance.
9
A2D2 – Intrusion Tolerance. Roots: fault tolerance and Quality of Service (QoS). Intrusion-tolerant QoS techniques: rate limiting, Class-Based Queuing (CBQ). Intrusion-tolerant QoS systems: XenoService, Pushback mechanisms, Cooperative Intrusion Traceback and Response Architecture (CITRA).
10
Intrusion Tolerance Techniques - Rate Limiting (figure: Internet, rate-limiting gateway, Internal Private Network)
11
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ) (figure: Internet, CBQ gateway, Internal Private Network)
12
Intrusion Tolerance Systems - XenoService
13
Intrusion Tolerance Systems - Pushback Mechanism
14
Intrusion Tolerance Systems - CITRA: Cooperative Intrusion Traceback and Response Architecture (CITRA), built on the Defense Advanced Research Projects Agency (DARPA) funded Intruder Detection and Isolation Protocol (IDIP).
15
Intrusion Tolerance Research Limitations. Intrusion tolerance techniques: not autonomous, time-consuming, require knowledgeable staff. Intrusion tolerance systems: expensive, require worldwide agreements and extensive collaboration.
16
DDoS Defense (Macro vs Micro)
18
A2D2 Firewall Policy

    # Interface names and the NAT target are site-specific; the slide leaves
    # them unset, so the values below are assumed for illustration
    IPTABLES="/sbin/iptables"
    INTERNET="eth0"       # external interface
    DMZ="eth1"            # interface towards the internal/DMZ network
    SERVER="192.168.0.2"  # internal host that receives the forwarded services

    # Set default policies to DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Set up IP forwarding and masquerading
    echo 1 > /proc/sys/net/ipv4/ip_forward
    $IPTABLES --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
    $IPTABLES --append FORWARD --in-interface $DMZ -j ACCEPT
    # Let replies to connections already accepted come back in
    $IPTABLES --append FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DNAT - translate incoming ftp (21), ssh (22), telnet (23) traffic to my internal host
    # (ftp and telnet carry credentials in cleartext; the policy forwards them as the slide shows)
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 21 -i $INTERNET -j DNAT --to $SERVER:21
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 22 -i $INTERNET -j DNAT --to $SERVER:22
    $IPTABLES -t nat -A PREROUTING -p tcp --dport 23 -i $INTERNET -j DNAT --to $SERVER:23
    # FORWARD defaults to DROP, so the translated packets must be accepted explicitly
    $IPTABLES -A FORWARD -p tcp -i $INTERNET -o $DMZ -d $SERVER --dport 21 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -i $INTERNET -o $DMZ -d $SERVER --dport 22 -j ACCEPT
    $IPTABLES -A FORWARD -p tcp -i $INTERNET -o $DMZ -d $SERVER --dport 23 -j ACCEPT
19
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ) (figure: Internet, CBQ gateway, Internal Private Network)
20
A2D2 CBQ Implementation (packet marking in the mangle table)

    # Mark forwarded packets by service so that tc can place them into CBQ classes;
    # the marks are read by the "fw" classifier on $DMZ in the tc script
    # Classify icmp traffic to be queue class 1
    $IPTABLES -t mangle -A FORWARD -p icmp -o $DMZ -j MARK --set-mark 1
    # Mark incoming mail traffic (smtp) with mark value 2
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport smtp -j MARK --set-mark 2
    # Mark incoming ftp traffic with mark value 3
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 21 -j MARK --set-mark 3
    # Mark incoming www and Real Server traffic with mark value 4
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 80 -j MARK --set-mark 4
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 7070 -j MARK --set-mark 4
    $IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 8080 -j MARK --set-mark 4
    $IPTABLES -t mangle -A FORWARD -p udp -o $DMZ --dport 8080 -j MARK --set-mark 4
21
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ) (figure: Internet, CBQ gateway, Internal Private Network)
22
A2D2 CBQ Implementation (tc)

    TC="/sbin/tc"

    # Set up the queue on the internal interface
    $TC qdisc add dev $DMZ root handle 10: cbq bandwidth 10Mbit avpkt 1000

    # Create the root class and initialize it with the queue
    $TC class add dev $DMZ parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded

    # Create different classes of queues with different bandwidth allocation
    add_class() {
        # $1=parent class $2=classid $3=hiband $4=lowband $5=handle (firewall mark) $6=style
        $TC class add dev $DMZ parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
        # Leaf qdisc for the class (the slide's text is garbled at this line; sfq is assumed)
        $TC qdisc add dev $DMZ parent $2 sfq quantum 1514b perturb 15
        # Steer packets carrying firewall mark $5 into this class
        $TC filter add dev $DMZ parent 10:0 protocol ip prio 3 handle $5 fw classid $2
    }

    # First type of traffic, ICMP, marked '1' by the firewall code, gets 5% of our internal bandwidth (10240*0.05=512);
    # it is bounded, so a ping flood cannot borrow bandwidth from the other classes
    add_class 10:1 10:100 512kbit 51.2kbit 1 bounded
    # Second type of traffic, SMTP, marked '2' by the firewalling code, gets 15% of our internal bandwidth (10240*0.15=1536)
    add_class 10:1 10:200 1536kbit 153.6kbit 2
    # Third type of traffic, ftp, marked '3' by the firewalling code, gets 10% of our internal bandwidth (10240*0.1=1024)
    add_class 10:1 10:300 1024kbit 102.4kbit 3
    # Last type of traffic, interactive traffic (www, Real Server), marked '4', gets 70% of our internal bandwidth (10240*0.70=7168)
    add_class 10:1 10:400 7168kbit 716.8kbit 4
23
A2D2 IDS: Snort Flood Preprocessor (figure: packets pass through the preprocessor, which performs the flood-detection logic, before reaching the rule-based detection engine)
24
A2D2 IDS: Snort Flood Preprocessor, hooking the plugin into Snort

1. Prepare the Snort plugbase.h file:
       #include "spp_flood.h"
2. Prepare the Snort plugbase.c file so the preprocessor is set up at start-up:
       void InitPreprocessor()
       {
           SetupFlood();
       }
3. Prepare the snort.conf file:
       preprocessor flood: $HOME_NET
4. Create two flood-plugin files, spp_flood.h and spp_flood.c. In spp_flood.h, add:
       void SetupFlood(void);
       void FloodInit(u_char *);  /* FloodInit parses the snort.conf arguments and creates the preprocessor data structure */
   In spp_flood.c, register the preprocessor under its keyword, so Snort calls FloodInit when it reads the "flood" line in snort.conf:
       void SetupFlood(void)
       {
           RegisterPreprocessor("flood", FloodInit);
       }
25
A2D2 IDS: Snort Flood Preprocessor, additional features: FloodIgnoreHosts preprocessor (trusted hosts whose traffic is not counted) and FloodRateLimiter preprocessor.
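The slides show only how spp_flood.c is registered, not what it does once Snort hands it packets. The following is an added example, not the thesis's own spp_flood.c, of the detection logic such a preprocessor has to carry out: a per-destination packet counter over a fixed time window, a list of trusted sources that are never counted (in the spirit of FloodIgnoreHosts), and a per-destination minimum gap between alerts (in the spirit of FloodRateLimiter). The threshold of 100 packets per 1-second window, the 3-second alert gap, the 192.168.0.x/10.0.0.x/172.16.0.x addresses and the packet trace are all constructed assumptions; Snort's own API calls are left out so the file builds and runs stand-alone.

```c
/* Added example, not the thesis code: per-destination packet-flood detection with an
 * ignore list (cf. FloodIgnoreHosts) and an alert rate limiter (cf. FloodRateLimiter).
 * Thresholds, addresses and the trace in run_sample() are assumptions for illustration.
 * Build and run: cc -Wall flood.c -o flood && ./flood */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TRACKED 64

enum { FLOOD_NONE = 0, FLOOD_ALERT = 1, FLOOD_SUPPRESSED = 2 };

typedef struct {
    uint32_t dst;           /* destination IPv4 address, host byte order */
    uint32_t window_start;  /* epoch second at which the current window began */
    uint32_t count;         /* packets to dst seen in the current window */
    uint32_t last_alert;    /* epoch second of the last emitted alert for dst */
    int      alerted;       /* nonzero once any alert has been emitted for dst */
} flood_entry;

typedef struct {
    uint32_t threshold;     /* packets per window that count as a flood */
    uint32_t window;        /* window length in seconds */
    uint32_t alert_gap;     /* minimum seconds between alerts for one dst */
    const uint32_t *ignore; /* sources never counted (ignore-hosts list) */
    size_t n_ignore;
    flood_entry table[MAX_TRACKED];
    size_t n_entries;
    unsigned alerts;        /* alerts emitted */
    unsigned suppressed;    /* alerts held back by the rate limiter */
} flood_ctx;

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

void flood_init(flood_ctx *c, uint32_t threshold, uint32_t window, uint32_t alert_gap,
                const uint32_t *ignore, size_t n_ignore) {
    flood_ctx zero = {0};
    *c = zero;
    c->threshold = threshold; c->window = window; c->alert_gap = alert_gap;
    c->ignore = ignore; c->n_ignore = n_ignore;
}

static flood_entry *find_or_add(flood_ctx *c, uint32_t dst, uint32_t now) {
    for (size_t i = 0; i < c->n_entries; i++)
        if (c->table[i].dst == dst) return &c->table[i];
    if (c->n_entries == MAX_TRACKED) return NULL;   /* table full: stop tracking, never crash */
    flood_entry *e = &c->table[c->n_entries++];
    e->dst = dst; e->window_start = now; e->count = 0; e->last_alert = 0; e->alerted = 0;
    return e;
}

/* One call per packet. Inside Snort the three values would be taken from the Packet
 * struct (source and destination address from the IP header, p->pkth->ts.tv_sec). */
int flood_packet(flood_ctx *c, uint32_t src, uint32_t dst, uint32_t now) {
    for (size_t i = 0; i < c->n_ignore; i++)
        if (src == c->ignore[i]) return FLOOD_NONE;   /* trusted source: not counted at all */
    flood_entry *e = find_or_add(c, dst, now);
    if (!e) return FLOOD_NONE;
    if (now - e->window_start >= c->window) {       /* window expired: start a fresh one */
        e->window_start = now;
        e->count = 0;
    }
    e->count++;
    if (e->count != c->threshold) return FLOOD_NONE;  /* alert once per window, at the crossing */
    if (e->alerted && now - e->last_alert < c->alert_gap) {
        c->suppressed++;                              /* rate limiter: too soon after the last alert */
        return FLOOD_SUPPRESSED;
    }
    e->alerted = 1; e->last_alert = now; c->alerts++;
    printf("ALERT flood: %u packets to %u.%u.%u.%u within %us at t=%u\n", e->count,
           dst >> 24, (dst >> 16) & 255, (dst >> 8) & 255, dst & 255, c->window, now);
    return FLOOD_ALERT;
}

/* Constructed trace: 3 s of normal load, a 5 s flood from rotating spoofed sources,
 * then a burst from the ignored host 192.168.0.1 (0xC0A80001). Returns alerts emitted. */
static const uint32_t TRUSTED[] = { 0xC0A80001u };

unsigned run_sample(flood_ctx *c) {
    uint32_t victim = ip4(192, 168, 0, 2);
    flood_init(c, 100, 1, 3, TRUSTED, 1);
    for (uint32_t t = 1000; t < 1003; t++)            /* 20 pkt/s: stays under threshold */
        for (int i = 0; i < 20; i++) flood_packet(c, ip4(10, 0, 0, 5), victim, t);
    for (uint32_t t = 1003; t < 1008; t++)            /* 150 pkt/s: crosses threshold each second */
        for (int i = 0; i < 150; i++) flood_packet(c, ip4(172, 16, 0, 1) + (uint32_t)i, victim, t);
    for (int i = 0; i < 150; i++) flood_packet(c, TRUSTED[0], victim, 1010);  /* ignored */
    return c->alerts;
}

int main(void) {
    flood_ctx c;
    unsigned n = run_sample(&c);
    printf("alerts emitted: %u, suppressed by rate limiter: %u\n", n, c.suppressed);
    return 0;
}
```

With these settings the five flood seconds produce five threshold crossings, but only two alerts reach the console (t=1003 and t=1006); the other three are suppressed by the 3-second gap, which is the effect a rate limiter on the alert path is meant to have during a sustained attack. The burst from the ignored host is never counted, which is also the risk of an ignore list: a flood with a spoofed trusted source address passes the detector unseen.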
26
A2D2 Multi-Level Rate Limiting
28
A2D2 Results - Baseline 10-min Video Packets Received: Around 23,000 (23,445) QoS Experienced at A2D2 Client
29
A2D2 Results – 1-min Attack Packets Received: 17,869 Retransmission Request: 1,929 Retransmission Received: 121 Lost: 1,808 QoS Experienced at A2D2 Client
30
A2D2 Results – Non-stop Attack Packets Received: 8,039 Retransmission Request: 2,592 Retransmission Received: 35 Lost: 2,557 Connection Timed-out QoS Experienced at A2D2 Client
31
A2D2 Results – UDP Attack Mitigation: Firewall Policy Packets Received: 23,407 Retransmission Request: 0 Retransmission Received: 0 Lost: 0 QoS Experienced at A2D2 Client
32
A2D2 Results – ICMP Attack Mitigation: Firewall Policy Packets Received: 7,127 Retransmission Request: 2,105 Retransmission Received: 4 Lost: 2,101 Connection Timed-out QoS Experienced at A2D2 Client
33
A2D2 Results – ICMP Attack Mitigation: Firewall Policy & CBQ Packets Received: 23,438 Retransmission Request: 0 Retransmission Received: 0 Lost: 0 QoS Experienced at A2D2 Client
34
A2D2 Results – TCP Attack Mitigation: Policy+CBQ Packets Received: 22,179 Retransmission Request: 4,090 Retransmission Received: 2,641 Lost: 1,449 Screen Quality Impact QoS Experienced at A2D2 Client
35
A2D2 Results – TCP Attack Mitigation: Policy+CBQ+Rate Packets Received: 23,444 Retransmission Request: 49 – 1,376 Retransmission Received: 40 – 776 Lost: 9 – 600 QoS Experienced at A2D2 Client
36
A2D2 Future Work: TCP SYN attacks, firewall processing speed, alternate routing, scalability, more services, anomaly detection, fault tolerance.
37
A2D2 Software Engineering Process: ISO/IEC 12207 (Software Life Cycle Processes), evolutionary model. Legend: R = Requirements, D = Design, C/T = Coding and Testing, I/AS = Installation and Acceptance Support. (figure: information flow with refinements; each build follows R -> D -> C/T -> I/AS: Build 1 from R1, Build 2 from R2, Build 3 from R3, ..., Build n from Rn)
38
A2D2 Conclusion: intrusion tolerance. A2D2 clients enjoy QoS during various types of attack.
39
Questions? References: Please refer to Thesis Document http://cs.uccs.edu/~chow/master/acearns/doc/angThesis-1022.doc
40
Mitigation A2D2 Check Please.