Presentation is loading. Please wait.

Presentation is loading. Please wait.

David M. Nicol Assoc. Director R&D, ISTS Professor of Computer Science, Dartmouth Network Security Research Using High Performance Simulation.

Published byBaldwin Hancock Modified over 9 years ago

Similar presentations

Presentation on theme: "David M. Nicol Assoc. Director R&D, ISTS Professor of Computer Science, Dartmouth Network Security Research Using High Performance Simulation."— Presentation transcript:

1 David M. Nicol Assoc. Director R&D, ISTS Professor of Computer Science, Dartmouth Network Security Research Using High Performance Simulation

2 SOS7, 6 March 2003 My First Car 1967 VW Microbus Mine was yellow, with spots of black primer Car repair, Control Data Corporation style

3 SOS7, 6 March 2003 We Count Tera-Xs Too (courtesy of George Riley) Packet view of Internet: 110M hosts, 1.1M routers 50%/50% modem/10Mpbs ethernet connectivity by hosts Router-Router 50% 10Mbs, 40% 100Mbs 5% 655Mpbs, 5% 2.4Gbs Link utilization –50% host-router –10% router-router 1% hosts “connected” at a time Avg packet size 5000 bits These assumptions imply 0.3 Tera-events/sec At 1M evts/sec/CPU, 300K execution secs/model second 290 Terabytes memory, just for traffic in flight This analysis is –conservative –already 1.5 years old

4 SOS7, 6 March 2003 Internet Scale Problems Require Supercomputing Major DoD networks use commercial infrastructure –Vulnerable to co-location, e.g. peering hotels, shared fiber –Large set of heterogeneous networks, analysis requires detailed representation Securing Routing Infrastructure –Each router has entry for every announced network prefix –Memory demands grow as a square of network size –Routing convergence depends on topology Assessing cyber-attack effects on routing –Recent worms use entire Internet, must be represented at some level

5 SOS7, 6 March 2003 Large-scale Network Simulation using SSF SSF - scalable simulation framework Java and C++ APIs Framework for domains Execution on shared memory clusters Widely used, ported to many platforms Applications DDoS attacks/defenses BGP black-hole attacks Worm propagation and effect on routing Security of BGP

6 SOS7, 6 March 2003 Speedup : DaSSF (C++) Figure of merit tied to rate of network simulation work. 640K concurrent TCP sessions delivered (one per host) –Many more TCP sessions possible by colocation Linear speedup on COTS cluster computer. Speedup is nearly 31 of 32

7 SOS7, 6 March 2003 BGP Primer Internet is a confederation of “Autonomous Systems” (each AS originates various prefixes of Internet addressing space) Traffic flow between them is dynamically maintained : Boundary Gateway Protocol is the glue Every BGP router is supposed to know how to get to every advertised prefix A BGP router bases the routes it advertises on the routes its peers advertise –A Session reset is the re-establishment of a relationship between two peers---happens following a router reboot, or re- establishment of a TCP session between them Global information propagation –Any AS being “difficult to get to” will cause a great deal of BGP update traffic.

8 SOS7, 6 March 2003 Efficient Securing of BGP Path Advertisements Problem : Efficient authentication of BGP path in advertisement 202.128.0.0/14 703 17 34 –Without authentication, AS path can be spoofed By an intruder masquerading as a peer Prefix origination can be spoofed Various attacks : block hole, sniffing, economic, DoS A solution is to apply authentication at every hop in the path 202.128.0.0/14 703 17 34 s(h(703 17)) s(h(17 34)) s(h(202.128.0.0/14 34)) Source/destination must be signed to defeat “cut and paste” attack –A rogue peer R observes announcement A ->B, copies it and sends to D Multiple signatures every announcement

9 SOS7, 6 March 2003 S-BGP : Cost analysis Crypto costs (RSA, 1024-bit modulus,SHA-1 hash) –Signature: approx. 512 modular exponentiations and 1024 squaring –Verification : 2 large exponentiations and small (17) squarings –Hash : linear in the length of the hashed data Outbound crypto operation costs –Separate hash & signature for every peer Inbound crypto operation costs – hash and verification of each hop High connectivity and long paths make this very costly

10 SOS7, 6 March 2003 The Cost of Crypto Matters Convergence time is affected by extra cost each advertisement Experiment (using SSFNet) –110 AS graph reduced from internet topology, avg degree 5.2, max degree 20 –Max degree AS crashes, reboots Measure time needed for paths to AS to all settle –Behavior as function of MRAI considered –Timing costs of crypto operations obtained from instrumentation

11 SOS7, 6 March 2003 Signature Amortization : Reduction of Crypto Operations Outbound cost reduction: Aggregation across peers –Describe output set of peers with a bit vector –Sign one message : extension+bit vector, send to all peers Aggregation across UPDATES –Each MRAI release, use hash-tree to sign all unsigned UPDATES that are waiting Inbound cost reduction Lazy verification

12 SOS7, 6 March 2003 Behavior of Convergence time

13 SOS7, 6 March 2003 S-BGP Simulation on Cluster Computers Run on COTS cluster –16 2-CPU nodes, 1GB/node –512 AS model : 7.6Gb memory needed Run on ORNL Eagle and Cheetah clusters –8 Cheetah nodes (used 14 cpus @) –8 Eagle nodes (4 cpus @) Probably a uniquely inefficient use of these machines! Implementation Issues –BGP simulator is in Java : communication, garbage collection

14 Interaction of Worms and Routing Infrastructure

15 SOS7, 6 March 2003 Motivation Is there a causal connection between large-scale worm infestations and BGP update message surges? Observed correlation [Cowie et al., ’02] Globally visible BGP update bursts Correlated with Code Red v2 & Nimda Similar occurrence during Slammer

16 SOS7, 6 March 2003 Application: Explanation of worm/BGP interaction Variable resolution modeling of worm propagation and effect on BGP Diversity of scan traffic explains empirical observations Worm Epidemic Router stress BGP Code analysis scan traffic session resets BGP updates BGP updates Network Topology Scan packet headers Cisco advisories Increasing model resolution

17 SOS7, 6 March 2003 Worm/BGP experiments:BGP when worm spreads : worm->reset->advertisements Global infection growth curve closely matches reality

18 SOS7, 6 March 2003 Worm/BGP experiments: reverberating advertisements Cascading lengths due to cycling through backup paths

19 SOS7, 6 March 2003 High Performance Simulation : Summary We have a mature toolset designed to study large-scale systems. –Designed to scale up with problem size and execution engine –Proven on large-scale problems and large-scale machines –Used on a number of networking studies DDoS attack analysis Worm propagation / BGP BGP convergence BGP black hole attacks

Download ppt "David M. Nicol Assoc. Director R&D, ISTS Professor of Computer Science, Dartmouth Network Security Research Using High Performance Simulation."

Similar presentations

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
Routing Basics.

Routing Basics.
COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.

COS 461 Fall 1997 Routing COS 461 Fall 1997 Typical Structure.
Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.

Network Layer: Internet-Wide Routing & BGP Dina Katabi & Sam Madden.
Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.

Routing: Exterior Gateway Protocols and Autonomous Systems Chapter 15.
© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.

© J. Liebeherr, All rights reserved 1 Border Gateway Protocol This lecture is largely based on a BGP tutorial by T. Griffin from AT&T Research.
Border Gateway Protocol Autonomous Systems and Interdomain Routing (Exterior Gateway Protocol EGP)

Border Gateway Protocol Autonomous Systems and Interdomain Routing (Exterior Gateway Protocol EGP)
Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.

Fundamentals of Computer Networks ECE 478/578 Lecture #18: Policy-Based Routing Instructor: Loukas Lazos Dept of Electrical and Computer Engineering University.
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—3-1 Medium-Sized Routed Network Construction Reviewing Routing Operations.

© 2007 Cisco Systems, Inc. All rights reserved.ICND2 v1.0—3-1 Medium-Sized Routed Network Construction Reviewing Routing Operations.
BGP in 2009 Geoff Huston APNIC May 2009. Conventional BGP Wisdom IAB Workshop on Inter-Domain routing in October 2006 – RFC 4984: “routing scalability.

BGP in 2009 Geoff Huston APNIC May Conventional BGP Wisdom IAB Workshop on Inter-Domain routing in October 2006 – RFC 4984: “routing scalability.
1 CCNA 3 v3.1 Module 1. 2 CCNA 3 Module 1 Introduction to Classless Routing.

1 CCNA 3 v3.1 Module 1. 2 CCNA 3 Module 1 Introduction to Classless Routing.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
CS 164: Global Internet Slide Set -- 11. In this set... More about subnets Classless Inter Domain Routing (CIDR) Border Gateway Protocol (BGP) Areas with.

CS 164: Global Internet Slide Set In this set... More about subnets Classless Inter Domain Routing (CIDR) Border Gateway Protocol (BGP) Areas with.
Network Resilience: Exploring Cascading Failures Vishal Misra Columbia University in the City of New York Joint work with Ed Coffman, Zihui Ge and Don.

Network Resilience: Exploring Cascading Failures Vishal Misra Columbia University in the City of New York Joint work with Ed Coffman, Zihui Ge and Don.
Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.

Mini Introduction to BGP Michalis Faloutsos. What Is BGP?  Border Gateway Protocol BGP-4  The de-facto interdomain routing protocol  BGP enables policy.
Unicast Routing Protocols: RIP, OSPF, and BGP

Unicast Routing Protocols: RIP, OSPF, and BGP
Routing.

Routing.
Routing in Wired Nets CS 215 W 01 - Mario Gerla. Routing Principles Routing: delivering a packet to its destination on the best possible path Routing.

Routing in Wired Nets CS 215 W 01 - Mario Gerla. Routing Principles Routing: delivering a packet to its destination on the best possible path Routing.
How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

How to Own the Internet in your spare time Ashish Gupta Network Security April 2004.

Similar presentations

Ads by Google