Slide 1: Roaming Honeypots for Mitigating Service-Level Denial-of-Service Attacks
Written by: Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mossé, Rami Melhem, Taieb Znati
Presented by: Theodor Richardson, Ani Starrenburg

Slide 2: Denial-of-Service Attacks
- Links: exceeding link capacity
- Routers: congesting router buffers
- Front-ends: consuming front-end processing with requests
- Servers: requesting services at a high rate

Slide 3: Denial-of-Service Defenses
- Replication: useful in protecting service front-ends
- Firewalls: a strategy for prohibiting illegal flows of data
- Intrusion Detection Services: detection of tampering
- Honeypots: may be used for any number of purposes

Slide 4: Honeypots
A security resource whose value lies in being probed, attacked or compromised.
Properties:
- Environment: Production | Research
- Complexity: Low | Medium | High
- Purpose: Deception | Deterrence | Detection
- Attacker Profile: Script Kiddie | Professional Blackhat

Slide 5: Roaming Honeypot Properties
- Environment: Production
- Complexity: Low | Medium
- Purpose: Deception | Deterrence | Detection
- Attacker Profile: Script Kiddie + ...
A mechanism that allows the locations of honeypots to be unpredictable, continuously changing and disguised within a server pool.

Slide 6: Proactive Server Roaming Background
[Figure: clients and an attacker reach the back-end servers through a firewall; one server is active and the remaining servers are idle]

Slide 7: Proactive Server Roaming Background
- One server is active at a time.
- At the end of epoch E_i, of duration R_i, server S_i assumes the role of active server.
- The client must store the roaming information locally.
- The service must track and process legitimate users.

Slide 8: Proactive Server Roaming Background
A backward chain of hashed keys K_i (0 < i < n) is built, and each epoch's duration and active server are derived from its key:
  R_i = MSB_m(H'(K_i))
  S_i = servers[MSB_ceil(lg N)(H''(K_i))]
where MSB_b(x) is the b most significant bits of x, H' and H'' are hash functions, and N is the number of servers.

Slide 9: Roaming Honeypots: AGN
[Figure: clients and an attacker reach the back-end servers through the firewall; the server pool now holds both honeypots and active servers]

Slide 10: Roaming Honeypots
- Uses similar selection algorithms:
  - selects a set of servers for each epoch rather than a single server
  - introduces a lower bound, m, on the epoch length
- Uses k out of N servers as active servers; the remaining N - k are honeypots
- Offloads processing from client and server to the Access Gateway

Slide 11: Roaming Honeypot Properties
- Environment: Production
- Complexity: Low | Medium
- Purpose: Deception | Deterrence | Detection
- Attacker Profile: Script Kiddie +
- Attack Type: Fixed Target | Follower
- Benefits: Filtering Effect | Connection-Dropping Effect | Degrading Attack Detection

Slide 12: Service Model
- Subscription-based service
- Protection of a pool of N back-end servers
- Packet-filtering firewall and IDS deployed
- AGN as a layer of indirection

Slide 13: Access Gateway Network
- Provides a level of indirection between client and back-end server
- Decouples authentication and authorization from service provision
- Only the AGN follows server locations and status; it forwards client packets on their behalf
- The roaming scheme is transparent to the client

Slide 14: AGN Structure
- The back-end server is considered the tree root
- AGs with higher resistance to attacks and lower reconfiguration rates are closer to the back-end servers (lower in the tree)
- Each AG is responsible for address registration and parent registration
- The AGs closest to the root handle connection migration

Slide 15: AGN: Address Registration
- Each AG registers an (ID, address) tuple with the AG node responsible for storing addresses
- ID = (SID || L || Index)
  - SID is a service identifier
  - L is the level of the AG in the AGN
  - Index is the AG index within level L

Slide 16: AGN: Parent Registration
- An AG registers its IP address with its parent (with the servers, if it is at the root)
- The AG uses (SID || L-1 || Index(parent)) to look up the parent's address
- Allows IP routing for migration messages

Slide 17: AGN: Connection Migration
- The AG forwards client C's messages to server S_i
- When a server changes from active to inactive, the AG chooses a new S_j at random for client C
- The AG re-registers with parent S_j
- The AG encapsulates the connection state held at S_i and forwards it to S_j in a TCP SYN packet
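A constructed Python model of the access-gateway and firewall behaviour described on slides 13 to 17, together with the filtering effect listed on slide 11; this is an added example, not the paper's or the presenters' code. It assumes a fixed six-epoch schedule of active sets, two legitimate clients, one attacker, and a seeded random choice of migration target. The slides only say that attacker traffic is dropped once the attacker is detected; how detection happens is this example's assumption: a server that is currently a honeypot reports every source that reaches it directly, and the firewall drops that source from then on. The fixed-target and follower attacker types are the slides' own categories, and the follow delay of the later results slides is modelled as the attacker learning the active set with a lag of a few epochs.

```python
import random


class RoamingService:
    """Constructed model (not the paper's code) of an AGN front-ending a pool of
    back-end servers: the gateway maps clients to active servers and migrates them
    when the active set changes; inactive servers act as honeypots and report any
    source that reaches them directly; the firewall drops reported sources."""

    def __init__(self, n_servers, seed=1):
        self.n = n_servers
        self.rng = random.Random(seed)   # fixed seed keeps the run reproducible
        self.active = set()
        self.conn = {}                    # client -> server currently serving it
        self.blocked = set()              # sources reported by a honeypot
        self.events = []                  # migration and detection log

    def new_epoch(self, active_servers):
        """Epoch change: servers leaving the active set become honeypots, so every
        client on such a server is moved to a random member of the new active set
        and its connection state travels with it (slide 17)."""
        self.active = set(active_servers)
        for client, server in list(self.conn.items()):
            if server not in self.active:
                target = self.rng.choice(sorted(self.active))
                self.events.append(("migrate", client, server, target))
                self.conn[client] = target

    def client_request(self, client):
        """Legitimate traffic is addressed to the service, never to a server; the
        gateway picks the server, so roaming is transparent to the client."""
        if client not in self.conn:
            self.conn[client] = self.rng.choice(sorted(self.active))
        return ("served", self.conn[client])

    def raw_packet(self, source, server):
        """Traffic addressed to a specific back-end server, i.e. from a source that
        has learned an address instead of going through the service."""
        if source in self.blocked:
            return ("dropped", server)            # firewall filtering effect
        if server in self.active:
            return ("reached", server)            # attack lands on a live server
        self.blocked.add(source)                  # honeypot reports the source
        self.events.append(("detected", source, server))
        return ("honeypot", server)


# Constructed schedule: 2 of 4 servers active in each of six epochs.
SCHEDULE = [{0, 1}, {0, 3}, {1, 2}, {2, 3}, {0, 1}, {1, 3}]


def fixed_target(epoch, schedule):
    """Fixed-target attacker: keeps sending to server 0 regardless of the schedule."""
    return 0


def follower(delay):
    """Follower attacker that learns the active set `delay` epochs late (follow delay)."""
    def target(epoch, schedule):
        known = schedule[max(0, epoch - delay)]
        return min(known)
    return target


def simulate(schedule, attacker_target_fn, n_servers=4):
    """Run the schedule with two clients and one attacker; return the per-epoch
    fate of the attacker's packet and the service object for inspection."""
    svc = RoamingService(n_servers)
    outcome = []
    for epoch, active in enumerate(schedule):
        svc.new_epoch(active)
        for client in ("alice", "bob"):
            svc.client_request(client)
        result, _ = svc.raw_packet("attacker", attacker_target_fn(epoch, schedule))
        outcome.append(result)
    return outcome, svc


if __name__ == "__main__":
    for name, fn in (("fixed target", fixed_target), ("follower, delay 0", follower(0)),
                     ("follower, delay 1", follower(1))):
        outcome, svc = simulate(SCHEDULE, fn)
        print(f"{name:18s} {outcome}  events={svc.events}")
```

The fixed-target attacker lands on a live server for as long as server 0 stays in the active set; the first epoch in which server 0 has become a honeypot exposes the source and every later packet is dropped. A follower with no delay is never exposed, which is why the filtering benefit depends on the follow delay; with a lag of one epoch the follower behaves like a stale fixed-target attacker and is caught as soon as the active set moves away from the address it learned.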

Slide 18: Roaming Protocol
For a single active server:
- Service time is divided into epochs: random intervals of activity/inactivity for the servers
- The length of epoch E_i is calculated from a long hash chain: R_i = H(K_i), where K_i is a random key and R_i is the number of seconds
- The active server for epoch E_i is S_i = servers[MSB(H'(K_i))], where MSB is the most significant bits of hash function H' (such as MD5)
Out of N servers, k are active at any time:
- The set of active servers is P_k(S)
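The epoch schedule of slides 8, 10 and 18 worked through in Python, as an added example that is not the paper's or the presenters' code. It assumes one SHA-256 call with distinct labels standing in for H, H' and H'' (the slides name MD5 as one option), a constructed seed, six bits of epoch length (m = 6) and a lower bound of five seconds on an epoch. The k-of-N selection by ranking servers with a per-server digest is this example's own choice, since the slides only state that k of the N servers are active and the rest are honeypots; the k = 1 path is the single-server rule of slide 8. The chain check in `schedule` is what an access gateway would run when a new epoch key is disclosed.

```python
import hashlib


def H(label: bytes, key: bytes) -> bytes:
    """One SHA-256 stands in for H, H' and H''; the label separates the uses (assumption)."""
    return hashlib.sha256(label + key).digest()


def build_key_chain(seed: bytes, n: int) -> list:
    """Backward hash chain: K_n = seed, K_(i-1) = H(K_i); returns [K_0, ..., K_n].
    K_0 is published up front and K_1, K_2, ... are disclosed one per epoch, so
    holding K_i never reveals K_(i+1): the next epoch's servers stay unpredictable."""
    chain = [b""] * (n + 1)
    chain[n] = seed
    for i in range(n, 0, -1):
        chain[i - 1] = H(b"chain", chain[i])
    return chain


def verify_disclosure(previous_key: bytes, disclosed_key: bytes) -> bool:
    """A gateway holding K_(i-1) accepts a disclosed K_i only if it hashes back to K_(i-1)."""
    return H(b"chain", disclosed_key) == previous_key


def msb(digest: bytes, bits: int) -> int:
    """MSB_bits(digest): the `bits` most significant bits of the digest as an integer."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def epoch_length(key: bytes, m_bits: int, min_seconds: int) -> int:
    """R_i = MSB_m(H'(K_i)) in seconds, clamped to the lower bound slide 10 introduces."""
    return max(min_seconds, msb(H(b"epoch", key), m_bits))


def active_set(key: bytes, n_servers: int, k_active: int) -> list:
    """Active servers for the epoch keyed by K_i.
    k = 1 is slide 8's rule S_i = servers[MSB_ceil(lg N)(H''(K_i))]; for k > 1 the
    servers are ranked by a per-server digest and the first k taken (example's choice)."""
    if k_active == 1:
        bits = max(1, (n_servers - 1).bit_length())        # ceil(lg N) bits
        return [msb(H(b"server", key), bits) % n_servers]  # modulo only matters if N is not a power of two
    ranked = sorted(range(n_servers),
                    key=lambda j: H(b"server", key + j.to_bytes(2, "big")))
    return sorted(ranked[:k_active])


def schedule(seed: bytes, n_epochs: int, n_servers: int, k_active: int,
             m_bits: int = 6, min_seconds: int = 5) -> list:
    """(start, length, active servers, honeypots) for epochs 1..n_epochs."""
    keys = build_key_chain(seed, n_epochs)
    plan, start = [], 0
    for i in range(1, n_epochs + 1):
        if not verify_disclosure(keys[i - 1], keys[i]):  # the check an AG runs on disclosure
            raise ValueError(f"key for epoch {i} does not chain to epoch {i - 1}")
        length = epoch_length(keys[i], m_bits, min_seconds)
        active = active_set(keys[i], n_servers, k_active)
        honeypots = [j for j in range(n_servers) if j not in active]
        plan.append((start, length, active, honeypots))
        start += length
    return plan


if __name__ == "__main__":
    # Constructed seed; 4 epochs over 8 servers with 3 active per epoch.
    for start, length, active, honeypots in schedule(b"constructed seed", 4, 8, 3):
        print(f"t={start:3d}s for {length:2d}s  active={active}  honeypots={honeypots}")
```

Because the chain is built backwards, anyone who captures the current epoch key learns nothing about the keys still to come, which is the property that keeps the honeypot locations unpredictable; the forward check in `verify_disclosure` is what lets a gateway reject a forged key without holding the whole chain.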

Slide 19: Network Model
[Figure: the AGN sits between the clients/attacker and the firewall-protected back-end servers, which are split into honeypots and active servers]

Slide 20: Simulation Model
- Tested on ns-2
- Discrete event simulator aimed at network testing
- Simulates routing, TCP, and multicast protocols
- Supports wired and wireless networks
- http://www.isi.edu/nsnam/ns/

Slide 21: Simulation Model
- Tested under ns-2 simulation; Average Response Time (ART) is the primary metric
- Comparison of:
  - Nonroaming (Load Sharing)
  - Roaming w/o Filtering (attacker traffic is not dropped)
  - Roaming w/ Filtering (attacker traffic is dropped)

Slide 22: Effect of Migration Interval
The migration interval must be chosen to balance the overhead of restarting TCP, i.e. re-establishing connections with the new server set, against the benefit of moving.

Slide 23: Effect of Client Load
Under small attack loads the nonroaming scheme performs better, because of the overhead of roaming.

Slide 24: Effect of Attack Load
With filtering, the ART does not change as the attack load increases once the attacker has been detected.

Slide 25: Effect of Follow Delay
In Roaming w/ Filtering, clients experience an attack-free window while the attacker is subject to the follow delay.

Slide 26: Conclusions
Strengths:
- Under high attack load, the roaming scheme performs better than load sharing
- Undetectable honeypot locations
- Transparent to client traffic

Slide 27: Conclusions
Weaknesses:
- Must balance the TCP overhead of resetting connections
- Wastes a large amount of server resources through inactivity (servers sitting as honeypots)
- The idea of logical roaming is underdeveloped in the paper, but could save resources and reduce overhead

Slide 28: Conclusions
- The vulnerability remains that malicious code can be installed on legitimate servers
- Periodic reinstallation is suggested, but the service can be compromised before the reinstall if the attack is sophisticated
- This violates the honeypot property that a compromised honeypot should not adversely affect operation of the standard service

