Design of an Autonomous Anti-DDOS Network (A2D2) Angela Cearns Thesis Defense Thursday October 24, 2002 Master of Software Engineering Department of Computer Science University of Colorado, Colorado Springs

Post on 15-Jan-2016

Page 1:

Design of an Autonomous Anti-DDOS Network (A2D2)

Angela Cearns

Thesis Defense

Thursday October 24, 2002

Master of Software Engineering

Department of Computer Science

University of Colorado, Colorado Springs

Page 2:

Design of an Autonomous Anti-DDOS Network (A2D2)

Author: Angela Cearns

Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub

Page 3:

DoS & DDoS: Problem Domain Definition

DoS: Denial of Service Attack

DDoS: Distributed Denial of Service Attack

Yahoo, Amazon, CERT

Stacheldraht, Trinoo, Tribal Flood Network (TFN)

[Figure: DDoS attack network. Labels: Mastermind Intruder, Client (Attack Commander), Handler (Middleman), Agent (Attacker)]

Page 4:

Mitigation - Commercial

Commercial $ystems

Page 5:

Mitigation - Commercial

Products: Cisco Secure; Dragon IDS; ISS RealSecure; Cisco PIX; Check Point; Sidewinder; Watchguard Firebox

Primary Product Function: IDS; IDS; IDS; Firewall; Firewall; Firewall; Firewall

Price: $3,500 - $6,100; $3,000 (10MB); $750 / host; $8,995 / server; $320 - $1300; $280 - $8,000; $4,995 - $17,495; $360 - $9,500

Products: IntruVert Networks IntruShield 4000; iPolicy Networks IpEnforcer 6000; OneSecure; TippingPoint Tech Unity One

Primary Product Function: Firewall, IDS; Firewall, IDS, Anti-virus; Firewall, IDS; IDS, Anti-virus, Vulnerability Assess

Price: $100,000; Starts at $125,000; Starts at $16,500; $100,000

Page 6:

DDoS Target Audience

Research by University of California at San Diego

12,805 DoS in 3-week period

Home, small to medium sized networks

Page 7:

Mitigation A2D2 – This Thesis

Autonomous Anti-DDoS Network (A2D2)

A2D2 Target Audience: Home, small to medium sized networks

Design Principles: Affordable, Manageable, Configurable, Portable

Research-Oriented

Page 8:

A2D2 Background Research

3 main research areas:

Intrusion Prevention: General Security Policy, Ingress/Egress Filtering

Intrusion Detection: Anomaly Detection, Misuse Detection

Intrusion Response: Source Identification, Intrusion Tolerance

Intrusion Tolerance

Page 9:

A2D2 – Intrusion Tolerance

Fault Tolerance

Quality of Service (QoS)

Intrusion Tolerant QoS Techniques: Rate Limiting, Class-Based Queuing (CBQ)

Intrusion Tolerant QoS Systems: XenoService, Pushback Mechanisms, Cooperative Intrusion Traceback and Response Architecture (CITRA)

Page 10:

Intrusion Tolerance Techniques - Rate Limiting

[Figure: rate limiting. Labels: Internet, packet, Filter: iptables, DROP, 1 second (clock), Internal Private Network]

Page 11:

Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)

[Figure: class-based queuing (CBQ) compared with First-In-First-Out (FIFO). Labels: Internet, packet, UDP, Other packet type, Filter: iptables, DROP, HTTP - Mark 1, SMTP - Mark 2, NNTP - Mark 3, ICMP - Mark 4, Queue 1 (HTTP), Queue 2 (SMTP), Queue 3 (NNTP), Queue 4 (ICMP), High Priority Queue, Low Priority Queue, Scheduler, Internal Private Network]

Filter/classifier

Queues based on Queuing Disciplines

Scheduler

Page 12:

Intrusion Tolerance Systems - XenoService

[Figure: XenoService. Labels: Internet, XenoServer (six instances)]

Page 13:

Intrusion Tolerance Systems - Pushback Mechanism

[Figure: pushback mechanism. Labels: Internet, IDS, Firewall, Alerts, ISP Router, Upstream Router (six instances), Rate Limiting, Pushback]

Page 14:

Intrusion Tolerance Systems - CITRA

Cooperative Intrusion Traceback and Response Architecture (CITRA)

The Defense Advanced Research Projects Agency (DARPA)

Intruder Detection and Isolation Protocol (IDIP)

[Figure: CITRA. Labels: CITRA Neighborhood A, CITRA Neighborhood B, CITRA Neighborhood C, IDS, Discovery Coordinator (DC), Boundary Controller, Attack, Pushback, Rate Limiting, Info for DC, IDIP]

Page 15:

Intrusion Tolerance Research Limitations

Intrusion Tolerance Techniques: Not autonomous, Time-consuming, Require knowledgeable staff

Intrusion Tolerance Systems: Expensive, Worldwide agreements, Extensive Collaboration

Page 16:

DDoS Defense (Macro vs Micro)

[Figure: DDoS defense, macro vs micro. Labels: Mastermind Intruder, Client (Attack Commander), Handler (Middleman), Agent (Attacker), ISP, Internet, Internet/ISP Bandwidth, www.victim.com Bandwidth, Macro, Micro]

Page 17:

[Figure: A2D2 test-bed topology]

Attack Network 128.198.61 (Simulated Internet, 100 Mbps Switch):
DDoS Agents: Alpha 128.198.61.15, Beta 128.198.61.16, Gamma 128.198.61.17, Delta 128.198.61.18
DDoS Master Client & Handler: Saturn 128.198.61.11, NM: 255.255.255.128, GW: 128.198.61.1

Public Network 128.198 (Internet, 100 Mbps Switch):
Real Player Clients: Client1 128.198.a.195, Client2 128.198.b.82, Client3 128.198.c.31

Autonomous Anti-DDoS Network (A2D2):
Firewall (iptables) as Linux Router: Security Policy, Class-Based Queuing (CBQ), Multi-Level Rate Limiting
eth0: IP: 128.198.61.12, NM: 255.255.255.128, GW: 128.198.61.1
eth1: IP: 192.168.0.1, NM: 255.255.0.0, GW: 128.198.61.12
DMZ, Private Subnet 192.168.0, 10 Mbps Hub
eth0: IP: 192.168.0.2, NM: 255.255.0.0, GW: 192.168.0.1
Other labels: Pluto, Titan, RealServer, RealServer Traffic, IDS, Attack
IDS Alerts trigger Multi-Level Rate-Limiting
Bandwidth shares: 70% HTTP, RealPlayer; 15% SMTP, POP3; 10% SSH, SFTP; 5% SYN, ICMP, DNS

Page 18:

A2D2 Firewall Policy

# Set default policies to DROP
IPTABLES="/sbin/iptables"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Set up IP FORWARDing and Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
$IPTABLES --append FORWARD --in-interface $DMZ -j ACCEPT

# DNAT - translate incoming ftp (21), ssh (22), telnet (23) traffic to my internal hosts
iptables -t nat -A PREROUTING -p tcp --dport 21 -i $INTERNET -j DNAT --to 192.168.0.2:21
iptables -t nat -A PREROUTING -p tcp --dport 22 -i $INTERNET -j DNAT --to 192.168.0.2:22
iptables -t nat -A PREROUTING -p tcp --dport 23 -i $INTERNET -j DNAT --to 192.168.0.2:23

Page 19:

Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)

[Figure: class-based queuing (CBQ), same diagram as Page 11]

Page 20:

A2D2 CBQ Implementation

# Classify icmp traffic to be queue class 1
$IPTABLES -A FORWARD -p icmp -o $DMZ -t mangle -j MARK --set-mark 1

# Mark incoming mail traffic from smtp with mark value 2
$IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport smtp -d 0/0 -t mangle -j MARK --set-mark 2

# Mark incoming ftp traffic with mark value 3
$IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 21 -d 0/0 -t mangle -j MARK --set-mark 3

# Mark incoming www and Real Server traffic with mark value 4
$IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 80 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 7070 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p udp -o $DMZ -s 0/0 --dport 8080 -d 0/0 -t mangle -j MARK --set-mark 4

Page 21:

Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)

[Figure: class-based queuing (CBQ), same diagram as Page 11]

Page 22:

A2D2 CBQ Implementation

TC="/sbin/tc"

# Set up the queue with the specific network interface
$TC qdisc add dev $DMZ root handle 10: cbq bandwidth 10Mbit avpkt 1000

# Create the root class and initialize it with the queue
$TC class add dev $DMZ parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded

# Create different classes of queues with different bandwidth allocation
add_class() {
    # $1=parent class $2=classid $3=hiband $4=lowband $5=handle $6=style
    $TC class add dev $DMZ parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
    $TC qdisc add dev $DMZ parent $2 cbq 1514b
    $TC filter add dev $DMZ protocol ip prio 3 handle $5 fw classid $2
}

# First type of traffic, ICMP marked '1' by the firewall code, gets 5% of our internal bandwidth (10240*0.05=512.0)
add_class 10:1 10:100 512kbit 51.2kbit 1 bounded

# Second type of traffic, SMTP marked '2' by the firewalling code, gets 15% of our internal bandwidth (10240*0.15=1536.0)
add_class 10:1 10:200 1536kbit 153.6kbit 2

# Third type of traffic, ftp marked '3' by the firewalling code, gets 10% of our internal bandwidth (10240*0.1=1024.0)
add_class 10:1 10:300 1024kbit 102.4kbit 3

# Last type of traffic is interactive traffic (marked '4'), which gets 70% of our internal bandwidth (10240*0.70=7168.0)
add_class 10:1 10:400 7168kbit 716.8kbit 4
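Added example, not code from the thesis: an offline check that every firewall mark set by the MARK rules on Page 20 has a matching fw filter handle among the add_class calls on Page 22, and that the class rates fit the 10240 kbit budget used in the slide's comments. The function names and the abbreviated sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thesis): offline lint, parses text only.

# Constructed sample input, abbreviated from the rules on the slides.
MARK_RULES='
$IPTABLES -A FORWARD -p icmp -o $DMZ -t mangle -j MARK --set-mark 1
$IPTABLES -A FORWARD -p tcp -o $DMZ --dport smtp -t mangle -j MARK --set-mark 2
$IPTABLES -A FORWARD -p tcp -o $DMZ --dport 21 -t mangle -j MARK --set-mark 3
$IPTABLES -A FORWARD -p tcp -o $DMZ --dport 80 -t mangle -j MARK --set-mark 4
$IPTABLES -A FORWARD -p tcp -o $DMZ --dport 7070 -t mangle -j MARK --set-mark 4
'
CLASS_CALLS='
add_class 10:1 10:100 512kbit 51.2kbit 1 bounded
add_class 10:1 10:200 1536kbit 153.6kbit 2
add_class 10:1 10:300 1024kbit 102.4kbit 3
add_class 10:1 10:400 7168kbit 716.8kbit 4
'
LINK_KBIT=10240   # link budget used in the slide's percentage comments

# Distinct marks set by the firewall rules, one per line.
marks_set() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "--set-mark") print $(i + 1) }' |
        sort -un
}

# fw filter handles that the add_class calls install, one per line.
handles_classified() {
    printf '%s\n' "$1" | awk '$1 == "add_class" { print $6 }' | sort -un
}

# Marks with no matching fw filter handle: no class is selected for them.
unclassified_marks() {
    handles=" $(handles_classified "$2" | tr '\n' ' ')"
    for m in $(marks_set "$1"); do
        case "$handles" in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# "handle percent" per class: class rate as a percentage of the link budget.
class_shares() {
    printf '%s\n' "$1" | awk -v link="$2" '
        $1 == "add_class" { r = $4; sub(/kbit$/, "", r); printf "%s %d\n", $6, r * 100 / link }'
}

# Sum of all class rates in kbit (integer kbit rates, as on the slide).
total_rate_kbit() {
    printf '%s\n' "$1" | awk '
        $1 == "add_class" { r = $4; sub(/kbit$/, "", r); sum += r } END { print sum + 0 }'
}

# Exit status 0 when every mark is classified and the rates fit the budget.
cbq_lint() {
    [ -z "$(unclassified_marks "$1" "$2")" ] &&
        [ "$(total_rate_kbit "$2")" -le "$3" ]
}

if cbq_lint "$MARK_RULES" "$CLASS_CALLS" "$LINK_KBIT"; then
    echo "ok, shares (handle percent): $(class_shares "$CLASS_CALLS" "$LINK_KBIT" | tr '\n' ';')"
else
    echo "fail: unclassified marks [$(unclassified_marks "$MARK_RULES" "$CLASS_CALLS")], total $(total_rate_kbit "$CLASS_CALLS") kbit"
fi
```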

Page 23:

A2D2 IDS: Snort Flood Preprocessor

IDS

Detection Engine (Rule Based)

Preprocessor (Perform logic)

Page 24:

A2D2 IDS: Snort Flood Preprocessor

Prepare the snort plugbase.h file:
#include "spp_flood.h"

Prepare the Snort plugbase.c file:
void InitPreprocessor()
{
    SetupFlood();
}

Prepare the snort.conf file:
preprocessor flood: $HOME_NET <threshold # packets> <threshold # time period> <logfilename>

Create two flood-plugin files: spp_flood.h, spp_flood.c

In spp_flood.h, add:
void SetupFlood();
void FloodInit(u_char *);
/* The FloodInit function creates the preprocessor data structure */

In spp_flood.c, register the preprocessors:
void SetupFlood(void)
{
    RegisterPreprocessor("flood", FloodInit);
}

Page 25:

A2D2 IDS: Snort Flood Preprocessor

Additional Features

FloodIgnoreHosts Preprocessor

FloodRateLimiter Preprocessor

Page 26:

A2D2 Multi-Level Rate Limiting

[Figure: multi-level rate limiting on the Firewall Gateway (as Linux Router)]

eth0: IP: 128.198.61.12, NM: 255.255.255.128, GW: 128.198.61.1
eth1: IP: 192.168.0.1, NM: 255.255.0.0, GW: 128.198.61.12

Components: IDS; snort.conf Flood Preprocessor Threshold; snort.conf FloodRateLimiter Preprocessor Thresholds; rateif.conf (levels, rate, expiration, port # etc.); ./snort -A UNSOCK; report.c; ./alert; rateif.pl

Level 4: Open (5 days)
Level 3: 100 p/s
Level 2: 50 p/s
Level 1: Block (2 hrs)
Level 0: Block (2 days)

Level 1 Expires

Page 27:

[Figure: A2D2 test-bed topology, same diagram as Page 17]

Page 28:

A2D2 Results - Baseline

10-min Video

Packets Received: Around 23,000 (23,445)

QoS Experienced at A2D2 Client

Page 29:

A2D2 Results – 1-min Attack

Packets Received: 17,869

Retransmission Request: 1,929

Retransmission Received: 121

Lost: 1,808

QoS Experienced at A2D2 Client

Page 30:

A2D2 Results – Non-stop Attack

Packets Received: 8,039

Retransmission Request: 2,592

Retransmission Received: 35

Lost: 2,557

Connection Timed-out

QoS Experienced at A2D2 Client

Page 31:

A2D2 Results – UDP Attack

Mitigation: Firewall Policy

Packets Received: 23,407

Retransmission Request: 0

Retransmission Received: 0

Lost: 0

QoS Experienced at A2D2 Client

Page 32:

A2D2 Results – ICMP Attack

Mitigation: Firewall Policy

Packets Received: 7,127

Retransmission Request: 2,105

Retransmission Received: 4

Lost: 2,101

Connection Timed-out

QoS Experienced at A2D2 Client

Page 33:

A2D2 Results – ICMP Attack

Mitigation: Firewall Policy & CBQ

Packets Received: 23,438

Retransmission Request: 0

Retransmission Received: 0

Lost: 0

QoS Experienced at A2D2 Client

Page 34:

A2D2 Results – TCP Attack

Mitigation: Policy+CBQ

Packets Received: 22,179

Retransmission Request: 4,090

Retransmission Received: 2,641

Lost: 1,449

Screen Quality Impact

QoS Experienced at A2D2 Client

Page 35:

A2D2 Results – TCP Attack

Mitigation: Policy+CBQ+Rate

Packets Received: 23,444

Retransmission Request: 49 – 1,376

Retransmission Received: 40 – 776

Lost: 9 – 600

QoS Experienced at A2D2 Client

Page 36:

A2D2 Future Works

TCP – SYN Attack

Firewall Processing Speed

Alternate Routing

Scalability More Services

Anomaly Detection

Fault Tolerant

Page 37:

A2D2 Software Engineering Process

ISO/IEC 12207 (Software Life Cycle Processes)

Evolutionary Model

R: Requirements; D: Design; C/T: Coding and Testing; I/AS: Installation and Acceptance Support

Information Flow (Refinements)

Build 1: R1, D, C/T, I/AS
Build 2: R2, D, C/T, I/AS
Build 3: R3, D, C/T, I/AS
Build n: Rn, D, C/T, I/AS

Page 38:

A2D2 Conclusion

Intrusion Tolerance

A2D2 Clients Enjoy QoS During Various Types of Attack

Page 39:

Questions?

References: Please refer to Thesis Document

http://cs.uccs.edu/~chow/master/acearns/doc/angThesis-1022.doc

Page 40:

Mitigation A2D2

Check Please.