Posted on 15-Jan-2016 (slide transcript)
Design of an Autonomous Anti-DDoS Network (A2D2)
Angela Cearns, Thesis Defense
Thursday October 24, 2002
Master of Software Engineering, Department of Computer Science
University of Colorado, Colorado Springs
Author: Angela Cearns
Committee Members: Dr. C. Edward Chow, Dr. Jugal K. Kalita, Dr. Charles M. Shub
DoS & DDoS - Problem Domain Definition
DoS: Denial of Service Attack
DDoS: Distributed Denial of Service Attack
Well-known victims: Yahoo, Amazon, CERT
Well-known DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
Diagram: DDoS attack hierarchy, from the Mastermind Intruder to the Client (Attack Commander), through Handlers (Middlemen), to many Agents (Attackers).
Mitigation - Commercial $ystems

| Product | Primary Product Function | Price |
|---|---|---|
| Cisco Secure | IDS | $3,500 - $6,100 |
| Dragon IDS | IDS | $3,000 (10MB) |
| ISS RealSecure | IDS | $750 / host, $8,995 / server |
| Cisco PIX | Firewall | $320 - $1,300 |
| Check Point | Firewall | $280 - $8,000 |
| Sidewinder | Firewall | $4,995 - $17,495 |
| Watchguard Firebox | Firewall | $360 - $9,500 |

| Product | Primary Product Function | Price |
|---|---|---|
| IntruVert Networks IntruShield 4000 | Firewall, IDS | $100,000 |
| iPolicy Networks ipEnforcer 6000 | Firewall, IDS, Anti-virus | Starts at $125,000 |
| OneSecure | Firewall, IDS | Starts at $16,500 |
| TippingPoint Tech UnityOne | IDS, Anti-virus, Vulnerability Assessment | $100,000 |
DDoS Target Audience: research by the University of California at San Diego observed 12,805 DoS attacks in a 3-week period; the targets were mostly home and small to medium sized networks.
Mitigation - A2D2 (This Thesis): Autonomous Anti-DDoS Network (A2D2)
A2D2 Target Audience: home, small to medium sized networks
Design Principles: Affordable, Manageable, Configurable, Portable, Research-Oriented
A2D2 Background Research - 3 main research areas:
- Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
- Intrusion Detection: Anomaly Detection; Misuse Detection
- Intrusion Response: Source Identification; Intrusion Tolerance

A2D2 - Intrusion Tolerance: Fault Tolerance; Quality of Service (QoS)
Intrusion Tolerant QoS Techniques: Rate Limiting; Class-Based Queuing (CBQ)
Intrusion Tolerant QoS Systems: XenoService; Pushback Mechanisms; Cooperative Intrusion Traceback and Response Architecture (CITRA)
Intrusion Tolerance Techniques - Rate Limiting
Diagram: packets arriving from the Internet pass through a packet filter (iptables) on their way to the internal private network; the filter counts packets per 1-second interval and drops those above the configured limit.
Intrusion Tolerance Techniques - Class-Based Queuing (CBQ)
Diagram: instead of a single First-In-First-Out (FIFO) queue, an iptables filter/classifier marks packets by type (HTTP - Mark 1, SMTP - Mark 2, NNTP - Mark 3, ICMP - Mark 4; UDP and other packet types are dropped) and places them in queues from high priority (Queue 1, HTTP; Queue 2, SMTP; Queue 3, NNTP) to low priority (Queue 4, ICMP); a scheduler serves the queues according to their queuing disciplines before traffic enters the internal private network.
Intrusion Tolerance Systems - XenoService
Diagram: multiple XenoServers distributed across the Internet.
Intrusion Tolerance Systems - Pushback Mechanism
Diagram: the IDS/Firewall at the victim sends alerts to the ISP router, which applies rate limiting and pushes the rate limiting back to successive upstream routers.
Intrusion Tolerance Systems - CITRA
Cooperative Intrusion Traceback and Response Architecture (CITRA), built on the Defense Advanced Research Projects Agency (DARPA) Intruder Detection and Isolation Protocol (IDIP).
Diagram: CITRA Neighborhoods A, B and C, each with IDSs and Boundary Controllers; boundary controllers exchange IDIP messages along the attack path, push back rate limiting, and report information to a Discovery Coordinator (DC).
Intrusion Tolerance Research Limitations
- Intrusion Tolerance Techniques: not autonomous; time-consuming; require knowledgeable staff
- Intrusion Tolerance Systems: expensive; require worldwide agreements; require extensive collaboration
DDoS Defense (Macro vs Micro)
Diagram: attack traffic flows from the Mastermind Intruder through the Client (Attack Commander), Handlers (Middlemen) and Agents (Attackers) across many ISPs. Macro-level defense acts on Internet/ISP bandwidth; micro-level defense acts on the bandwidth of the victim's own ISP link and www.victim.com.
A2D2 Test-bed (diagram):
- Attack Network 128.198.61 (Simulated Internet, 100 Mbps switch): DDoS agents Alpha 128.198.61.15, Beta 128.198.61.16, Gamma 128.198.61.17, Delta 128.198.61.18; DDoS master client & handler Saturn 128.198.61.11 (NM 255.255.255.128, GW 128.198.61.1).
- Autonomous Anti-DDoS Network (A2D2), hosts Pluto and Titan. The firewall host runs as a Linux router: eth0 IP 128.198.61.12 (NM 255.255.255.128, GW 128.198.61.1) toward the attack network, eth1 IP 192.168.0.1 (NM 255.255.0.0, GW 128.198.61.12) toward the private subnet. It enforces the Firewall (iptables) Security Policy, Class-Based Queuing (CBQ) and Multi-Level Rate Limiting; IDS alerts trigger the multi-level rate limiting.
- Private Subnet 192.168.0 (DMZ, 10 Mbps hub): RealServer, eth0 IP 192.168.0.2 (NM 255.255.0.0, GW 192.168.0.1); the IDS monitors the RealServer traffic.
- Bandwidth allocation: 70% HTTP, RealPlayer; 15% SMTP, POP3; 10% SSH, SFTP; 5% SYN, ICMP, DNS.
- Public Network 128.198 / Internet (100 Mbps switch): Real Player clients Client1 128.198.a.195, Client2 128.198.b.82, Client3 128.198.c.31.
A2D2 Firewall Policy

```sh
IPTABLES="/sbin/iptables"
INTERNET="eth0"   # faces the attack network (per the test-bed diagram)
DMZ="eth1"        # faces the private subnet 192.168.0
# Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# Set up IP FORWARDing and Masquerading
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
$IPTABLES --append FORWARD --in-interface $DMZ -j ACCEPT
# DNAT - translate incoming ftp (21), ssh (22), telnet (23) traffic to my internal hosts
$IPTABLES -t nat -A PREROUTING -p tcp --dport 21 -i $INTERNET -j DNAT --to 192.168.0.2:21
$IPTABLES -t nat -A PREROUTING -p tcp --dport 22 -i $INTERNET -j DNAT --to 192.168.0.2:22
$IPTABLES -t nat -A PREROUTING -p tcp --dport 23 -i $INTERNET -j DNAT --to 192.168.0.2:23
# Not on the slide: with FORWARD set to DROP, the translated connections must also be accepted
$IPTABLES -A FORWARD -i $INTERNET -o $DMZ -d 192.168.0.2 -p tcp -m multiport --dports 21,22,23 -j ACCEPT
```
A2D2 CBQ Implementation - packet marking (mangle table, FORWARD chain, traffic leaving toward the DMZ)

```sh
IPTABLES="/sbin/iptables"
DMZ="eth1"
# Classify icmp traffic to be queue class 1
$IPTABLES -t mangle -A FORWARD -p icmp -o $DMZ -j MARK --set-mark 1
# Mark incoming mail traffic from smtp with mark value 2
$IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport smtp -j MARK --set-mark 2
# Mark incoming ftp traffic with mark value 3
$IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 21 -j MARK --set-mark 3
# Mark incoming www and Real Server traffic with mark value 4
$IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 80 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 7070 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p tcp -o $DMZ --dport 8080 -j MARK --set-mark 4
$IPTABLES -t mangle -A FORWARD -p udp -o $DMZ --dport 8080 -j MARK --set-mark 4
```
A2D2 CBQ Implementation - queue classes (tc)

```sh
TC="/sbin/tc"
DMZ="eth1"
# Set up the queue with the specific network interface
$TC qdisc add dev $DMZ root handle 10: cbq bandwidth 10Mbit avpkt 1000
# Create the root class and initialize it with the queue
$TC class add dev $DMZ parent 10:0 classid 10:1 cbq bandwidth 10Mbit rate 64kbit allot 1514 weight 6.4kbit prio 8 maxburst 20 avpkt 1000 bounded
# Create different classes of queues with different bandwidth allocation
add_class() {
    # $1=parent class $2=classid $3=hiband $4=lowband $5=handle $6=style
    $TC class add dev $DMZ parent $1 classid $2 cbq bandwidth 10Mbit rate $3 allot 1514 weight $4 prio 5 maxburst 20 avpkt 1000 $6
    $TC qdisc add dev $DMZ parent $2 cbq 1514b   # leaf qdisc exactly as given on the slide
    $TC filter add dev $DMZ protocol ip prio 3 handle $5 fw classid $2
}
# First type of traffic ICMP marked '1' by the firewall code gets 5% of our internal bandwidth (10240*0.05=512.0)
add_class 10:1 10:100 512kbit 51.2kbit 1 bounded
# Second type of traffic SMTP marked '2' by the firewalling code gets 15% of our internal bandwidth (10240*0.15=1536.0)
add_class 10:1 10:200 1536kbit 153.6kbit 2
# Third type of traffic ftp marked '3' by the firewalling code gets 10% of our internal bandwidth (10240*0.1=1024.0)
add_class 10:1 10:300 1024kbit 102.4kbit 3
# Last type of traffic is interactive traffic (marked '4') gets 70% of our internal bandwidth (10240*0.70=7168.0)
add_class 10:1 10:400 7168kbit 716.8kbit 4
```
A2D2 IDS - Snort Flood Preprocessor
IDS = Detection Engine (rule based) + Preprocessor (performs logic)

Prepare the Snort plugbase.h file:

```c
#include "spp_flood.h"
```

Prepare the Snort plugbase.c file:

```c
void InitPreprocessor()
{
    SetupFlood();
}
```

Prepare the snort.conf file:

```
preprocessor flood: $HOME_NET <threshold # packets> <threshold # time period> <logfilename>
```

Create two flood-plugin files: spp_flood.h and spp_flood.c. In spp_flood.h, add:

```c
void SetupFlood();
void FloodInit(u_char *);   /* FloodInit creates the preprocessor data structure */
```

In spp_flood.c, register the preprocessor:

```c
void SetupFlood(void)
{
    RegisterPreprocessor("flood", FloodInit);
}
```

A2D2 IDS - Snort Flood Preprocessor, additional features: FloodIgnoreHosts Preprocessor; FloodRateLimiter Preprocessor
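The slides give only the snort.conf line and the registration hooks, not the threshold logic itself. The following is an added Python model (not the thesis's spp_flood.c) of what `preprocessor flood: $HOME_NET <packets> <seconds> <logfile>` expresses: a source that sends more than the packet threshold into HOME_NET within the time period raises an alert. The sliding-window semantics, HOME_NET 192.168.0.0/16 (the test-bed's private subnet) and the client address 128.198.10.195 are assumptions; the traffic is constructed.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class FloodDetector:
    """Model of 'preprocessor flood: $HOME_NET <packets> <seconds> <logfile>'.

    Alerts when one source sends more than `threshold` packets into HOME_NET
    within any `window`-second span (sliding window: an assumption, the slides
    do not show the preprocessor's internal logic)."""

    def __init__(self, home_net, threshold, window):
        self.home_net = ip_network(home_net)
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)  # src -> timestamps of packets into HOME_NET
        self.log = []                   # lines that would go to <logfilename>

    def packet(self, ts, src, dst):
        """Feed one packet (timestamp in seconds); return an alert line or None."""
        if ip_address(dst) not in self.home_net:
            return None                 # only traffic toward HOME_NET is counted
        q = self.seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                 # expire timestamps outside the window
        if len(q) > self.threshold:
            line = f"FLOOD {src} -> {dst}: {len(q)} packets in {self.window}s at t={ts:.2f}"
            self.log.append(line)
            q.clear()                   # one alert per burst, then count again
            return line
        return None


def run_sample():
    """Constructed traffic: agent Alpha (128.198.61.15) sends 60 packets in 0.6 s
    at the RealServer (192.168.0.2); an assumed client 128.198.10.195 sends
    60 packets at 2 packets/s. Returns the alert lines produced."""
    det = FloodDetector("192.168.0.0/16", threshold=50, window=1)
    for i in range(60):
        det.packet(10.0 + i * 0.01, "128.198.61.15", "192.168.0.2")
    for i in range(60):
        det.packet(10.0 + i * 0.5, "128.198.10.195", "192.168.0.2")
    return det.log


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```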
A2D2 Multi-Level Rate Limiting
Diagram: the Firewall Gateway as Linux router (eth0 IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12) applies multi-level rate limiting driven by the IDS:
- snort.conf: Flood Preprocessor threshold; FloodRateLimiter Preprocessor thresholds
- rateif.conf: levels, rate, expiration, port, etc.
- Alert path: ./snort -A UNSOCK -> report.c -> ./alert -> rateif.pl
- Levels: Level 4 Open (5 days); Level 3 100 p/s; Level 2 50 p/s; Level 1 Block (2 hrs); Level 0 Block (2 days); Level 1 expires back toward a less restrictive level.
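An added Python model of the multi-level scheme above (not the thesis's rateif.pl). The levels and the 5-day, 2-hour and 2-day durations are the ones on the slide; the escalation policy (each IDS alert moves a source one level more restrictive, an expired level moves it one level back toward open), the expiry assumed for levels 3 and 2, and the iptables form of the enforcement are assumptions.

```python
from typing import Dict, List, Optional, Tuple

# level -> (kind, packets/s, seconds until the level expires); 5 days, 2 hrs and
# 2 days are from the slide, the 2-hour expiry of levels 3 and 2 is assumed.
LEVELS: Dict[int, Tuple[str, Optional[int], Optional[int]]] = {
    4: ("open", None, 5 * 86400),   # clean for 5 days: forget the host entirely
    3: ("limit", 100, 2 * 3600),    # assumed expiry
    2: ("limit", 50, 2 * 3600),     # assumed expiry
    1: ("block", None, 2 * 3600),
    0: ("block", None, 2 * 86400),
}


def iptables_rules(src: str, level: int) -> List[str]:
    """Enforcement for one source at one level (assumed form; any earlier rules
    for src must be removed before these are inserted)."""
    kind, pps, _ = LEVELS[level]
    if kind == "open":
        return []
    if kind == "block":
        return [f"iptables -I FORWARD -s {src} -j DROP"]
    return [f"iptables -I FORWARD -s {src} -m limit --limit {pps}/second -j ACCEPT",
            f"iptables -I FORWARD 2 -s {src} -j DROP"]


class MultiLevelRateLimiter:
    def __init__(self) -> None:
        self.hosts: Dict[str, Tuple[int, Optional[float]]] = {}  # src -> (level, expires_at)
        self.actions: List[Tuple[float, str, int]] = []          # (time, src, new level)

    def level_of(self, src: str) -> int:
        return self.hosts[src][0] if src in self.hosts else 4    # unknown hosts are open

    def _set(self, now: float, src: str, level: int) -> int:
        ttl = LEVELS[level][2]
        self.hosts[src] = (level, None if ttl is None else now + ttl)
        self.actions.append((now, src, level))
        return level

    def alert(self, now: float, src: str) -> int:
        """IDS flood alert for src: one level more restrictive, floor at level 0."""
        self.expire(now)
        return self._set(now, src, max(0, self.level_of(src) - 1))

    def expire(self, now: float) -> None:
        """Move each host whose level has timed out one level back toward open."""
        for src, (level, expires_at) in list(self.hosts.items()):
            if expires_at is not None and now >= expires_at:
                if level == 4:
                    del self.hosts[src]
                else:
                    self._set(now, src, level + 1)
```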
A2D2 Results (QoS experienced at the A2D2 client, 10-min video)

| Scenario | Mitigation | Packets Received | Retransmission Request | Retransmission Received | Lost | Note |
|---|---|---|---|---|---|---|
| Baseline | - | around 23,000 (23,445) | - | - | - | |
| 1-min attack | - | 17,869 | 1,929 | 121 | 1,808 | |
| Non-stop attack | - | 8,039 | 2,592 | 35 | 2,557 | Connection timed out |
| UDP attack | Firewall Policy | 23,407 | 0 | 0 | 0 | |
| ICMP attack | Firewall Policy | 7,127 | 2,105 | 4 | 2,101 | Connection timed out |
| ICMP attack | Firewall Policy & CBQ | 23,438 | 0 | 0 | 0 | |
| TCP attack | Policy + CBQ | 22,179 | 4,090 | 2,641 | 1,449 | Screen quality impact |
| TCP attack | Policy + CBQ + Rate Limiting | 23,444 | 49 - 1,376 | 40 - 776 | 9 - 600 | |
A2D2 Future Works: TCP SYN attack; firewall processing speed; alternate routing; scalability; more services; anomaly detection; fault tolerance
A2D2 Software Engineering Process: ISO/IEC 12207 (Software Life Cycle Processes), Evolutionary Model
R: Requirements; D: Design; C/T: Coding and Testing; I/AS: Installation and Acceptance Support
Information flow (refinements): Build 1: R1 -> D -> C/T -> I/AS; Build 2: R2 -> D -> C/T -> I/AS; Build 3: R3 -> D -> C/T -> I/AS; ... Build n: Rn -> D -> C/T -> I/AS
A2D2 Conclusion: Intrusion Tolerance - A2D2 clients enjoy QoS during various types of attack.
Questions?
References: please refer to the thesis document, http://cs.uccs.edu/~chow/master/acearns/doc/angThesis-1022.doc