1
SOS: Secure Overlay Service (+Mayday)
A. D. Keromytis, V. Misra, D. Rubenstein, Columbia University
Presented by Yingfei Dong
2
Motivations
Goal: proactively prevent DoS attacks so that legitimate users can communicate with a critical target
DoS attacks try to stop that communication
The target is difficult to replicate, e.g., high-security or dynamic content
Legitimate users are mobile (their IP addresses are not fixed)
Motivating applications:
Emergency Response Teams (ERTs): phone networks are easy to crash; FBI/police/fire departments contacting a central database
Bank users / stock brokers accessing their accounts; on-line transactions
Application requirements:
Protect private communications on top of public networks
Authenticate mobile users
3
Denial of Service (DoS) Attacks
DoS: select a target and degrade its performance by generating "high-volume" traffic to it
Use up network resources (bandwidth, buffers)
Packet flooding: a 10 Mbps link is saturated by about 830 1500-byte packets per second
Overload the CPU or kernel resources with security checking
Security handshaking
TCP SYN flooding: ties up all TCP control blocks
Forcing a server to fork many processes
SOS is not for general DoS attacks, nor for global traffic analysis: its setting is a number of authenticated users communicating with a selected target over a public network
4
Related Work
Participation: global router changes vs. local filters at end systems or routers
Detect/prevent spoofing: router-based filtering, ingress filtering, IP traceback
Identify/shut down ongoing attacks: IP pushback, rate limiting, pattern matching and filtering
Proactively prevent attacks: IPsec (at each step), SOS
Axes of the original comparison: less implementation cost vs. more secure
5
Players in SOS
Target: the node/server protected by SOS from DoS; fixed IP address, non-duplicable
Legitimate user: an authenticated user who communicates with the target; mobile IP address
Attacker: tries to stop users from communicating with the target; limited capability (cannot take down core routers)
6
Basic Idea
Why is DoS effective? It is many-to-one
Solution: hide the paths to the target behind a large-scale distributed filter
Difficult to do because the Internet is an open architecture and will stay open, IP spoofing is easy, ingress filters are not broadly deployed, ...
Idea: forward secured packets over a virtual overlay network on top of the Internet
Secured packets are forwarded between overlay nodes
Use a large number of overlay nodes
The overlay network adapts to attacks quickly
Attackers must attack many nodes to succeed!
7
SOS Functionalities
Goals: allow legitimate users to communicate with the target; prevent packets from illegitimate senders (attackers) from reaching the target
Ideal solution: no changes required in intermediate routers; no high-cost security checking near or at the target
Assumptions: attackers have limited resources and cannot take down core routers
Does NOT solve the general DoS problem
8
Method 1: Source-Address Filtering
Routers near the target do simple filtering on source IP addresses: only packets from legitimate nodes can reach the target; packets from other sources are dropped
Fast, lightweight authenticator; routers are hard to compromise
Problems: attackers obtain an account on a legitimate node; attackers spoof packets with a legitimate source IP; legitimate users are mobile and have no fixed IPs
9
Method 2: Filters + Proxy Servers
Idea: a proxy server sits between a legitimate user and the target; the proxy forwards only authenticated packets, and only packets from the proxy can reach the target
Problems: once attackers know the IP address x.x.x.x of a proxy, they can spoof packets from x.x.x.x and reach the target; attackers can also attack the proxy directly to take it down
10
Method 3: Filters + Secret Proxy Servers
Hide the identity (IP address) of the proxy to prevent IP spoofing and attacks aimed at the proxy
A secret servlet is a hidden proxy chosen by the target
A filter only allows packets whose source address matches one of the Ns selected nodes
Only the target, the secret servlets, and a few other trusted nodes know the secret servlets' IP addresses
An attacker cannot tell which node is a proxy for the target
11
Method 4: Filters + Secret Proxy + Overlay Routing + SOAP
Question: how to forward packets to a secret servlet without knowing its IP address?
Virtual overlay network: each node is an end host; only some nodes know how to reach a proxy (servlet)
Implicit assumption: the overlay has a large number of nodes, so attackers cannot monitor all of them
Secure Overlay Access Points (SOAPs): everyone knows a set of SOAPs; a SOAP is an entry node to the overlay; it receives and verifies traffic via IPsec/TLS; a large number of SOAPs acts as a distributed firewall
Path: User -> SOAP -> across the overlay -> Secret Servlet -> Target
12
Overlay Routing: SOAP -> Servlet -> Target
A path from a SOAP to a servlet must be hard to find
Random walk: O(N/Ns) time, where N is the total number of overlay nodes and Ns the number of servlets
Chord: O(log N)
A path must be resilient to attacks, with fast recovery
13
Distributed Hash Table (DHT)
Examples: Chord, CAN, Pastry, Tapestry, ...
Chord: a distributed protocol with N homogeneous overlay nodes; each node has a node identifier and each object has an object key
All object keys are distributed over the N nodes: the object with key T is mapped to node B if H(T) = B, and object T is then managed by node B
Chord property: finding key T from any node, ending at B, takes O(log N) steps
14
A Beacon Connects a SOAP and a Servlet
The object key in SOS is the IP address of a target
The beacon B for IP address T is the overlay node with identifier B = H(T)
Secret servlet S finds beacon B by computing B = H(T) and tells B to forward packets with destination T to S
SOAP A also finds beacon B by computing B = H(T) and forwards secured packets with destination T to B
Multiple hash functions produce different beacons, i.e., different paths to the target
15
Routing Summary
Target T randomly selects a secret servlet S
Secret servlet S informs beacon B to forward packets with destination T to S
SOAP A forwards authenticated packets with destination T to B
Overlay nodes are publicly known but their roles are secret
Communication between overlay nodes is secured/authenticated
Packets are authenticated by the SOAP before entering the overlay
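The beacon mechanism of the two slides above (servlet registers at B = H(T), SOAP routes to B over Chord, B hands the packet to the servlet), as an added Python illustration that is not the authors' code. The 16-bit identifier space, SHA-256 as H(), the node addresses, the target address and the salt strings that stand in for the deck's "multiple hash functions" are all assumptions made here.

```python
"""Toy Chord ring showing how SOS maps a target address to a beacon and how a
SOAP reaches that beacon without ever learning the secret servlet.  Added
illustration, not the authors' code.  The 16-bit identifier space, SHA-256 as
H(), the node addresses, the target address and the salt strings that stand in
for the slide's 'multiple hash functions' are all assumptions."""
import hashlib
from bisect import bisect_left

M_BITS = 16                 # identifier bits (assumption; Chord uses 160)
RING = 1 << M_BITS

def chord_id(data: str) -> int:
    """H(): map a node address or a (salt, target) pair into the identifier ring."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % RING

def in_interval(x: int, a: int, b: int) -> bool:
    """True if x lies in the clockwise half-open interval (a, b] on the ring."""
    if a < b:
        return a < x <= b
    return x > a or x <= b      # interval wraps past zero (a == b means the whole ring)

class ChordRing:
    def __init__(self, node_addrs):
        self.ids = sorted({chord_id(a) for a in node_addrs})
        # finger[i] of node n = successor(n + 2^i); finger[0] is n's immediate successor
        self.fingers = {n: [self.successor(n + (1 << i)) for i in range(M_BITS)]
                        for n in self.ids}
        self.forward = {n: {} for n in self.ids}   # per-beacon table: target -> servlet

    def successor(self, key: int) -> int:
        """Node responsible for key: first node id clockwise from key (brute force)."""
        key %= RING
        i = bisect_left(self.ids, key)
        return self.ids[i] if i < len(self.ids) else self.ids[0]

    def closest_preceding(self, n: int, key: int) -> int:
        """Largest finger of n that lies strictly between n and key."""
        for f in reversed(self.fingers[n]):
            if f != key and in_interval(f, n, key):
                return f
        return n

    def lookup(self, start: int, key: int) -> list:
        """Chord lookup of key from node `start`; returns the hop-by-hop path of
        node ids, ending at the node responsible for key (O(log N) hops)."""
        key %= RING
        n, path = start, [start]
        while n != key and not in_interval(key, n, self.fingers[n][0]):
            n = self.closest_preceding(n, key)   # distance to key's predecessor at least halves
            path.append(n)
        if n != key:
            path.append(self.fingers[n][0])
        return path

def beacon_for(ring: ChordRing, target_ip: str, salt: str) -> int:
    """SOS: the beacon for target T is the node responsible for key H(T).
    A different salt plays the role of a different hash function H'."""
    return ring.successor(chord_id(f"{salt}|{target_ip}"))

def servlet_register(ring, target_ip, servlet, salt):
    """Secret servlet S computes B = H(T) and asks B to forward T's traffic to S."""
    beacon = beacon_for(ring, target_ip, salt)
    ring.forward[beacon][target_ip] = servlet
    return beacon

def soap_forward(ring, soap, target_ip, salt):
    """SOAP A routes an authenticated packet for T to B = H(T) through the overlay.
    A only learns the beacon; the servlet id stays known to the beacon alone."""
    path = ring.lookup(soap, chord_id(f"{salt}|{target_ip}"))
    beacon = path[-1]
    return path, ring.forward[beacon].get(target_ip)

if __name__ == "__main__":
    nodes = [f"10.0.{i // 256}.{i % 256}" for i in range(200)]   # constructed membership
    ring = ChordRing(nodes)
    target = "192.0.2.10"                  # constructed target address
    servlet = ring.ids[17]                 # the target's (secret) choice of servlet
    for salt in ("h1", "h2", "h3"):        # three hash functions -> three beacons/paths
        beacon = servlet_register(ring, target, servlet, salt)
        path, s = soap_forward(ring, ring.ids[0], target, salt)
        print(f"{salt}: beacon={beacon:5d} hops={len(path) - 1:2d} "
              f"beacon knows servlet={s == servlet}")
```

The point to notice is what each party learns: the SOAP's lookup path ends at the beacon, and only the beacon's forwarding table names the servlet, which is why an attacker who compromises a SOAP still has to find the servlet behind B = H(T). Removing a node from `ids` and rebuilding the ring is the self-healing step of the later slides.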
16
Against DoS Attacks
Redundancy in SOS: every overlay node can be a SOAP, beacon or servlet; a target can select multiple servlets; multiple beacons can be used via different hash functions; there are many SOAPs
Path: User -> SOAP -> Beacon -> Servlet -> Target
Attacks on one overlay node: Chord self-heals by removing the node from the ring
Attacks on SOAPs: unless all SOAPs are attacked, an alternative SOAP exists
Attacks on all beacons: remove the nodes and change the hash functions
Attacks on all servlets: the target can change the set of servlets in real time; the target itself is protected by the filters
17
Static Attack Analysis
N nodes in the overlay; for a given target T: S is the number of servlets, B the number of beacons, A the number of SOAPs
Static attack: the attacker randomly shuts down M out of the N nodes
$P_{static} = P(N, M, S, B, A) = P\{\text{communication with } T \text{ is stopped}\}$
P(n, b, c) = P{a set of b nodes chosen at random from n nodes contains a given set of c nodes}:
$$P(n,b,c) = \binom{n-c}{b-c} \Big/ \binom{n}{b} = \binom{b}{c} \Big/ \binom{n}{c}$$
18
Successful attack: all servlets, or all beacons, or all SOAPs are taken down
$$P_{static} = P(N, M, S, B, A) = 1 - \bigl(1 - P(N,M,S)\bigr)\bigl(1 - P(N,M,B)\bigr)\bigl(1 - P(N,M,A)\bigr)$$
[Figure: probability of attack success vs. number of nodes attacked]
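The static-attack formula of the two slides above, evaluated in Python as an added example (not part of the deck). The parameter values N = 1000 and S = B = A = 10 are the ones the deck uses for its dynamic-attack plots; the function names and the sweep over M are choices made here.

```python
"""Static-attack probability for SOS: an attacker takes down M of the N overlay
nodes at random and wins if every servlet, every beacon or every SOAP of the
target is among them.  Added illustration, not the authors' code; N = 1000 and
S = B = A = 10 are the deck's example parameters."""
from math import comb

def p_contains(n: int, b: int, c: int) -> float:
    """P{a random b-subset of n nodes contains a fixed c-subset}
    = C(n-c, b-c) / C(n, b)  (equivalently C(b, c) / C(n, c))."""
    if c > b:
        return 0.0          # cannot cover c nodes with fewer than c picks
    return comb(n - c, b - c) / comb(n, b)

def p_static(N: int, M: int, S: int, B: int, A: int) -> float:
    """P{communication with T is stopped} as on the slide:
    1 - (1-P(N,M,S)) (1-P(N,M,B)) (1-P(N,M,A)).
    The slide's product treats the three 'all-down' events as independent."""
    survive = (1 - p_contains(N, M, S)) * (1 - p_contains(N, M, B)) * (1 - p_contains(N, M, A))
    return 1.0 - survive

def attack_curve(N: int, S: int, B: int, A: int, step: int = 50):
    """(M, P_static) pairs for M = 0, step, 2*step, ..., N: the slide's plot as data."""
    return [(M, p_static(N, M, S, B, A)) for M in range(0, N + 1, step)]

if __name__ == "__main__":
    for M, p in attack_curve(1000, 10, 10, 10, step=100):
        print(f"nodes attacked M={M:5d}   P_static={p:.6f}")
```

Running it shows why the deck stresses redundancy: with ten nodes in each role, the attacker has to take down most of a thousand-node overlay before the probability of cutting off T becomes appreciable, and raising S, B or A pushes the knee of the curve further right.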
19
Dynamic Attacks
Attack/repair battle: the overlay removes attacked nodes, taking time TR; the attacker shifts attack traffic from removed nodes to active nodes, taking time TA
Assume TR and TA are exponentially distributed random variables; model the battle as a birth-death process
Attacking rate, repairing rate, and attack load ratio = attacking rate / repairing rate
20
Centralized Attacks and Centralized Recovery: M/M/1/K
1000 nodes, 10 SOAPs, 10 beacons, 10 servlets
If repair is faster than attack, SOS survives even large-scale attacks
23
Distributed Attacks and Distributed Recovery: M/M/∞/K
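The attack/repair battle of the three slides above as a finite birth-death chain, added here as an illustration and not taken from the paper or the deck. State i is the number of the K protective nodes of one target currently knocked out; attacks add one at the attacking rate and repairs remove one at the repairing rate, both exponential, as the deck assumes. The centralized variant is the slide's M/M/1/K. The distributed variant, where each attacked node is repaired in parallel so state i recovers at i times the repair rate, is this editor's reading of the distributed-recovery label and is an assumption, as are K = 10 and the load ratios swept.

```python
"""Attack/repair battle as a birth-death chain (added illustration, not the
authors' code).  State i = number of the K protective nodes (SOAPs, beacons or
servlets of one target) currently down.  Centralized: one attack stream and one
repair process, M/M/1/K.  Distributed (assumption): repairs run in parallel, so
state i recovers at rate i * mu."""

def birth_death_stationary(births, deaths):
    """Stationary distribution of a finite birth-death chain with states 0..K.
    births[i]: rate i -> i+1 (i = 0..K-1); deaths[i]: rate i+1 -> i."""
    if len(births) != len(deaths):
        raise ValueError("need one birth and one death rate per transition")
    weights = [1.0]
    for lam, mu in zip(births, deaths):
        weights.append(weights[-1] * lam / mu)   # detailed balance: pi_{i+1} mu = pi_i lam
    total = sum(weights)
    return [w / total for w in weights]

def p_all_down_centralized(K: int, attack_rate: float, repair_rate: float) -> float:
    """M/M/1/K: P{all K nodes down} = pi_K with constant birth and death rates."""
    pi = birth_death_stationary([attack_rate] * K, [repair_rate] * K)
    return pi[K]

def p_all_down_distributed(K: int, attack_rate: float, repair_rate: float) -> float:
    """Assumption: i attacked nodes are repaired in parallel, death rate i * mu."""
    pi = birth_death_stationary([attack_rate] * K,
                                [(i + 1) * repair_rate for i in range(K)])
    return pi[K]

def survival_table(K: int, load_ratios):
    """For each attack load ratio rho = attack_rate / repair_rate (repair_rate = 1),
    the probability that communication with the target is cut off under each model."""
    return [(rho, p_all_down_centralized(K, rho, 1.0), p_all_down_distributed(K, rho, 1.0))
            for rho in load_ratios]

if __name__ == "__main__":
    K = 10   # deck: 10 SOAPs / 10 beacons / 10 servlets per target
    for rho, central, distributed in survival_table(K, (0.5, 0.9, 1.0, 1.5, 3.0)):
        print(f"rho={rho:4.1f}  P(all down) centralized={central:.3e}  distributed={distributed:.3e}")
```

The table makes the slide's claim quantitative: when the load ratio is below 1 (repair faster than attack) the probability that all K nodes are down falls geometrically in K for the centralized model and even faster when repairs proceed in parallel; above 1 the attacker wins with probability approaching 1.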
24
Conclusions
SOS protects a target from DoS: only legitimate traffic reaches the target
Approach: ingress filtering, hidden proxies, and self-healing overlay networks to defeat attacks
Preliminary analysis of static and dynamic attacks
25
Mayday
Goal: protect critical servers
Components:
A server: a centralized resource
A filter ring around the server to protect it: the edge routers of a domain
An overlay network; an overlay node can be an ingress point into the overlay (SOAP), an egress point from the overlay to the filter ring (servlet), or a forwarding node of the overlay
A client is authenticated by an overlay node but not trusted
26
Mayday Architecture
27
Generalizing the Idea of SOS
Packet authenticators checked at a filter (mostly fields of the IP header):
Egress source IP address (SOS)
Server destination port: 65,536 possible values, a large search space for a guessing attacker
Server destination address: 1 out of N reserved IP addresses (like a VPN shield)
Application-defined authenticator: fine for a firewall, not for core routers
Overlay routing schemes:
Proximity routing: proxies close to the client; the filter is known
Singly-indirect routing: the egress address is known
Doubly-indirect routing (SOS)
Random-walk / mix routing: each node only knows the next hop
28
Summary
SOS provides a formal analysis; Mayday discusses potential practical solutions
Discussion of advanced attack approaches
Open questions: long delay in overlay routing; trust of overlay nodes; repair speed vs. attack rate