Page 1: Security Related Research Projects at UCCS Network Research Lab

Security Research 1/10/2003 chow

C. Edward Chow
Department of Computer Science, University of Colorado at Colorado Springs

Page 2: Outline of the Talk

Brief Introduction to the Network/Protocol Research Lab at UCCS

Network security related research projects at UCCS Network/Protocol Research Lab
– Autonomous Anti-DDoS Project
– Secure Collective Defense Project
– BGP/MPLS based VPN Project

Discussion on AFA-UCCS Joint Research/Teaching Projects on Information Assurance
– Penetration Analysis/Testing exercises?
– Intrusion Detection/Handling exercises?
– Other Cyberwarfare related projects?
– Security Forum/Seminar Series

Page 3: UCCS Network Research Lab

Personnel:
Director: Dr. C. Edward Chow
Graduate students:
– Chandra Prakash: Highly Available Linux kernel-based Content Switch
– Ganesh Godavari: Linux based Secure Web Switch
– Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
– Longhua Li: IXP-based Content Switch
– Yu Cai (Ph.D. research assistant): Multipath Routing
– Jianhua Xie (Ph.D.): Secure Storage Networks
– Frank Watson: Content Switch for Email Security
– Paul Fong: Wireless AODV Routing for sensor networks
– Nirmala Belusu: Wireless Network Security PEAP vs. TTLS
– David Wikinson/Sonali Patankar: Secure Collective Defense
– Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
– Patricia Ferrao: Web-based Collaborative System Support

Page 4: UCCS Network Lab Setup

Gigabit fiber connection to UCCS backbone
Switch/Firewall/Wireless AP:
– HP 4000 switch; 4 Linksys/Dlink switches
– Sonicwall Pro 300 firewall
– 8 Intel 7112 SSL accelerators; 4 7280 XML directors donated by Intel
– Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards)
– Intel IXP12EB network processor evaluation board
Servers: Two Dell PowerEdge servers
Workstations/PCs:
– 8 Dell PCs (3 GHz-500 MHz); 12 HP PCs (500-233 MHz)
– 2 laptop PCs with Aironet 350 for mobile wireless
OS: Red Hat Linux 8.0; Windows XP/2000

Page 5: Lab photo (figure). Labels: HP 4000 switch; Gigabit fiber to UCCS backbone; workstation; Dell server; Intel IXP network processor.

Page 6: Lab photo (figure). Labels: Intel 7110 SSL accelerators; 7280 XML Director.

Page 7: DDoS: Distributed Denial of Service Attack

DDoS Victims: Yahoo/Amazon (2000); CERT (5/2001); DNS Root Servers (10/2002)
DDoS Tools: Stacheldraht; Trinoo; Tribal Flood Network (TFN)

Attack hierarchy (diagram): Mastermind Intruder -> Client (Attack Commander) -> Handlers (Middlemen), two shown -> Agents (Attackers), eight shown

Page 8: How widespread is DDoS?

Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks observed in a 3-week period. Most of the victims were home users and small to medium sized organizations.

Page 9: Intrusion Related Research Areas

Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
Intrusion Detection: Anomaly Detection; Misuse Detection
Intrusion Response: Identification/Traceback/Pushback; Intrusion Tolerance

Page 10: Security Related Research Projects

Secure Content Switch

Autonomous Anti-DDoS Project
Deals with Intrusion Detection and Handling. Techniques:
– IDS-Firewall Integration
– Adaptive Firewall Rules
– Easy to use/manage

Secure Collective Defense Project
Deals with Intrusion Tolerance: how to tolerate the attack. Techniques (main idea: explore secure alternate paths for clients to come in):
– Multiple Path Routing
– Secure DNS extension: how to inform client DNS servers to add alternate new entries
– Utilize a consortium of proxy servers with IDS that hides the IP address of alternate gateways

BGP/MPLS based VPN Project

Content Switch for Email Security

Page 11: Design of an Autonomous Anti-DDoS Network (A2D2)

Graduate Student: Angela Cearns
Goals:
– Study Linux Snort IDS/Firewall system
– Develop Snort plug-in for generic flood detection
– Investigate rate limiting and Class Based Queueing for effective firewall protection
– Intrusion detection automatically triggers adaptive firewall rule update
– Study QoS impact with/without A2D2 system

http://cs.uccs.edu/~chow/pub/master/acearns/doc/

Page 12: A2D2 Testbed (network diagram)

Attack Network 128.198.61 ("Simulated Internet"), NM 255.255.255.128, GW 128.198.61.1, on a 100 Mbps switch:
– Saturn 128.198.61.11: DDoS Master Client and Handler
– Alpha 128.198.61.15, Beta 128.198.61.16, Gamma 128.198.61.17, Delta 128.198.61.18: DDoS Agents

Pluto, the A2D2 gateway, as Linux Router: Firewall (iptables), Security Policy, Multi-Level Rate Limiting, Class-Based Queuing (CBQ)
– eth0: IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1 (attack network side)
– eth1: IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12 (private subnet side)

Private Subnet 192.168.0 (DMZ), 10 Mbps hub:
– Titan, the RealServer: eth0 IP 192.168.0.2, NM 255.255.0.0, GW 192.168.0.1
– IDS: IDS alerts trigger Multi-Level Rate-Limiting on the gateway

RealServer traffic: 70% HTTP, RealPlayer; 15% SMTP, POP3; 10% SSH, SFTP; 5% SYN, ICMP, DNS

Public Network 128.198 (Internet), 100 Mbps switch: Client1 128.198.a.195, Client2 128.198.b.82, Client3 128.198.c.31, each a Real Player Client

Page 13: A2D2 Multi-Level Adaptive Rate Limiting

Firewall Gateway with Multi-Level Rate Limiting, as Linux Router
– eth0: IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1
– eth1: IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12

IDS: snort.conf holds the FloodPreprocessor threshold and the FloodRateLimiter preprocessor thresholds; rateif.conf holds levels, rate, expiration, port #, etc.
Alert path: ./snort -A UNSOCK -> report.c -> ./alert -> rateif.pl

Levels:
– Level 4: Open (5 days)
– Level 3: 100 p/s
– Level 2: 50 p/s
– Level 1: Block (2 hrs)
– Level 0: Block (2 days)
– Level 1 expires (transition shown on the diagram)
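The level table above and the "IDS-Firewall integration" and "adaptive firewall rules" items on Page 10 describe a small state machine: each flood alert from the IDS steps the offending source down one level, and levels lapse after their expiration. The following is an added example written for this page, not the A2D2 code, rateif.pl or rateif.conf. It assumes a constructed alert line format ("<epoch seconds> flood <src ip>"), a one-hour expiration for the two rate-limited levels (the slide gives none), and that a lapsed expiration restores the source by one level; the iptables rules it emits are only illustrative of what rateif.pl would have to install.

```python
"""Multi-level adaptive rate limiting driven by IDS flood alerts.

Added illustration (not the A2D2 project's own code) of the scheme on the
slide: every flood alert for a source steps it down one level
(Open -> 100 p/s -> 50 p/s -> Block 2 hrs -> Block 2 days), and each level
climbs back up by one when its expiration passes without a fresh alert.
Assumptions made here and not taken from rateif.conf: the one-hour expiration
of the two rate-limited levels, the alert line format, and the step-up rule.
"""
import re

# (name, action, packets_per_second, expiration_seconds); index = level number.
LEVELS = [
    ("Level 0", "block", None, 2 * 24 * 3600),   # Block (2 days)
    ("Level 1", "block", None, 2 * 3600),        # Block (2 hrs)
    ("Level 2", "limit", 50, 3600),              # 50 p/s, 1 h expiry (assumed)
    ("Level 3", "limit", 100, 3600),             # 100 p/s, 1 h expiry (assumed)
    ("Level 4", "open", None, 5 * 24 * 3600),    # Open (5 days)
]
OPEN = len(LEVELS) - 1

# Constructed alert format for this example: "<epoch seconds> flood <src ip>".
ALERT_RE = re.compile(r"^(\d+)\s+flood\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed sample of what a flood preprocessor might hand to the rate limiter.
SAMPLE_ALERTS = [
    "0 flood 10.0.0.5",
    "10 flood 10.0.0.5",
    "15 flood 10.0.0.9",
    "20 flood 10.0.0.5",
    "this line is malformed and must be ignored",
]


class SourceState:
    def __init__(self, level, expires):
        self.level = level      # index into LEVELS
        self.expires = expires  # epoch seconds at which this level lapses


class RateLimiter:
    def __init__(self):
        self.sources = {}       # src ip -> SourceState

    def _state(self, ip, now):
        """Fetch the source's state, applying every expiration that has lapsed."""
        st = self.sources.get(ip)
        if st is None:
            st = self.sources[ip] = SourceState(OPEN, now + LEVELS[OPEN][3])
        while st.level < OPEN and now >= st.expires:
            st.level += 1                       # climb one level per lapsed expiry
            st.expires += LEVELS[st.level][3]
        return st

    def alert(self, ip, now):
        """Record one flood alert from ip at time now; return the new level."""
        st = self._state(ip, now)
        st.level = max(0, st.level - 1)         # never below Level 0
        st.expires = now + LEVELS[st.level][3]
        return st.level

    def level_of(self, ip, now):
        return self._state(ip, now).level

    def iptables_rule(self, ip, now, port=80):
        """iptables command(s) that enforce ip's current level; None when open."""
        name, action, pps, _ = LEVELS[self.level_of(ip, now)]
        if action == "open":
            return None
        if action == "block":
            return f"iptables -A INPUT -s {ip} -j DROP  # {name}"
        # -m limit is a token bucket: packets beyond pps/second do not match the
        # ACCEPT rule and fall through to the DROP rule appended after it.
        return (f"iptables -A INPUT -s {ip} -p tcp --dport {port} "
                f"-m limit --limit {pps}/second -j ACCEPT && "
                f"iptables -A INPUT -s {ip} -p tcp --dport {port} -j DROP  # {name}")


def process_alerts(lines):
    """Feed alert lines (e.g. SAMPLE_ALERTS) to a fresh limiter and return it."""
    limiter = RateLimiter()
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:                                   # malformed lines are skipped
            limiter.alert(m.group(2), int(m.group(1)))
    return limiter


if __name__ == "__main__":
    rl = process_alerts(SAMPLE_ALERTS)
    for ip in ("10.0.0.5", "10.0.0.9"):
        print(ip, LEVELS[rl.level_of(ip, 20)][0], rl.iptables_rule(ip, 20))
```

Two points a practitioner should check before deploying something like this: the rule strings must replace, not append to, any earlier rule for the same source (otherwise the old ACCEPT keeps matching first), and expirations are evaluated lazily here, so a separate sweep is needed if the firewall rules themselves are to be removed on time rather than on the next alert.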

Page 14: A2D2 QoS Results - Baseline

10-min video stream between Real Player and Real Server, no DDoS attack
Packets Received: around 23,000 (23,445)

Figure: QoS experienced at A2D2 by Real Player client with no DDoS; playout buffering to avoid jitter.

Page 15: A2D2 Results – Non-stop Attack

Packets Received: 8,039
Retransmission Request: 2,592
Retransmission Received: 35
Lost: 2,557
Connection Timed-out

Figure: QoS experienced at A2D2 client; loss of packets.

Page 16: A2D2 Results – UDP Attack, Mitigation: Firewall Policy

Packets Received: 23,407
Retransmission Request: 0
Retransmission Received: 0
Lost: 0

Looks like we just need plain old firewall rules, no fancy rate limiting/CBQ?

Figure: QoS experienced at A2D2 client.

Page 17: A2D2 Results – ICMP Attack, Mitigation: Firewall Policy

Packets Received: 7,127
Retransmission Request: 2,105
Retransmission Received: 4
Lost: 2,101
Connection Timed-out

Just a plain old firewall rule is not good enough!

Figure: QoS experienced at A2D2 client; packet/connection loss.

Page 18: A2D2 Results – TCP Attack, Mitigation: Policy+CBQ

Turn on CBQ
Packets Received: 22,179
Retransmission Request: 4,090
Retransmission Received: 2,641
Lost: 1,449

Screen quality impact!

Figure: QoS experienced at A2D2 client; looks OK but quality degrades.

Page 19: A2D2 Results – TCP Attack, Mitigation: Policy+CBQ+Rate Limiting

Turn on both CBQ and rate limiting
Packets Received: 23,444
Retransmission Request: 49 – 1,376
Retransmission Received: 40 – 776
Lost: 9 – 600

No image quality degradation

Figure: QoS experienced at A2D2 client.

Page 20: A2D2 Future Work

– Extend to include IDIP/Pushback
– Anomaly detection
– Improve firewall/IDS processing speed
– Scalability issues
– Tests with more service types
– Tests with heavy client traffic volume
– Fault tolerance (multiple firewall devices)
– Alternate routing

Page 21: Wouldn't it be Nice to Have Alternate Routes?

Diagram: the Victim sits behind its normal router R and is flooded with DDoS attack traffic from agents (A) in net-a.com, net-b.com and net-c.com, each network with its own DNS server (DNS1, DNS2, DNS3) and router R. Legitimate client traffic is mixed in with the attack traffic. The victim also has its own DNS and alternate gateways R1, R2, R3 that carry no attack traffic.

How to reroute clients' traffic through R1-R3?

Page 22: Implement Alternate Routes

Diagram: same topology as Page 21 (Victim behind router R, agents in net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3, alternate gateways R1, R2, R3, DDoS attack traffic and client traffic).

Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide IP addresses of alternate gateways?

Page 23: Possible Solution for Alternate Routes

Diagram: same topology as Page 21, with Proxy1, Proxy2, Proxy3 placed in front of the alternate gateways R1, R2, R3. The victim sends a distress call; a reroute command is sent with the DNS/IP address of the proxy and the victim. Attack messages toward the proxies are blocked by IDS. New route via Proxy3 to R3.

Page 24: Secure Collective Defense

Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal: provide secure alternate routes; hide IP addresses of alternate gateways.
Techniques:
– Multiple Path Routing
– Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
– Utilize a consortium of proxy servers with IDS that hides the IP address of alternate gateways
Open questions:
– How to partition clients to come in at different proxy servers? This may help identify the attacker!
– How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, modify the resolver library?
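The partitioning question raised on this slide (and the "which clients are not compromised?" question on Page 22) can be answered by adaptive group testing over the proxy consortium: each proxy hides one alternate gateway and only tells its assigned clients its own address, so a proxy whose IDS then sees attack traffic must have a compromised client among that group. The following is an added example written for this page, not the Secure Collective Defense project's protocol; the halving strategy, the client names and the simulated compromised clients are constructed for illustration.

```python
"""Partitioning clients across alternate proxies to isolate attacking clients.

Added illustration of the idea on this slide that spreading clients over
different proxy servers can help identify the attacker. It is not the Secure
Collective Defense project's own protocol: the halving strategy, the client
names and the simulated compromised clients are constructed for this example.
Model: each proxy hides one alternate gateway and only tells its assigned
clients its own address; a proxy whose IDS then sees attack traffic must have
a compromised client among those assigned to it.
"""
from collections import deque

# Constructed population: 16 clients, two of them secretly compromised.
CLIENTS = [f"client{i:02d}" for i in range(1, 17)]
COMPROMISED = {"client05", "client12"}


def simulated_proxy_ids(group):
    """Stand-in for a proxy's IDS report: attacked iff a compromised client was
    told this proxy's address (assumes compromised clients always attack)."""
    return any(c in COMPROMISED for c in group)


def isolate_attackers(clients, num_proxies, proxy_attacked):
    """Adaptive group testing over the proxy consortium.

    Each round assigns up to num_proxies client groups to distinct proxies.
    A group whose proxy is not attacked is cleared outright; an attacked group
    of one client names an attacker; a larger attacked group is split in two
    and re-tested in a later round. Returns (sorted attackers, rounds used).
    """
    pending = deque([list(clients)])
    attackers = []
    rounds = 0
    while pending:
        rounds += 1
        this_round = [pending.popleft() for _ in range(min(num_proxies, len(pending)))]
        for group in this_round:
            if not proxy_attacked(group):
                continue                      # every client in group is cleared
            if len(group) == 1:
                attackers.append(group[0])    # isolated: this client attacked
            else:
                mid = len(group) // 2
                pending.append(group[:mid])   # re-test both halves on their own proxies
                pending.append(group[mid:])
    return sorted(attackers), rounds


if __name__ == "__main__":
    found, rounds = isolate_attackers(CLIENTS, 3, simulated_proxy_ids)
    print("attackers:", found, "after", rounds, "rounds")
```

The inference only holds under the stated model: a compromised client that stays quiet after being given a proxy address is never caught, an attacker that learns proxy addresses some other way (for example from a second compromised host that was told a different proxy) breaks the attribution, and the number of rounds grows with the logarithm of the client count divided by the number of proxies available per round, so a small consortium needs several reroute cycles to converge.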

Page 25: New UCCS IA Degree/Certificate

Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (offered to Peterson AFB through NISSC): Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design

Page 26: New CS691 Course on Advanced System Security Design

– Use Matt Bishop's new Computer Security text
– Spring 2003: one class at UCCS; one at Peterson AFB
– Potential use of/cooperation with the Distributed Security Lab of Raytheon?
– Integrate security research results into course material, such as the A2D2, Secure Collective Defense and MPLS-VPN projects
– Invite speakers from industry such as Innerwall and AFA?
– Looking for potential joint exercises with other institutions such as AFA

Page 27: Joint Research/Teaching Effort on Information Assurance

– Penetration Analysis/Testing exercises?
– Intrusion Detection/Handling exercises?
– Other Cyberwarfare related projects?
– Security Forum organized by Dean Haefner/Dr. Ayen
– Security Seminar Series with CITTI funding support
– Look for speakers (suggestions?)