1Security Research 1/10/2003 chow
C. Edward Chow
Department of Computer Science, University of Colorado at Colorado Springs

Security Related Research Projects at UCCS Network Research Lab
Outline of the Talk

- Brief introduction to the Network/Protocol Research Lab at UCCS
- Network security related research projects at the UCCS Network/Protocol Research Lab:
  - Autonomous Anti-DDoS Project
  - Secure Collective Defense Project
  - BGP/MPLS based VPN Project
- Discussion on AFA-UCCS joint research/teaching projects on Information Assurance:
  - Penetration analysis/testing exercises?
  - Intrusion detection/handling exercises?
  - Other cyberwarfare related projects?
  - Security Forum/Seminar Series
UCCS Network Research Lab

Personnel:
- Director: Dr. C. Edward Chow
- Graduate students:
  - Chandra Prakash: Highly Available Linux kernel-based Content Switch
  - Ganesh Godavari: Linux based Secure Web Switch
  - Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
  - Longhua Li: IXP-based Content Switch
  - Yu Cai (Ph.D. research assistant): Multipath Routing
  - Jianhua Xie (Ph.D.): Secure Storage Networks
  - Frank Watson: Content Switch for Email Security
  - Paul Fong: Wireless AODV Routing for sensor networks
  - Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS
  - David Wikinson/Sonali Patankar: Secure Collective Defense
  - Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
  - Patricia Ferrao: Web-based Collaborative System Support
UCCS Network Lab Setup

- Gigabit fiber connection to the UCCS backbone
- Switch/Firewall/Wireless AP:
  - HP 4000 switch; 4 Linksys/D-Link switches
  - SonicWALL Pro 300 firewall
  - 8 Intel 7112 SSL accelerators; 4 7820 XML directors, donated by Intel
  - Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards)
  - Intel IXP12EB network processor evaluation board
- Servers: two Dell PowerEdge servers
- Workstations/PCs:
  - 8 Dell PCs (3 GHz to 500 MHz); 12 HP PCs (500 to 233 MHz)
  - 2 laptop PCs with Aironet 350 cards for mobile wireless
- OS: Red Hat Linux 8.0; Windows XP/2000
[Photo of the lab: HP 4000 switch with the gigabit fiber link to the UCCS backbone, workstations, a Dell server, and the Intel IXP network processor board]
[Photo: Intel 7110 SSL accelerators and 7280 XML director]
DDoS: Distributed Denial of Service Attack

DDoS victims:
- Yahoo/Amazon, 2000
- CERT, 5/2001
- DNS root servers, 10/2002

DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)

[Diagram: DDoS attack hierarchy. The mastermind/intruder controls a client (attack commander), which commands handlers (middlemen), each of which drives several agents (attackers).]
How widespread is DDoS?

Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks observed in a 3-week period. Most of the targets were home users and small to medium sized organizations.
Intrusion Related Research Areas

- Intrusion prevention: general security policy; ingress/egress filtering
- Intrusion detection: anomaly detection; misuse detection
- Intrusion response: identification/traceback/pushback; intrusion tolerance
Security Related Research Projects

- Secure Content Switch
- Autonomous Anti-DDoS Project: deals with intrusion detection and handling. Techniques:
  - IDS-firewall integration
  - Adaptive firewall rules
  - Easy to use/manage
- Secure Collective Defense Project: deals with intrusion tolerance, i.e. how to keep serving clients while under attack. Main idea: explore secure alternate paths for clients to come in. Techniques:
  - Multiple path routing
  - Secure DNS extension: how to inform client DNS servers to add alternate new entries
  - Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways
- BGP/MPLS based VPN Project
- Content Switch for Email Security
Design of an Autonomous Anti-DDoS Network (A2D2)

Graduate student: Angela Cearns

Goals:
- Study the Linux Snort IDS/firewall system
- Develop a Snort plug-in for generic flood detection
- Investigate rate limiting and class based queueing for effective firewall protection
- Have intrusion detection automatically trigger adaptive firewall rule updates
- Study the QoS impact with and without the A2D2 system

http://cs.uccs.edu/~chow/pub/master/acearns/doc/
[Diagram: A2D2 testbed]
- Attack network 128.198.61.0/25 (NM 255.255.255.128, GW 128.198.61.1), reached through a 100 Mbps switch that plays the simulated Internet and connects to the public network 128.198 and the Internet. Hosts: Saturn 128.198.61.11 (DDoS master client and handler); Alpha 128.198.61.15, Beta 128.198.61.16, Gamma 128.198.61.17, Delta 128.198.61.18 (DDoS agents).
- Autonomous Anti-DDoS Network (A2D2): a Linux router (hosts labelled Pluto and Titan) running the firewall (iptables), the security policy, multi-level rate limiting and class-based queuing (CBQ). eth0: 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1: 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12. An IDS sits on the DMZ (10 Mbps hub); IDS alerts trigger the multi-level rate limiting.
- Private subnet 192.168.0: Real Server at 192.168.0.2 (NM 255.255.0.0, GW 192.168.0.1). Traffic classes shown: 70% HTTP/RealPlayer, 15% SMTP/POP3, 10% SSH/SFTP, 5% SYN/ICMP/DNS.
- Real Player clients behind a 100 Mbps switch: Client1 128.198.a.195, Client2 128.198.b.82, Client3 128.198.c.31.
A2D2 Multi-Level Adaptive Rate Limiting

[Diagram: firewall gateway (Linux router with multi-level rate limiting; eth0 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12) and the IDS. Snort runs as ./snort -A UNSOCK; the flood preprocessor threshold and flood rate limiter preprocessor thresholds are set in snort.conf. report.c/alert feeds rateif.pl, which reads levels, rate, expiration, port number etc. from rateif.conf.]

Rate-limiting levels:
- Level 4: Open (5 days)
- Level 3: 100 p/s
- Level 2: 50 p/s
- Level 1: Block (2 hrs)
- Level 0: Block (2 days)
The diagram also shows a "Level 1 expires" transition back up the ladder.
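The control loop on this slide (Snort alert -> rateif.pl -> firewall rule change, with the level ladder above) can be made concrete with a small model. The following is an added example, not A2D2's own rateif.pl or Snort plug-in: it parses Snort fast-format alert lines, keeps a per-source level that every flood alert lowers by one and every expired timer raises by one, and returns the iptables commands a Linux gateway would run. Only the 5-day, 2-hour and 2-day timers and the 100 and 50 p/s rates come from the slide; the alert texts, the expiry of levels 3 and 2, the use of iptables -m limit, and the step-up-on-expiry behaviour are assumptions. The source and server addresses are taken from the testbed diagram.

```python
"""Multi-level adaptive rate limiting driven by IDS flood alerts (model).

Added example, not A2D2's own rateif.pl.  Level ladder as on the slide:
4 = open, 3 = 100 p/s, 2 = 50 p/s, 1 = block 2 h, 0 = block 2 days.  Each
flood alert for a source demotes it one level; when a level's timer expires
the source is promoted one level.  Expiry times for levels 3 and 2, the alert
texts and the exact iptables rules are assumptions.  Nothing is executed; the
methods return the commands a gateway would run.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

HOUR, DAY = 3600, 24 * 3600
# level -> (action, packets/s or None, seconds until the level expires)
LEVELS = {
    4: ("open", None, 5 * DAY),
    3: ("limit", 100, DAY),      # expiry assumed; not on the slide
    2: ("limit", 50, DAY),       # expiry assumed; not on the slide
    1: ("block", None, 2 * HOUR),
    0: ("block", None, 2 * DAY),
}

# Snort "fast" alert layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>\d+(?:\.\d+){3})(?::\d+)? -> (?P<dst>\d+(?:\.\d+){3})(?::\d+)?"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return src/dst/proto/msg of a flood alert, or None for any other alert."""
    m = ALERT_RE.search(line)
    if m is None or "FLOOD" not in m["msg"].upper():
        return None
    return m.groupdict()


def rules_for(ip: str, level: int) -> List[str]:
    """iptables rule bodies (without -I/-D) that enforce `level` for one source.
    Order matters: the limit/ACCEPT rule must sit above the DROP rule."""
    action, pps, _ = LEVELS[level]
    if action == "open":
        return []
    drop = f"FORWARD -s {ip} -j DROP"
    if action == "block":
        return [drop]
    return [f"FORWARD -s {ip} -m limit --limit {pps}/second --limit-burst {pps} -j ACCEPT", drop]


@dataclass
class Offender:
    level: int
    expires: float


class RateLimiter:
    def __init__(self) -> None:
        self.state: Dict[str, Offender] = {}

    def _move(self, ip: str, old: int, new: int, now: float) -> List[str]:
        """Swap the rule set for `ip` from level `old` to `new`; return the commands."""
        before, after = rules_for(ip, old), rules_for(ip, new)
        cmds = [f"iptables -D {r}" for r in before if r not in after]
        # -I inserts at the top of the chain, so insert in reverse to keep ACCEPT above DROP
        cmds += [f"iptables -I {r}" for r in reversed(after) if r not in before]
        self.state[ip] = Offender(new, now + LEVELS[new][2])
        return cmds

    def handle_alert(self, line: str, now: float) -> List[str]:
        """One IDS alert: demote the source one level (floor at level 0)."""
        alert = parse_alert(line)
        if alert is None:
            return []
        cur = self.state.get(alert["src"], Offender(4, now + LEVELS[4][2]))
        return self._move(alert["src"], cur.level, max(cur.level - 1, 0), now)

    def expire(self, now: float) -> List[str]:
        """Timer tick: promote sources whose level has expired; forget quiet ones."""
        cmds: List[str] = []
        for ip, off in list(self.state.items()):
            if off.expires > now:
                continue
            if off.level == 4:
                del self.state[ip]          # open for the full 5 days: forget it
            else:
                cmds += self._move(ip, off.level, off.level + 1, now)
        return cmds

    def level(self, ip: str) -> int:
        return self.state[ip].level if ip in self.state else 4


# Constructed alert lines in Snort fast format: the FLOOD message stands in for a
# generic flood preprocessor; the second line is an ordinary rule hit to be ignored.
FLOOD_ALERT = ("01/10-14:02:11.123456 [**] [1:1000001:1] FLOOD: UDP flood detected [**] "
               "[Priority: 1] {UDP} 128.198.61.15:4444 -> 192.168.0.2:7070")
OTHER_ALERT = ("01/10-14:02:12.654321 [**] [1:469:1] ICMP PING NMAP [**] "
               "[Classification: Attempted Information Leak] [Priority: 2] {ICMP} 128.198.61.16 -> 192.168.0.2")

if __name__ == "__main__":
    rl = RateLimiter()
    for t in (0, 10, 20, 30):
        for cmd in rl.handle_alert(FLOOD_ALERT, t):
            print(f"t={t:>7}: {cmd}")
    print("ignored:", rl.handle_alert(OTHER_ALERT, 40))
    for t in (30 + 2 * DAY, 30 + 2 * DAY + 2 * HOUR):
        for cmd in rl.expire(t):
            print(f"t={t:>7}: {cmd}")
```

Four flood alerts in a row walk 128.198.61.15 from open down to a 2-day block; a fifth alert at level 0 only refreshes the timer. Because `-I` prepends, the DROP rule is inserted before the ACCEPT rule so that the limited traffic is still accepted; a real deployment would also want per-port limits (the slide's rateif.conf carries a port number) and a dedicated chain per offender instead of editing FORWARD directly.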
A2D2 QoS Results - Baseline

10-min video stream between Real Player and Real Server, no DDoS attack:
- Packets received: around 23,000 (23,445)

[Figure: QoS experienced at the A2D2 Real Player client with no DDoS; playout buffering avoids jitter]
A2D2 Results - Non-stop Attack

- Packets received: 8,039
- Retransmission requests: 2,592
- Retransmissions received: 35
- Lost: 2,557
- Connection timed out

[Figure: QoS experienced at the A2D2 client; loss of packets]
A2D2 Results - UDP Attack, Mitigation: Firewall Policy

- Packets received: 23,407
- Retransmission requests: 0; retransmissions received: 0; lost: 0

Looks like we just need plain old firewall rules, no fancy rate limiting/CBQ?

[Figure: QoS experienced at the A2D2 client]
A2D2 Results - ICMP Attack, Mitigation: Firewall Policy

- Packets received: 7,127
- Retransmission requests: 2,105
- Retransmissions received: 4
- Lost: 2,101
- Connection timed out

Just a plain old firewall rule is not good enough!

[Figure: QoS experienced at the A2D2 client; packet/connection loss]
A2D2 Results - TCP Attack, Mitigation: Policy + CBQ

Turn on CBQ:
- Packets received: 22,179
- Retransmission requests: 4,090
- Retransmissions received: 2,641
- Lost: 1,449

Screen quality impact!

[Figure: QoS experienced at the A2D2 client; looks OK but quality degrades]
A2D2 Results - TCP Attack, Mitigation: Policy + CBQ + Rate Limiting

Turn on both CBQ and rate limiting:
- Packets received: 23,444
- Retransmission requests: 49 to 1,376
- Retransmissions received: 40 to 776
- Lost: 9 to 600

No image quality degradation.

[Figure: QoS experienced at the A2D2 client]
A2D2 Future Work

- Extend to include IDIP/Pushback
- Anomaly detection
- Improve firewall/IDS processing speed
- Scalability issues
- Tests with more service types
- Tests with heavy client traffic volume
- Fault tolerance (multiple firewall devices)
- Alternate routing
Wouldn't it be Nice to Have Alternate Routes?

[Diagram: the victim is reached through its routers R, with alternate gateways R1, R2, R3 available. Client networks net-a.com, net-b.com and net-c.com each have a DNS server (DNS1, DNS2, DNS3). Attack agents (A) in those networks send DDoS attack traffic to the victim alongside legitimate client traffic.]

How to reroute the clients' traffic through R1-R3?
Implement Alternate Routes

[Diagram: same topology as the previous slide: victim, alternate gateways R1-R3, client networks net-a.com/net-b.com/net-c.com with DNS1-DNS3, attack agents mixed in with the clients.]

- Need to inform the clients or the client DNS servers!
- But how to tell which clients are not compromised?
- How to hide the IP addresses of the alternate gateways?
Possible Solution for Alternate Routes

[Diagram: the victim sends a distress call to a consortium of proxy servers (Proxy1, Proxy2, Proxy3). A proxy sends a reroute command, carrying the DNS name/IP address of the proxy and of the victim, to the client DNS servers. Client traffic then takes a new route via Proxy3 to alternate gateway R3. Attack messages are blocked by the IDS at the proxies, and the original path to the victim is blocked.]
Secure Collective Defense

Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.

Goal:
- Provide secure alternate routes
- Hide the IP addresses of the alternate gateways

Techniques:
- Multiple path routing
- Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry).
- Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways.
- How to partition clients to come in at different proxy servers? This may help identify the attacker!
- How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, modify the resolver library?
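The partitioning question above has a concrete answer for the single-attacker case, shown here as an added example (not the Secure Collective Defense project's code). Number the victim's known clients 0..N-1 and, in round r, send client i to proxy (i div P^r) mod P, i.e. by digit r of i in base P. A proxy sees attack traffic at its IDS only if it serves an attacker, so after each round the suspect set shrinks to the clients that were routed to attacked proxies; after ceil(log_P N) rounds a single compromised client is isolated. The client names, the three proxy names, and the digit-based assignment rule are assumptions; the slide only poses the question.

```python
"""Partitioning clients across proxy servers to localize an attacker (model).

Added example, not the Secure Collective Defense project's code.  In round r,
client number i is routed to proxy (i // P**r) % P (digit r of i in base P).
A proxy whose IDS sees attack traffic must be serving an attacker, so the
suspect set shrinks each round to the clients routed to attacked proxies.
Client names, proxy names and the assignment rule are assumptions.
"""
from typing import Dict, List, Set, Tuple

Assignment = Dict[str, str]


def rounds_needed(n_clients: int, n_proxies: int) -> int:
    """Smallest k with P**k >= N: enough rounds to give every client a distinct path."""
    k = 0
    while n_proxies ** k < n_clients:
        k += 1
    return max(k, 1)


def assign(clients: List[str], proxies: List[str], round_no: int) -> Assignment:
    """Round r sends client i to proxy (i // P**r) % P.  The reroute command sent
    to that client's DNS server names only the proxy, never the alternate gateway."""
    p = len(proxies)
    return {c: proxies[(i // p ** round_no) % p] for i, c in enumerate(clients)}


def attacked_proxies(assignment: Assignment, attackers: Set[str]) -> Set[str]:
    """What the proxies' IDSs report this round: the proxies serving an attacker.
    An attacker that is not a known client never learns a proxy and shows up nowhere."""
    return {assignment[a] for a in attackers if a in assignment}


def narrow(suspects: Set[str], assignment: Assignment, attacked: Set[str]) -> Set[str]:
    """Keep only the suspects that were routed to a proxy that saw attack traffic."""
    return {c for c in suspects if assignment[c] in attacked}


def identify(clients: List[str], proxies: List[str], attackers: Set[str]) -> Tuple[Set[str], int]:
    """Re-partition round by round; return (remaining suspects, rounds used).
    With one attacker the result is exactly that client.  With several, every
    attacker is kept but innocents that shared a proxy with one every round remain."""
    k = rounds_needed(len(clients), len(proxies))
    suspects = set(clients)
    for r in range(k):
        a = assign(clients, proxies, r)
        suspects = narrow(suspects, a, attacked_proxies(a, attackers))
        if len(suspects) <= 1:
            return suspects, r + 1
    return suspects, k


# Constructed population: 64 clients of the victim and the three proxies on the slide.
CLIENTS = [f"client-{i:02d}" for i in range(64)]
PROXIES = ["Proxy1", "Proxy2", "Proxy3"]

if __name__ == "__main__":
    found, used = identify(CLIENTS, PROXIES, {"client-37"})
    print(f"one attacker:  {sorted(found)} after {used} rounds")
    found, used = identify(CLIENTS, PROXIES, {"client-10", "client-37"})
    print(f"two attackers: {sorted(found)} after {used} rounds")
    found, used = identify(CLIENTS, PROXIES, {"outsider"})
    print(f"unknown host:  {sorted(found)} after {used} rounds (no known client is attacking)")
```

With 64 clients and 3 proxies, four rounds isolate client-37; two attackers that happen to share a proxy in three of the four rounds are both retained, which is the correct outcome, while an attacker outside the client list empties the suspect set after one round. In a real deployment the digit schedule would be replaced by a keyed hash so the attacker cannot predict which proxy a rerouted client will be given.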
New UCCS IA Degree/Certificate

- Master of Engineering degree in Information Assurance
- Certificate in Information Assurance (offered to Peterson AFB through NISSC)
- Courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design
New CS691 Course on Advanced System Security Design

- Use Matt Bishop's new Computer Security text
- Spring 2003: one class at UCCS; one at Peterson AFB
- Potential use of/cooperation with the Distributed Security Lab of Raytheon?
- Integrate security research results into the course material, such as the A2D2, Secure Collective Defense and MPLS-VPN projects
- Invite speakers from industry, such as Innerwall, and from AFA?
- Looking for potential joint exercises with other institutions such as AFA
Joint Research/Teaching Effort on Information Assurance

- Penetration analysis/testing exercises?
- Intrusion detection/handling exercises?
- Other cyberwarfare related projects?
- Security Forum organized by Dean Haefner/Dr. Ayen
- Security Seminar Series with CITTI funding support
- Looking for speakers (suggestions?)