
Page 1: Protecting Network Quality of Service against Denial of Service Attacks

Douglas S. Reeves, S. Felix Wu, Chandru Sargor
N. C. State University / MCNC
October 6, 1999
Tolerant Networks Program, BAA99-10 Kickoff Meeting

Page 2: Quality of Service - a New Capability for Packet-Switching

New services:
– guaranteed minimum bandwidth
– guaranteed maximum delay
– guaranteed maximum loss rate
Guaranteeing QoS for a “flow” requires providing adequate resources

Page 3: IntServ / RSVP Operation

[Figure: RSVP signaling from SRC to DST. PATH messages carry Tspec = 5M; the ADspec starts at 5M and is lowered hop by hop (5M, 4M, 3M) to the bandwidth each router can offer. DST accepts (“That looks fine to me…”) and the RESV messages reserve 3M back along the path.]

Page 4: DiffServ

[Figure: a DiffServ domain carrying two DATA flows, SRC1 → DST1 and SRC2 → DST2, under a Service Agreement and Traffic Agreement.]

Page 5: Quality of Service - A New Vulnerability

Normal users will try to get maximum QoS without regard to others
Malicious users will try to deny quality of service for others

Page 6: The ARQOS Project

Selective verification of reservation signaling (SVR)
Congestion pricing of scarce resources ($$$)
Monitoring of data flows, and integration with intrusion detection (IDS)

Page 7: SVR: Attacking ADSpec

[Figure: the same SRC-to-DST path as on page 3. The ADSpec enters the path as 5M but is reported as 200M further along it; DST accepts (“That looks fine to me…”), and reservation requests of 200M and of 5M appear on different segments of the path.]

Page 8: SVR: IETF RSVP Security (current solution proposed by Fred Baker)

All routers, even including those not on the path, share the same “key table”
Hop-by-hop authentication of messages: outsiders tampering with packets will be detected, but corrupted insiders will not be detected

Page 9: SVR: IETF RSVP Security (cont.)

[Figure: routers A and B sharing a secret key; A forwards the ADSpec to B.]
A & B trust each other; if A is compromised and sends a faulty ADSpec, there is no way for B to know about it

Page 10: SVR: Our Approach

[Figure: the SRC-to-DST path with ADSpec = 5M observed at one point and ADSpec = 200M at another.]
Correlation and Verification of the Correctness Properties

Page 11: SVR: Verification of Reservations

No need to introduce new features to RSVP or other existing protocols
Do not need to install verification agents in every router
Capable of detecting insider attacks
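The SVR check described on pages 10 and 11, as an added example that is not ARQOS code: observations from verification agents on a subset of the routers are correlated and tested against assumed correctness properties (Tspec is identical at every hop, ADspec never increases along the path, and a RESV request never exceeds min(Tspec, ADspec)). Router names, hop indices and the 5M/200M values are constructed from the figures.

```python
"""Selective verification of RSVP reservation signaling (SVR).  Added example,
not ARQOS code.  Assumed correctness properties, suggested by the figures:
(1) the PATH message's Tspec is end-to-end and identical at every hop;
(2) the PATH message's ADspec bandwidth never increases from hop to hop;
(3) a RESV request never exceeds min(Tspec, ADspec seen at that hop).
Only routers hosting a verification agent contribute observations."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HopObservation:
    router: str
    hop_index: int   # position on the SRC -> DST path (0 = first hop)
    tspec: int       # Tspec in the PATH message, bit/s
    adspec: int      # ADspec bandwidth in the PATH message, bit/s
    resv: int        # bandwidth requested by the RESV message seen here


def verify_reservation(observations):
    """Correlate agent observations along one path; return (kind, where) pairs.

    'where' names the interval between two observing routers, so tampering is
    localised even when the routers in between carry no agent."""
    hops = sorted(observations, key=lambda o: o.hop_index)
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if cur.tspec != prev.tspec:
            findings.append(("tspec_modified", f"{prev.router}->{cur.router}"))
        if cur.adspec > prev.adspec:
            findings.append(("adspec_inflated", f"{prev.router}->{cur.router}"))
    for obs in hops:
        if obs.resv > min(obs.tspec, obs.adspec):
            findings.append(("resv_exceeds_bound", obs.router))
    return findings


M = 1_000_000
# Constructed observations.  HONEST mirrors page 3 (ADspec 5M, 4M, 3M; 3M
# reserved).  TAMPERED mirrors page 7: the agent-less router between R1 and R3
# rewrote the ADspec from 5M to 200M and passed a 5M request back upstream.
HONEST = [HopObservation("R1", 0, 5 * M, 5 * M, 3 * M),
          HopObservation("R2", 1, 5 * M, 4 * M, 3 * M),
          HopObservation("R3", 2, 5 * M, 3 * M, 3 * M)]
TAMPERED = [HopObservation("R1", 0, 5 * M, 5 * M, 5 * M),
            HopObservation("R3", 2, 5 * M, 200 * M, 200 * M)]
```

With an agent on R1 and R3 only, the tampered path is flagged as inflated on the R1->R3 interval and over-reserved at R3, which is the localisation the slides' insider case needs without an agent in every router.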

Page 12: SVR: Status

Identified types of possible attacks on RSVP signals
Solutions for detecting the most important types of attacks
Now implementing attacks and solutions

Page 13: $$$: Competing for Services

[Figure: six users contending for Network Resources.]
Service Provider: “You can have 5M, 2M, or 1M, at no cost; what do you want, and for how long?”
Users: “We all want 5M, from now on!” (each of the six users takes 5M)

Page 14: $$$: Influencing Behavior

Disincentives for bad behavior: users incur costs for resource usage
Incentives for good behavior: profits for service providers

Page 15: $$$: Competition (cont.)

Service Provider: “5M costs $3/min, 2M costs $2/min, 1M costs $1/min.”
Users: [Figure: with prices attached, the six users now choose 5M@$3, 2M@$2, 5M@$3, 1M@$1, 5M@$3 and 1M@$1 from the Network Resources.]

Page 16: $$$: Pricing of Resources

Price is right when demand = supply
Flexibility
– combinations of resources and services
– user endowments for non-monetary goals
How are prices set, by whom, and how are they distributed?

Page 17: $$$: Goals and Assumptions

Fairness vs. “maximum aggregate utility”
The time and data scales for which this is useful
Real money, or play money?
Charging senders, or receivers?
The overhead of billing and accounting

Page 18: $$$: Status

Pricing method
Integration with RSVP
Integration with DiffServ
Infrastructure

Page 19: IDS: Attacks on the Data Flow

From a malicious host (external to network)
– spoof high priority data flow packets
– send large amounts of data to ingress router to overload it
From a compromised ingress router
– admit/discard traffic in violation of service agreement
– inappropriate marking of admitted traffic

Page 20: IDS: Possible Attacks (cont.)

From a compromised ingress router (cont.)
– delay/drop packets from selected flows
– generate additional traffic to degrade overall network QoS
From a compromised core router
– randomly re-mark flows
– delay/drop packets from selected flows
– generate additional traffic to degrade overall network QoS

Page 21: IDS: Intrusion Detection System

[Figure: IDS architecture. Components: Network, Filtering Engine, Profile-Based Analyzer, Rule-Based Analyzer, Decision Module, IDS MIB, and a Security Management Entity reached over SNMPv3.]

Page 22: IDS: Detecting Re-marked Packets

Downstream IDS will detect anomalous change in IP header and raise alarm via SNMP
Security management entity will receive alarms from IDS entities and correlate them
Security management entity will query other routers on the path to isolate compromised router
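The detection and isolation steps on this page, as an added example that is not ARQOS code: each downstream IDS compares the DSCP it observes for a flow with the mark recorded at the ingress router, and the security management entity correlates the resulting alarms along the flow's known router path to bound where the re-marking happened. Flow ids, router names and the EF/best-effort code points are constructed; SNMP transport of the alarms is not modelled.

```python
"""Detecting re-marked DiffServ packets and isolating the re-marking router.
Added example, not ARQOS code.  Assumptions: IDS entities on a subset of the
routers report the DSCP they observe per flow; the security management entity
knows each flow's ordered router path and takes the DSCP recorded at the
ingress router (first on the path) as the reference.  SNMP alarm transport is
not modelled; flow ids and router names are constructed."""
from collections import namedtuple

EF, BE = 46, 0   # DSCP code points: Expedited Forwarding, best effort
Alarm = namedtuple("Alarm", "flow router expected observed")


def detect_remarking(paths, observations):
    """Downstream-IDS check: flag every observation whose DSCP differs from the
    ingress mark.  paths: {flow: [routers]}; observations: {(router, flow): dscp}."""
    alarms = []
    for (router, flow), dscp in sorted(observations.items()):
        expected = observations.get((paths[flow][0], flow))
        if expected is not None and dscp != expected:
            alarms.append(Alarm(flow, router, expected, dscp))
    return alarms


def isolate_remarking_router(alarms, paths, observations):
    """Security management entity: correlate alarms per flow and return
    {flow: (last router reporting the correct DSCP, first reporting a wrong one)}.
    The re-marking router lies in that interval; routers without an IDS are
    skipped, so the interval may span more than one hop."""
    result = {}
    for flow in sorted({a.flow for a in alarms}):
        expected = observations[(paths[flow][0], flow)]
        last_good = first_bad = None
        for router in paths[flow]:
            dscp = observations.get((router, flow))
            if dscp is None:
                continue          # no IDS entity on this router
            if dscp == expected:
                last_good = router
            else:
                first_bad = router
                break
        result[flow] = (last_good, first_bad)
    return result


# Constructed data: flow f1 (marked EF at ingress R1) crosses R1..R4 with IDS
# entities on R1, R3 and R4 only; a router between R1 and R3 re-marked it to
# best effort.  Flow f2 on the same path is untouched.
PATHS = {"f1": ["R1", "R2", "R3", "R4"], "f2": ["R1", "R2", "R3", "R4"]}
OBSERVED = {("R1", "f1"): EF, ("R3", "f1"): BE, ("R4", "f1"): BE,
            ("R1", "f2"): EF, ("R3", "f2"): EF, ("R4", "f2"): EF}
```

For f1 the interval comes back as (R1, R3): the re-marking happened at R2 or R3, and those are the routers the management entity would query next to finish the isolation.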

Page 23: IDS: Status

Enhance JiNao implementation to make it protocol independent
– originally targeted for OSPF attack detection
– now can be used to detect attacks against any protocol
Identification of data flow attacks
Preliminary design of IDS system

Page 24: Conclusions

Started August ’99
Implementing RSVP / DiffServ testbed
Exploring collaborations with vendors