1
Protecting Network Quality of Service against Denial of Service Attacks
Douglas S. Reeves, S. Felix Wu, Chandru Sargor
N. C. State University / MCNC
October 6, 1999
Tolerant Networks Program
BAA99-10 Kickoff Meeting
2
Quality of Service - a New Capability for Packet-Switching
New services:
– Guaranteed minimum bandwidth
– Guaranteed maximum delay
– Guaranteed maximum loss rate
Guaranteeing QoS for a “flow” requires providing adequate resources
3
IntServ / RSVP Operation
[Diagram: PATH messages travel from SRC to DST carrying Tspec = 5M; the ADspec is reduced hop by hop (ADspec = 5M, 4M, 3M); DST returns RESV messages reserving 3M (Reserve 3M at each hop), and each router accepts: "That looks fine to me…"]
4
DiffServ
[Diagram: DATA flows from SRC1 to DST1 and from SRC2 to DST2, governed by a Service Agreement and Traffic Agreement]
5
Quality of Service - A New Vulnerability
Normal users will try to get maximum QoS without regard to others
Malicious users will try to deny quality of service for others
6
The ARQOS Project
Selective verification of reservation signaling (SVR)
Congestion pricing of scarce resources ($$$)
Monitoring of data flows, and integration with intrusion detection (IDS)
7
SVR: Attacking ADSpec
[Diagram: SRC advertises ADSpec = 5M; on the DST side the PATH carries ADSpec = 200M; the reservations flowing back are labelled Reserve 200M and Reserve 5M, and the router again says "That looks fine to me…"]
8
SVR: IETF RSVP Security (current solution proposed by Fred Baker)
All routers, even including those not on the path, share the same “key table”
Hop-by-hop authentication of messages
– outsiders tampering with packets will be detected, but corrupted insiders will not be detected
9
SVR: IETF RSVP Security (cont.)
Sharing a secret key
[Diagram: A sends an ADSpec to B]
A & B trust each other; if A is compromised and sends a faulty ADSpec, there is no way for B to know about it
10
SVR: Our Approach
[Diagram: SRC advertises ADSpec = 5M while the path toward DST carries ADSpec = 200M]
Correlation and Verification of the Correctness Properties
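An added example (not code from the ARQOS project) of the kind of ADspec correctness check slides 3, 7 and 10 describe: it simulates how a PATH message's ADspec is reduced hop by hop, then correlates the values seen at whichever hops happen to be monitored and flags any hop whose advertisement grew. The property checked (ADspec may shrink but never grow), the router names and the capacities are assumptions.

```python
# Added example, not code from the ARQOS project.
# Assumed correctness property: ADspec is the minimum of what every hop so far
# can offer, so it may shrink hop by hop but never grow (slide 3: 5M, 4M, 3M).

def propagate_adspec(tspec, routers, tampered=None):
    """Return [(hop, adspec), ...] as a PATH message travels SRC -> DST.

    routers:  list of (name, available_bandwidth_M); constructed values.
    tampered: {name: value} a compromised router writes instead of the
              honest min(previous ADspec, own availability)  (slide 7).
    """
    tampered = tampered or {}
    trace = [("SRC", tspec)]
    adspec = tspec
    for name, avail in routers:
        adspec = tampered.get(name, min(adspec, avail))
        trace.append((name, adspec))
    return trace

def observed(trace, monitored):
    """Keep only the hops where a verification agent is installed
    (slide 12: agents are not needed in every router)."""
    return [(hop, v) for hop, v in trace if hop in monitored]

def verify_adspec(trace):
    """Correlate consecutive observations; return (hop, upstream, seen) for
    the first hop whose ADspec exceeds the nearest upstream observation,
    or None when the property holds.  An insider that inflates ADspec is
    caught even though every message it signed was hop-by-hop authenticated."""
    for (_, upstream), (hop, seen) in zip(trace, trace[1:]):
        if seen > upstream:
            return (hop, upstream, seen)
    return None

# Constructed 3-router path after slide 3: 5M, 4M, 3M available.
PATH = [("R1", 5), ("R2", 4), ("R3", 3)]

if __name__ == "__main__":
    honest = propagate_adspec(5, PATH)
    print(honest, "->", verify_adspec(honest))           # None
    # Slide 7: the last router advertises 200M instead of 3M.
    attack = propagate_adspec(5, PATH, tampered={"R3": 200})
    print(attack, "->", verify_adspec(attack))           # ('R3', 4, 200)
    # Agents only at SRC, R1 and R3 still see 5M -> 200M and raise it.
    sparse = observed(attack, {"SRC", "R1", "R3"})
    print(sparse, "->", verify_adspec(sparse))           # ('R3', 5, 200)
```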
12
SVR: Verification of Reservations
No need to introduce new features to RSVP or other existing protocols
Do not need to install verification agents in every router
Capable of detecting insider attacks
14
SVR: Status
Identified types of possible attacks on RSVP signals
Solutions for detecting the most important types of attacks
Now implementing attacks and solutions
15
$$$: Competing for Services
[Diagram: Service Provider: "You can have 5M, 2M, or 1M, at no cost; what do you want, and for how long?" Users: "We all want 5M, from now on!" Network Resources: 5M 5M 5M 5M 5M 5M]
17
$$$: Influencing Behavior
Disincentives for bad behavior -- users incur costs for resource usage
Incentives for good behavior -- profits for service providers
18
$$$: Competition (cont.)
[Diagram: Service Provider: "5M costs $3/min, 2M costs $2/min, 1M costs $1/min." Users now ask for 5M@$3, 2M@$2, 5M@$3, 1M@$1, 5M@$3, 1M@$1 of the Network Resources]
19
$$$: Pricing of Resources
Price is right when demand = supply
Flexibility
– combinations of resources and services
– User endowments for non-monetary goals
How are prices set, by whom, and how are they distributed?
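An added example (not code from the ARQOS project) of the congestion-pricing idea in slides 15 through 19: six self-interested users choose among the 5M / 2M / 1M tiers, and the provider scales the slide-18 price list until demand no longer exceeds supply. The per-user valuations, the supply figures and the 10% price steps are constructed assumptions.

```python
# Added example, not code from the ARQOS project.  Prices are the $/min of
# slide 18; per-user valuations and the supply figures are constructed.

TIERS = (5, 2, 1)                         # offered rates in Mbps
BASE_PRICE = {5: 3.0, 2: 2.0, 1: 1.0}     # $/min, slide 18

# Constructed private value ($/min) each of the six users places on a tier.
USERS = [
    {5: 4.0, 2: 2.5, 1: 1.5},
    {5: 2.5, 2: 2.2, 1: 1.2},
    {5: 3.5, 2: 1.0, 1: 0.5},
    {5: 1.3, 2: 0.8, 1: 1.2},
    {5: 3.2, 2: 2.1, 1: 1.1},
    {5: 1.5, 2: 0.9, 1: 1.3},
]

def choose_tier(values, prices):
    """A self-interested user takes the tier with the largest positive
    surplus (value - price); 0 means it buys nothing at these prices."""
    best, best_surplus = 0, 0.0
    for tier in TIERS:
        surplus = values[tier] - prices[tier]
        if surplus > best_surplus:
            best, best_surplus = tier, surplus
    return best

def choices(prices):
    """Tier picked by each user, in USERS order."""
    return [choose_tier(u, prices) for u in USERS]

def demand(prices):
    """Total bandwidth requested at the given prices, in Mbps."""
    return sum(choices(prices))

def clearing_prices(supply_mbps, max_steps=200):
    """Scale the slide-18 price list up from zero in 10% steps until demand
    no longer exceeds supply ("price is right when demand = supply").
    Returns (prices, demand)."""
    for k in range(max_steps):
        prices = {t: round(BASE_PRICE[t] * k / 10, 2) for t in TIERS}
        d = demand(prices)
        if d <= supply_mbps:
            return prices, d
    raise RuntimeError("demand never fell to supply")

if __name__ == "__main__":
    free = {t: 0.0 for t in TIERS}
    print(choices(free), demand(free))              # slide 15: everyone wants 5M, 30
    print(choices(BASE_PRICE), demand(BASE_PRICE))  # slide 18: [5, 2, 5, 1, 5, 1], 19
    print(clearing_prices(13))                      # ({5: 3.3, 2: 2.2, 1: 1.1}, 13)
```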
21
$$$: Goals and Assumptions
Fairness vs. “maximum aggregate utility”
The time and data scales for which this is useful
Real money, or play money?
Charging senders, or receivers
The overhead of billing and accounting
22
$$$: Status
Pricing method
Integration with RSVP
Integration with DiffServ
Infrastructure
23
IDS: Attacks on the Data Flow
From a malicious host (external to network)
– spoof high priority data flow packets
– send large amounts of data to ingress router to overload it
From a compromised ingress router
– admit/discard traffic in violation of service agreement
– inappropriate marking of admitted traffic
24
IDS: Possible Attacks (cont.)
From a compromised ingress router (cont.)
– delay/drop packets from selected flows
– generate additional traffic to degrade overall network QoS
From a compromised core router
– randomly re-mark flows
– delay/drop packets from selected flows
– generate additional traffic to degrade overall network QoS
25
IDS: Intrusion Detection System
[Architecture diagram: Filtering Engine, Profile-Based Analyzer, Rule-Based Analyzer, Decision Module, IDS MIB, SNMPv3, Network, Security Management Entity]
26
IDS: Detecting Re-marked Packets
Downstream IDS will detect anomalous change in IP header – raise alarm via SNMP
Security management entity will receive alarms from IDS entities and correlate them
Security management entity will query other routers on the path to isolate compromised router
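An added example (not code from the ARQOS project) of the two steps above: each downstream IDS compares a flow's DSCP with the value recorded at the ingress edge and raises an alarm when it changes, and a hypothetical security management entity correlates the alarms to narrow the suspect routers to those between the last monitor that saw the correct mark and the first that saw the wrong one. The router names, the monitor placement, the flow and the sampled observations are all constructed.

```python
# Added example, not code from the ARQOS project.  Router names, monitor
# placement, the flow and the sampled observations are all constructed.

from collections import namedtuple

Obs = namedtuple("Obs", "monitor flow dscp")  # flow = (src, dst, proto, sport, dport)

PATH = ["R1", "R2", "R3", "R4"]              # ingress R1 ... egress R4
MONITORS = {"R1": 0, "R3": 2, "R4": 3}       # routers hosting an IDS entity

FLOW = ("10.0.0.1", "10.0.1.9", 17, 5004, 5004)

SAMPLE = [                                   # constructed IDS observations
    Obs("R1", FLOW, 46),                     # DSCP 46 (EF) at the ingress edge
    Obs("R3", FLOW, 0),                      # best effort downstream: re-marked
    Obs("R4", FLOW, 0),
]

def remark_alarms(observations):
    """Each downstream IDS compares a flow's DSCP with the value recorded at
    the ingress monitor and raises an alarm (here a tuple; on the real system
    an SNMP notification) whenever they differ."""
    ingress, alarms = {}, []
    for o in sorted(observations, key=lambda o: MONITORS[o.monitor]):
        if o.flow not in ingress:
            ingress[o.flow] = o.dscp
        elif o.dscp != ingress[o.flow]:
            alarms.append((o.monitor, o.flow, ingress[o.flow], o.dscp))
    return alarms

def isolate_suspects(observations, flow):
    """Security-management-entity correlation: the re-marking happened after
    the last monitor that still saw the ingress DSCP and no later than the
    first monitor that saw something else, so only the routers in that
    interval need to be queried."""
    seen = sorted((o for o in observations if o.flow == flow),
                  key=lambda o: MONITORS[o.monitor])
    expected, last_good = seen[0].dscp, MONITORS[seen[0].monitor]
    for o in seen[1:]:
        if o.dscp != expected:
            return PATH[last_good + 1:MONITORS[o.monitor] + 1]
        last_good = MONITORS[o.monitor]
    return []                                # no re-marking observed

if __name__ == "__main__":
    print(remark_alarms(SAMPLE))             # alarms from R3 and R4: 46 -> 0
    print(isolate_suspects(SAMPLE, FLOW))    # ['R2', 'R3']
```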
27
IDS: Status
Enhance JiNao implementation to make it protocol independent
– originally targeted for OSPF attack detection
– now can be used to detect attacks against any protocol
Identification of data flow attacks
Preliminary design of IDS system
28
Conclusions
Started August ’99
Implementing RSVP / DiffServ testbed
Exploring collaborations with vendors