3/30/2005 Auburn University Information Assurance Lab
Simulating Secure Overlay Services
Outline
  SOS Overview
  Communication Architecture
  Ideas and Assumptions
  Models
  Experiments
  Results
  Future Work
  Questions?
SOS Overview
  Target Site
  High-Speed Routers
  Secret Servlet
  Beacon
  Secure Overlay Access Point (SOAP)
SOS Overview
  Target Site
    The machine enlisting the protection of the overlay network
  High-Speed Filter Routers
    Routers that govern all access to the protected site
    Must have the capacity to repel a sizeable attack
SOS Overview
  Secret Servlet
    The only node that is allowed to send data directly to the Target Site
  Beacon
    The ultimate destination as far as the overlay is concerned
  Secure Overlay Access Point (SOAP)
    The point at the edge of the overlay through which users are authenticated, and their traffic forwarded
Design Philosophy and Assumptions
  Simplicity
    Communication Protocol
      Inter-node communication is reduced to single packet instructions and acknowledgements
      User-target communication is a very simple stop-and-wait protocol, which allows us to make simple measurements of round trip time, loss rates, etc.
    Network Models
      The models should be as functionally pure as possible
      The network should not be overburdened with excessively complex routing
Design Philosophy and Assumptions
  Simplicity (cont'd)
    Attacks are simulated by intermittently failing nodes as opposed to generating large amounts of traffic to overwhelm them
  Attacker Assumptions
    Attackers do not know the function of nodes in the network, only that they are participating
    Attackers have the strength to shut down n nodes in a single stroke
Models
  SOS Node Model
    Secret Servlet
    Beacon
    SOAP
    Intermediate Node
  Target Site
    Accepts authenticated traffic and replies
Models
  Router
    Filters what it is told to filter, forwards everything else
  User (Traffic Generator)
    Injects data into the network and waits patiently for ACKs
Models
  The Network
    25 Subnets
    Each Subnet contains (at least) a router and an SOS node
Experimental Design
  Unsophisticated Random Attacker
    The attacker knows which nodes are participating in the network, but does not know their roles.
    The attacker can fail any node in the network with probability p. After a random amount of downtime, the node will rejoin the network.
  Unsophisticated Targeted Attacker
    The attacker can use all of her resources to bring down n nodes simultaneously. These nodes do not have the chance to rejoin the network.
Experimental Design
  Sophisticated (Overinformed) Attacker
    This attacker can divine the identity of the overlay's most guarded secret, the identity of the secret servlet.
    This discovery takes a short and near constant amount of time.
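Added example (not part of the original slides or the authors' simulator): a minimal Python model of the two unsophisticated attackers on the 25-node network, useful for checking how role replication affects path availability. The three replicas per role, the per-tick reading of p, and the downtime range are assumptions made here.

```python
import random
from math import comb

N_NODES = 25  # one SOS node per subnet, as on the Models slide
# Assumed role replication (not on the slides): node ids serving each role.
ROLES = {"soap": [0, 1, 2], "beacon": [3, 4, 5], "servlet": [6, 7, 8]}

def path_up(down):
    """A user reaches the target if at least one node of every role is alive."""
    return all(any(n not in down for n in nodes) for nodes in ROLES.values())

def random_attacker(p, ticks=5000, max_down=10, seed=1):
    """Each tick every live node fails with probability p, stays down for a
    random 1..max_down ticks, then rejoins. Returns the fraction of ticks
    with a usable SOAP -> beacon -> servlet path."""
    rng = random.Random(seed)
    down_until = {}  # node id -> tick at which it rejoins
    up_ticks = 0
    for t in range(ticks):
        down_until = {n: u for n, u in down_until.items() if u > t}
        for n in range(N_NODES):
            if n not in down_until and rng.random() < p:
                down_until[n] = t + rng.randint(1, max_down)
        up_ticks += path_up(down_until)
    return up_ticks / ticks

def targeted_blocked_exact(n):
    """Probability that n simultaneous, role-blind failures remove every
    replica of at least one role (inclusion-exclusion over role sets)."""
    sizes = [len(v) for v in ROLES.values()]
    total, prob = comb(N_NODES, n), 0.0
    for mask in range(1, 1 << len(sizes)):
        k = sum(s for i, s in enumerate(sizes) if mask >> i & 1)
        if k <= n:
            sign = 1 if bin(mask).count("1") % 2 else -1
            prob += sign * comb(N_NODES - k, n - k) / total
    return prob

def targeted_blocked_mc(n, trials=20000, seed=1):
    """Monte Carlo cross-check of targeted_blocked_exact."""
    rng = random.Random(seed)
    hits = sum(not path_up(set(rng.sample(range(N_NODES), n))) for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    for p in (0.05, 0.25, 0.5):
        print(f"p={p}: availability {random_attacker(p):.3f}")
    for n in (3, 6, 9, 12, 15):
        print(f"n={n}: blocked {targeted_blocked_exact(n):.4f} (mc {targeted_blocked_mc(n):.4f})")
```

This model reports availability and blocking probability only; it does not reproduce the recovery times measured in the Results slides.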
Results
  Unsophisticated Random Attacker
    For small values of p the overlay is hardly affected
    Anything larger than 0.5 creates long periods of down time for recovery.
  [Figure: two plots, titled "P = 0.25" and "P = 0.5", each labelled "Delay"]
Results
  Unsophisticated Targeted Attacker
    Again, once 50% of the nodes are susceptible to failure, recovery becomes very difficult, if not impossible

    n           Avg. Recovery Time
    3 (12%)     4.226 sec.
    6 (24%)     9.681 sec.
    9 (36%)     12.681 sec.
    12 (48%)    56.09 sec.
    15 (60%)    145.03 sec.
Results
  Sophisticated Attacker
    Recovery time for losing a secret servlet is near constant no matter how many times it happens
  [Figure: plot labelled "Delay"]
Conclusions
  The ease with which attackers can recruit a zombie horde makes DDoS a large and realistic threat to the communication infrastructure.
  Secure Overlay Services represents a creative solution to a complicated problem.
  With a large enough number of participating nodes, and very high speed links, SOS provides adequate protection and real-time recoverability in the face of a bandwidth denial of service attack.
Future Work
  More Accurate Network Model
    TCP/IP Stack
    Dynamic Routing
  Implementation
    Ask Adam…
Resources
  A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proceedings of ACM SIGCOMM, pages 61-72, August 2002.
  I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan. Chord: A Scalable Peer-To-Peer Lookup Service for Internet Applications. In Proceedings of ACM SIGCOMM, 2001.
  W. G. Morein, A. Stavrou, D. L. Cook, A. D. Keromytis, V. Misra, and D. Rubenstein. Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers. In Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS), pages 8-19, 2003.
  D. Karger, E. Lehman, F. Leighton, R. Panigrahy, M. Levine, and D. Lewin. Consistent Hashing and Random Trees: Distributed Caching Protocols for Relieving Hot Spots on the World Wide Web. In Proceedings of ACM Symposium on Theory of Computing (STOC), pages 654–663, May 1997.
  H. W. Fletcher, K. Richardson, M. C. Carlisle, and J. A. Hamilton. Simulation Experimentation with Secure Overlay Services. In review for SES Summer Simulation Conference, 2005.