Security Related Research Projects at UCCS Network Research Lab
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
Security Research, 2/7/2003
Outline of the Talk
– Brief introduction to the Network/Protocol Research Lab at UCCS
– Network security related research projects at the UCCS Network/Protocol Research Lab: Autonomous Anti-DDoS Project; Secure Collective Defense Project; BGP/MPLS based VPN Project
– Discussion on the Innerwall-UCCS Joint Research Project, STTR N03-T010, "Intrusion Monitoring, Detection and Reporting"

UCCS Network Research Lab
Director: Dr. C. Edward Chow
Graduate students:
– John Bicknell / Steve McCaughey / Anders Hansmat: Distributed Network Restoration / Network Survivability
– Hekki Julkunen: Dynamic Packet Filter
– Chandra Prakash: High-Availability Linux kernel-based Content Switch
– Ganesh Godavari: Linux-based Secure Web Switch
– Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
– Longhua Li: IXP-based Content Switch
– Yu Cai (Ph.D. research assistant): Multipath Routing
– Jianhua Xie (Ph.D.): Secure Storage Networks
– Frank Watson: Content Switch for Email Security
– Paul Fong: Wireless AODV Routing for Sensor Networks
– Nirmala Belusu: Wireless Network Security, PEAP vs. TTLS
– David Wikinson / Sonali Patankar: Secure Collective Defense
– Murthy Andukuri / Jing Wu: Enhanced BGP/MPLS-based VPN
– Patricia Ferrao / Merlin Vincnet: Web-based Collaborative System Support

UCCS Network Lab Setup
– Gigabit fiber connection to the UCCS backbone
– Switch/Firewall/Wireless AP: HP 4000 switch; 4 Linksys/D-Link switches; SonicWall Pro 300 firewall
– 8 Intel 7112 SSL accelerators; 4 Intel 7820 XML directors (donated by Intel)
– Cisco 1200 Aironet dual-band access point and 350 client PC/PCI cards (both 802.11a and 802.11b)
– Intel IXP12EB network processor evaluation board
– Servers: two Dell PowerEdge servers
– Workstations/PCs: 8 Dell PCs (3 GHz to 500 MHz); 12 HP PCs (500 to 233 MHz); 2 laptop PCs with Aironet 350 cards for mobile wireless
– OS: Red Hat Linux 8.0; Windows XP/2000

[Lab photos: HP 4000 switch with gigabit fiber to the UCCS backbone and a workstation; Dell server; Intel IXP network processor]
[Lab photos: Intel 7110 SSL accelerators; 7280 XML director]

DDoS: Distributed Denial of Service Attack
– DDoS victims: Yahoo/Amazon (2000); CERT (5/2001); DNS root servers (10/2002)
– DDoS tools: Stacheldraht; Trinoo; Tribal Flood Network (TFN)

How Widespread is DDoS?
– Research by Moore et al. of the University of California at San Diego, 2001: 12,805 DoS attacks observed in a 3-week period
– Most of the victims are home users and small to medium-sized organizations

Intrusion Related Research Areas
– Intrusion Prevention: general security policy; ingress/egress filtering
– Intrusion Detection: anomaly detection; misuse detection
– Intrusion Response: identification/traceback/pushback
– Intrusion Tolerance

Security Related Research Projects
– Secure Content Switch
– Autonomous Anti-DDoS Project: deals with intrusion detection and handling. Techniques: IDS-firewall integration; adaptive firewall rules; easy to use and manage.
– Secure Collective Defense Project: deals with intrusion tolerance (how to tolerate the attack). Main idea: explore secure alternate paths for clients to come in. Techniques: multiple path routing; a secure DNS extension (how to inform client DNS servers to add alternate new entries); a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways.
– BGP/MPLS based VPN Project
– Content Switch for Email Security
Design of an Autonomous Anti-DDoS Network (A2D2)
Graduate student: Angela Cearns
Goals:
– Study the Linux Snort IDS / firewall system
– Develop a Snort plug-in for generic flood detection
– Investigate rate limiting and class-based queueing (CBQ) for effective firewall protection
– Intrusion detection automatically triggers adaptive firewall rule updates
– Study the QoS impact with and without the A2D2 system
http://cs.uccs.edu/~chow/pub/master/acearns/doc/

[Figure: A2D2 testbed topology. Public network 128.198 with Client1 (128.198.a.195), Client2 (128.198.b.82) and Client3 (128.198.c.31), reached over the Internet. Simulated Internet / attack network 128.198.61 on a 100 Mbps switch: DDoS master client and handler on Gamma (128.198.61.17); DDoS agents on Alpha (128.198.61.15), Beta (128.198.61.16), Delta (128.198.61.18) and Pluto; RealPlayer clients on Titan and Saturn (128.198.61.11, NM 255.255.255.128, GW 128.198.61.1). A2D2 network: a Linux router acting as firewall (iptables) with a security policy, multi-level rate limiting and CBQ; eth0 128.198.61.12 (NM 255.255.255.128, GW 128.198.61.1), eth1 192.168.0.1 (NM 255.255.0.0). Private subnet 192.168.0 on a 10 Mbps hub holds the IDS (192.168.0.2, NM 255.255.0.0, GW 192.168.0.1) and the RealServer in the DMZ. IDS alerts trigger the multi-level rate limiting. CBQ classes as labelled: HTTP/RealPlayer 70%; SMTP/POP3 15%; SSH/SFTP 10%; SYN/ICMP/DNS 5%.]

A2D2 Multi-Level Adaptive Rate Limiting
[Figure: multi-level adaptive rate limiting scheme; no further text recoverable]

A2D2 QoS Results – Baseline (no DDoS attack)
– 10-minute video stream between RealPlayer client and RealServer; playout buffering to avoid jitter
– Packets received: around 23,000 (23,445)
[Screenshot: QoS experienced at A2D2 by the RealPlayer client with no DDoS]

A2D2 Results – Non-stop Attack
– Packets received: 8,039; retransmission requests: 2,592; retransmissions received: 35; lost: 2,557
– Loss of packets; connection timed out
[Screenshot: QoS experienced at the A2D2 client]
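The A2D2 slides describe the mechanism only at the block-diagram level: a generic flood detector in the IDS raises alerts, and each alert tightens the firewall's rate limit on the offending traffic class in steps (multi-level), on top of CBQ shares per class. The following is an added example written for this page, not code from A2D2, Snort or the Linux tc/iptables tools the testbed used; it simulates that control loop in Python so the escalation can be watched offline. The class names, the packet-per-second link shares (following the slide's 70/15/10/5 split), the flood thresholds, the level fractions and the sample trace are all constructed assumptions.

```python
# Added example, not code from the A2D2 project: a simulation of the
# IDS-triggered, multi-level adaptive rate limiting described on the slides.
# A generic flood detector (standing in for the Snort flood plug-in) counts
# packets per traffic class in a sliding window; each alert escalates that
# class one level, and each level tightens the token-bucket rate that the
# "firewall" enforces on the class. Class names, link share, thresholds and
# level fractions below are assumptions chosen for illustration.
from collections import deque

# CBQ-style share of a 10 Mbps link per class, following the slide's
# 70/15/10/5 split, expressed as packets per second (assumed numbers).
BASE_RATE = {"http": 7000, "mail": 1500, "ssh": 1000, "control": 500}
LEVEL_FRACTION = [1.0, 0.5, 0.1, 0.01]   # allowed fraction of BASE_RATE per level
FLOOD_THRESHOLD = {"http": 900, "mail": 200, "ssh": 200, "control": 100}
WINDOW = 1.0        # seconds of history the detector keeps
HOLD = 2.0          # quiet seconds before a level is relaxed by one step
BURST = 0.1         # bucket depth = BURST seconds worth of BASE_RATE


class FloodDetector:
    """Sliding-window packet counter per class; returns True when it raises an alert."""

    def __init__(self):
        self.seen = {c: deque() for c in BASE_RATE}
        self.alerted_at = {c: float("-inf") for c in BASE_RATE}

    def observe(self, t, cls):
        q = self.seen[cls]
        q.append(t)
        while q and t - q[0] > WINDOW:
            q.popleft()
        # At most one alert per class per window, so a flood escalates one level at a time.
        if len(q) > FLOOD_THRESHOLD[cls] and t - self.alerted_at[cls] >= WINDOW:
            self.alerted_at[cls] = t
            return True
        return False


class AdaptiveLimiter:
    """Per-class token bucket whose refill rate drops as the class's level rises."""

    def __init__(self):
        self.level = {c: 0 for c in BASE_RATE}
        self.tokens = {c: BASE_RATE[c] * BURST for c in BASE_RATE}
        self.last = {c: 0.0 for c in BASE_RATE}
        self.changed = {c: 0.0 for c in BASE_RATE}

    def rate(self, cls):
        return BASE_RATE[cls] * LEVEL_FRACTION[self.level[cls]]

    def escalate(self, cls, t):
        self.level[cls] = min(self.level[cls] + 1, len(LEVEL_FRACTION) - 1)
        self.changed[cls] = t

    def relax(self, t):
        """Step every quiet class back toward its normal rate (the adaptive part)."""
        for cls in self.level:
            if self.level[cls] > 0 and t - self.changed[cls] > HOLD:
                self.level[cls] -= 1
                self.changed[cls] = t

    def admit(self, t, cls):
        depth = BASE_RATE[cls] * BURST
        self.tokens[cls] = min(depth, self.tokens[cls] + (t - self.last[cls]) * self.rate(cls))
        self.last[cls] = t
        if self.tokens[cls] >= 1:
            self.tokens[cls] -= 1
            return True
        return False


def run(packets):
    """packets: iterable of (time, class) in time order. Returns per-class counts and final levels."""
    det, lim = FloodDetector(), AdaptiveLimiter()
    stats = {c: {"admitted": 0, "dropped": 0} for c in BASE_RATE}
    for t, cls in packets:
        lim.relax(t)
        if det.observe(t, cls):
            lim.escalate(cls, t)
        stats[cls]["admitted" if lim.admit(t, cls) else "dropped"] += 1
    return stats, dict(lim.level)


def constructed_trace():
    """Constructed input: 5 s of modest HTTP and control traffic, plus a 5000 pps
    flood in the control class (think ICMP/SYN) from t=2 s to t=5 s."""
    pkts = [(i / 100.0, "http") for i in range(500)]
    pkts += [(i / 20.0, "control") for i in range(100)]
    pkts += [(2.0 + i / 5000.0, "control") for i in range(15000)]
    pkts.sort()
    return pkts


if __name__ == "__main__":
    stats, levels = run(constructed_trace())
    print(stats, levels)
```

Running it on the constructed trace, the control class is escalated once per window (levels 1, 2, 3) while the flood lasts, the HTTP class is untouched, and the flood is mostly dropped at the limiter rather than reaching the server. Two points the slides' results also make: limiting per class throttles legitimate traffic that shares the class with the flood, so class boundaries matter, and the relaxation step is what keeps a class from staying throttled forever after the flood ends.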
A2D2 Results – UDP Attack Mitigation: Firewall Policy
– Packets received: 23,407; retransmission requests: 0; retransmissions received: 0; lost: 0
– Looks like we just need plain old firewall rules, no fancy rate limiting/CBQ?
[Screenshot: QoS experienced at the A2D2 client]

A2D2 Results – ICMP Attack Mitigation: Firewall Policy
– Packets received: 7,127; retransmission requests: 2,105; retransmissions received: 4; lost: 2,101
– Packet/connection loss; connection timed out
– A plain old firewall rule is not good enough!
[Screenshot: QoS experienced at the A2D2 client]

A2D2 Results – TCP Attack Mitigation: Policy + CBQ
– CBQ turned on
– Packets received: 22,179; retransmission requests: 4,090; retransmissions received: 2,641; lost: 1,449
– Looks OK, but quality degrades: visible screen quality impact
[Screenshot: QoS experienced at the A2D2 client]

A2D2 Results – TCP Attack Mitigation: Policy + CBQ + Rate Limiting
– Both CBQ and rate limiting turned on
– Packets received: 23,444; retransmission requests: 49 to 1,376; retransmissions received: 40 to 776; lost: 9 to 600
– No image quality degradation
[Screenshot: QoS experienced at the A2D2 client]

A2D2 Future Work
– Extend to include IDIP/Pushback
– More precise anomaly detection
– Improve firewall/IDS processing speed
– Scalability issues
– Tests with more service types
– Tests with heavy client traffic volume
– Fault tolerance (multiple firewall devices)
– Alternate routing

Wouldn't it be Nice to Have Alternate Routes?
[Figure: client networks net-a.com, net-b.com and net-c.com, each with its DNS server (DNS1, DNS2, DNS3) and router R; the Victim behind its gateway R, with alternate gateways R1, R2 and R3; DDoS attack traffic and client traffic both arrive through the main gateway. Question: how to reroute client traffic through R1 to R3?]

Implement Alternate Routes
[Figure: the same topology with alternate routes through R1, R2 and R3 drawn in. Need to inform the clients or the client DNS servers!]
– But how to tell which clients are not compromised?
– How to hide the IP addresses of the alternate gateways?

SCOD (Secure Collective Defense) reroute sequence
[Figures: client networks net-a.com, net-b.com and net-c.com with DNS1 to DNS3; proxy servers Proxy1, Proxy2 and Proxy3 in front of the alternate gateways R1, R2 and R3; the Victim with its IDS and firewall; the Reroute Coordinator. Attack traffic and client traffic are drawn separately.]
1. The IDS at the victim detects the intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a reroute command with (DNS name, IP address of the victim, proxy server(s)) to the client DNS servers.
3. New routes are set up: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4. Attack traffic that follows a new route is detected by the IDS at the proxy and blocked by its firewall (4a); client traffic comes in via the alternate route (4b).
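The four-step sequence above, together with the open question on the following slide of partitioning clients across proxies to help identify the attacker, can be exercised as a small simulation. The following is an added example written for this page, not code from the SCOD project: a Reroute Coordinator that answers a distress call by sending (DNS name, victim IP, proxy) to each client DNS server, proxies that forward client traffic to alternate gateways whose addresses the clients never learn and whose IDS blocks attack traffic, and one possible partitioning scheme (round-robin, then re-partition the suspect set) that narrows the attacker down to a client network. The domain names, the 10.0.x.1 gateway and 192.0.2.10 victim addresses, www.victim.example, and the narrowing strategy are all assumptions made for the example; the reroute command is not authenticated here, which a real deployment of the slides' "secure DNS extension" would have to do.

```python
# Added example, not code from the SCOD project: a simulation of the reroute
# protocol on the Secure Collective Defense slides (distress call from the
# victim's IDS, reroute command to the client DNS servers, client traffic via
# proxies to alternate gateways whose addresses the clients never see) plus
# one possible client-partitioning scheme that narrows down the client network
# an attacker sits in. Names, addresses and the narrowing strategy are assumptions.

ALT_GATEWAYS = {"R1": "10.0.1.1", "R2": "10.0.2.1", "R3": "10.0.3.1"}  # known to proxies only
PROXIES = {"proxy1": "R1", "proxy2": "R2", "proxy3": "R3"}             # proxy -> gateway it fronts


class ClientDNS:
    """Client-side DNS server that accepts reroute commands for a victim's name."""

    def __init__(self, domain):
        self.domain = domain
        self.alternate = {}      # name -> (victim_ip, proxy); not a normal A record

    def reroute(self, name, victim_ip, proxy):
        self.alternate[name] = (victim_ip, proxy)

    def resolve(self, name):
        return self.alternate.get(name)


class Proxy:
    """Forwards client traffic to its alternate gateway; its IDS blocks attack traffic (step 4a)."""

    def __init__(self, gateway):
        self.gateway, self.blocked, self.forwarded = gateway, [], []

    def handle(self, src, is_attack):
        if is_attack:
            self.blocked.append(src)
            return None
        self.forwarded.append(src)
        return ALT_GATEWAYS[self.gateway]   # the gateway address stays behind the proxy


class RerouteCoordinator:
    def __init__(self, dns_servers):
        self.dns_servers = dns_servers                       # domain -> ClientDNS
        self.proxies = {p: Proxy(g) for p, g in PROXIES.items()}
        self.assignment = {}                                 # domain -> proxy

    def partition(self, domains):
        """Spread client domains round-robin over the proxies (assumed scheme)."""
        names = list(self.proxies)
        self.assignment = {d: names[i % len(names)] for i, d in enumerate(domains)}
        return self.assignment

    def distress(self, name, victim_ip, domains):
        """Steps 1-2: on a distress call, send (DNS name, victim IP, proxy) to each client DNS server."""
        for d, p in self.partition(domains).items():
            self.dns_servers[d].reroute(name, victim_ip, p)

    def suspects_after_round(self, name, traffic):
        """Steps 3-4: replay traffic over the new routes; return the domains behind any proxy whose IDS fired."""
        for p in self.proxies.values():
            p.blocked.clear()
            p.forwarded.clear()
        for domain, src, is_attack in traffic:
            _victim_ip, proxy = self.dns_servers[domain].resolve(name)
            self.proxies[proxy].handle(src, is_attack)
        dirty = {p for p, prx in self.proxies.items() if prx.blocked}
        return sorted(d for d, p in self.assignment.items() if p in dirty)


def locate_attacker(coord, name, victim_ip, traffic):
    """Re-partition the suspect domains across the proxies until a single domain remains
    (or the attack shows up behind every proxy and cannot be narrowed further)."""
    suspects = sorted(coord.dns_servers)
    rounds = 0
    while len(suspects) > 1:
        coord.distress(name, victim_ip, suspects)
        nxt = coord.suspects_after_round(name, [t for t in traffic if t[0] in suspects])
        rounds += 1
        if len(nxt) == len(suspects):
            break
        suspects = nxt
    return suspects, rounds


def constructed_scenario():
    """Constructed sample: six client networks, a compromised host in net-d.com."""
    domains = ["net-a.com", "net-b.com", "net-c.com", "net-d.com", "net-e.com", "net-f.com"]
    dns = {d: ClientDNS(d) for d in domains}
    traffic = [(d, "client@" + d, False) for d in domains] + [("net-d.com", "bot@net-d.com", True)]
    return RerouteCoordinator(dns), traffic


if __name__ == "__main__":
    coord, traffic = constructed_scenario()
    print(locate_attacker(coord, "www.victim.example", "192.0.2.10", traffic))
```

With six client networks and three proxies, the first round blames the two networks routed through the proxy whose IDS fired, and the second round separates those two, so the compromised network is found in two reroutes while every other client keeps reaching the victim through its proxy. Two caveats follow from the slides themselves: the scheme only localizes an attacker to a client network, not to a host, and it depends on the proxy IDS seeing the attack traffic, which is the same step 4a detection the victim's own IDS performed.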
Secure Collective Defense
Main idea: explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goals:
– Provide secure alternate routes
– Hide the IP addresses of the alternate gateways
Techniques:
– Multiple path routing
– Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
– Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways
Open questions:
– How to partition clients to come in at different proxy servers? This may help identify the attacker.
– How do clients use the new DNS entries and route traffic through a proxy server? Use the SOCKS protocol, or modify the resolver library?

New UCCS IA Degree/Certificate
– Master of Engineering degree in Information Assurance
– Certificate in Information Assurance (offered to Peterson AFB through NISSC)
– Courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design

New CS691 Course on Advanced System Security Design
– Uses Matt Bishop's new Computer Security text
– Spring 2003: one class at UCCS, one at Peterson AFB
– Enhanced by demos and hands-on exercises at the Distributed Security Lab of Northrop Grumman
– Integrates security research results into the course material: A2D2, Secure Collective Defense and MPLS-VPN projects
– Invite speakers from industry such as Innerwall and AFA?
– Looking for potential joint exercises with other institutions such as AFA, Northrop Grumman and Innerwall
Joint Research/Development Effort
– STTR N03-T010, "Intrusion Monitoring, Detection and Reporting"
– Penetration analysis/testing projects?
– Intrusion detection/handling projects?
– Other cyberwarfare-related projects?
– Security Forum organized by Dean Haefner and Dr. Ayen
– Security Seminar Series with CITTI funding support; looking for speakers (suggestions?)