1

SOS: Secure Overlay Services

A. D. KeromytisV. Misra

D. Runbenstein

Columbia University

2

Outline Introduction Architecture Performance Analysis Implementation Discussion

3

Introduction/Motivation

9/11 events The Internet vs. Phone Network Communication paths between

the “important” sites and Emergency Response Teams

Trends of DDoS Attacks Previous Reactive Approaches Proactive Mechanisms

4

Attack Trends [CERT’01] Trend 6 - Increasing threat from infrastructure attacks, type 1

Distributed denial of service, ….

The degree of automation Manual Attacks - early DDoS attacks Semi-Automatic Attacks - Attacks with communications between

masters and slaves Automatic Attacks - Just issue a single command

High-impact, low-effort

5

Distributed Denial of Service Attacks (DDOS)

Attacker logs into Master and signals slaves to launch an attack on a specific target address (victim).

Slaves then respond by initiating TCP, UDP, ICMP or Smurf attack on victim.

6

What makes DDoS attacks possible?

Internet security is highly interdependent

Internet resources are limited Power of many is greater that

power few Intelligence and resources are not

collocated

7

What to Do About DDoS? Detection

Intrusion detection systems Traceback (unfortunately, not to the attacks)

Link Testing ICMP Traceback Hash-based Traceback Probabilistic Marking

Prevention Traffic monitoring e.g., ICMP packets, SYN

packets Ingress filtering on the routers GovNet – A separate network

8

Objective of Secure Overlay Services

Motivated by ERT scenario Focus on protecting a site that

stores information that is difficult to replicate

Secure communication on top of today’s existing IP infrastructure from DDoS attacks

Does NOT solve the general DoS problems

9

Assumptions

4. The attacker can not acquire sufficient resources to severely disrupt large portions pf the backbone

1. Pre-determined subset of clients scattered

through the wide-area network(WAN)

3. The attacker does not have unobstructed access to the network core

2. A set of users want to prevent access to this info and will launch DoS attack upon any network points whose jamming will archive this goal

10

Basic SOS Architecture

11

Architecture Descriptions SOS is a network overlay Nodes are known to the public Communications between overlay

nodes are assumed to remain secure

The user’s packets must be authenticated and authorized by SOS before traffic is allowed to flow though the overlay

12

Filtered region Establish filters at the ISP’s POP

routers attaching to the ISP backbone

Distinguish and drop illegitimate packets

Issues IP address changes and user

roles changes IP spoofing

13

Secret Servlets A subset of nods, Ns, selected by the target

to act as forwarding proxies The filters only allow packets whose source

address matches n Ns

Hide the identities of the proxies to prevent IP spoofing or attacks aiming at proxies

Activated by the target’s message Challenge: reach a secret servlet without

revealing the servlet’s ID to the nodes that wish to reach it.

Random next hopO(N/Ns)

14

SOAP: Secure Overlay Access Point

Receive and verify traffic Authentication tools: IPSec/TLS A large number of SOAPs make a

distributed firewall Effects on DoS – increase the amount

of resources/bandwidth to deny connectivity to legitimate clients

How to map SOAPs to different users?

15

Routing through the Overlay Chord service (www.cs.umn.edu/~he/iss/) Each Overlay node contains O(logN)

identifiers Chord delivers the packet to one of

several beacons, which knows the secret servlet’s identity.

Beacon’s identifier is mapped by hashing the target’s IP address

Multiple hash functions produce different paths.

16

Against the DoS attacks An access point is attacked.

The source point can choose an alternative access point

A node within the overlay is attackedChord service self-heals

A secret servlet’s identifier is discovered and the servlet is targeted as an attack pointThe target chooses an alternative set of secret servlets

17

Performance Analysis (1)Varying number of Attacks and nodes in the overlay

# of nodes attacked

P(AttackSucces

s)

18

Load of attack traffic

Performance Analysis (2)Blocking probability for legitimate traffic as a function of attack traffic load

Blockingprobability

for legitimate

traffic

19

Performance Analysis (3)Performance gains of increasing the capacity of the attacked node

Bandwidth increase factor

Bandwidth Gain

20

Performance Analysis (4)Performance gains of increasing the anonymity of the attacked node

Size of the overlay

RandomizationGain

21

Implementation Filtering

high and medium routers(performance & cost) high-speed packet classification

Authentication and authorization of sources IPSec Public Key Infrastructure/Certificate

Tunneling IP-in-IP encapsulation GRE encapsulation IPSec in tunnel mode

22

Discussions Attacks from inside the overlay

security management oversights development bugs potential damage from inside

A shared overlay multiple organizations utilize a shared overlay A breach in one org. security would not lead to

breaches in other networks Timely delivery

Latency (10 times lager, preliminary simulations) Trade security with performance

23

Thanks!

24

25

26

27

28

29