Security Related Research Projects at UCCS Network Research Lab
DESCRIPTION
Security Related Research Projects at UCCS Network Research Lab. C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs. Outline of the Talk. Brief Introduction to the Network/Protocol Research Lab at UCCS. (PowerPoint PPT presentation)
TRANSCRIPT
1Security Research 2/7/2003 chow
C. Edward Chow
Department of Computer Science, University of Colorado at Colorado Springs
Security Related Research Projects at UCCS Network Research Lab
2Security Research 2/7/2003 chow
Outline of the Talk
Brief Introduction to the Network/Protocol Research Lab at UCCS
Network security related research projects at UCCS Network/Protocol Research Lab
– Autonomous Anti-DDoS Project
– Secure Collective Defense Project
– BGP/MPLS based VPN Project
Discussion on Innerwall-UCCS Joint Research Project
STTR N03-T010 TITLE: Intrusion Monitoring, Detection and Reporting
3Security Research 2/7/2003 chow
UCCS Network Research Lab
Director: Dr. C. Edward Chow
Graduate students:
– John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability
– Hekki Julkunen: Dynamic Packet Filter
– Chandra Prakash: High Available Linux kernel-based Content Switch
– Ganesh Godavari: Linux based Secure Web Switch
– Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
– Longhua Li: IXP-based Content Switch
– Yu Cai (Ph.D. research assistant): Multipath Routing
– Jianhua Xie (Ph.D.): Secure Storage Networks
– Frank Watson: Content Switch for Email Security
– Paul Fong: Wireless AODV Routing for sensor networks
– Nirmala Belusu: Wireless Network Security PEAP vs. TTLS
– David Wikinson/Sonali Patankar: Secure Collective Defense
– Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN
– Patricia Ferrao/Merlin Vincent: Web-based Collaborative System Support
4Security Research 2/7/2003 chow
UCCS Network Lab Setup
Gigabit fiber connection to UCCS backbone
Switch/Firewall/Wireless AP: HP 4000 switch; 4 Linksys/Dlink switches; Sonicwall Pro 300 firewall; 8 Intel 7112 SSL accelerators and 4 7820 XML directors donated by Intel; Cisco 1200 Aironet dual band access point and 350 client PC/PCI cards (both 802.11a and 802.11b cards); Intel IXP12EB network processor evaluation board
Servers: Two Dell PowerEdge servers
Workstations/PCs: 8 Dell PCs (3 GHz-500 MHz); 12 HP PCs (500-233 MHz); 2 laptop PCs with Aironet 350 for mobile wireless
OS: Linux Red Hat 8.0; Windows XP/2000
5Security Research 2/7/2003 chow
[Lab photo/diagram: HP4000 switch, gigabit fiber to UCCS backbone, workstations, Dell server, Intel IXP network processor]
6Security Research 2/7/2003 chow
Intel 7110 SSL Accelerators 7280 XML Director
7Security Research 2/7/2003 chow
DDoS: Distributed Denial of Service Attack
DDoS Victims: Yahoo/Amazon (2000); CERT (5/2001); DNS Root Servers (10/2002)
DDoS Tools: Stacheldraht; Trinoo; Tribal Flood Network (TFN)
[Diagram of a DDoS attack hierarchy: Mastermind Intruder -> Client (Attack Commander) -> Handlers (Middlemen) -> Agents (Attackers)]
8Security Research 2/7/2003 chow
How widespread is DDoS?
Research by Moore et al. of University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period. Most of the victims are home users and small to medium sized organizations.
9Security Research 2/7/2003 chow
Intrusion Related Research Areas
Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
Intrusion Detection: Anomaly Detection; Misuse Detection
Intrusion Response: Identification/Traceback/Pushback; Intrusion Tolerance
10Security Research 2/7/2003 chow
Security Related Research Projects
Secure Content Switch
Autonomous Anti-DDoS Project: deals with Intrusion Detection and Handling. Techniques:
– IDS-Firewall Integration
– Adaptive Firewall Rules
– Easy to use/manage
Secure Collective Defense Project: deals with Intrusion Tolerance, how to tolerate the attack. Techniques (main idea: explore secure alternate paths for clients to come in):
– Multiple Path Routing
– Secure DNS extension: how to inform client DNS servers to add alternate new entries
– Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate gateways
BGP/MPLS based VPN Project
Content Switch for Email Security
11Security Research 2/7/2003 chow
Design of an Autonomous Anti-DDOS Network (A2D2)
Graduate Student: Angela Cearns
Goals:
Study Linux Snort IDS/Firewall system
Develop Snort plug-in for Generic Flood Detection
Investigate Rate Limiting and Class Based Queueing for Effective Firewall Protection
Intrusion Detection automatically triggers adaptive firewall rule update
Study QoS impact with/without A2D2 system
http://cs.uccs.edu/~chow/pub/master/acearns/doc/
12Security Research 2/7/2003 chow
[A2D2 testbed diagram]
Attack Network 128.198.61 (Simulated Internet, 100 Mbps switch): DDoS Agents Alpha 128.198.61.15, Beta 128.198.61.16, Gamma 128.198.61.17, Delta 128.198.61.18; DDoS Master Client & Handler Saturn 128.198.61.11 (NM 255.255.255.128, GW 128.198.61.1)
Autonomous Anti-DDoS Network (A2D2), hosts Pluto and Titan: Firewall (iptables) with Security Policy, Multi-Level Rate Limiting and Class-Based Queuing (CBQ) as Linux Router; eth0 IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12
Private Subnet 192.168.0 / DMZ (10 Mbps hub): Real Server eth0 IP 192.168.0.2, NM 255.255.0.0, GW 192.168.0.1; IDS
IDS alerts trigger Multi-Level Rate-Limiting
Real Server traffic: 70% HTTP, RealPlayer; 15% SMTP, POP3; 10% SSH, SFTP; 5% SYN, ICMP, DNS
Public Network 128.198 / Internet (100 Mbps switch): Real Player Clients Client1 128.198.a.195, Client2 128.198.b.82, Client3 128.198.c.31
13Security Research 2/7/2003 chow
A2D2 Multi-Level Adaptive Rate Limiting
[Diagram] Firewall Gateway with Multi-Level Rate Limiting as Linux Router: eth0 IP 128.198.61.12, NM 255.255.255.128, GW 128.198.61.1; eth1 IP 192.168.0.1, NM 255.255.0.0, GW 128.198.61.12
IDS configuration: snort.conf Flood Preprocessor Threshold; snort.conf Flood Rate Limiter Preprocessor Thresholds; rateif.conf (levels, rate, expiration, port # etc.)
Alert path: ./snort -A UNSOCK -> report.c ./alert -> rateif.pl
Rate limiting levels: Level 4 Open (5 days); Level 3 100 p/s; Level 2 50 p/s; Level 1 Block (2 hrs); Level 0 Block (2 days); Level 1 expires
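The multi-level scheme above (alerts from the flood preprocessor step a source to a more restrictive level, and timers step it back up) as an added Python example; this is not code from the talk or from the A2D2 project, whose real chain was Snort, report.c and rateif.pl driving CBQ. The levels, rates and the 5-day, 2-hour and 2-day durations are the slide's; the one-hour durations at levels 3 and 2, the one-level-per-alert escalation rule, the Snort-style alert lines and the rendering of a level as iptables `limit` rules are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Level table: (action, packets per second, how long the level lasts before the
# source steps back up one level). Levels, rates and the 5-day / 2-hour / 2-day
# durations come from the slide; the 1-hour durations at levels 3 and 2 are an
# assumption, as the slide shows none for them.
LEVELS: Dict[int, Tuple[str, Optional[int], timedelta]] = {
    4: ("open", None, timedelta(days=5)),
    3: ("limit", 100, timedelta(hours=1)),
    2: ("limit", 50, timedelta(hours=1)),
    1: ("block", None, timedelta(hours=2)),
    0: ("block", None, timedelta(days=2)),
}
OPEN_LEVEL = 4


@dataclass
class Entry:
    level: int
    expires: datetime


class MultiLevelRateLimiter:
    """Per-source level tracker: each IDS flood alert steps the source down one
    level (more restrictive); when a level's timer runs out the source steps back
    up one level, until it is open again and the record is dropped."""

    def __init__(self) -> None:
        self.table: Dict[str, Entry] = {}

    def expire(self, now: datetime) -> None:
        """Apply every timer expiration that has happened up to `now`."""
        for src, entry in list(self.table.items()):
            while entry.expires <= now:
                if entry.level >= OPEN_LEVEL:
                    del self.table[src]  # 5 days open without alerts: forget the source
                    break
                entry.level += 1
                entry.expires += LEVELS[entry.level][2]

    def on_alert(self, src: str, now: datetime) -> int:
        """Called once per flood alert naming `src`; returns the new level."""
        self.expire(now)
        current = self.table[src].level if src in self.table else OPEN_LEVEL
        level = max(0, current - 1)
        self.table[src] = Entry(level, now + LEVELS[level][2])
        return level

    def level_of(self, src: str, now: datetime) -> int:
        self.expire(now)
        return self.table[src].level if src in self.table else OPEN_LEVEL

    def iptables_rules(self, src: str, now: datetime) -> List[str]:
        """Render the current level as iptables rules (assumed rendering; the
        iptables `limit` match is used here in place of A2D2's CBQ classes)."""
        action, rate, _ = LEVELS[self.level_of(src, now)]
        if action == "open":
            return []
        if action == "block":
            return [f"iptables -A FORWARD -s {src} -j DROP"]
        return [
            f"iptables -A FORWARD -s {src} -m limit --limit {rate}/second -j ACCEPT",
            f"iptables -A FORWARD -s {src} -j DROP",
        ]


def parse_alert_source(line: str) -> Optional[str]:
    """Source address of a Snort fast-alert style line, e.g.
    '... flood [**] {UDP} 128.198.61.15:1024 -> 128.198.61.12:80'
    (constructed sample format, close to but not exactly Snort's output)."""
    if " -> " not in line:
        return None
    left = line.split(" -> ")[0]
    return left.rsplit(" ", 1)[-1].split(":")[0]


T0 = datetime(2003, 2, 7, 12, 0, 0)  # constructed start time (the talk's date)


def at(seconds: float) -> datetime:
    return T0 + timedelta(seconds=seconds)


# Constructed sample alerts: one testbed source (Alpha) floods three times.
SAMPLE_ALERTS = [
    (0, "02/07-12:00:00.000000 [**] [1:0:0] flood [**] {UDP} 128.198.61.15:1024 -> 128.198.61.12:80"),
    (1, "02/07-12:00:01.000000 [**] [1:0:0] flood [**] {UDP} 128.198.61.15:1025 -> 128.198.61.12:80"),
    (2, "02/07-12:00:02.000000 [**] [1:0:0] flood [**] {UDP} 128.198.61.15:1026 -> 128.198.61.12:80"),
]


def demo() -> List[int]:
    """Level after each alert, then after 2 h and 4 h of quiet: [3, 2, 1, 2, 4]."""
    rl = MultiLevelRateLimiter()
    levels = [rl.on_alert(parse_alert_source(line), at(t)) for t, line in SAMPLE_ALERTS]
    levels.append(rl.level_of("128.198.61.15", at(2 + 2 * 3600)))
    levels.append(rl.level_of("128.198.61.15", at(2 + 4 * 3600)))
    return levels


if __name__ == "__main__":
    print(demo())
```

The point to take from the timers is the asymmetry the slide encodes: a source drops a level on every alert but climbs back only one level per expiry, so a persistent flooder quickly lands in the long block levels while a client that trips the preprocessor once is rate-limited for an hour, not cut off.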
14Security Research 2/7/2003 chow
A2D2 QoS Results - Baseline
10-min Video Stream between Real Player & Real Server
Packets Received: Around 23,000 (23,445)
No DDoS Attack
QoS Experienced at A2D2 by Real Player Client with No DDoS
Playout Buffering to Avoid Jitter
15Security Research 2/7/2003 chow
A2D2 Results – Non-stop Attack
Packets Received: 8,039
Retransmission Request: 2,592
Retransmission Received: 35
Lost: 2,557
Connection Timed-out
QoS Experienced at A2D2 Client
Loss of Packets
16Security Research 2/7/2003 chow
A2D2 Results – UDP Attack, Mitigation: Firewall Policy
Packets Received: 23,407
Retransmission Request: 0; Retransmission Received: 0; Lost: 0
Looks like we just need plain old firewall rules, no fancy Rate Limiting/CBQ?
QoS Experienced at A2D2 Client
17Security Research 2/7/2003 chow
A2D2 Results – ICMP Attack, Mitigation: Firewall Policy
Packets Received: 7,127
Retransmission Request: 2,105
Retransmission Received: 4
Lost: 2,101
Connection Timed-out
Just a plain old firewall rule is not good enough!
QoS Experienced at A2D2 Client
Packet/Connection Loss
18Security Research 2/7/2003 chow
A2D2 Results – TCP Attack, Mitigation: Policy+CBQ
Turn on CBQ
Packets Received: 22,179
Retransmission Request: 4,090
Retransmission Received: 2,641
Lost: 1,449
Screen Quality Impact!
QoS Experienced at A2D2 Client
Looks OK but quality degrades
19Security Research 2/7/2003 chow
A2D2 Results – TCP Attack, Mitigation: Policy+CBQ+Rate Limiting
Turn on Both CBQ & Rate Limiting
Packets Received: 23,444
Retransmission Request: 49 – 1,376
Retransmission Received: 40 – 776
Lost: 9 – 600
No image quality degradation
QoS Experienced at A2D2 Client
20Security Research 2/7/2003 chow
A2D2 Future Works
Extend to include IDIP/Pushback
Precise Anomaly Detection
Improve Firewall/IDS Processing Speed
Scalability Issues
Tests with More Service Types
Tests with Heavy Client Traffic Volume
Fault Tolerant (Multiple Firewall Devices)
Alternate Routing
21Security Research 2/7/2003 chow
Wouldn’t it be Nice to Have Alternate Routes?
[Diagram: Victim behind router R; client networks net-a.com, net-b.com, net-c.com with DNS servers DNS1, DNS2, DNS3; attack agents (A) scattered among the client networks; Alternate Gateways R1, R2, R3; DDoS Attack Traffic and Client Traffic both arrive at R]
How to reroute clients' traffic through R1-R3?
22Security Research 2/7/2003 chow
Implement Alternate Routes
[Diagram: same topology as the previous slide, with Victim, DNS1-DNS3, net-a.com/net-b.com/net-c.com, attack agents (A), router R and Alternate Gateways R1, R2, R3; DDoS Attack Traffic and Client Traffic]
Need to Inform Clients or Client DNS servers!
But how to tell which Clients are not compromised?
How to hide IP addresses of Alternate Gateways?
23Security Research 2/7/2003 chow
SCOD
[Diagram: the topology above with Proxy1, Proxy2, Proxy3 in front of Alternate Gateways R1, R2, R3, and a Reroute Coordinator; Attack Traffic and Client Traffic; attack traffic blocked at R]
1. IDS detects intrusion; blocks Attack Traffic; sends distress call to Reroute Coordinator
24Security Research 2/7/2003 chow
SCOD
[Diagram: Victim, DNS1-DNS3, Proxy1-Proxy3, R1-R3, Reroute Coordinator; Attack Traffic and Client Traffic; attack traffic blocked at R]
1. IDS detects intrusion; blocks Attack Traffic; sends distress call to Reroute Coordinator
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS
25Security Research 2/7/2003 chow
SCOD
[Diagram: Victim, DNS1-DNS3, Proxy1-Proxy3, R1-R3, Reroute Coordinator; Attack Traffic and Client Traffic; attack traffic blocked at R]
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3
26Security Research 2/7/2003 chow
SCOD
[Diagram: Victim, DNS1-DNS3, Proxy1-Proxy3, R1-R3, Reroute Coordinator; Attack Traffic and Client Traffic; attack traffic blocked at R]
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS at a proxy, blocked by Firewall
27Security Research 2/7/2003 chow
SCOD
[Diagram: Victim, DNS1-DNS3, Proxy1-Proxy3, R1-R3, Reroute Coordinator; Attack Traffic and Client Traffic; attack traffic blocked at R]
1. Distress call
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s))
3. New route via Proxy1 to R1; new route via Proxy2 to R2; new route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS at a proxy, blocked by Firewall
4b. Client traffic comes in via alternate route
28Security Research 2/7/2003 chow
Secure Collective Defense
Main Idea: Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal: Provide secure alternate routes; hide IP addresses of alternate gateways.
Techniques:
Multiple Path Routing
Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry)
Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate gateways
How to partition clients to come in at different proxy servers? May help identify the attacker!
How do clients use the new DNS entries and route traffic through the proxy server? Use the SOCKS protocol, modify the resolver library?
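The SCOD exchange of the preceding slides (IDS distress call, Reroute Coordinator, reroute command to the client DNS, clients partitioned across proxies, proxy IDS blocking attack traffic before it reaches the hidden alternate gateway) as an added Python example; this is not code from the talk or the Secure Collective Defense project. All addresses are constructed documentation-range values; the per-/24 partition of clients across proxies, the proxy IDS's packet-rate threshold, and the client DNS's check that the command's name already maps to the claimed victim address are assumptions of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed addresses (documentation ranges), not the testbed's.
VICTIM_NAME = "www.victim.example"
VICTIM_IP = "192.0.2.10"
# Alternate gateway (R1..R3) behind each proxy; known to the coordinator and the
# proxy, never sent to DNS servers or clients.
PROXY_TO_GATEWAY: Dict[str, str] = {
    "203.0.113.1": "10.1.0.1",
    "203.0.113.2": "10.2.0.1",
    "203.0.113.3": "10.3.0.1",
}
FLOOD_THRESHOLD_PPS = 100  # assumed per-client packet-rate threshold for the proxy IDS


@dataclass(frozen=True)
class RerouteCommand:
    dns_name: str
    victim_ip: str
    proxies: Tuple[str, ...]  # proxy addresses only


class RerouteCoordinator:
    """Steps 1-2: takes the victim's distress call, answers with a reroute command."""

    def __init__(self, proxy_to_gateway: Dict[str, str]) -> None:
        self.proxy_to_gateway = proxy_to_gateway

    def on_distress(self, dns_name: str, victim_ip: str) -> RerouteCommand:
        return RerouteCommand(dns_name, victim_ip, tuple(sorted(self.proxy_to_gateway)))


def pick_proxy(client_ip: str, proxies: Tuple[str, ...]) -> str:
    """Partition clients by /24 so each client network always lands on one proxy."""
    net = ".".join(client_ip.split(".")[:3])
    digest = hashlib.sha256(net.encode()).digest()
    return proxies[int.from_bytes(digest[:4], "big") % len(proxies)]


class ClientDns:
    """Steps 2-3: client-side DNS holding normal A records plus SCOD alternate entries."""

    def __init__(self, zone: Dict[str, str]) -> None:
        self.zone = dict(zone)
        self.alternates: Dict[str, Tuple[str, ...]] = {}

    def apply(self, cmd: RerouteCommand) -> bool:
        # Only accept a reroute for a name this server already maps to the claimed victim.
        if self.zone.get(cmd.dns_name) != cmd.victim_ip:
            return False
        self.alternates[cmd.dns_name] = cmd.proxies
        return True

    def resolve(self, name: str, client_ip: str) -> str:
        if name in self.alternates:
            return pick_proxy(client_ip, self.alternates[name])
        return self.zone[name]


class Proxy:
    """Step 4: proxy with its own IDS; clean traffic goes on to the hidden gateway."""

    def __init__(self, address: str, gateway: str) -> None:
        self.address, self.gateway = address, gateway
        self.blocked: set = set()

    def handle(self, client_ip: str, pps: int) -> str:
        if pps > FLOOD_THRESHOLD_PPS:
            self.blocked.add(client_ip)
            return "blocked"
        return f"forwarded to {self.gateway}"


def suspects(proxy_address: str, clients: List[str], proxies: Tuple[str, ...]) -> List[str]:
    """Clients partitioned to a proxy that saw attack traffic: the set to investigate."""
    return [c for c in clients if pick_proxy(c, proxies) == proxy_address]


def run_scenario() -> dict:
    coordinator = RerouteCoordinator(PROXY_TO_GATEWAY)
    dns = ClientDns({VICTIM_NAME: VICTIM_IP})
    proxies = {addr: Proxy(addr, gw) for addr, gw in PROXY_TO_GATEWAY.items()}
    clients = ["198.51.100.7", "198.51.100.9", "198.51.101.20", "198.51.102.31"]
    # Constructed packet rates: one client floods, the rest behave.
    traffic = {"198.51.100.7": 5, "198.51.100.9": 8, "198.51.101.20": 400, "198.51.102.31": 3}

    cmd = coordinator.on_distress(VICTIM_NAME, VICTIM_IP)  # 1. distress call -> 2. command
    accepted = dns.apply(cmd)
    results = {}
    for c in clients:
        target = dns.resolve(VICTIM_NAME, c)  # 3. new route via a proxy
        results[c] = (target, proxies[target].handle(c, traffic[c]))  # 4. proxy IDS
    flagged = [p.address for p in proxies.values() if p.blocked]
    return {"accepted": accepted, "results": results, "flagged_proxies": flagged,
            "suspects": {p: suspects(p, clients, cmd.proxies) for p in flagged},
            "command": cmd}


if __name__ == "__main__":
    print(run_scenario())
```

Two properties carry the slide's argument: the reroute command and the DNS answers name proxies only, so a client that later turns out to be an agent learns nothing about R1-R3; and because the partition is deterministic, a proxy that sees attack traffic narrows the candidate attackers to the client networks assigned to it.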
29Security Research 2/7/2003 chow
New UCCS IA Degree/Certificate
Master of Engineering Degree in Information Assurance
Certificate in Information Assurance (offered to Peterson AFB through NISSC)
Courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design
30Security Research 2/7/2003 chow
New CS691 Course on Advanced System Security Design
Use Matt Bishop's new Computer Security text
Spring 2003: one class at UCCS, one at Peterson AFB
Enhanced by demos/hands-on exercises at the Distributed Security Lab of Northrop Grumman
Integrate security research results into course material, such as the A2D2, Secure Collective Defense and MPLS-VPN projects
Invite speakers from industry such as Innerwall and AFA?
Looking for potential joint exercises with other institutions such as AFA, Northrop Grumman, Innerwall
31Security Research 2/7/2003 chow
Joint Research/Development Effort
STTR N03-T010 TITLE: Intrusion Monitoring, Detection and Reporting
Penetration Analysis/Testing projects?
Intrusion Detection/Handling projects?
Other Cyberwarfare related projects?
Security Forum organized by Dean Haefner/Dr. Ayen
Security Seminar Series with CITTI funding support
Look for Speakers (suggestions?)