
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.




Slide 1 (UNCLASSIFIED): Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks
J. Leland Langston, Raytheon
Dr. C. Edward Chow, UCCS
18 February 2004

Slide 2 (Page 2, UNCLASSIFIED, 2/18/2004): Intrusion Detection and Tolerance
Mobile ad hoc networks have little or no physical security protection. Mobile networks may connect to larger networks, including the GIG. Hence mobile networks provide ready access points for intrusion into critical networks and for Distributed Denial of Service (DDoS). Since intrusion will be difficult to deny, the best strategy is to develop techniques that can detect intrusions and restructure networks in a manner that isolates the point(s) of intrusion while maintaining network connectivity for other legitimate users.
Intrusion Detection and Network Restructuring is the best strategy!

Slide 3: The DDoS Problem
Distributed Denial of Service
– ICMP, SYN, UDP, Smurf floods
– Code Red and Slammer worms
The victim is "flooded" from multiple compromised sources on net-a.mil and net-c.mil via multiple compromised paths and gateways. Legitimate users on net-b.mil attempting to communicate with the victim are denied service.
The objective is to detect which paths and clients are NOT compromised. But how do you hide the IP addresses of alternative gateways?
Cannot prevent DDoS attacks on MANETs!
(Figure: DDoS attack without alternate routes)

Slide 4: Secure Indirect Routing as a Solution
UDP-based worms such as Slammer propagate in minutes, too fast to detect and prevent. The strategy is to determine uninfected routes, re-route traffic around infected nodes, and disconnect infected paths automatically:
– Determine uninfected routes
– Use proxy servers for alternate routing
– Shield these routes from future attacks by hiding IP addresses
– Use intrusion detection to block DDoS traffic into proxy servers
Exploit alternative routing options to circumvent DDoS attacks.
(Figure: DDoS attack with alternate routes)

Slide 5: Benefits of Secure Indirect Routing
Security:
– When attacked, users switch to different routes dynamically
– Urgent/critical packets are sent over multiple routes simultaneously
– Encrypted content is sent over multiple routes
– Information on DDoS attacks is used to isolate the source of attacks
Reliability:
– Users can choose the most reliable route dynamically
– Packet content is spread over multiple routes
– Redundant transmission or error correction reduces the packet loss rate (PLR)
Performance:
– Multiple indirect routes provide additional bandwidth
– Can be used for dynamic bandwidth provisioning
Secure Indirect Routing has additional benefits!
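Slides 4 and 5 describe the core mechanism: pick routes that avoid nodes the intrusion detection system has flagged, then spread packet content over several of those routes with enough redundancy that losing one route does not lose the data. The following Python is an added illustration written for this transcript, not code from the presentation or from Raytheon/UCCS. The topology, the greedy node-disjoint path search, and the XOR parity chunking (a deliberately simple stand-in for the slide's "redundant transmission or error correction") are all assumptions of the example; the node names and the set of compromised nodes are constructed sample data.

```python
from collections import deque

# Constructed (hypothetical) MANET topology: node -> list of radio neighbours.
# One client reaches the protected host through three independent gateway/relay chains.
TOPOLOGY = {
    "client": ["gw1", "gw2", "gw3"],
    "gw1": ["client", "relay1"],
    "gw2": ["client", "relay2"],
    "gw3": ["client", "relay3"],
    "relay1": ["gw1", "host"],
    "relay2": ["gw2", "host"],
    "relay3": ["gw3", "host"],
    "host": ["relay1", "relay2", "relay3"],
}


def shortest_path(graph, src, dst, excluded):
    """Breadth-first search for the shortest src->dst path that avoids excluded nodes."""
    if src in excluded or dst in excluded:
        return None
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, []):
            if nxt not in prev and nxt not in excluded:
                prev[nxt] = node
                queue.append(nxt)
    return None


def disjoint_routes(graph, src, dst, compromised, max_routes=3):
    """Greedy selection of node-disjoint routes that avoid nodes the IDS has flagged.
    After each route is chosen its relays are excluded, so later routes share none of
    them; greedy search is simple but not guaranteed to find the maximum set."""
    excluded = set(compromised)
    routes = []
    while len(routes) < max_routes:
        path = shortest_path(graph, src, dst, excluded)
        if path is None:
            break
        routes.append(path)
        excluded.update(path[1:-1])
    return routes


def split_with_parity(payload, n_routes):
    """Spread the payload over n_routes-1 data chunks plus one XOR parity chunk.
    Losing any single route (data or parity) leaves enough to rebuild the payload."""
    data_chunks = n_routes - 1
    chunk_len = -(-len(payload) // data_chunks)          # ceiling division
    padded = payload.ljust(data_chunks * chunk_len, b"\x00")
    chunks = [padded[i * chunk_len:(i + 1) * chunk_len] for i in range(data_chunks)]
    parity = bytearray(chunk_len)
    for chunk in chunks:
        for i, byte in enumerate(chunk):
            parity[i] ^= byte
    return chunks + [bytes(parity)]


def reassemble(received, n_routes, payload_len):
    """Rebuild the payload from the chunks that arrived (index n_routes-1 is parity).
    One missing data chunk is recovered as the XOR of everything else; with more
    than one chunk lost the payload cannot be rebuilt and None is returned."""
    data_chunks = n_routes - 1
    missing = [i for i in range(n_routes) if i not in received]
    if len(missing) > 1 or not received:
        return None
    if missing and missing[0] < data_chunks:
        chunk_len = len(next(iter(received.values())))
        rebuilt = bytearray(chunk_len)
        for chunk in received.values():
            for i, byte in enumerate(chunk):
                rebuilt[i] ^= byte
        received = {**received, missing[0]: bytes(rebuilt)}
    return b"".join(received[i] for i in range(data_chunks))[:payload_len]


def deliver(payload, compromised, lost_route=None):
    """Route around compromised nodes, spread payload plus parity over the routes,
    and reassemble at the receiver even if one route (lost_route) is lost en route.
    Returns (routes used, recovered payload or None)."""
    routes = disjoint_routes(TOPOLOGY, "client", "host", compromised)
    if len(routes) < 2:                 # need at least one data route plus parity
        return routes, None
    chunks = split_with_parity(payload, len(routes))
    received = {i: c for i, c in enumerate(chunks) if i != lost_route}
    return routes, reassemble(received, len(routes), len(payload))


if __name__ == "__main__":
    # relay2 flagged by the IDS, then the first surviving route is lost in transit
    print(deliver(b"urgent: reroute order", {"relay2"}, lost_route=0))
```

With `relay2` flagged, the search returns two routes through `gw1`/`relay1` and `gw3`/`relay3`; the payload goes over one and its parity over the other, so either route can fail. With all three gateways flagged no route remains and `deliver` reports that rather than falling back to a compromised path, which is the "disconnect infected paths" behaviour the slide asks for.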

Slide 6: Why Intrusion Tolerance is an Ideal Strategy for Mobile ad hoc Networks
– It exploits the natural characteristics of mobile ad hoc networks, which offer multiple independent routing paths.
– When a site is attacked, intrusion detection systems generate alarms that initiate secure DNS updates.
– The system exploits the encryption inherent in military systems.
– Intrusion detection is easier and faster than intrusion prevention, and can be applied to insider attacks and RF jamming as well.
– The use of multiple paths can be exploited to enhance the reliability, security and effective bandwidth of the system.
Intrusion Tolerance is an Ideal Strategy for Mobile ad hoc Networks

Slide 7 (UNCLASSIFIED): Backup (Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks)

Slide 8: Autonomous Anti-DDoS

Slide 9: How DDoS Works
The intruder loads cracking tools available on the Internet onto multiple (sometimes thousands of) compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets at the target causes a denial of service.
DDoS victims: Yahoo/Amazon (2000), CERT (5/2001), DNS root servers (10/2002)
DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised.

Slide 10: Autonomous Enterprise DDoS Defense
An effective enterprise DDoS defense requires:
– Fast, coordinated intrusion detection and isolation
– Tight secure access and compromise detection
– Secure and reliable mechanisms for establishing or reconnecting legitimate connections during DDoS attacks
Key techniques to be investigated for improving enterprise DDoS defense:
– Secure indirect routing
– Fast, effective intrusion detection and tracking
– Efficient integration and coordination between IDS and firewall devices
– Responsive adaptive rate limiting
– Secure access authentication and challenge-response
– Efficient group rekeying system
– Carefully designed routing protocols resistant to wormhole and sinkhole attacks
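Slide 10 lists "responsive adaptive rate limiting" and "coordination between IDS and firewall devices", and slide 4 asks for intrusion detection to block DDoS traffic into the proxy servers. The Python below is an added example for this transcript, not code from the presentation or its authors, showing how those pieces fit at a proxy or gateway: a per-source token bucket admits traffic at a normal rate, a volume detector standing in for the IDS flags a source whose interval count exceeds a threshold, and the flag both drains that source's bucket and cuts its refill rate while emitting an alarm record a firewall could act on. The flow records, thresholds and addresses are constructed sample values, and the single-interval volume detector is an assumption of the example rather than the deck's IDS design.

```python
from collections import defaultdict

# Constructed flow records seen at a gateway: (time_s, src_ip, packets_in_interval).
# 10.0.2.9 floods for two intervals; the other two sources stay at a normal rate.
SAMPLE_FLOWS = [
    (0.0, "10.0.1.5", 20), (0.0, "10.0.2.9", 25), (0.0, "10.0.3.3", 30),
    (1.0, "10.0.1.5", 22), (1.0, "10.0.2.9", 900), (1.0, "10.0.3.3", 28),
    (2.0, "10.0.1.5", 21), (2.0, "10.0.2.9", 950), (2.0, "10.0.3.3", 31),
    (3.0, "10.0.1.5", 19), (3.0, "10.0.2.9", 10), (3.0, "10.0.3.3", 27),
]


class AdaptiveLimiter:
    """Per-source token bucket whose refill rate is cut when the IDS hook flags a
    flood, so the gateway stops admitting the flooding source while unflagged
    sources keep their normal allowance."""

    def __init__(self, normal_rate=100.0, burst=200.0,
                 alarm_threshold=500, alarm_rate=5.0):
        self.normal_rate = normal_rate        # tokens (packets) per second when healthy
        self.burst = burst                    # bucket capacity
        self.alarm_threshold = alarm_threshold  # packets per interval that trigger an alarm
        self.alarm_rate = alarm_rate          # refill rate applied to a flagged source
        self.state = {}                       # src -> bucket state
        self.alarms = []                      # (time, src) events handed to the firewall

    def _bucket(self, src, now):
        """Fetch the source's bucket and refill it for the time elapsed."""
        b = self.state.setdefault(src, {"tokens": self.burst, "last": now,
                                        "rate": self.normal_rate, "alarmed": False})
        elapsed = max(0.0, now - b["last"])
        b["tokens"] = min(self.burst, b["tokens"] + elapsed * b["rate"])
        b["last"] = now
        return b

    def ids_check(self, now, src, packets, bucket):
        """Volume detector standing in for the IDS (assumption of this example):
        one interval above alarm_threshold flags the source, records an alarm the
        first time, and tightens the bucket immediately."""
        if packets > self.alarm_threshold:
            if not bucket["alarmed"]:
                self.alarms.append((now, src))
            bucket["alarmed"] = True
            bucket["rate"] = self.alarm_rate
            bucket["tokens"] = 0.0            # drain so the flood is cut at once

    def admit(self, now, src, packets):
        """Return (admitted, dropped) packet counts for one flow record."""
        bucket = self._bucket(src, now)
        self.ids_check(now, src, packets, bucket)
        admitted = int(min(packets, bucket["tokens"]))
        bucket["tokens"] -= admitted
        return admitted, packets - admitted


def run(flows, limiter=None):
    """Feed flow records through the limiter; return per-source totals and alarms."""
    limiter = limiter or AdaptiveLimiter()
    summary = defaultdict(lambda: {"admitted": 0, "dropped": 0})
    for now, src, packets in flows:
        admitted, dropped = limiter.admit(now, src, packets)
        summary[src]["admitted"] += admitted
        summary[src]["dropped"] += dropped
    for src, bucket in limiter.state.items():
        summary[src]["alarmed"] = bucket["alarmed"]
    return dict(summary), limiter.alarms


if __name__ == "__main__":
    totals, alarms = run(SAMPLE_FLOWS)
    for src, t in sorted(totals.items()):
        print(src, t)
    print("alarms:", alarms)
```

On the sample records the two well-behaved sources lose nothing, while the flooding source is alarmed at t=1.0, has its flood intervals dropped in full, and is still held to the reduced rate afterwards. The alarm list is the coordination point: in the deck's architecture it would drive the firewall rule and the secure DNS update that moves legitimate users onto alternate routes.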

