Presentation is loading. Please wait.

Presentation is loading. Please wait.

3/30/2005 Auburn University Information Assurance Lab 1 Simulating Secure Overlay Services.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "3/30/2005 Auburn University Information Assurance Lab 1 Simulating Secure Overlay Services."— Presentation transcript:

1 3/30/2005 Auburn University Information Assurance Lab 1 Simulating Secure Overlay Services

2 3/30/2005 2 Auburn University Information Assurance Lab Outline SOS Overview SOS Overview Communication Architecture Communication Architecture Ideas and Assumptions Ideas and Assumptions Models Models Experiments Experiments Results Results Future Work Future Work Questions? Questions?

3 3/30/2005 3 Auburn University Information Assurance Lab SOS Overview Target Site Target Site High-Speed Routers High-Speed Routers Secret Servlet Secret Servlet Beacon Beacon Secure Overlay Access Point (SOAP) Secure Overlay Access Point (SOAP)

4 3/30/2005 4 Auburn University Information Assurance Lab SOS Overview Target Site Target Site The machine enlisting the protection of the overlay network The machine enlisting the protection of the overlay network High-Speed Filter Routers High-Speed Filter Routers Routers that govern all access to the protected site Routers that govern all access to the protected site Must have the capacity to repel a sizeable attack Must have the capacity to repel a sizeable attack

5 3/30/2005 5 Auburn University Information Assurance Lab SOS Overview Secret Servlet Secret Servlet The only Node that is allowed to send data directly to the Target Site The only Node that is allowed to send data directly to the Target Site Beacon Beacon The ultimate destination as far as the overlay is concerned The ultimate destination as far as the overlay is concerned Secure Overlay Access Point (SOAP) Secure Overlay Access Point (SOAP) The point at the edge of the overlay through which users are authenticated, and their traffic forwarded The point at the edge of the overlay through which users are authenticated, and their traffic forwarded

6 3/30/2005 6 Auburn University Information Assurance Lab Design Philosophy and Assumptions Simplicity Simplicity Communication Protocol Communication Protocol Inter-node communication is reduced to single packet instructions and acknowledgements Inter-node communication is reduced to single packet instructions and acknowledgements User-target communication is very simple stop-and-wait protocol, allows us to make simple measurements of round trip time, loss rates, etc. User-target communication is very simple stop-and-wait protocol, allows us to make simple measurements of round trip time, loss rates, etc. Network Models Network Models The models should be as functionally pure as possible The models should be as functionally pure as possible The network should not be overburdened with excessively complex routing The network should not be overburdened with excessively complex routing

7 3/30/2005 7 Auburn University Information Assurance Lab Design Philosophy and Assumptions Simplicity (cont’d) Simplicity (cont’d) Attacks are simulated by intermittently failing nodes as opposed to generating large amounts of traffic to overwhelm them Attacks are simulated by intermittently failing nodes as opposed to generating large amounts of traffic to overwhelm them Attacker Assumptions Attacker Assumptions Attackers do not know the function of nodes in the network, only that they are participating Attackers do not know the function of nodes in the network, only that they are participating Attackers have the strength to shut down n nodes in a single stroke Attackers have the strength to shut down n nodes in a single stroke

8 3/30/2005 8 Auburn University Information Assurance Lab Models SOS Node Model SOS Node Model Secret Servlet Secret Servlet Beacon Beacon SOAP SOAP Intermediate Node Intermediate Node Target Site Target Site Accepts authenticated traffic and replies Accepts authenticated traffic and replies

9 3/30/2005 9 Auburn University Information Assurance Lab Models Router Router Filters what it is told to filter, forwards everything else Filters what it is told to filter, forwards everything else User (Traffic Generator) User (Traffic Generator) Injects data into the network and waits patiently for ACKs Injects data into the network and waits patiently for ACKs

10 3/30/2005 10 Auburn University Information Assurance Lab Models The Network The Network 25 Subnets 25 Subnets Each Subnet contains (at least) a router and an SOS node Each Subnet contains (at least) a router and an SOS node

11 3/30/2005 11 Auburn University Information Assurance Lab Models

12 3/30/2005 12 Auburn University Information Assurance Lab Models

13 3/30/2005 13 Auburn University Information Assurance Lab Models

14 3/30/2005 14 Auburn University Information Assurance Lab Models

15 3/30/2005 15 Auburn University Information Assurance Lab Models

16 3/30/2005 16 Auburn University Information Assurance Lab Models

17 3/30/2005 17 Auburn University Information Assurance Lab Models

18 3/30/2005 18 Auburn University Information Assurance Lab Experimental Design Unsophisticated Random Attacker Unsophisticated Random Attacker That attacker knows which nodes are participating in the network, but does not know their roles. That attacker knows which nodes are participating in the network, but does not know their roles. The attacker can fail any node in the network with probability p. After a random amount of downtime, the node will rejoin the network. The attacker can fail any node in the network with probability p. After a random amount of downtime, the node will rejoin the network. Unsophisticated Targeted Attacker Unsophisticated Targeted Attacker The attacker can use all of her resources to bring down n nodes simultaneously. These nodes do not have the chance to rejoin the network. The attacker can use all of her resources to bring down n nodes simultaneously. These nodes do not have the chance to rejoin the network.

19 3/30/2005 19 Auburn University Information Assurance Lab Experimental Design Sophisticated (Overinformed) Attacker Sophisticated (Overinformed) Attacker This attacker can divine the identity of the overlay’s most guarded secret, the identity of the secret servlet. This attacker can divine the identity of the overlay’s most guarded secret, the identity of the secret servlet. This discovery takes a short and near constant amount of time. This discovery takes a short and near constant amount of time.

20 3/30/2005 20 Auburn University Information Assurance Lab Results Unsophisticated Random Attacker Unsophisticated Random Attacker For small values of p the overlay is hardly effected For small values of p the overlay is hardly effected Anything larger than 0.5 creates long periods of down time for recovery. Anything larger than 0.5 creates long periods of down time for recovery.

21 3/30/2005 21 Auburn University Information Assurance Lab Results Unsophisticated Targeted attacker Attacker Unsophisticated Targeted attacker Attacker Again, once 50% of the nodes are susceptible to failure, recovery becomes very difficult, if not impossible Again, once 50% of the nodes are susceptible to failure, recovery becomes very difficult, if not impossible

22 3/30/2005 22 Auburn University Information Assurance Lab Results Sophisticated Attacker Sophisticated Attacker Recovery time for losing a secret servlet is near constant no matter how many times it happenes Recovery time for losing a secret servlet is near constant no matter how many times it happenes

23 3/30/2005 23 Auburn University Information Assurance Lab Conclusions The ease with which attackers can recruit a zombie hoard make DDoS a large and realistic threat to the communication infrastructure. The ease with which attackers can recruit a zombie hoard make DDoS a large and realistic threat to the communication infrastructure. Secure Overlay Services represents a creative solution to a complicated problem. Secure Overlay Services represents a creative solution to a complicated problem. With a large enough number of participating nodes, and very high speed links, SOS provides adequate protection and real-time recoverability in the face of a bandwidth denial of service attack. With a large enough number of participating nodes, and very high speed links, SOS provides adequate protection and real-time recoverability in the face of a bandwidth denial of service attack.

24 3/30/2005 24 Auburn University Information Assurance Lab Future Work More Accurate Network Model More Accurate Network Model TCP/IP Stack TCP/IP Stack Dynamic Routing Dynamic Routing Implementation Implementation Ask Adam… Ask Adam…

25 3/30/2005 25 Auburn University Information Assurance Lab Resources A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proceedings of ACM SIGCOMM, pages 61--72, August 2002. A. D. Keromytis, V. Misra, and D. Rubenstein. SOS: Secure Overlay Services. In Proceedings of ACM SIGCOMM, pages 61--72, August 2002. I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan. Chord: A Scalable Peer-To-Peer Lookup Service for Internet Applications. In Proceedings of ACM SIGCOMM, 2001. I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan. Chord: A Scalable Peer-To-Peer Lookup Service for Internet Applications. In Proceedings of ACM SIGCOMM, 2001. Morein, W.G., Stavrou, A., Cook, D.L., Keromytis, A.D., Misra, V., Rubenstein, D.: Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers. In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS). (2003) 8-19. Morein, W.G., Stavrou, A., Cook, D.L., Keromytis, A.D., Misra, V., Rubenstein, D.: Using Graphic Turing Tests to Counter Automated DDoS Attacks Against Web Servers. In: Proceedings of the 10th ACM International Conference on Computer and Communications Security (CCS). (2003) 8-19. D. Karger, E. Lehman, F. Leighton, R. Panigrahy, M. Levine, and D. Lewin. Consistent Hashing and Random Trees: Distributed Caching Protocols for Relieving Hot Spots on the World Wide Web. In Proceedings of ACM Symposium on Theory of Computing (STOC), pages 654–663, May 1997. D. Karger, E. Lehman, F. Leighton, R. Panigrahy, M. Levine, and D. Lewin. Consistent Hashing and Random Trees: Distributed Caching Protocols for Relieving Hot Spots on the World Wide Web. In Proceedings of ACM Symposium on Theory of Computing (STOC), pages 654–663, May 1997. H. W. Fletcher, K. Richardson, M. C. Carlisle, J. A. Hamilton. Simulation Experimentation with Secure Overlay Services. In review for SES Summer Simulation Conference, 2005. H. W. Fletcher, K. Richardson, M. C. Carlisle, J. A. Hamilton. Simulation Experimentation with Secure Overlay Services. In review for SES Summer Simulation Conference, 2005.

Download ppt "3/30/2005 Auburn University Information Assurance Lab 1 Simulating Secure Overlay Services."

Similar presentations

Security in Mobile Ad Hoc Networks

Security in Mobile Ad Hoc Networks
2009-03-16 1 Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.

Countering DoS Attacks with Stateless Multipath Overlays Presented by Yan Zhang.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.

Ion Stoica, Robert Morris, David Karger, M. Frans Kaashoek, Hari Balakrishnan MIT and Berkeley presented by Daniel Figueiredo Chord: A Scalable Peer-to-peer.
CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.

CIS 459/659 – Introduction to Network Security – Spring 2005 – Class 13 – 4/5/05 1 D-WARD 1  Goal: detect attacks, reduce the attack traffic, recognize.
Clayton Sullivan PEER-TO-PEER NETWORKS. INTRODUCTION What is a Peer-To-Peer Network A Peer Application Overlay Network Network Architecture and System.

Clayton Sullivan PEER-TO-PEER NETWORKS. INTRODUCTION What is a Peer-To-Peer Network A Peer Application Overlay Network Network Architecture and System.
CHORD – peer to peer lookup protocol Shankar Karthik Vaithianathan & Aravind Sivaraman University of Central Florida.

CHORD – peer to peer lookup protocol Shankar Karthik Vaithianathan & Aravind Sivaraman University of Central Florida.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.

Phalanx: Withstanding Multimillion-Node Botnets Colin Dixon Arvind Krishnamurthy Tom Anderson University of Washington NSDI 2008.
Technische Universität Yimei Liao Chemnitz Kurt Tutschku Vertretung - Professur Rechner- netze und verteilte Systeme Chord - A Distributed Hash Table Yimei.

Technische Universität Yimei Liao Chemnitz Kurt Tutschku Vertretung - Professur Rechner- netze und verteilte Systeme Chord - A Distributed Hash Table Yimei.
Technische Universität Chemnitz Kurt Tutschku Vertretung - Professur Rechner- netze und verteilte Systeme Chord - A Distributed Hash Table Yimei Liao.

Technische Universität Chemnitz Kurt Tutschku Vertretung - Professur Rechner- netze und verteilte Systeme Chord - A Distributed Hash Table Yimei Liao.
124.09.2012 1 Lecture 5 - Routing On the Flat Labels M.Sc Ilya Nikolaevskiy Helsinki Institute for Information Technology (HIIT)

Lecture 5 - Routing On the Flat Labels M.Sc Ilya Nikolaevskiy Helsinki Institute for Information Technology (HIIT)
Robert Morris, M. Frans Kaashoek, David Karger, Hari Balakrishnan, Ion Stoica, David Liben-Nowell, Frank Dabek Chord: A scalable peer-to-peer look-up protocol.

Robert Morris, M. Frans Kaashoek, David Karger, Hari Balakrishnan, Ion Stoica, David Liben-Nowell, Frank Dabek Chord: A scalable peer-to-peer look-up protocol.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.

Zhang Fu, Marina Papatriantafilou, Philippas Tsigas Chalmers University of Technology, Sweden 1 ACM SAC 2010 ACM SAC 2011.
You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.

You should worry if you are below this point.  Your projected and optimistically projected grades should be in the grade center soon o Projected:  Your.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.

Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
15-441: Computer Networking Lecture 26: Networking Future.

15-441: Computer Networking Lecture 26: Networking Future.

Similar presentations

Ads by Google