TPAC 10/10/2003 chow: C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs

Presentation transcript:

1 TPAC 10/10/2003 chow
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
SCOLD: Secure Collective Internet Defense
A NISSC Sponsored Project
Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F
It was sponsored by a NISSC Summer 2003 grant.

2 Outline of the Talk
- Network Security Research in UCCS Network Lab
- Secure Collective Internet Defense, the Basic Idea.
- Secure Collective Internet Defense, SCOLDv0.1. A technique based Intrusion Tolerance paradigm
- SCOLDv0.1 implementation and testbed
- Secure DNS update with indirect routing entries
- Indirect routing protocol based on IP tunnel
- Performance Evaluation of SCOLDv0.1
- Conclusion and Future Directions

3 New UCCS IA Degree/Certificate
- Master of Engineering Degree in Information Assurance
- Certificate in Information Assurance (First program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, ). It includes four courses: Computer Networks; Fundamental of Security; Cryptography; Advanced System Security Design

4 UCCS Network/System Research Lab
- Director: Dr. C. Edward Chow
- Network System Research Seminar: Every Tuesday EAS pm, open to public
- New CS Faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
- Graduate students:
  - John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (Two US Patents)
  - Hekki Julkunen: Dynamic Packet Filter
  - Chandra Prakash: High Available Linux kernel-based Content Switch
  - Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; First Responder Wireless Sensor Network
  - Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
  - Longhua Li: IXP-based Content Switch
  - Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
  - Jianhua Xie (Ph.D.): Secure Storage Networks
  - Frank Watson: Content Switch for Security
  - Paul Fong: Wireless AODV Routing for sensor networks
  - Nirmala Belusu: Wireless Network Security PEAP vs. TTLS apply to ad hoc network access control
  - David Wilkinson: SCOLD: Secure DNS Update.
  - Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI.
- Research Projects with Local Companies:
  - MCI on Network Restoration/Survivability. Two Patents Awarded.
  - Beta test Northrop Grumman’s MIND enhanced network analysis tool.
  - CASI-Omnipoint on Wireless Antenna Placement Tool.

5 UCCS Network Lab Setup
- Gigabit fiber connection to UCCS backbone
- Router/Switch/Firewall/Wireless AP:
  - 8 Routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink Switches.
  - Sonicwall Pro 300 Firewall*, 8 VPN gateways*, 8 Intel 7112 SSL accelerators*; XML directors*.
  - Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both a and b cards).
  - Intel IXP12EB network processor evaluation board
- Servers: Two Dell PowerEdge Servers*, 4 Cache appliances*.
- Workstations/PCs:
  - 8 Dell PCs (3Ghz*-500Mhz); 12 HP PCs ( Mhz)
  - 2 laptop PCs with Aironet 350 for mobile wireless
- OS: Linux Redhat 9.0; Windows XP/2000
* Equipment donated by Intel

6 DDoS: Distributed Denial of Service Attack
- DDoS Major Victims:
  - Yahoo/Amazon 2000
  - CERT 5/2001
  - DNS Root Servers 10/2002
- DDoS Tools:
  - Stacheldraht
  - Trinoo
  - Tribal Flood Network (TFN)
- Research by Moore et al of University of California at San Diego, ,805 DoS in 3-week period
- Most of them are Home, small to medium sized organizations

7 Where is Cyber-Neighborhood Watch?
When did Neighborhood Watch start? How old is this?

8 Secure Collective Internet Defense
Internet “attacks” community seems to be better organized. How about Internet Secure Collective Defense?
- Report/exchange virus info and distribute anti-virus → not bad (need to pay Norton or Network Associate)
- Report/exchange spam info → not good (SpamBayes, SpamAssassin, firewall, remove.org)
- Report attack (Have you ever done that? To your admin or FBI?) → not good
- IP Traceback → difficult to negotiate even the use of one bit in IP header
- Push back attack → slow call to upstream ISP; hard to find Intrusion Detection and Isolation Protocol spec!
- Form consortium and help each other during attacks → does not exist!

9 Intrusion Related Research Areas
- Intrusion Prevention
  - General Security Policy
  - Ingress/Egress Filtering
- Intrusion Detection
  - Honey pot
  - Host-based IDS Tripwire
  - Anomaly Detection
  - Misuse Detection
- Intrusion Response
  - Identification/Traceback/Pushback
- Intrusion Tolerance

10 Wouldn’t it be Nice to Have Alternate Routes?
[Figure: network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; Victim; DNS; routers R; Alternate Gateways R1, R2, R3; DDoS Attack Traffic; Client Traffic.]
How to reroute clients' traffic through R1-R3?
Multi-homing

11 Secure Collective Defense
- Main Idea → Explore secure alternate paths for clients to come in; Utilize geographically separated proxy servers.
- Goal:
  - Provide secure alternate routes
  - Hide IP addresses of alternate gateways
- Techniques:
  - Multiple Path (Indirect) Routing
  - Secure DNS extension: how to inform client DNS servers to add alternate new entries (Not your normal DNS name/IP address mapping entry).
  - Utilize a consortium of Proxy servers with IDS that hides the IP address of alternate gateways.
- How to partition clients to come at different proxy servers? → may help identify the attacker!
- How clients use the new DNS entries and route traffic through proxy server? → Use Sock protocol, modify resolver library

12 Implement Alternate Routes
[Figure: network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; Victim; DNS; routers R; Alternate Gateways R1, R2, R3; DDoS Attack Traffic; Client Traffic.]
Need to Inform Clients or Client DNS servers!
But how to tell which Clients are not compromised?
How to hide IP addresses of Alternate Gateways?

13 SCOLD
[Figure: SCOLD network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; Proxy1, Proxy2, Proxy3; routers R, R1, R2, R3; Victim; Reroute Coordinator; Attack Traffic; Client Traffic; block.]
1. IDS detects intrusion; blocks attack traffic; sends distress call to Reroute Coordinator

14 SCOLD
[Figure: SCOLD network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; Proxy1, Proxy2, Proxy3; routers R, R1, R2, R3; Victim; Reroute Coordinator; Attack Traffic; Client Traffic; block.]
1. IDS detects intrusion; blocks attack traffic; sends distress call to Reroute Coordinator
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS

15 SCOLD
[Figure: SCOLD network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; Proxy1, Proxy2, Proxy3; routers R, R1, R2, R3; Victim; Reroute Coordinator; Attack Traffic; Client Traffic; block.]
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to DNS
3. New route via Proxy1 to R1
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3

16 SCOLD
[Figure: SCOLD network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; Proxy1, Proxy2, Proxy3; routers R, R1, R2, R3; Victim; Reroute Coordinator; Attack Traffic; Client Traffic; block.]
3. New route via Proxy1 to R1
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall

17 SCOLD
[Figure: SCOLD network diagram. Labels: net-a.com, net-b.com, net-c.com; DNS1, DNS2, DNS3; Proxy1, Proxy2, Proxy3; routers R, R1, R2, R3; Victim; Reroute Coordinator; Attack Traffic; Client Traffic; block.]
1. Distress call
2. Sends Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s))
3. New route via Proxy1 to R1
3. New route via Proxy2 to R2
3. New route via Proxy3 to R3
4. Attack traffic detected by IDS, blocked by Firewall
4a. Attack traffic detected by IDS, blocked by Firewall
4b. Client traffic comes in via alternate route

18 SCOLD Secure DNS Update with New Indirect DNS Entries
(target.targetnet.com, , ALT
A set of alternate proxy servers for indirect routes
New Indirect DNS Entries:
- Modified Bind9
- Modified Client Resolve Library
Major Work
New Protocol
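
The reroute sequence of slides 13 to 18, modelled as an added example; it is not code from the presentation or from the SCOLD project. Assumptions: HMAC-SHA256 with a per-DNS-server shared key stands in for the "secure DNS update", a serial number rejects replays, the JSON message layout and the one-proxy-per-domain partitioning are hypothetical, and all addresses and keys are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed sample values: documentation-range addresses, hypothetical keys.
VICTIM = ("target.targetnet.com", "192.0.2.10")
PROXIES = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]   # Proxy1..Proxy3
CLIENT_DOMAINS = ["net-a.com", "net-b.com", "net-c.com"]
KEYS = {d: ("key-for-" + d).encode() for d in CLIENT_DOMAINS}  # one shared key per DNS


def build_reroute_commands(serial):
    """Coordinator side (step 2): one signed command per client DNS server.

    Each domain is told about a different proxy, so attack traffic that
    later shows up at a proxy points back at the domain that was given it.
    """
    commands = {}
    for i, domain in enumerate(CLIENT_DOMAINS):
        body = {"name": VICTIM[0], "victim_ip": VICTIM[1],
                "alt": [PROXIES[i % len(PROXIES)]], "serial": serial}
        payload = json.dumps(body, sort_keys=True).encode()
        mac = hmac.new(KEYS[domain], payload, hashlib.sha256).hexdigest()
        commands[domain] = {"payload": payload, "mac": mac}
    return commands


class ClientDNS:
    """Client-side DNS server holding normal and indirect (ALT) entries."""

    def __init__(self, domain):
        self.domain = domain
        self.key = KEYS[domain]
        self.direct = {VICTIM[0]: VICTIM[1]}
        self.indirect = {}      # name -> list of proxy addresses
        self.last_serial = 0

    def apply(self, command):
        """Accept the update only if the MAC verifies and the serial is new."""
        expected = hmac.new(self.key, command["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, command["mac"]):
            return False        # forged, tampered, or meant for another server
        body = json.loads(command["payload"])
        if body["serial"] <= self.last_serial:
            return False        # replayed or stale command
        self.indirect[body["name"]] = body["alt"]
        self.last_serial = body["serial"]
        return True

    def resolve(self, name):
        """Step 3: return (next_hop, via_proxy); a proxy when an ALT entry exists."""
        if name in self.indirect:
            return self.indirect[name][0], True
        return self.direct[name], False


def suspect_domains(commands, proxy_under_attack):
    """Domains whose indirect entry names the proxy now seeing attack traffic."""
    return [d for d, c in commands.items()
            if proxy_under_attack in json.loads(c["payload"])["alt"]]
```

Because only the client DNS servers learn a proxy address, and each learns a different one, the victim's alternate gateways stay hidden and a flood arriving at one proxy narrows the search to the domain that was handed that proxy.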

19 SCOLD Indirect Routing IP tunnel

20 Performance of SCOLD v0.1
Table 1: Ping Response Time (on 3 hop route)
Table 2: SCOLD FTP/HTTP download Test (from client to target)
Columns: No DDoS attack, direct route; DDoS attack, direct route; No DDoS attack, indirect route; DDoS attack, indirect route
Values: 0.49 ms; 225 ms; 0.65 ms

21 A2D2 Multi-Level Adaptive Rate Limiting For Anti-DDoS Defense

22 Future Directions
- Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
- Recruit sites for wide area network SCOLD experiments. Northrop Grumman, Air Force Academy's IA Lab, and University of Texas are initial potential partners. Contact me if you would like to be part of the SCOLD beta test sites and members of the SCOLD consortium.
- We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool.
  - The network status information collected and analyzed by MIND can be used for selecting proxy server sites. Picking and choosing a geographically diverse set of proxy servers for indirect routing is a challenging research problem.
  - SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.
- SCOLD can be used to provide additional Internet bandwidth dynamically when there is sudden bandwidth and connection need. Not just a security tool.
- A company can deploy SCOLD by using its branch offices to provide proxy servers.

23 Conclusion
- Secure Collective Internet Defense needs significant help from the community. Tremendous research and development opportunities.
- SCOLD v0.1 demonstrated DDoS defense via use of
  - secure DNS updates with new indirect routing
  - IP-tunnel based indirect routing to let legitimate clients come in through a set of proxy servers and alternate gateways.
- Can be used to provide additional Internet bandwidth (nice side effect!)
- Multiple indirect routes can also be used for improving the performance of Internet connections by using the proxy servers of an organization as connection relay servers.
- If you would like to fund this project or commercialize it, let me know.