1. SOS: Secure Overlay Services (+Mayday) A. D. Keromytis, V. Misra, D. Rubenstein, Columbia University. Presented by Yingfei Dong.

2 Motivations
 Goal: proactively prevent DoS attacks so that legitimate users can keep communicating with a critical target
 DoS attacks try to stop that communication
 The target is difficult to replicate, e.g., a high-security server or dynamic content
 Legitimate users are mobile (their IP addresses are not fixed)
 Motivating applications: Emergency Response Teams (ERTs)
– Phone networks are easy to bring down
– FBI/police/fire departments contacting a central database; bank users and stock brokers accessing their accounts; on-line transactions
 Application requirements
– Protect private communications on top of a public network
– Authenticated, mobile users

3 Denial of Service (DoS) Attacks
 DoS: select a target and degrade its performance
 Generate "high-volume" traffic toward the target
– Use up network resources: bandwidth, buffers
* Packet flooding (e.g., saturating a 10 Mbps link)
– Overload the CPU or kernel resources with security checking
* Security handshakes
* TCP SYN flooding: exhausting all TCP control blocks
* Forcing a server to fork many processes
 SOS is not a defense against DoS in general, and not a tool for global traffic analysis
 It lets a set of authenticated users communicate with one selected target over a public network

4 Related Work
 Participation: global (changes to routers) vs. local (filters at end-systems or edge routers)
 Detect/prevent spoofing: router-based filtering, ingress filtering, IP traceback
 Identify/shut down ongoing attacks: IP pushback, rate limiting, pattern matching and filtering
 Proactively prevent attacks: IPsec (at each hop), SOS
 Trade-off shown on the slide: less implementation cost vs. more security

5 Players in SOS
 Target
– Node/server protected by SOS from DoS
– Fixed IP address, cannot be replicated
 Legitimate user
– Authenticated user who communicates with the target
– Mobile, i.e., changing IP address
 Attacker
– Tries to stop users from communicating with the target
– Limited capability: cannot bring down core routers

6 Basic Idea
 Why is DoS effective? It is many-to-one
 Solution: hide the paths to the target behind a large-scale distributed filter
 Difficult to do because
– The Internet is an open architecture and will stay open
– IP spoofing is easy and ingress filters are not widely deployed, …
 Idea: forward secured packets over a virtual overlay network on top of the Internet
– Secured packets are forwarded between overlay nodes
– Use a large number of overlay nodes
– The overlay adapts to attacks quickly
 Attackers must attack many nodes to succeed!

7 SOS Functionalities
 Goals
– Allow legitimate users to communicate with the target
– Prevent packets from illegitimate attackers from reaching the target
 Ideal solution
– No changes required in intermediate routers
– No high-cost security checking near or at the target
 Assumptions
– Attackers have limited resources
– Attackers cannot bring down core routers
– Does NOT solve the general DoS problem

8 Method 1: Source-Address Filtering
 Routers near the target do simple filtering on source IP addresses
– Only packets from legitimate nodes can reach the target
– Packets from other sources are dropped
 Fast, light-weight authenticator
 Routers are hard to compromise
 Problems
– Attackers obtain an account on a legitimate node
– Attackers spoof packets with a legitimate source IP
– Legitimate users are mobile and do not have fixed IPs

9 Method 2: Filters + Proxy Servers
 Idea
– A proxy server sits between a legitimate user and the target
– The proxy only forwards authenticated packets
– Only packets from the proxy can reach the target
 Problems
– Once attackers learn the proxy's IP address x.x.x.x, they can spoof packets from x.x.x.x and reach the target
– Attackers can attack the proxy directly and bring it down

10 Method 3: Filters + Secret Proxy Servers
 Hide the identity (IP address) of the proxy to prevent spoofing and attacks aimed at the proxy
 A secret servlet is a hidden proxy chosen by the target
 The filter only admits packets whose source address matches some n ∈ N_s, the set of selected nodes
 Only the target, the secret servlets, and a few other trusted nodes know the servlets' IP addresses
 The attacker cannot tell which node is a proxy for the target

11 Method 4: Filter + Secret Proxy + Overlay Routing + SOAP
 Question: how to forward packets to a secret servlet without knowing its IP address?
 Virtual overlay network
– Each node is an end host
– Only some nodes know how to reach a proxy (servlet)
– Implicit assumption: a large number of nodes, so attackers cannot monitor all overlay nodes
 Secure Overlay Access Points (SOAPs)
– Everyone knows a set of SOAPs
– A SOAP is an entry node into the overlay network
– Receives and verifies traffic via IPsec/TLS
– A large number of SOAPs act as a distributed firewall
 User → SOAP → across the overlay → secret servlet → target

12 Overlay Routing: SOAP → Servlet → Target
 The path from a SOAP to a servlet must be hard to find
 Random walk: O(N/N_s) time, where N is the total number of overlay nodes and N_s the number of servlets
 Chord: O(log N)
 The path must be resilient to attacks, with fast recovery

13 Distributed Hash Table (DHT)
 Examples: Chord, CAN, Pastry, Tapestry, …
 Chord
– A distributed protocol with N homogeneous overlay nodes
– Each node has a node identifier
– Each object has an object key
– Distribute all object keys over the N nodes: the object with key T is mapped to node B if H(T) = B (in Chord, B is the node whose identifier is the successor of H(T) on the ring); object T is managed by node B
– Chord property: locating key T (at node B) from any node takes O(log N) steps

14 A Beacon Connects a SOAP and a Servlet
 The object key in SOS is the IP address of a target
 The beacon B for IP address T is the overlay node with identifier B = H(T)
 Secret servlet S finds beacon B by computing B = H(T) and tells B to forward packets with destination T on to S
 SOAP A also finds beacon B by B = H(T) and forwards secured packets with destination T to B
 Multiple hash functions produce different beacons, i.e., different paths to the target

15 Routing Summary
 Target T randomly selects secret servlet S
 Secret servlet S informs beacon B to forward packets with destination T to S
 SOAP A forwards authenticated packets with destination T to B
 Overlay nodes are publicly known, but their roles are secret
 Communication between overlay nodes is secured/authenticated
 Packets are authenticated by the SOAP before entering the overlay
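The route of slides 13 through 15 (SOAP → Chord lookup → beacon → secret servlet → filtered target), as an added toy model; this is not the paper's or the presenter's code. Assumptions: a 16-bit Chord identifier space instead of the real 160 bits, SHA-1 as the hash, salted hashes "h0", "h1", … standing in for the slides' "multiple hash functions", made-up 10.0.0.0/8 node addresses, and class names (Overlay, SOS) that are mine. The demo also shows what the slides only state: an unauthenticated packet dies at the SOAP, a spoofed source that is not a servlet dies at the filter, and knocking out a beacon just moves the key to its successor.

```python
"""Toy SOS routing over a Chord ring (added example, not the paper's code).
Assumptions: 16-bit identifiers (real Chord uses 160), SHA-1, salted hashes
"h0", "h1", ... as the slides' multiple hash functions, made-up addresses."""
import bisect
import hashlib

M_BITS = 16
RING = 1 << M_BITS


def chord_id(key, salt=""):
    """Map an IP-address string (optionally salted) onto the identifier ring."""
    digest = hashlib.sha1((salt + key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % RING


def in_open(x, a, b):       # x in (a, b) going clockwise on the ring
    return a < x < b if a < b else (x > a or x < b)


def in_half_open(x, a, b):  # x in (a, b] going clockwise on the ring
    return a < x <= b if a < b else (x > a or x <= b)


class Overlay:
    """Chord ring of end hosts; a node knows only its successor and fingers."""

    def __init__(self, node_ips):
        self.ip_of = {chord_id(ip): ip for ip in node_ips}
        self.ids = sorted(self.ip_of)

    def successor(self, key):
        """First node id at or after key: the node responsible for key."""
        return self.ids[bisect.bisect_left(self.ids, key) % len(self.ids)]

    def fingers(self, nid):
        return [self.successor((nid + (1 << k)) % RING) for k in range(M_BITS)]

    def lookup(self, start, key):
        """Greedy Chord lookup from node `start`: at each hop jump to the
        farthest finger that still precedes key. Returns (node id, hops)."""
        cur, hops = start, 0
        while cur != key:
            succ = self.successor((cur + 1) % RING)
            if in_half_open(key, cur, succ):
                return succ, hops + 1
            cur = next(f for f in reversed(self.fingers(cur)) if in_open(f, cur, key))
            hops += 1
        return cur, hops

    def remove(self, nid):
        """Chord self-heals: an attacked node leaves, its successor takes over."""
        del self.ip_of[nid]
        self.ids.remove(nid)


class SOS:
    """Target T, its secret servlets, the beacons B_k = successor(H_k(T)),
    and the filter at T's edge that admits only servlet source addresses."""

    def __init__(self, overlay, target_ip, servlet_ips, n_hashes=3):
        self.ov, self.target = overlay, target_ip
        self.servlets = list(servlet_ips)
        self.filter_allow = set(servlet_ips)   # N_s of slide 10
        self.n_hashes = n_hashes
        self.register_beacons()

    def beacon_key(self, k):
        return chord_id(self.target, salt=f"h{k}")

    def register_beacons(self):
        """Slide 14: each servlet S locates B = H_k(T) and asks it to forward
        packets addressed to T on to S."""
        self.beacon_to_servlet = {}
        for k in range(self.n_hashes):
            beacon = self.ov.successor(self.beacon_key(k))
            self.beacon_to_servlet[beacon] = self.servlets[k % len(self.servlets)]

    def filter_accepts(self, src_ip):
        """The filter near T: source-address check against the servlet set."""
        return src_ip in self.filter_allow

    def deliver(self, soap_ip, authenticated, k=0):
        """One user packet: SOAP -> overlay hops -> beacon -> servlet -> T.
        Returns None when the SOAP drops it (failed IPsec/TLS verification)."""
        if not authenticated:
            return None
        start = self.ov.successor(chord_id(soap_ip))   # the SOAP's ring position
        beacon, hops = self.ov.lookup(start, self.beacon_key(k))
        servlet = self.beacon_to_servlet[beacon]
        return {"hops": hops, "path": [soap_ip, self.ov.ip_of[beacon], servlet, self.target]}

    def attack_beacon(self, k=0):
        """Attacker takes down the beacon for hash k; the ring drops it and
        the servlets re-register with the new successor of H_k(T)."""
        old = self.ov.successor(self.beacon_key(k))
        old_ip = self.ov.ip_of[old]
        self.ov.remove(old)
        self.register_beacons()
        return old_ip


# Constructed sample overlay: 200 end hosts, three of them secret servlets.
NODES = [f"10.0.{i // 256}.{i % 256}" for i in range(1, 201)]
TARGET = "192.0.2.10"
SERVLETS = NODES[5:8]


def demo():
    ov = Overlay(NODES)
    sos = SOS(ov, TARGET, SERVLETS)
    legit = sos.deliver(NODES[0], authenticated=True)      # reaches T via a servlet
    dropped = sos.deliver(NODES[0], authenticated=False)   # SOAP drops it
    spoofed = sos.filter_accepts(NODES[100])               # attacker guessed a non-servlet node
    old_beacon = sos.attack_beacon(k=0)
    healed = sos.deliver(NODES[0], authenticated=True)     # new beacon, still reaches T
    return legit, dropped, spoofed, old_beacon, healed


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The point to notice is that nothing in the packet names the servlet: the SOAP only knows H_k(T), and only the node that ends up as successor of that identifier learns where the servlet is. An attacker who can observe a SOAP still cannot spoof past the filter without the servlet's address, which is exactly the property slides 10 and 15 rely on.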

16 Against DoS Attacks
 Redundancy in SOS
– Every overlay node can be a SOAP, a beacon, or a servlet
– A target can select multiple servlets
– Multiple beacons are obtained by using different hash functions
– Many SOAPs
 User → SOAP → beacon → servlet → target
 Attack on one overlay node: Chord self-heals by removing the node from the ring
 Attack on SOAPs: must hit all of them, otherwise an alternative SOAP exists
 Attack on beacons: must hit all of them; remove the nodes and change the hash functions
 Attack on servlets: must hit all of them; the target can change the set of servlets in real time
 The target itself is protected by the filters

17 Static Attack Analysis
 N nodes in the overlay
 For a given target T
– S is the number of servlets
– B is the number of beacons
– A is the number of SOAPs
 Static attack: the attacker shuts down M out of the N nodes at random
 P_static = P(N, M, S, B, A) = P{communication with T is stopped}
 P(n, b, c) = P{a set of b nodes chosen at random from n nodes contains a given set of c nodes}

18 Probability of Successfully Attacking All Servlets, All Beacons, or All SOAPs
 P_static = P(N, M, S, B, A) = 1 − (1 − P(N, M, S)) (1 − P(N, M, B)) (1 − P(N, M, A))
 (Plot on the slide: probability of attack success vs. number of nodes attacked)

19 Dynamic Attacks
 An attack/repair battle
– The overlay removes attacked nodes, taking time T_R
– Attackers shift attack traffic from removed nodes to active nodes, taking time T_A
 Assume T_R and T_A are exponentially distributed random variables; model the battle as a birth-death process
 Attack rate λ, repair rate μ
 Attack load ratio ρ = λ/μ

20 Centralized Attacks and Centralized Recovery: M/M/1/K
 1000 nodes, 10 SOAPs, 10 beacons, 10 servlets
 If repair is faster than attack (ρ < 1), SOS survives large-scale attacks

21 Centralized Attacks and Distributed Recovery: M/M/K/K

22 Distributed Attacks and Centralized Recovery: M/M/1//K

23 Distributed Attacks and Distributed Recovery, M/M///K
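The counting argument of slides 17 and 18 and the birth-death battle of slides 19 through 23, carried through numerically as an added worked example; this is not the paper's code. P(n, b, c) and P_static follow the slides literally (including the slide's treatment of the three "all servlets / all beacons / all SOAPs" events as independent, although a node can hold more than one role). The rest is my assumption rather than the paper's model: the state of the chain is the number of nodes currently knocked out, "centralized" means one attack or repair process at a constant rate, "distributed" means every node is attacked or repaired independently (rate proportional to the number of live or dead nodes), and the long-run probability that T is cut off is P_static averaged over the stationary distribution.

```python
"""Static and dynamic attack analysis of slides 17-23 (added example, not the
paper's code). p_contains/p_static follow slide 18; the mapping of the four
attack/repair models onto birth and death rates is my assumption."""
import math
from math import comb


def p_contains(n, b, c):
    """P{a uniformly random b-subset of n nodes contains a fixed c-subset}."""
    if c > b:
        return 0.0
    return comb(n - c, b - c) / comb(n, b)


def p_static(N, M, S, B, A):
    """Slide 18: the attacker knocks out M of N nodes at random; T is cut off
    when all S servlets, all B beacons, or all A SOAPs are hit. The product
    treats the three events as independent, as the slide does."""
    return 1.0 - (1 - p_contains(N, M, S)) * (1 - p_contains(N, M, B)) * (1 - p_contains(N, M, A))


def stationary(birth, death, K):
    """Stationary distribution of a birth-death chain on states 0..K, where
    state i = number of overlay nodes currently knocked out. birth(i) is the
    rate i -> i+1 (attack lands on a live node), death(i) the rate i -> i-1
    (a node is repaired). Done in log space so rho**1000 cannot overflow."""
    logw = [0.0]
    for i in range(1, K + 1):
        b = birth(i - 1)
        if b == 0:
            break                      # higher states are unreachable
        logw.append(logw[-1] + math.log(b) - math.log(death(i)))
    peak = max(logw)
    w = [math.exp(x - peak) for x in logw] + [0.0] * (K + 1 - len(logw))
    total = sum(w)
    return [x / total for x in w]


def models(lam, mu, K):
    """Attack rate lam, repair rate mu. Centralized = one process at a constant
    rate; distributed = each live node attacked / each dead node repaired
    independently (assumed reading of the slides' Kendall notation)."""
    return {
        "centralized attack, centralized repair (M/M/1/K)":  (lambda i: lam,            lambda i: mu),
        "centralized attack, distributed repair (M/M/K/K)":  (lambda i: lam,            lambda i: i * mu),
        "distributed attack, centralized repair (M/M/1//K)": (lambda i: (K - i) * lam,  lambda i: mu),
        "distributed attack, distributed repair":            (lambda i: (K - i) * lam,  lambda i: i * mu),
    }


def p_blocked(lam, mu, N, S, B, A):
    """Long-run probability that T is unreachable, per model: the static
    cut-off probability averaged over the stationary number of dead nodes."""
    out = {}
    for name, (birth, death) in models(lam, mu, N).items():
        pi = stationary(birth, death, N)
        out[name] = sum(p * p_static(N, i, S, B, A) for i, p in enumerate(pi) if p > 0)
    return out


if __name__ == "__main__":
    # Slide 20's parameters: 1000 nodes, 10 SOAPs, 10 beacons, 10 servlets.
    for rho in (0.5, 1.0, 2.0):
        print(f"rho = lambda/mu = {rho}")
        for name, p in p_blocked(lam=rho, mu=1.0, N=1000, S=10, B=10, A=10).items():
            print(f"  {name:52s} P(blocked) = {p:.3g}")
```

Running it with ρ < 1 reproduces the qualitative claim of slide 20 for the centralized/centralized case: the chain spends almost all its time near state 0 and P(blocked) is negligible. The distributed-attack rows show the caveat: when every node can be attacked in parallel the effective attack rate is (K − i)λ, so a per-node ρ that looks comfortable can still drive the chain to the high states unless repair is distributed as well.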

24 Conclusions
 SOS protects a target from DoS: only legitimate traffic reaches the target
 Approach
– Ingress filtering
– Hidden proxies
– Self-healing overlay networks that defeat attacks
 Preliminary analysis
– Static attacks
– Dynamic attacks

25 Mayday
 Goal: protect critical servers
 Components
– A server: the centralized resource
– A filter ring around the server to protect it, formed by the edge routers of a domain
– An overlay network; an overlay node can be
* an ingress point of the overlay (SOAP)
* an egress point from the overlay to the filter ring (servlet)
* a forwarding node of the overlay
 A client is authenticated by an overlay node but not trusted

26 Mayday Architecture

27 Generalizing the Idea of SOS
 Packet authenticators checked at the filter (mostly fields in the IP/transport header)
– Egress source IP address (SOS)
– Server destination port: a 16-bit field, 65,536 possible values, a large search space
– Server destination address: 1 out of N reserved IP addresses (like a VPN shield)
– Application-defined: fine for a firewall, not for core routers
 Overlay routing schemes
– Proximity routing: proxies close to the client; the filter is known
– Singly-indirect routing: the egress address is known
– Doubly-indirect routing (SOS)
– Random walk
– Mix routing: each node knows only the next hop

28 Summary
 SOS provides a formal analysis
 Mayday discusses potential practical solutions
 Discussion of advanced attack approaches
 Questions
– Long delay in overlay routing
– Trust in overlay nodes
– Repair speed vs. attack rate