1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University

2 Outline Introduction Architecture Performance Analysis Implementation Discussion

3 Introduction/Motivation 9/11 events  The Internet vs. Phone Network  Communication paths between the “important” sites and Emergency Response Teams Trends of DDoS Attacks  Previous Reactive Approaches  Proactive Mechanisms

4 Attack Trends [CERT’01] Trend 6 - Increasing threat from infrastructure attacks, type 1 Distributed denial of service, …. The degree of automation  Manual Attacks - early DDoS attacks  Semi-Automatic Attacks - Attacks with communications between masters and slaves  Automatic Attacks - Just issue a single command High-impact, low-effort

5 Distributed Denial of Service Attacks (DDOS) Attacker logs into Master and signals slaves to launch an attack on a specific target address (victim). Slaves then respond by initiating TCP, UDP, ICMP or Smurf attack on victim.

6 What makes DDoS attacks possible? Internet security is highly interdependent Internet resources are limited Power of many is greater that power few Intelligence and resources are not collocated

7 What to Do About DDoS? Detection  Intrusion detection systems Traceback (unfortunately, not to the attacks)  Link Testing  ICMP Traceback  Hash-based Traceback  Probabilistic Marking Prevention  Traffic monitoring e.g., ICMP packets, SYN packets  Ingress filtering on the routers  GovNet – A separate network

8 Objective of Secure Overlay Services Motivated by ERT scenario Focus on protecting a site that stores information that is difficult to replicate Secure communication on top of today’s existing IP infrastructure from DDoS attacks Does NOT solve the general DoS problems

9 Assumptions 4. The attacker can not acquire sufficient resources to severely disrupt large portions pf the backbone 1.Pre-determined subset of clients scattered through the wide-area network(WAN) 3. The attacker does not have unobstructed access to the network core 2. A set of users want to prevent access to this info and will launch DoS attack upon any network points whose jamming will archive this goal

10 Basic SOS Architecture

11 Architecture Descriptions SOS is a network overlay Nodes are known to the public Communications between overlay nodes are assumed to remain secure The user’s packets must be authenticated and authorized by SOS before traffic is allowed to flow though the overlay

12 Filtered region Establish filters at the ISP’s POP routers attaching to the ISP backbone Distinguish and drop illegitimate packets Issues  IP address changes and user roles changes  IP spoofing

13 Secret Servlets A subset of nods, N s, selected by the target to act as forwarding proxies The filters only allow packets whose source address matches n  N s Hide the identities of the proxies to prevent IP spoofing or attacks aiming at proxies Activated by the target’s message Challenge: reach a secret servlet without revealing the servlet’s ID to the nodes that wish to reach it. Random next hop O(N/Ns)

14 SOAP: Secure Overlay Access Point Receive and verify traffic Authentication tools: IPSec/TLS A large number of SOAPs make a distributed firewall Effects on DoS – increase the amount of resources/bandwidth to deny connectivity to legitimate clients How to map SOAPs to different users?

15 Routing through the Overlay Chord service ( Each Overlay node contains O(logN) identifiers Chord delivers the packet to one of several beacons, which knows the secret servlet’s identity. Beacon’s identifier is mapped by hashing the target’s IP address Multiple hash functions produce different paths.

16 Against the DoS attacks An access point is attacked. The source point can choose an alternative access point A node within the overlay is attacked Chord service self-heals A secret servlet’s identifier is discovered and the servlet is targeted as an attack point The target chooses an alternative set of secret servlets

17 Performance Analysis (1) Varying number of Attacks and nodes in the overlay # of nodes attacked P (Attack Success)

18 Load of attack traffic Performance Analysis (2) Blocking probability for legitimate traffic as a function of attack traffic load Blocking probability for legitimate traffic

19 Performance Analysis (3) Performance gains of increasing the capacity of the attacked node Bandwidth increase factor Bandwidth Gain

20 Performance Analysis (4) Performance gains of increasing the anonymity of the attacked node Size of the overlay Randomization Gain

21 Implementation Filtering  high and medium routers(performance & cost)  high-speed packet classification Authentication and authorization of sources  IPSec  Public Key Infrastructure/Certificate Tunneling  IP-in-IP encapsulation  GRE encapsulation  IPSec in tunnel mode

22 Discussions Attacks from inside the overlay  security management oversights  development bugs  potential damage from inside A shared overlay  multiple organizations utilize a shared overlay  A breach in one org. security would not lead to breaches in other networks Timely delivery  Latency (10 times lager, preliminary simulations)  Trade security with performance

23 Thanks!

24

25

26

27

28

29