
Slide 1 (TPAC 10/10/2003, chow)
SCOLD: Secure Collective Internet Defense
http://cs.uccs.edu/~scold/
C. Edward Chow, Department of Computer Science, University of Colorado at Colorado Springs
A NISSC Sponsored Project. Part of this work is based on research sponsored by the Air Force Research Laboratory, under agreement number F49620-03-1-0207. It was sponsored by a NISSC Summer 2003 grant.

Slide 2: Outline of the Talk
- Network Security Research in UCCS Network Lab
- Secure Collective Internet Defense, the Basic Idea
- Secure Collective Internet Defense, SCOLDv0.1: a technique based on the Intrusion Tolerance paradigm
- SCOLDv0.1 implementation and testbed
  - Secure DNS update with indirect routing entries
  - Indirect routing protocol based on IP tunnel
- Performance Evaluation of SCOLDv0.1
- Conclusion and Future Directions

Slide 3: New UCCS IA Degree/Certificate
- Master of Engineering Degree in Information Assurance
- Certificate in Information Assurance (first program offered to officers of SPACECOM at Peterson AFB through NISSC and UCCS Continuing Education, 2002-3). It includes four courses: Computer Networks; Fundamentals of Security; Cryptography; Advanced System Security Design.

Slide 4: UCCS Network/System Research Lab
Director: Dr. C. Edward Chow
Network System Research Seminar: every Tuesday, EAS177, 5-6pm, open to the public
New CS Faculty: Dr. Xiaobo Zhou (Differential Service; QoS; Degraded DDoS Defense)
Graduate students:
- John Bicknell/Steve McCaughey/Anders Hansmat: Distributed Network Restoration/Network Survivability (Two US Patents)
- Hekki Julkunen: Dynamic Packet Filter
- Chandra Prakash: Highly Available Linux kernel-based Content Switch
- Ganesh Godavari (Ph.D.): Linux based Secure Web Switch; Secure Groupware; First Responder Wireless Sensor Network
- Angela Cearns: Autonomous Anti-DDoS (A2D2) Testbed
- Longhua Li: IXP-based Content Switch
- Yu Cai (Ph.D.): SCOLD: Indirect Routing, Multipath Routing
- Jianhua Xie (Ph.D.): Secure Storage Networks
- Frank Watson: Content Switch for Email Security
- Paul Fong: Wireless AODV Routing for sensor networks
- Nirmala Belusu: Wireless Network Security: PEAP vs. TTLS applied to ad hoc network access control
- David Wikinson: SCOLD: Secure DNS Update
- Murthy Andukuri/Jing Wu: Enhanced BGP/MPLS-based VPN; Disaster Recovery based on iSCSI
Research Projects with Local Companies:
- MCI on Network Restoration/Survivability. Two Patents Awarded.
- Beta test of Northrop Grumman's MIND enhanced network analysis tool.
- CASI-Omnipoint on Wireless Antenna Placement Tool.

Slide 5: UCCS Network Lab Setup
- Gigabit fiber connection to UCCS backbone
- Router/Switch/Firewall/Wireless AP: 8 Routers*, 4 Express 420 switches, 2 HP 4000 switches, 8 Linksys/Dlink switches. Sonicwall Pro 300 Firewall*, 8 VPN gateways*, 8 Intel 7112 SSL accelerators*; 4 7820 XML directors*. Cisco 1200 Aironet Dual Band Access Point and 350 client PC/PCI cards (both 802.11a and 802.11b cards).
- Intel IXP12EB network processor evaluation board
- Servers: Two Dell PowerEdge Servers*, 4 cache appliances*.
- Workstations/PCs: 8 Dell PCs (3GHz*-500MHz); 12 HP PCs (500-233MHz); 2 laptop PCs with Aironet 350 for mobile wireless
- OS: Linux Redhat 9.0; Windows XP/2000
* Equipment donated by Intel

Slide 6: DDoS: Distributed Denial of Service Attack
- DDoS major victims: Yahoo/Amazon (2000), CERT (5/2001), DNS Root Servers (10/2002)
- DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
- Research by Moore et al. of University of California at San Diego, 2001: 12,805 DoS attacks in a 3-week period; most targets were home, small to medium sized organizations.

Slide 7: Where is Cyber-Neighborhood Watch?
When did Neighborhood Watch start? http://www.usaonwatch.org/history.asp How old is this?

Slide 8: Secure Collective Internet Defense
The Internet "attacks" community seems to be better organized. How about Internet Secure Collective Defense?
- Report/exchange virus info and distribute anti-virus -> not bad (need to pay Norton or Network Associates)
- Report/exchange spam info -> not good (spambayes, spamassassin, email firewall, remove.org)
- Report attack (Have you ever done that? To your admin or the FBI? 303-629-7171, http://www1.ifccfbi.gov/index.asp) -> not good
- IP Traceback -> difficult to negotiate even the use of one bit in the IP header
- Push back attack -> slow; call to upstream ISP; hard to find an Intrusion Detection and Isolation Protocol spec!
- Form a consortium and help each other during attacks -> does not exist!

Slide 9: Intrusion Related Research Areas
- Intrusion Prevention: General Security Policy; Ingress/Egress Filtering
- Intrusion Detection: Honey pot; Host-based IDS (Tripwire); Anomaly Detection; Misuse Detection
- Intrusion Response: Identification/Traceback/Pushback
- Intrusion Tolerance

Slide 10: Wouldn't it be Nice to Have Alternate Routes?
[Diagram: victim network behind gateway R with alternate gateways R1, R2, R3; client networks net-a.com, net-b.com, net-c.com with DNS servers DNS1, DNS2, DNS3; attackers (A) and clients both reach the victim through R; legend distinguishes DDoS attack traffic from client traffic]
How to reroute clients' traffic through R1-R3? Multi-homing.

Slide 11: Secure Collective Defense
Main idea -> Explore secure alternate paths for clients to come in; utilize geographically separated proxy servers.
Goal: Provide secure alternate routes; hide the IP addresses of alternate gateways.
Techniques:
- Multiple Path (Indirect) Routing
- Secure DNS extension: how to inform client DNS servers to add alternate new entries (not your normal DNS name/IP address mapping entry).
- Utilize a consortium of proxy servers with IDS that hides the IP addresses of the alternate gateways.
- How to partition clients to come in at different proxy servers? -> may help identify the attacker!
- How do clients use the new DNS entries and route traffic through the proxy server? -> Use the SOCKS protocol, modify the resolver library.
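The remark that partitioning clients across proxy servers "may help identify the attacker" can be made concrete. The simulation below is an added example, not SCOLD's own code: it assumes a coordinator that can steer each client to one of the proxies and an IDS at each proxy that reports whether it received attack traffic, and it goes beyond the slide by repeating the partition over several rounds so that the suspect set shrinks. The proxy addresses are the ALT list shown later on the indirect DNS entry slide; the client names and the two "compromised" clients are constructed.

```python
import hashlib

# Constructed sample data: four proxy servers (addresses from the talk's indirect
# DNS entry slide) and twenty client identifiers, two of which we pretend are
# compromised hosts sending attack traffic. The defender does not know which two.
PROXIES = ["203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38"]
CLIENTS = [f"client-{i:02d}" for i in range(20)]
HIDDEN_ATTACKERS = {"client-07", "client-13"}   # ground truth for the simulation only


def assign_clients(clients, proxies, round_no):
    """Partition clients over proxies. Hashing the round number together with the
    client id gives a different, yet deterministic, partition in every round."""
    table = {}
    for c in clients:
        h = int(hashlib.sha256(f"{round_no}:{c}".encode()).hexdigest(), 16)
        table[c] = proxies[h % len(proxies)]
    return table


def proxies_seeing_attack(assignment, attackers):
    """What the per-proxy IDS would report: the proxies that received attack traffic.
    In the simulation that is simply where the compromised clients were steered."""
    return {assignment[c] for c in attackers if c in assignment}


def narrow_suspects(clients, proxies, attackers, max_rounds=8):
    """Repeatedly repartition only the current suspects and keep those whose proxy
    reported attack traffic. An attacker is always kept, because its own proxy is
    always reported. Stops early when each reported proxy holds exactly one
    suspect, since every reported proxy contains at least one attacker.
    Returns (suspects, rounds_used)."""
    suspects = set(clients)
    for round_no in range(max_rounds):
        assignment = assign_clients(sorted(suspects), proxies, round_no)
        hot = proxies_seeing_attack(assignment, attackers)
        if not hot:
            return suspects, round_no          # no attack observed: nothing to narrow
        suspects = {c for c, p in assignment.items() if p in hot}
        if len(suspects) == len(hot):
            return suspects, round_no + 1
    return suspects, max_rounds


def run_demo():
    """Run the narrowing against the constructed data and return (suspects, rounds)."""
    return narrow_suspects(CLIENTS, PROXIES, HIDDEN_ATTACKERS)


if __name__ == "__main__":
    found, rounds = run_demo()
    print(f"after {rounds} round(s) the suspect set is {sorted(found)}")
```

The sound part of this scheme is the invariant: a compromised client can never leave the suspect set, because the proxy it was steered to always reports attack traffic. The number of innocent clients that remain depends on how many proxies are available and how many rounds the coordinator is willing to run.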

Slide 12: Implement Alternate Routes
[Diagram: same topology as slide 10, with client traffic to be moved onto the alternate gateways R1-R3]
Need to inform clients or client DNS servers! But how to tell which clients are not compromised? How to hide the IP addresses of the alternate gateways?

Slide 13: SCOLD
[Diagram: victim network behind gateway R and alternate gateways R1, R2, R3; proxy servers Proxy1, Proxy2, Proxy3 in front of the alternate gateways; client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3; a Reroute Coordinator; attack traffic blocked at R]
1. IDS detects intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.

Slide 14: SCOLD
[Diagram: same topology as slide 13]
1. IDS detects intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to the client DNS servers.

Slide 15: SCOLD
[Diagram: same topology as slide 13]
2. The Reroute Coordinator sends a Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to the client DNS servers.
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.

Slide 16: SCOLD
[Diagram: same topology as slide 13]
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4, 4a. Attack traffic detected by IDS is blocked by the firewall.

Slide 17: SCOLD
[Diagram: same topology as slide 13, with all steps annotated]
1. IDS detects intrusion, blocks the attack traffic, and sends a distress call to the Reroute Coordinator.
2. The Reroute Coordinator sends a Reroute Command with (DNS Name, IP Addr. of victim, Proxy Server(s)) to the client DNS servers.
3. New routes: via Proxy1 to R1, via Proxy2 to R2, via Proxy3 to R3.
4, 4a. Attack traffic detected by IDS is blocked by the firewall.
4b. Client traffic comes in via the alternate route.

Slide 18: SCOLD Secure DNS Update with New Indirect DNS Entries
New indirect DNS entry: (target.targetnet.com, 133.41.96.71, ALT 203.55.57.102 203.55.57.103 185.11.16.49 221.46.56.38), where the ALT list is a set of alternate proxy servers for indirect routes.
Major work: Modified Bind9; Modified Client Resolve Library; New Protocol.
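The reroute exchange of slides 13 to 17 and the indirect DNS entry above, played through end to end as an added example that is not part of the SCOLD code base. The victim name, IP and ALT proxy list are the values from the slide; everything else is an assumption made for the example: the message names, an HMAC over the Reroute Command with a key pre-shared between the coordinator and each client DNS server (the slides say only that the update is secure, not how), the gateway labels R1 to R3 behind the proxies, the client identifiers, and a dictionary-based stand-in for the IP tunnel.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Victim name, IP and ALT proxy list as shown on the slide; the gateway labels,
# client identifiers and the shared key are constructed for this example.
VICTIM_NAME = "target.targetnet.com"
VICTIM_IP = "133.41.96.71"
PROXIES = ("203.55.57.102", "203.55.57.103", "185.11.16.49", "221.46.56.38")
PROXY_TO_GATEWAY = {"203.55.57.102": "R1", "203.55.57.103": "R1",
                    "185.11.16.49": "R2", "221.46.56.38": "R3"}
COORD_DNS_KEY = b"constructed-shared-key"   # assumed pre-shared key, coordinator <-> client DNS


@dataclass(frozen=True)
class RerouteCommand:
    """Step 2 message: (DNS name, IP address of victim, proxy server(s)) plus a MAC."""
    dns_name: str
    victim_ip: str
    proxies: tuple
    mac: str = ""

    def payload(self) -> bytes:
        return f"{self.dns_name}|{self.victim_ip}|{','.join(self.proxies)}".encode()


def sign(cmd: RerouteCommand, key: bytes) -> RerouteCommand:
    tag = hmac.new(key, cmd.payload(), hashlib.sha256).hexdigest()
    return RerouteCommand(cmd.dns_name, cmd.victim_ip, cmd.proxies, tag)


class RerouteCoordinator:
    def __init__(self, key: bytes):
        self.key = key
        self.members = {}    # consortium member name -> proxies it may use

    def register(self, name: str, proxies) -> None:
        self.members[name] = tuple(proxies)

    def distress_call(self, victim_name: str, victim_ip: str) -> RerouteCommand:
        """Step 1 arrives from the victim's IDS; the signed step 2 command is returned."""
        return sign(RerouteCommand(victim_name, victim_ip, self.members[victim_name]), self.key)


class ClientDNS:
    """A client-side DNS server extended with the new indirect entry type."""
    def __init__(self, key: bytes):
        self.key = key
        self.a_records = {}   # ordinary name -> IP mapping
        self.indirect = {}    # name -> (IP, [ALT proxies])

    def update(self, cmd: RerouteCommand) -> bool:
        expected = hmac.new(self.key, cmd.payload(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cmd.mac):
            return False      # unauthenticated reroute command: ignored
        self.indirect[cmd.dns_name] = (cmd.victim_ip, list(cmd.proxies))
        return True

    def entry_text(self, name: str) -> str:
        ip, alt = self.indirect[name]
        return f"({name}, {ip}, ALT {' '.join(alt)})"

    def resolve(self, name: str, client_id: str):
        """Modified resolver: (IP, proxy), proxy being None when no indirect entry exists.
        Clients are spread over the ALT proxies by hashing their identifier."""
        if name in self.indirect:
            ip, alt = self.indirect[name]
            idx = int(hashlib.sha256(client_id.encode()).hexdigest(), 16) % len(alt)
            return ip, alt[idx]
        return self.a_records[name], None


def deliver(client_id: str, victim_ip: str, proxy, direct_blocked: bool) -> str:
    """Steps 3, 4 and 4b. Without a proxy the packet takes the direct route, which the
    victim's firewall blocks during the attack. With a proxy the packet is wrapped in an
    outer header addressed to the alternate gateway (the IP tunnel), which unwraps it."""
    inner = {"src": client_id, "dst": victim_ip}
    if proxy is None:
        return "blocked" if direct_blocked else "delivered-direct"
    gateway = PROXY_TO_GATEWAY[proxy]
    outer = {"src": proxy, "dst": gateway, "payload": inner}   # encapsulation at the proxy
    unwrapped = outer["payload"]                                # decapsulation at the gateway
    return f"delivered-via-{gateway}" if unwrapped["dst"] == victim_ip else "dropped"


def run_scenario() -> dict:
    coord = RerouteCoordinator(COORD_DNS_KEY)
    coord.register(VICTIM_NAME, PROXIES)
    dns = ClientDNS(COORD_DNS_KEY)
    dns.a_records[VICTIM_NAME] = VICTIM_IP

    ip, proxy = dns.resolve(VICTIM_NAME, "client-a")
    before = deliver("client-a", ip, proxy, direct_blocked=False)

    cmd = coord.distress_call(VICTIM_NAME, VICTIM_IP)            # steps 1 and 2
    forged = sign(RerouteCommand(VICTIM_NAME, "198.51.100.9", ("198.51.100.10",)), b"wrong-key")
    forged_accepted = dns.update(forged)                         # must be refused
    accepted = dns.update(cmd)

    ip, proxy = dns.resolve(VICTIM_NAME, "client-a")
    return {"before": before, "forged_accepted": forged_accepted, "accepted": accepted,
            "entry": dns.entry_text(VICTIM_NAME), "proxy": proxy,
            "direct_during_attack": deliver("client-a", ip, None, direct_blocked=True),
            "via_proxy": deliver("client-a", ip, proxy, direct_blocked=True)}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The forged command in the scenario is the check a defender wants from a "secure" DNS update: a reroute message that steers clients to an attacker-chosen proxy must fail authentication at the client DNS server, otherwise the defense mechanism itself becomes a hijacking channel. The resolver keeps the victim's real IP in the entry only so the proxy knows the final destination; clients never learn the alternate gateway addresses, which is the hiding property the slides ask for.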

Slide 19: SCOLD Indirect Routing
[Diagram: indirect route from a client through a proxy server to the alternate gateway using an IP tunnel]

Slide 20: Performance of SCOLD v0.1
Table 1: Ping Response Time (on 3 hop route)
  No DDoS attack, direct route:    0.49 ms
  DDoS attack, direct route:       225 ms
  No DDoS attack, indirect route:  0.65 ms
  DDoS attack, indirect route:     (value not present in the transcript)
Table 2: SCOLD FTP/HTTP download test (from client to target); no values are present in the transcript.

Slide 21: A2D2 Multi-Level Adaptive Rate Limiting for Anti-DDoS Defense

Slide 22: Future Directions
- Modify TCP to utilize the multiple geographically diverse routes set up with IP tunnels.
- Recruit sites for wide area network SCOLD experiments. Northrop Grumman, Air Force Academy's IA Lab, and University of Texas are initial potential partners. Email me if you would like to be part of the SCOLD beta test sites and members of the SCOLD consortium.
- We are currently working with Northrop Grumman researchers to beta test their new MIND network analysis tool. The network status information collected and analyzed by MIND can be used for selecting proxy server sites. Picking a geographically diverse set of proxy servers for indirect routing is a challenging research problem. SCOLD technologies can be used as a potential solution for bottlenecks detected by MIND.
- SCOLD can be used to provide additional Internet bandwidth dynamically when there is a sudden need for bandwidth and connections. It is not just a security tool. A company can deploy SCOLD by using its branch offices to provide proxy servers.

Slide 23: Conclusion
- Secure Collective Internet Defense needs significant help from the community. Tremendous research and development opportunities.
- SCOLD v0.1 demonstrated DDoS defense via the use of secure DNS updates with new indirect routing entries and IP-tunnel based indirect routing, letting legitimate clients come in through a set of proxy servers and alternate gateways.
- Can be used to provide additional Internet bandwidth (nice side effect!). Multiple indirect routes can also be used for improving the performance of Internet connections by using the proxy servers of an organization as connection relay servers.
- If you would like to fund this project or commercialize it, let me know.
