1
Roaming Honeypots for Mitigating Service-Level Denial-of-Service Attacks
Written by: Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mossé, Rami Melhem, Taieb Znati
Presented by: Theodor Richardson, Ani Starrenburg
2
Denial-of-Service Attacks:
• Links – exceeding link capacity
• Routers – congesting router buffers
• Front-Ends – consuming front-end processing with requests.
• Servers – requesting services at a high rate
3
Denial-of-Service Defenses:
• Replication – useful in protecting service front-ends
• Firewalls – strategy for prohibiting illegal flow of data
• Intrusion Detection Services – detection of tampering
• Honeypots – may be used for any number of purposes
4
Honeypots
A security resource whose value lies in being probed, attacked or compromised.
Properties
Environment: Production / Research
Complexity: Low / Medium / High
Purpose: Deception / Deterrence / Detection
Attacker Profile: Script Kiddie / Professional Blackhat
5
Roaming Honeypot Properties
Properties
Environment: Production
Complexity: Low Medium
Purpose: Deception Deterrence Detection
Attacker Profile: Script Kiddie +
…A mechanism that allows the locations of honeypots to be unpredictable, continuously-changing and disguised within a server pool
6
Proactive Server Roaming Background:
[Figure: Clients, Firewall, Back-End Servers (Idle Servers, One Active Server), Attacker]
7
Proactive Server Roaming Background
One server is active. At the end of epoch Ei of duration Ri, server Si assumes the role of active server.
Client must store information locally.
Service must track and process legitimate users.
8
Proactive Server Roaming Background
Backward chain of hashed keys Ki is built, where 0 < i < n
Ri = MSB_m(H'(Ki))
Si = servers[MSB_(lg N)(H''(Ki))]
9
Roaming Honeypots:
[Figure: Clients, Firewall, AGN, Back-End Servers (Honeypots & Active Servers), Attacker]
10
Roaming Honeypots
• Uses similar selection algorithms
• Selects, for each epoch, a set of servers
• Introduces a lower bound, m, on the epoch length
• Uses k out of N servers as active servers; the remainder are honeypots
• Offloads processing from client and server to the Access Gateway
11
Roaming Honeypot Properties
Properties
Environment: Production
Complexity: Low Medium
Purpose: Deception Deterrence Detection
Attacker Profile: Script Kiddie +
Attack Type: Fixed Target Follower
Benefits: Filtering Effect, Connection-Dropping Effect, Degrading Attack, Detection
12
Service Model
Subscription-based service
Protection of a pool of N back-end servers
Packet-filtering firewall and IDS deployed
AGN as layer of indirection
13
Access Gateway Network
Provides level of indirection between client and back-end server
Decouples authentication and authorization from service provision
Only AGN follows server locations and status – forwards client packets
Roaming scheme is transparent to client
14
AGN Structure
Back-end server is considered the tree root.
AGs with higher resistance to attacks and lower reconfiguration rates are closer to the back-end servers (lower in the tree).
AG is responsible for address registration and parent registration.
AGs closest to the root handle connection migration.
15
AGN: Address Registration
Each AG registers an <ID, Address> tuple with the AG node responsible for storing addresses
ID = (SID || L || Index)
SID is a service identifier
L is the level of the AG in the AGN
Index is the AG index within L
16
AGN: Parent Registration
AG registers its IP address with its parent (the servers if at the root)
AG uses (SID || L-1 || Index(parent)) to look up the parent address
Allows IP routing for migration messages
17
AGN: Connection Migration
AG forwards client C's messages to server Si
When servers change from active to inactive, AG chooses a new Sj at random for client C
AG re-registers with parent Sj
AG encapsulates state information from Si and forwards it to Sj in a TCP SYN packet
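The three AGN steps on slides 14 to 17 (address registration, parent registration, connection migration) as one runnable model. This is an added example written for this transcript, not code from the paper or the presenters; it assumes the back-end servers form level 0 (the tree root), that an AG at level L registers with a node at level L-1, that the AG node storing <ID, Address> tuples can be modelled as a single table, and it uses constructed addresses and a constructed connection-state blob.

```python
import random
from typing import Dict, Optional, Tuple

AgId = Tuple[str, int, int]   # (SID, L, Index): service id, level in the AGN, index within the level


class AccessGatewayNetwork:
    """Toy model of AGN address registration, parent registration and connection migration.
    Assumptions: back-end servers are level 0 (the tree root); an AG at level L has its parent
    at level L-1; the AG node that stores <ID, Address> tuples is modelled as one table."""

    def __init__(self, sid: str, server_addrs: Dict[int, str], seed: int = 1):
        self.sid = sid
        self.server_addrs = dict(server_addrs)                 # server index -> address
        self.registry: Dict[AgId, str] = {}                    # <ID, Address> tuples
        self.parent_addr: Dict[AgId, str] = {}                 # where each AG last registered itself
        self.sessions: Dict[Tuple[AgId, str], Tuple[int, bytes]] = {}   # (AG, client) -> (server, state)
        self.rng = random.Random(seed)                         # seeded only so the example is reproducible

    def address_registration(self, level: int, index: int, address: str) -> AgId:
        """Step 1: the AG publishes its <ID, Address> tuple with ID = (SID || L || Index)."""
        ag_id = (self.sid, level, index)
        self.registry[ag_id] = address
        return ag_id

    def parent_registration(self, ag_id: AgId, parent_index: int) -> str:
        """Step 2: look up (SID || L-1 || Index(parent)) and register with that node;
        at level 1 the parent is a back-end server."""
        sid, level, _ = ag_id
        if level == 1:
            parent = self.server_addrs[parent_index]
        else:
            parent = self.registry[(sid, level - 1, parent_index)]
        self.parent_addr[ag_id] = parent
        return parent

    def forward(self, ag_id: AgId, client: str, server: int, state: bytes) -> None:
        """Normal operation: the root-side AG relays client C's traffic to its active server Si."""
        self.sessions[(ag_id, client)] = (server, state)

    def connection_migration(self, ag_id: AgId, client: str, active_set: frozenset) -> Optional[dict]:
        """Step 3: when Si leaves the active set, pick a new Sj at random, re-register with it and
        hand Si's connection state to Sj inside the SYN. Returns the SYN, or None if no move is needed."""
        server, state = self.sessions[(ag_id, client)]
        if server in active_set:
            return None
        new_server = self.rng.choice(sorted(active_set))
        self.sessions[(ag_id, client)] = (new_server, state)
        self.parent_addr[ag_id] = self.server_addrs[new_server]
        return {"type": "SYN", "dst": self.server_addrs[new_server],
                "migrated_from": server, "state": state}

    def server_for(self, ag_id: AgId, client: str) -> int:
        """Which back-end server currently serves this client through this AG."""
        return self.sessions[(ag_id, client)][0]


# Constructed topology: three back-end servers and two levels of AGs (not from the paper).
SERVERS = {0: "10.0.0.10", 1: "10.0.0.11", 2: "10.0.0.12"}


def demo() -> dict:
    """Register two AGs, serve one client, then migrate it when S0 turns into a honeypot."""
    agn = AccessGatewayNetwork("svc-A", SERVERS)
    inner = agn.address_registration(1, 0, "10.1.0.1")   # closest to the root: handles migration
    outer = agn.address_registration(2, 0, "10.2.0.1")   # client-facing level
    agn.parent_registration(inner, 0)                     # registers with server S0
    agn.parent_registration(outer, 0)                     # registers with (svc-A, 1, 0)
    agn.forward(inner, "client-C", 0, b"seq=1000,ack=1")  # client C is served by S0
    syn = agn.connection_migration(inner, "client-C", frozenset({1, 2}))   # S0 left the active set
    return {"agn": agn, "inner": inner, "outer": outer, "syn": syn}


if __name__ == "__main__":
    result = demo()
    print("migration SYN:", result["syn"])
```

The client never sees the move: its traffic still enters at the outer AG, and only the AG nearest the root changes which server it forwards to, which is the transparency property the next slides claim.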
18
Roaming Protocol
For a single active server:
Service time is divided into epochs – random intervals of activity/inactivity for servers
Length of epoch Ei is calculated by a long hash chain: Ri = H(Ki), where K is a random key and Ri is the number of seconds
Location of epoch Si = servers[MSB H'(Ki)], where MSB is the Most Significant Bits of hash function H' (such as MD5)
Out of N servers, k are active at any time; the set of active servers is Pk(S)
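The selection scheme of slides 8, 10 and 18 carried through end to end: a backward hash chain of keys Ki, the epoch length Ri taken from the most significant bits of H'(Ki) with the lower bound from slide 10 applied, and a set Si of k active servers out of N drawn from H''(Ki), plus the filtering check that turns a hit on a non-active server into an attack indicator. This is an added example, not code from the paper or the presenters. Assumptions: H, H' and H'' are SHA-256 under different tags (the deck only names MD5 as a possibility), collisions when drawing the k servers are resolved with a counter, and all parameter values and the seed are constructed. The deck uses "m" both for the number of bits (slide 8) and for the epoch lower bound (slide 10); here they are EPOCH_BITS and MIN_EPOCH.

```python
import hashlib

# Constructed parameters for this example; the deck gives no concrete values.
N_SERVERS = 8       # N: size of the server pool (a power of two so lg N bits index it)
K_ACTIVE = 2        # k: active servers per epoch; the other N-k are honeypots
CHAIN_LEN = 6       # n: number of epochs covered by one key chain
EPOCH_BITS = 4      # most-significant bits of H'(Ki) that give Ri (the "m" of slide 8)
MIN_EPOCH = 3       # lower bound on the epoch length in seconds (the "m" of slide 10)
LG_N = N_SERVERS.bit_length() - 1   # lg N

# Constructed seed Kn; in deployment this is a secret random key held by the service and its subscribers.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def h(tag: bytes, key: bytes) -> bytes:
    """H, H' and H'' modelled as SHA-256 under different domain-separation tags (assumption)."""
    return hashlib.sha256(tag + key).digest()


def build_chain(seed: bytes, n: int) -> list:
    """Backward hash chain: Kn = seed, K(i-1) = H(Ki). Returned in index order K1..Kn,
    so chain[0] is the most-hashed key and the first one disclosed."""
    chain = [seed]
    for _ in range(n - 1):
        chain.append(h(b"chain", chain[-1]))
    chain.reverse()
    return chain


def verify_key(k_next: bytes, k_current: bytes) -> bool:
    """A holder of Ki checks a newly disclosed K(i+1) by hashing it back down to Ki."""
    return h(b"chain", k_next) == k_current


def msb(digest: bytes, bits: int) -> int:
    """MSB_bits(digest): the `bits` most significant bits of the digest as an integer."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def epoch_length(k_i: bytes) -> int:
    """Ri = MSB_m(H'(Ki)), clamped from below so no epoch is shorter than MIN_EPOCH seconds."""
    return max(MIN_EPOCH, msb(h(b"epoch", k_i), EPOCH_BITS))


def active_set(k_i: bytes) -> frozenset:
    """Si: k distinct server indices from MSB_lgN(H''(Ki || counter)); the counter
    resolves collisions so the set really has k members (assumption)."""
    chosen = []
    counter = 0
    while len(chosen) < K_ACTIVE:
        idx = msb(h(b"servers" + counter.to_bytes(2, "big"), k_i), LG_N)
        if idx not in chosen:
            chosen.append(idx)
        counter += 1
    return frozenset(chosen)


def schedule(seed: bytes) -> list:
    """Roaming schedule: (epoch index i, start second, Ri, Si) for every epoch of the chain.
    Everyone holding the chain (service, AGN, subscribers) derives the same table."""
    rows, t = [], 0
    for i, k_i in enumerate(build_chain(seed, CHAIN_LEN), start=1):
        r = epoch_length(k_i)
        rows.append((i, t, r, active_set(k_i)))
        t += r
    return rows


def active_at(sched: list, t: int) -> frozenset:
    """Active set in force at second t."""
    for _, start, r, s in sched:
        if start <= t < start + r:
            return s
    raise ValueError("time outside the schedule")


def classify_packet(sched: list, t: int, dst_server: int) -> str:
    """Filtering effect: a packet that reaches a server outside the active set has hit a honeypot,
    so its source can be dropped at the firewall from then on."""
    return "legitimate" if dst_server in active_at(sched, t) else "honeypot-hit"


def stale_targets(sched: list, i: int) -> frozenset:
    """Follow delay: servers active in epoch i-1 that are honeypots in epoch i. A follower still
    aiming at them after the change is exposed until it re-locates the service."""
    return sched[i - 2][3] - sched[i - 1][3]


if __name__ == "__main__":
    for i, start, r, s in schedule(SEED):
        honeypots = sorted(set(range(N_SERVERS)) - s)
        print(f"epoch {i}: t={start:3d}s R={r:2d}s active={sorted(s)} honeypots={honeypots}")
```

Run it to print the schedule; the point to notice is that every row is a pure function of the chain, so a party without the keys cannot predict which servers will be honeypots in the next epoch, while the AGN and subscribers agree on it without any message exchange.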
19
Network Model
[Figure: Clients, Firewall, AGN, Back-End Servers (Honeypot, Active Server), Attacker]
20
Simulation Model
Tested on ns-2
Discrete event simulator aimed at network testing
Simulates routing, TCP, and multicast protocols
Supports wired and wireless networks
http://www.isi.edu/nsnam/ns/
21
Simulation Model
Tested under ns-2 simulation; Average Response Time (ART) is considered the primary metric
Comparison of:
Nonroaming (Load Sharing)
Roaming w/o Filtering (attacker traffic is not dropped)
Roaming w/ Filtering (attacker traffic is dropped)
22
Effect of Migration Interval
Restarting TCP must be balanced with migration interval timing to balance the overhead cost of re-establishing TCP with the new server set
23
Effect of Client Load
Under small attack loads, the nonroaming scheme performs better because of the overhead of roaming
24
Effect of Attack Load
Using filtering, the ART does not change as the attack load increases once the attacker is detected
25
Effect of Follow Delay
In Roaming w/ Filter, clients experience an attack free window as the attacker experiences follow delay
26
Conclusions
Strengths:
Under high attack load, roaming scheme performs better than load sharing
Undetectable honeypot locations
Transparent to client traffic
27
Conclusions
Weaknesses:
Must balance TCP overhead of resetting connections
Wastes a large amount of server resources with inactivity (as honeypot)
Idea of logical roaming is underdeveloped in the paper, but could save resources and reduce overhead
28
Conclusions
Vulnerability remains that malicious code can be installed on legitimate servers
Periodic reinstall suggested, but service can be compromised before reinstall if attack is sophisticated
Violates property of honeypots that they should not adversely affect operation of standard service if compromised