Page 1

Roaming Honeypots for Mitigating Service-Level Denial-of-Service Attacks

Written by: Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mossé, Rami Melhem, Taieb Znati

Presented by: Theodor Richardson, Ani Starrenburg

Page 2

Denial-of-Service Attacks:

• Links – exceeding link capacity

• Routers – congesting router buffers

• Front-Ends – consuming front-end processing with requests.

• Servers – requesting services at a high rate

Page 3

Denial-of-Service Defenses:

• Replication – useful in protecting service front-ends

• Firewalls – strategy for prohibiting illegal flow of data

• Intrusion Detection Services – detection of tampering

• Honeypots – may be used for any number of purposes

Page 4

Honeypots

A security resource whose value lies in being probed, attacked or compromised.

Properties:

• Environment: Production / Research

• Complexity: Low / Medium / High

• Purpose: Deception / Deterrence / Detection

• Attacker Profile: Script Kiddie / Professional Blackhat

Page 5

Roaming Honeypot Properties

Properties:

• Environment: Production

• Complexity: Low / Medium

• Purpose: Deception / Deterrence / Detection

• Attacker Profile: Script Kiddie +

A roaming honeypot is a mechanism that allows the locations of honeypots to be unpredictable, continuously changing and disguised within a server pool.

Page 6

Proactive Server Roaming Background:

[Figure: network diagram with Clients, Firewall, Attacker and the pool of Back-End Servers, showing Idle Servers and One Active Server]

Page 7

Proactive Server Roaming Background

• One server is active. At the end of epoch E_i, of duration R_i, server S_i assumes the role of active server.

• The client must store information locally.

• The service must track and process legitimate users.

Page 8

Proactive Server Roaming Background

A backward chain of hashed keys K_i is built, where 0 < i < n. MSB_b denotes the b most significant bits of a hash digest:

R_i = MSB_m(H'(K_i))

S_i = servers[MSB_{lg N}(H''(K_i))]

Page 9

Roaming Honeypots:

[Figure: network diagram with Clients, Firewall, Attacker, AGN and the pool of Back-End Servers, labelled Honeypots & Active Servers]

Page 10

Roaming Honeypots

• Uses similar selection algorithms, selecting a set of servers rather than a single one.

• Introduces a lower bound, m, on the epoch length.

• Uses k out of N servers as active servers; the remaining servers are honeypots.

• Offloads processing from client and server to the Access Gateway.

Page 11

Roaming Honeypot Properties

Properties:

• Environment: Production

• Complexity: Low / Medium

• Purpose: Deception / Deterrence / Detection

• Attacker Profile: Script Kiddie +

• Attack Type: Fixed Target / Follower

• Benefits: Filtering Effect / Connection-Dropping Effect / Degrading Attack / Detection

Page 12

Service Model

Subscription-based service

Protection of a pool of N back-end servers

Packet-filtering firewall and IDS deployed

AGN as a layer of indirection

Page 13

Access Gateway Network

Provides level of indirection between client and back-end server

Decouples authentication and authorization from service provision

Only AGN follows server locations and status – forwards client packets

Roaming scheme is transparent to client

Page 14

AGN Structure

• The back-end server is considered the tree root.

• AGs with higher resistance to attacks and lower reconfiguration rates are closer to the back-end servers (lower in the tree).

• Each AG is responsible for address registration and parent registration.

• The AGs closest to the root handle connection migration.

Page 15

AGN: Address Registration

Each AG registers an <ID, Address> tuple with the AG node responsible for storing addresses.

ID = (SID || L || Index), where:

• SID is a service identifier

• L is the level of the AG in the AGN

• Index is the AG index within level L

Page 16

AGN: Parent Registration

• The AG registers its IP address with its parent (the servers, if it is at the root).

• The AG uses (SID || L-1 || Index(parent)) to look up the parent's address.

• This allows IP routing of migration messages.

Page 17

AGN: Connection Migration

• The AG forwards client C's messages to server S_i.

• When a server changes from active to inactive, the AG chooses a new S_j at random for client C.

• The AG re-registers with parent S_j.

• The AG encapsulates state information from S_i and forwards it to S_j in the TCP SYN packet.
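The AGN address registration, parent lookup and connection migration of slides 15 to 17, as an added Python model that is not code from the presentation or from the paper. Assumptions made here: the ID fields are joined with `|`, level 0 is the AG tier adjacent to the back-end servers (the tree root), the per-client state that the slides carry in the TCP SYN is modelled as a plain message dict, and every address is a constructed sample value.

```python
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def ag_id(sid: str, level: int, index: int) -> str:
    """ID = (SID || L || Index) from slide 15. The '|' separator is an assumption."""
    return f"{sid}|{level}|{index}"


class AddressRegistry:
    """The AG node responsible for storing <ID, Address> tuples (slide 15)."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def register(self, node_id: str, address: str) -> None:
        self._table[node_id] = address

    def lookup(self, node_id: str) -> Optional[str]:
        return self._table.get(node_id)


@dataclass
class AccessGateway:
    sid: str
    level: int            # assumption: level 0 is the tier next to the back-end servers (tree root)
    index: int
    address: str
    registry: AddressRegistry
    parent_index: int = 0
    parent_address: Optional[str] = None
    # C -> S_i mapping; only the AG knows which back-end server a client is on
    client_server: Dict[str, int] = field(default_factory=dict)
    migrations: List[Tuple[str, int, int]] = field(default_factory=list)

    def register_address(self) -> None:
        """Address registration (slide 15)."""
        self.registry.register(ag_id(self.sid, self.level, self.index), self.address)

    def register_with_parent(self, servers: List[str]) -> str:
        """Parent registration (slide 16): level 0 registers with the servers themselves,
        deeper levels look the parent up under (SID || L-1 || Index(parent))."""
        if self.level == 0:
            self.parent_address = "servers:" + ",".join(servers)
        else:
            addr = self.registry.lookup(ag_id(self.sid, self.level - 1, self.parent_index))
            if addr is None:
                raise LookupError("parent AG has not registered its address yet")
            self.parent_address = addr
        return self.parent_address

    def forward(self, client: str, active: List[int], rng: random.Random) -> int:
        """Forward client C's packets to its server S_i; a first contact is assigned a random
        active server. The client never learns which server index it is talking to."""
        if client not in self.client_server:
            self.client_server[client] = rng.choice(active)
        return self.client_server[client]

    def migrate(self, active: List[int], state: Dict[str, dict], rng: random.Random) -> List[dict]:
        """Connection migration (slide 17): for every client whose server S_i left the active
        set, pick a new S_j at random and hand S_j the state encapsulated from S_i. The slides
        carry that state in the TCP SYN; here it is a plain message dict."""
        messages: List[dict] = []
        for client, s_i in list(self.client_server.items()):
            if s_i in active:
                continue
            s_j = rng.choice(active)
            self.client_server[client] = s_j
            self.migrations.append((client, s_i, s_j))
            messages.append({"client": client, "from": s_i, "to": s_j,
                             "state": state.get(client, {})})
        return messages


if __name__ == "__main__":
    # Constructed two-level AGN in front of four servers, two of them active per epoch.
    reg = AddressRegistry()
    root = AccessGateway("svc", 0, 0, "10.0.0.1", reg)
    leaf = AccessGateway("svc", 1, 4, "10.0.1.4", reg, parent_index=0)
    root.register_address()
    print("leaf's parent:", leaf.register_with_parent(["s0", "s1", "s2", "s3"]))
    rng = random.Random(42)
    print("c1 ->", root.forward("c1", [0, 1], rng))
    print("migrations:", root.migrate([2, 3], {"c1": {"seq": 17}}, rng))
```

Only the AG's `client_server` table changes during a migration; the client keeps its single AG address, which is what makes the roaming scheme transparent to it.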

Page 18

Roaming Protocol (for a single active server):

• Service time is divided into epochs: random intervals of activity/inactivity for servers.

• The length of epoch E_i is calculated from a long hash chain, R_i = H(K_i), where K_i is a random key and R_i is the number of seconds.

• The location for epoch i is S_i = servers[MSB(H'(K_i))], where MSB denotes the most significant bits of the hash function H' (such as MD5).

• Out of N servers, k are active at any time; the set of active servers is P_k(S).
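The epoch-length and server-selection computation of slides 8 and 18, as an added Python example that is not code from the presentation or from the paper. Assumptions: SHA-256 (with domain separation) stands in for H, H' and H'', since the slides only name MD5 as one option; the seed and all parameters are constructed; the single-server pick of slide 8 is generalised to k of N servers by walking successive lg N-bit chunks of H''(K_i), which reduces to the slide's formula for k = 1 and N a power of two; and the `min_epoch` parameter is this example's reading of slide 10's lower bound on the epoch.

```python
import hashlib
from typing import List, Tuple


def H(data: bytes) -> bytes:
    """Chain hash H. Assumption: SHA-256 (the slides do not fix the function)."""
    return hashlib.sha256(data).digest()


def H_prime(data: bytes) -> bytes:
    """H' for the epoch length. Assumption: domain-separated SHA-256."""
    return hashlib.sha256(b"epoch-length|" + data).digest()


def H_double_prime(data: bytes) -> bytes:
    """H'' for server selection. Assumption: domain-separated SHA-256."""
    return hashlib.sha256(b"server-select|" + data).digest()


def build_backward_chain(seed: bytes, n: int) -> List[bytes]:
    """Backward hash chain of slide 8: K_n = seed and K_{i-1} = H(K_i).
    Index i of the result holds K_i (index 0 is unused). Keys are consumed in the
    order K_1, K_2, ..., so holding K_i gives no way to predict K_{i+1}, while a
    disclosed K_{i+1} can be checked against K_i (see verify_next_key)."""
    if n < 1:
        raise ValueError("chain needs at least one key")
    chain: List[bytes] = [b""] * (n + 1)
    chain[n] = seed
    for i in range(n, 1, -1):
        chain[i - 1] = H(chain[i])
    return chain


def verify_next_key(known_k_i: bytes, claimed_k_next: bytes) -> bool:
    """A party holding K_i accepts K_{i+1} only if H(K_{i+1}) == K_i."""
    return H(claimed_k_next) == known_k_i


def msb(digest: bytes, bits: int) -> int:
    """MSB_bits(digest): the 'bits' most significant bits of the digest as an integer."""
    return int.from_bytes(digest, "big") >> (len(digest) * 8 - bits)


def epoch_length(k_i: bytes, m: int, min_epoch: int = 0) -> int:
    """R_i = MSB_m(H'(K_i)) seconds (slide 8). min_epoch is an assumed reading of
    slide 10's lower bound on the epoch; min_epoch = 0 is slide 8 unchanged."""
    return max(min_epoch, msb(H_prime(k_i), m))


def active_servers(k_i: bytes, n_servers: int, k: int) -> List[int]:
    """Slide 8 picks one server, S_i = servers[MSB_{lg N}(H''(K_i))].
    Generalisation (an assumption, not from the slides) to k of N active servers:
    take successive ceil(lg N)-bit chunks of H''(K_i), re-hash with a counter when
    the digest runs out, and keep the first k distinct indices below N."""
    if not 1 <= k <= n_servers:
        raise ValueError("k must lie between 1 and N")
    bits = max(1, (n_servers - 1).bit_length())        # ceil(lg N)
    chosen: List[int] = []
    counter = 0
    digest = H_double_prime(k_i)
    while len(chosen) < k:
        value = int.from_bytes(digest, "big")
        nbits = len(digest) * 8
        for shift in range(nbits - bits, -1, -bits):   # most significant chunk first
            idx = (value >> shift) & ((1 << bits) - 1)
            if idx < n_servers and idx not in chosen:
                chosen.append(idx)
                if len(chosen) == k:
                    break
        counter += 1
        digest = H_double_prime(k_i + counter.to_bytes(4, "big"))
    return chosen


Schedule = List[Tuple[int, int, List[int]]]   # (i, R_i in seconds, active server indices)


def roaming_schedule(seed: bytes, n_epochs: int, n_servers: int, k: int,
                     m: int, min_epoch: int = 0) -> Schedule:
    """Epoch-by-epoch plan; every server not in the active list is a honeypot for that epoch."""
    chain = build_backward_chain(seed, n_epochs)
    return [(i, epoch_length(chain[i], m, min_epoch), active_servers(chain[i], n_servers, k))
            for i in range(1, n_epochs + 1)]


if __name__ == "__main__":
    # Constructed parameters: 8 servers, 3 active per epoch, 10-bit epoch field, 30 s floor.
    for i, r_i, active in roaming_schedule(b"constructed demo seed", 5, 8, 3, 10, min_epoch=30):
        honeypots = sorted(set(range(8)) - set(active))
        print(f"epoch {i}: {r_i:4d} s  active={active}  honeypots={honeypots}")
```

Because the chain is built backwards, an observer who captures K_i (for instance by compromising an active server) still cannot compute K_{i+1} and therefore cannot predict the next epoch's active set; that one-wayness is what keeps the honeypot locations unpredictable.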

Page 19

Network Model

[Figure: network diagram with Clients, Firewall, Attacker, AGN and the pool of Back-End Servers, with one server labelled Honeypot and one labelled Active Server]

Page 20

Simulation Model

Tested on ns-2 (http://www.isi.edu/nsnam/ns/):

• Discrete-event simulator aimed at network testing

• Simulates routing, TCP, and multicast protocols

• Supports wired and wireless networks

Page 21

Simulation Model

• Tested under ns-2 simulation.

• Average Response Time (ART) is the primary metric.

• Comparison of: Nonroaming (Load Sharing); Roaming w/o Filtering (attacker traffic is not dropped); Roaming w/ Filtering (attacker traffic is dropped).
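The detection and filtering effect that the "Roaming w/ Filtering" case relies on, as an added Python example that is not part of the presentation or of the ns-2 simulation: a source that contacts the servers directly lands on whichever servers are honeypots in the current epoch, while clients relayed by the AGN only ever reach active servers. The roaming schedule and the firewall/IDS log lines are constructed; the follow-delay figure (time from an epoch start until a flagged source first reaches an active server, which is the clients' attack-free window of slide 25) is this example's own metric.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Epoch:
    start: float               # seconds from service start
    end: float                 # exclusive
    active: FrozenSet[int]     # the k active server indices; all others are honeypots


# Constructed schedule for N = 4 servers with k = 2 active per epoch (it stands in
# for the output of the hash-chain selection on slides 8 and 18).
SCHEDULE: List[Epoch] = [
    Epoch(0.0, 60.0, frozenset({0, 1})),
    Epoch(60.0, 120.0, frozenset({2, 3})),
    Epoch(120.0, 180.0, frozenset({1, 3})),
]

# Constructed log lines "<time> <source ip> <destination server index>".
# 198.51.100.7 is a legitimate client relayed by the AGN; 203.0.113.9 probes the
# servers directly and therefore lands on honeypots.
LOG = """\
5.0 198.51.100.7 0
12.0 198.51.100.7 1
61.0 198.51.100.7 2
61.5 203.0.113.9 0
62.0 203.0.113.9 1
63.0 203.0.113.9 2
121.0 203.0.113.9 0
125.0 198.51.100.7 3
"""

Record = Tuple[float, str, int]


def parse_log(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst = line.split()
        records.append((float(t), src, int(dst)))
    return sorted(records)          # the analysis below relies on time order


def epoch_at(schedule: List[Epoch], t: float) -> Optional[Epoch]:
    for ep in schedule:
        if ep.start <= t < ep.end:
            return ep
    return None


@dataclass
class Report:
    flagged: Set[str] = field(default_factory=set)             # sources that touched a honeypot
    honeypot_hits: Dict[str, int] = field(default_factory=dict)
    follow_delays: Dict[str, List[float]] = field(default_factory=dict)
    dropped: int = 0                                            # packets the filter discards


def analyze(schedule: List[Epoch], records: List[Record]) -> Report:
    rep = Report()
    hit_in_epoch: Set[Tuple[str, float]] = set()       # (source, epoch start) with a honeypot hit
    followed_in_epoch: Set[Tuple[str, float]] = set()  # ... that later reached an active server
    for t, src, dst in records:
        ep = epoch_at(schedule, t)
        if ep is None:
            continue                     # outside the known schedule: nothing can be said
        key = (src, ep.start)
        if dst not in ep.active:
            # Contact with a honeypot: legitimate traffic is steered to active servers by
            # the AGN, so this is the detection signal the filtering effect is built on.
            rep.flagged.add(src)
            rep.honeypot_hits[src] = rep.honeypot_hits.get(src, 0) + 1
            hit_in_epoch.add(key)
        elif key in hit_in_epoch and key not in followed_in_epoch:
            # The flagged source has now located an active server: the time since the
            # epoch began is its follow delay, i.e. the clients' attack-free window.
            rep.follow_delays.setdefault(src, []).append(t - ep.start)
            followed_in_epoch.add(key)
        if src in rep.flagged:
            rep.dropped += 1             # roaming w/ filtering: drop traffic from detected sources
    return rep


if __name__ == "__main__":
    report = analyze(SCHEDULE, parse_log(LOG))
    print("flagged:", sorted(report.flagged))
    print("honeypot hits:", report.honeypot_hits)
    print("follow delays (s):", report.follow_delays)
    print("packets dropped:", report.dropped)
```

The check is only as good as the schedule's secrecy: the filter is keyed on "destination was not active at time t", so the detector needs the same K_i-derived schedule the AGN uses, and a source that can predict it would never be flagged.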

Page 22

Effect of Migration Interval

The migration interval must be tuned against the overhead of re-establishing TCP connections with each new server set: shorter intervals mean more frequent TCP restarts.

Page 23

Effect of Client Load

Under small attack loads, the nonroaming scheme performs better because of the overhead of roaming

Page 24

Effect of Attack Load

Using filtering, the ART does not change as the attack load increases once the attacker is detected

Page 25

Effect of Follow Delay

In Roaming w/ Filtering, clients experience an attack-free window while the attacker experiences follow delay.

Page 26

Conclusions

Strengths:

• Under high attack load, the roaming scheme performs better than load sharing

• Undetectable honeypot locations

• Transparent to client traffic

Page 27

Conclusions

Weaknesses:

• Must balance the TCP overhead of resetting connections

• Wastes a large amount of server resources with inactivity (as honeypots)

• The idea of logical roaming is underdeveloped in the paper, but could save resources and reduce overhead

Page 28

Conclusions

• A vulnerability remains that malicious code can be installed on legitimate servers.

• Periodic reinstall is suggested, but the service can be compromised before the reinstall if the attack is sophisticated.

• This violates the property of honeypots that they should not adversely affect the operation of the standard service if compromised.