Autonomous Anti-DDoS Network V2.0 (A2D2-2)
Sarah Jelinek, University of Colorado, Colo. Spgs., [email protected]
Spring Semester 2003, CS691 Project
Project Goals
• Ultimate goal of project
  – To make DDoS technology more robust
• Relationship to other projects
  – Enhancements of existing A2D2 architecture to incorporate IDIP and Alternate Proxy Servers
• High-level timing goals
  – Research and new architecture, now
  – Project completion planned for 9/03
Description - A2D2
• Developed by Angela Cearns, UCCS Masters Thesis
• DDoS Intrusion Detection and Response
• Uses freeware as main detection component
• Modifications made to effect better response
FOR MORE INFO...
http://cs.uccs.edu/~chow/pub/master/acearns/doc/angThesis-final.pdf
A2D2, cont..
[A2D2 architecture diagram; no transcribed text on this slide.]
A2D2, cont..
• Strengths
  – Uses open source components
  – Portable
  – Configurable
• Weaknesses
  – Host based
  – Local network response
  – No attempt made to actively trace intruder
  – Possible bottleneck at firewall
  – Static thresholds
A2D2-2 Technology
• New technology being used
  – Intrusion Detection and Isolation Protocol (IDIP)
  – Alternate Proxy Servers
• Standards being adopted
  – IDIP
    • Will work with other IDIP enabled Intrusion Detection Networks
  – Service Location Protocol (SLP)
    • Allows discovery of registered IDIP Nodes
A2D2-2 What It Solves
• Host Based
  – Now a dynamic, network wide solution
  – Will work with other IDIP enabled Intrusion Detection Networks utilizing CITRA
• Active Tracing of Intruder
  – SLP is used to discover other network IDIP services
A2D2-2 What It Solves, cont..
• Local Response
  – SLP used for location of alternate proxy servers for more global response
• Firewall Bottleneck
  – Response coordination centralized
A2D2-2 & IDIP
• IDIP
  – Developed by Boeing and NAI Labs
  – Supports real-time tracking and containment of DDoS attacks
  – Three layers:
    • Application Layer
    • Message Layer
    • Discovery Coordinator
A2D2-2 - Discovery Coordinator
• IDIP Discovery Coordinator
  – Bulk of the work done here
  – Network wide response coordinator
  – Will notify clients and client DNS of alternate routes available
  – Standardized language used for messages and topology (CISL)
  – Local attack response still active if down
IDIP Nodes
[Diagram: the IDIP node types shown are Intrusion Detection Systems, Routers, Firewalls, Server, Client, and the Network Manager (Discovery Coordinator).]
FOR MORE INFO...
http://zen.ece.ohiou.edu/~inbounds/DOCS/reldocs/IDIP_Architecture.doc
A2D2-2 Proposed Architecture
[Architecture diagram; no transcribed text on this slide.]
Alternate Routes
FOR MORE INFO...
http://cs.uccs.edu/%7Echow/research/security/uccsSecurityResearch.ppt
[Diagram "Implement Alternate Routes", from chow's Security Research slides (slide 22, 1/10/2003): the Victim sits behind routers R1, R2, R3 that serve client networks net-a.com, net-b.com, net-c.com with DNS servers DNS1, DNS2, DNS3; attack hosts (A) send DDoS attack traffic alongside legitimate client traffic; Alternate Gateways provide other paths to the Victim.]
Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide IP addresses of alternate gateways?
Alternate Routes, cont..
[Diagram "Possible Solution for Alternate Routes", from the same slides (slide 23, 1/10/2003): the Victim's IDS raises a distress call; a Reroute Command carrying the DNS/IP address of the proxy and of the Victim is sent out; attack messages arriving via R2 are blocked by the IDS; proxies Proxy1, Proxy2, Proxy3 front routers R1, R2, R3; a new route runs via Proxy3 to R3.]
A2D2-2 & SLP -> Alternate Routes
[Diagram "A2D2-2 & SLP -> Alternate Routes": the A2D2-2 Network IDS on the local network, together with the A2D2-2 IDIP Discovery Coordinator (DC), uses SLP discovery and communication to reach IDIP Nodes at routers R1, R2, R3 and at Proxy1, Proxy2, Proxy3; the local IDS response blocks and traces back the attack messages; a new route runs via Proxy3 to R3; client networks net-a.com, net-b.com, net-c.com with DNS1, DNS2, DNS3 as on the previous slides.]
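The reroute sequence from the two diagrams above, as an added illustration that is not code from the A2D2-2 project or from chow's slides: an SLP-like registry of IDIP nodes, a distress call from the local IDS, and the Discovery Coordinator's block and reroute commands. Router, proxy and DNS names follow the diagram; the message names, fields and IP addresses are assumed or constructed, not the real IDIP/CISL formats.

```python
from dataclasses import dataclass, field

@dataclass
class Registry:
    """Stand-in for SLP: each IDIP node registers a service type plus attributes."""
    entries: dict = field(default_factory=dict)

    def register(self, name, stype, **attrs):
        self.entries[name] = (stype, attrs)

    def find(self, stype):
        return [(n, a) for n, (t, a) in self.entries.items() if t == stype]

@dataclass
class DistressCall:
    victim: str             # victim hostname (constructed sample values in demo())
    victim_ip: str
    attacked_routes: tuple  # routers whose paths carry the flood, e.g. ("R1", "R2")
    attack_sources: tuple   # source prefixes reported by the local IDS

def coordinate(registry, call):
    """Discovery Coordinator logic; message names and fields are assumptions."""
    msgs = []
    # 1. Containment: every discovered IDIP router blocks the attack sources.
    for router, _ in registry.find("router"):
        msgs.append(("block", router, call.attack_sources))
    # 2. Alternate route: pick a registered proxy whose upstream router is not flooded.
    clean = [(n, a) for n, a in registry.find("proxy")
             if a["route"] not in call.attacked_routes]
    if not clean:
        return msgs  # nothing to reroute; the local IDS response still stands
    proxy, attrs = clean[0]
    # 3. Reroute command: hand the proxy and victim addresses to the client DNS
    #    servers so their clients reach the victim over the alternate path.
    for dns, _ in registry.find("client_dns"):
        msgs.append(("reroute", dns, {"victim": call.victim, "victim_ip": call.victim_ip,
                                      "proxy": proxy, "proxy_ip": attrs["ip"]}))
    return msgs

def demo():
    """Constructed topology from the slide: R1 and R2 flooded, new route via Proxy3 to R3."""
    reg = Registry()
    for i, r in enumerate(("R1", "R2", "R3"), 1):
        reg.register(r, "router")
        reg.register(f"Proxy{i}", "proxy", ip=f"192.0.2.{10 + i}", route=r)
        reg.register(f"DNS{i}", "client_dns")
    call = DistressCall("www.victim.example", "198.51.100.10", ("R1", "R2"), ("203.0.113.0/24",))
    return coordinate(reg, call)
```

The open questions on the earlier slide (which clients are not compromised, how to hide the alternate gateway addresses) are not addressed by this model; it only shows the coordination flow.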
A2D2-2 Futures
• IDIP Redundant/Cooperative Discovery Coordinators
• Discovery Coordinator Response Optimization Enhancements
• Updates to Snort
• Secure DNS (already started?)