Purdue University
Center for Education and Research in Information Assurance and Security

Denial of Service, Traceback and Anonymity

Clay Shields
Assistant Professor of Computer Sciences
CERIAS

Network Security
• I am with CERIAS to look at network security issues
• Involved in a number of projects in the area
• Overview of research in context of denial-of-service attacks

Network Overview
• Two types of network entities
• Hosts
  – PCs, workstations, user oriented
  – On edge of network
• Routers
  – Make up infrastructure
  – Enable communication

Network Diagram

Communication
• IP networks are packet switched
• Connections between machines are streams of packets
• Hosts create packets and send them into network
• Routers forward to destination

Packets
• Packets have two main parts
• Data
  – Created by and sent between hosts
• Headers
  – Routing information, used for forwarding

Source Address | Destination Address | Other information

Packet Source Location
• Source addresses in packet headers can be lies
• Routing typically only uses destination address
• Allows construction of packets that appear to be from elsewhere

IP Spoofing

Why is this a problem?
• IP Spoofing
  – Pretend to be another host
  – Exploit address-based trust relationships
• Denial of service attacks
  – Hide source
  – More effective attacks

Spoofing Prevention
• Practical measures:
  – Turn on source address routing checks at edge domains
  – Desirable behavior for Internet community
  – Not done frequently enough
  – How frequently done at all is the question
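
Added example, not part of the original slides: a sketch of the source address check an edge domain applies, forwarding a packet only if its source address belongs to a prefix assigned behind the interface it arrived on. The interface names, prefixes and sample packets are constructed assumptions.

```python
import ipaddress

# Constructed edge-router configuration: prefixes legitimately reachable
# behind each customer-facing interface (hypothetical names and ranges).
CUSTOMER_PREFIXES = {
    "eth1": [ipaddress.ip_network("192.0.2.0/24")],
    "eth2": [ipaddress.ip_network("198.51.100.0/25"),
             ipaddress.ip_network("2001:db8:42::/48")],
}

def source_is_valid(interface, src):
    """Return True if src belongs to a prefix assigned behind interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: treat as invalid
    return any(addr.version == net.version and addr in net
               for net in CUSTOMER_PREFIXES.get(interface, []))

def filter_packets(packets):
    """Split (interface, src, dst) tuples into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped

# Constructed sample traffic arriving on customer interfaces.
SAMPLE = [
    ("eth1", "192.0.2.17", "203.0.113.5"),       # legitimate source
    ("eth1", "198.51.100.9", "203.0.113.5"),     # valid prefix, wrong interface
    ("eth2", "198.51.100.200", "203.0.113.5"),   # outside the assigned /25
    ("eth2", "2001:db8:42::1", "2001:db8:ffff::1"),  # legitimate IPv6 source
    ("eth3", "192.0.2.17", "203.0.113.5"),       # interface with no prefixes
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE)
    print(len(fwd), "forwarded,", len(drop), "dropped")
```

The check only looks at the source address and arrival interface, so it stops forged sources at the edge without inspecting payloads or destinations.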

Spoofstat
• Conduct measure of how many domains conduct filtering
• Downloadable client tells what filtering a domain does
• Server keeps statistics on how much filtering occurs
• Encourage good network citizenship

Denial-of-Service Attacks
• Attackers desire to prevent normal network operation
• Various motivations for doing this
• General method is to send packets that cause other communications to fail

Types of DoS Attacks
• Bug exploitation
  – Send packets that cause buggy TCP/IP stack to crash or hang
• Control Messages
  – Forge network control messages to disrupt network operation
• Flooding
  – Consume resources with massive number of packets

Flooding Attacks

Flooded Packets
• Can consume host resources
  – SYN packets
• Can consume bandwidth
  – Large ICMP or UDP
• Attacks work if attacker can consume enough resources to affect ability of victim to provide service

Distributed Denial of Service
• Attackers with lower bandwidth can’t easily flood a victim with higher bandwidth
• Solution for attackers is to find a means of generating more traffic
• Distributed denial-of-service tools
• These attacks were used against Yahoo and others

Distributed DoS
• Attacks work in two rounds
• Attacker exploits vulnerabilities to break into many systems
• Attacker installs software clients
• Master software controls clients to initiate denial of services

Compromising Hosts

Initiating Flooding

Detecting Denial of Service
• It is not always obvious when a DoS attack is occurring
• Took Yahoo over an hour to determine it was under attack
• Requires system administrators to investigate network outage
• Type of attack is not always immediately evident

DoS Detection
• Develop tools to determine when DoS occurs and to categorize the type of attack
• Early warning allows rapid response
• Currently gathering data about normal traffic and DoS traffic to train machine learning algorithms
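
Added example, not part of the original slides: a fixed-threshold check (not the machine-learning approach the slide says is being trained) that labels one traffic window with the two flood categories from the Flooded Packets slide. The record layout, thresholds and sample traffic are constructed assumptions.

```python
from collections import Counter

# Assumed per-window thresholds; real values come from a site's own baseline.
MAX_HALF_OPEN = 100     # SYNs never followed by a handshake-completing ACK
MAX_BYTES = 1_000_000   # bytes of ICMP or UDP per window

def categorize(window):
    """Classify one window of (proto, flag, src, sport, size) records.

    Returns a sorted list of labels: 'syn-flood' (host resources consumed)
    and/or 'bandwidth-flood' (large ICMP or UDP volume).
    """
    syn, completed, volume = set(), set(), Counter()
    for proto, flag, src, sport, size in window:
        if proto == "tcp":
            key = (src, sport)
            if flag == "SYN":
                syn.add(key)
            elif flag == "ACK":
                completed.add(key)
        else:
            volume[proto] += size
    labels = []
    if len(syn - completed) > MAX_HALF_OPEN:
        labels.append("syn-flood")
    if any(v > MAX_BYTES for v in volume.values()):
        labels.append("bandwidth-flood")
    return sorted(labels)

def make_window(kind):
    """Build constructed traffic for one window: normal, 'syn' or 'udp'."""
    normal = []
    for i in range(50):  # 50 connections that complete their handshake
        normal += [("tcp", "SYN", "192.0.2.10", 40000 + i, 60),
                   ("tcp", "ACK", "192.0.2.10", 40000 + i, 52)]
    if kind == "syn":
        # Many SYNs from varied source addresses, none ever completed.
        return normal + [("tcp", "SYN", f"198.51.100.{i % 250}", 1024 + i, 60)
                         for i in range(500)]
    if kind == "udp":
        # 1000 large datagrams: 1.4 MB in one window.
        return normal + [("udp", "", "203.0.113.7", 53, 1400)] * 1000
    return normal

if __name__ == "__main__":
    for kind in ("normal", "syn", "udp"):
        print(kind, categorize(make_window(kind)))
```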

How do you find an attacker?
• Trace flooded packets to the source
• Trace control messages back to master
• Trace attacker back from master to origin of attack
• Easy, right?

Packet Source Location
• Flooded packets are sent with forged IP addresses
• Currently no way to determine source of packet from packet itself

Tracing an Attacker
• If you are able to identify DoS traffic sources and master, need to find origin
• Attackers generally hide by connecting through multiple compromised hosts
• Need to follow TCP stream through network

Tracing an Attacker

Packet Tracker
• Goals:
  – Stimulate research to solve these problems
  – Produce a workable solution for some environment
• Where we are now:
  – Completed literature review
  – Identified environments and concerns
  – Investigating existing solutions

Future Work in Traceback
• Marking of single packets for source determination
• Encrypted stream matching
  – Match encrypted streams based on timing and/or size of packets
  – Method for maintaining audit data about connections
  – Host support for stream traceback
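
Added example, not part of the original slides: one simple way to match an encrypted stream entering a relay host to the stream leaving it, using only packet timing and size as the slide describes. It assumes the relay forwards packet for packet; the correlation scoring, the threshold and the sample captures are constructed assumptions.

```python
import math

def gaps(stream):
    """Inter-packet delays for a list of (timestamp, size) records."""
    return [b[0] - a[0] for a, b in zip(stream, stream[1:])]

def pearson(x, y):
    """Pearson correlation of two sequences, truncated to equal length."""
    n = min(len(x), len(y))
    if n < 2:
        return 0.0
    x, y = x[:n], y[:n]
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sx = math.sqrt(sum((a - mx) ** 2 for a in x))
    sy = math.sqrt(sum((b - my) ** 2 for b in y))
    return cov / (sx * sy) if sx and sy else 0.0

def match_score(a, b):
    """Mean of timing and size correlation; payload bytes are never read."""
    timing = pearson(gaps(a), gaps(b))
    sizes = pearson([s for _, s in a], [s for _, s in b])
    return (timing + sizes) / 2

def best_match(inbound, candidates, threshold=0.9):
    """Name of the outbound stream that matches inbound, or None."""
    if not candidates:
        return None
    scores = {name: match_score(inbound, s) for name, s in candidates.items()}
    name = max(scores, key=scores.get)
    return name if scores[name] >= threshold else None

# Constructed capture at one relay host: (seconds, bytes) per packet.
INBOUND = [(0.00, 64), (0.35, 128), (0.40, 64), (1.10, 512),
           (1.15, 64), (2.00, 256), (2.70, 64), (2.75, 1024)]
JITTER = [0.000, 0.003, 0.001, 0.004, 0.002, 0.000, 0.003, 0.001]
OUTBOUND = {
    # Same session re-encrypted: 20 ms forwarding delay, jitter, +16 bytes.
    "out-A": [(t + 0.020 + j, s + 16) for (t, s), j in zip(INBOUND, JITTER)],
    # Unrelated session leaving the same host.
    "out-B": [(0.0, 512), (0.5, 512), (0.6, 512), (0.7, 80),
              (1.5, 512), (1.6, 512), (2.4, 80), (3.0, 512)],
}

if __name__ == "__main__":
    print(best_match(INBOUND, OUTBOUND))
```

A relay that repacketizes or pads traffic breaks the packet-for-packet assumption, which is one reason the slide lists audit data and host support alongside matching.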

Privacy Concerns
• If traceback solutions are successful, privacy will likely be a concern
• Desirable to have method of maintaining privacy
• Protocols exist to provide network anonymity
• Use same techniques as attackers to hide IP addresses

Anonymous Protocols
• Develop anonymous protocols and understand their properties
• Arrive at a logic that describes such protocols
• Useful for privacy
• Also useful for traceback

Hordes
• Work done with Brian Levine, UMass
• New protocol for anonymous communication
• Uses IP multicast for lower communication latency
• Being implemented here
• One of family of protocols being developed

Goals
• Eventual goal of my research

The network should provide privacy and anonymity for network users unless they have violated some law, in which case appropriate authorities should be able to rapidly and easily identify suspects

Overview
• Denial of service
• Traceback
  – Encrypted streams in network
• Anonymity

But wait!
• Secure routing
  – Secure Local Area Multicast (SLAM)
    • Enabling technology for IP multicast
    • Source and receiver access control
  – Ant Routing
    • Secure, robust, multi-path routing
    • Based on biological behavior of ants