					SOS: Secure Overlay Services


DoS attacks
Problem Scenario
SOS: Operation-Architecture
Experimental Results
                    DoS attacks
   A denial-of-service attack (DoS attack) is an
    attempt to make a computer or network
    resource unavailable to its intended users.
   They are implemented by
      forcing the targeted computer(s) to reset
      consuming its resources so that it can no longer
      provide its intended service
      obstructing the communication media between the
      intended users and the victim so that they can no
      longer communicate adequately.
             Problem Scenario
Allow a moderate number of legitimate users to
  communicate with a target destination, where:
  Target is difficult to replicate (e.g., info highly
 legitimate users may be mobile (source IP
 address may change)
 DoS attackers will attempt to stop
 communication to the target
          SOS: The players (1/2)
Target: the node/end-system/server to be protected
  from DoS attacks
 It will be filtered to only allow overlay traffic

SOAP - Secure Overlay Access Point: the start point
  for all traffic that will communicate with the target
 Handles authentication of users and traffic.

Beacon: The end-point in a Chord ring
 Beacon forwards traffic to the Secret Servlet

Secret Servlet: The node that will communicate with a
 specific target or group of targets
         SOS: The players (2/2)
Legitimate User: Authenticated users communicate
  with the target
Attacker: Tries to stop users from communicating with the
SOS Architecture
    SOS Operation: Step 1 -> Filtering
Routers near the target apply simple packet filter based on IP address
  legitimate users’ IP addresses allowed through
    illegitimate users’ IP addresses aren’t

  good and bad users have same IP address
   bad users know a good user’s IP address and spoof it
   legitimate users are mobile and don't have fixed IPs
    SOS Operation: Step 2 -> Proxies
Install Proxies outside the filter whose IP addresses are
  permitted through the filter
    proxy only lets verified packets from legitimate
    sources through the filter
   Once attackers know the IP of a proxy they can spoof
    packets with its IP and reach the target
   Attackers can attack the proxy directly to bring it down
  SOS Operation: Step 3 -> Secret
Keep the identity of the proxy hidden!
  a hidden proxy is called a Secret Servlet
  only target, the secret servlet itself, and a few other points in
  the network know the secret servlet’s identity (IP address)
SOS Operation: Step 4 -> Overlay
Send traffic to the secret servlet via a network overlay
  nodes in virtual network are often end-systems
  verification/authentication of “legitimacy” of traffic can be
  performed at each overlay end-system hop
  SOS Operation: Step 5 -> SOAPs
Advertise a set of nodes that can be used by the legitimate user
  to access the overlay
  these access nodes participate within the overlay
  called Secure Overlay Access Points (SOAPs)
 User -> SOAP -> across overlay -> Secret Servlet -> (through filter) -> target
    SOS Operation: Chord routing
Must get from SOAP to Secret Servlet in a “hard-to-predict
manner”: But random routing routes are long (O(n))
Routes should not “break” as nodes join and leave the
overlay (i.e., nodes may leave if attacked)
Current proposed version uses DHT routing (e.g., Chord,
CAN, PASTRY, Tapestry). We consider Chord:
  A distributed protocol, nodes are used in homogeneous

   Chord utilizes consistent hashing to map an identifier, I,
    to a unique node h(I) = B in the overlay
   Implements a route from any node to B containing
    O(log N) overlay hops, where N = # overlay nodes
      SOS Operation: Overview
Routers in the filtered region only accept traffic from the
secret servlets. The site selects one or more secret
The informed secret servlet node will compute keys for
each of the overlay nodes that will act as beacons.
Servlets will contact the beacons that they identified and
let them know of their existence and the beacons will then
store the information.
When a source wants to communicate with a target, it
sends the request to a SOAP to access the protected site.
Using chord, the traffic is directed to a beacon.
The beacon then routes it to the secret servlet.
      SOS Operation: Data routing
1. Legitimate user forwards packet to SOAP
2. SOAP forwards verified packet to Beacon (via Chord)
3. Beacon forwards verified packet to secret servlet
4. Secret Servlet forwards verified packet to target
      Adding Redundancy in SOS
  Each special role can be duplicated if desired
   Any overlay node can be a SOAP
     The target can select multiple secret servlets
     Multiple Beacons can be deployed by using
      multiple hash functions
    An attacker that successfully attacks a SOAP, secret
    servlet or beacon brings down only a subset of
    connections, and only while the overlay detects and
    adapts to the attacks
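
Added example (not from the original slides): a Python sketch of the beacon selection described under Chord routing and Adding Redundancy, including what happens when an attacked beacon leaves the overlay. It assumes SHA-256 truncated to a 32-bit ring, salted hashes standing in for the multiple hash functions, and constructed node and target addresses; all names are hypothetical.

```python
import hashlib
from bisect import bisect_left

M = 32                # identifier bits (assumed for this sketch)
SPACE = 1 << M

def h(value, salt=0):
    """Map a string onto the ring; each salt acts as a separate hash function."""
    digest = hashlib.sha256(f"{salt}:{value}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % SPACE

class Ring:
    def __init__(self, addresses):
        self.ids = sorted({h(a) for a in addresses})

    def successor(self, ident):
        """First node id at or after ident, wrapping around the ring."""
        return self.ids[bisect_left(self.ids, ident % SPACE) % len(self.ids)]

    def leave(self, node):
        """A node under attack shuts down and drops out of the overlay."""
        self.ids.remove(node)

    def route(self, start, key):
        """Greedy finger-table lookup from start; returns (owner, hops)."""
        owner, node, hops = self.successor(key), start, 0
        while node != owner:
            dist = lambda x: (x - node) % SPACE
            fingers = [self.successor(node + (1 << k)) for k in range(M)]
            ahead = [f for f in fingers if 0 < dist(f) <= dist(key)]
            # farthest finger not past the key, else the key's owner is next
            node = max(ahead, key=dist) if ahead else owner
            hops += 1
        return owner, hops

def beacons(ring, target, copies=3):
    """Beacon i is the node owning h_i(target); salts 1..copies are the h_i."""
    return [ring.successor(h(target, s)) for s in range(1, copies + 1)]

def demo():
    # Constructed overlay of 64 nodes and a constructed target address.
    ring = Ring([f"198.51.100.{i}" for i in range(1, 65)])
    target, soap = "203.0.113.10", ring.ids[0]
    before = beacons(ring, target)
    paths = [ring.route(soap, h(target, s)) for s in (1, 2, 3)]
    standby = ring.successor(before[0] + 1)   # next node clockwise
    ring.leave(before[0])                     # first beacon is attacked
    return before, paths, standby, beacons(ring, target)

if __name__ == "__main__":
    print(demo())
```
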
    Why attacking SOS is difficult
Attack the target directly (without knowing secret servlet
ID): filter protects the target
Attack secret servlets:
  They’re hidden

   Attacked servlets -> “shut down” and target selects
    new servlets
Attack beacons: beacons “shut down” (leave the overlay)
and new nodes become beacons
  attacker must continue to attack a “shut down” node or

   it will return to the overlay
Attack other overlay nodes: nodes shut down or leave the
overlay, routing self-repairs
                Experimental Results

Almost all overlay nodes must be attacked to achieve a high likelihood of DoS
             Implementation of SOS
SOS can be implemented using existing software and standardized
   Filtering: all high and medium-range routers, as well as most
    desktop and server operating systems, offer some high-speed
    packet classification scheme that can be used to implement the
    target perimeter filtering
   Authentication and authorization of sources: practically
    all commercial and free operating systems include an
    implementation of IPsec
   Tunneling: once traffic has entered the overlay network, it
    needs to be forwarded to other SOS nodes toward the beacon,
    and from there to the secret servlets. Standard traffic tunneling
    techniques and protocols can be used (IP-in-IP encapsulation,
    GRE encapsulation, or IPsec in “tunnel mode”)
  SOS protects a target from DoS attacks
lets legitimate (authenticated) users through
    Filter around the target

     Allow “hidden” proxies to pass through the filter
     Use network overlays to allow legitimate users to
      reach the “hidden” proxies
  Preliminary Analysis Results
An attacker without overlay “insider” knowledge must
  attack a majority of overlay nodes to deny service to
Magdalini Grammatikou
