Reducing Malicious Traffic With IP Puzzles
Ed Kaiser, Wu-chang Feng, Wu-chi Feng, Antoine Luu

Motivation

Arrgh! There is so much bad traffic on the internet!
  • DoS attacks   • Port scans   • Spam e-mail
  • Worms         • Hacking      • Game cheaters

Question: What can be done?
Answer: Make clients accountable for their behavior by using a mechanism for punishing them if they behave badly.

Client puzzles offer an ideal punishment mechanism:
  • Easy to assign punishment
  • Can make punishment arbitrarily difficult
  • False positives degrade but do not deny service

Other work secures individual protocol vulnerabilities; however, the most effective solution should protect all network traffic, so it must be placed in the IP layer.

Our approach: IP layer client puzzles

Challenges

Flexible Deployment
  • Puzzle issuers at arbitrary network locations

Minimal Overhead
  • Puzzles can be generated at line speed
  • Constant state at the puzzle issuer
  • Minimal packet expansion

Tamper Resistance
  • Replay attacks
  • Spoofing attacks
  • Work ahead attacks

Support for Real Time Apps
  • Online games
  • Streaming media

Puzzle Protocol

  Client                                                    Issuer
    |---- Client Cookie --------------------------------------->|
    |<--- Client Cookie, Server Cookie, F, Puzzle ---------------|
    |---- Client Cookie, Server Cookie, Answer ----------------->|
  Client Nonce Cache                                  Issuer Nonce Cache

  Protocol Field   Description
  Client Cookie    TSc, Nc
  Server Cookie    TSs, TSm, TSe, h(F, TSc, Nc, TSs, Ns, TSm, TSe)
  Puzzle           Difficulty, Puzzle Parameters
  Answer           Puzzle Answer
  TSc              Client Logical Timestamp
  Nc               Client Nonce
  TSs              Issuer Logical Timestamp
  Ns               Issuer Nonce
  F                Flow Identifier
  TSm              Puzzle Maturity Time
  TSe              Puzzle Expiry Time
  h()              Hash Message Authentication Code (HMAC)

Puzzle Algorithm: Hint-Based Hash-Reversal

Requires:
  • Keyed HMAC; h()
  • high entropy random number generator; rand()

Creating the Puzzle:
  1) Answer ← rand()
  2) Hint ← Answer – (rand() mod Difficulty)
  3) Puzzle Hash ← h(Answer)
  4) discard the Answer

  Answer space:   0 -------- Hint -------- Answer -------- 2^n
                             |<-- Difficulty -->|

Solving the Puzzle:
  1) Search Value ← Hint
  2) if h(Search Value) = Puzzle Hash then Answer ← Search Value
  3) Search Value ← Search Value + 1
  4) go to step 2

Protocol Extensions

IP Option, Cookie (Type = 25, Length, Control):
  Client Timestamp, Client Nonce

ICMP, Puzzle (Type = 38, Code, Checksum):
  PuzzleType, Length, Control
  Client Timestamp, Client Nonce
  Issuer Timestamp, Maturity Time
  Expiry Time, Protocol
  Client IP
  Server IP
  Client Port, Server Port
  Hash of Parameters and Secrets
  Puzzle Difficulty
  Puzzle Parameters (variable length)

IP Option, Answer (Type = 26, Length, Control):
  Client Timestamp, Client Nonce
  Issuer Timestamp, Maturity Time
  Expiry Time
  Hash of Parameters and Secrets
  Puzzle Answer (variable length)
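The following is an added worked example of the hint-based hash-reversal puzzle and the stateless issue/verify exchange described above; it is not code from the poster or its authors. Assumptions made here: the puzzle hash the client searches over is plain SHA-256 (the poster writes h(), but the client cannot hold the issuer's HMAC key); the "hash of parameters and secrets" is HMAC-SHA256 over every puzzle field including difficulty and hint, so a client cannot downgrade its own puzzle; logical timestamps are plain integers passed in as `now`; and the issuer's only state beyond its secret is a replay cache keyed by Ns that is pruned at expiry.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ISSUER_SECRET = secrets.token_bytes(32)  # issuer's secret key (constructed for this example)
ANSWER_BITS = 32                         # answers are drawn from [0, 2^n) with n = 32

def puzzle_hash(value: int) -> bytes:
    """Public hash the client evaluates while searching (assumption: plain SHA-256,
    since the client cannot hold the issuer's HMAC key)."""
    return hashlib.sha256(value.to_bytes(8, "big")).digest()

def h(*fields) -> bytes:
    """Keyed HMAC h() over protocol fields: the 'hash of parameters and secrets'."""
    m = hmac.new(ISSUER_SECRET, digestmod=hashlib.sha256)
    for f in fields:
        m.update(repr(f).encode() + b"|")   # separator keeps adjacent fields from running together
    return m.digest()

@dataclass(frozen=True)
class Puzzle:
    F: str            # flow identifier
    TSc: int          # client logical timestamp
    Nc: int           # client nonce
    TSs: int          # issuer logical timestamp
    Ns: int           # issuer nonce
    TSm: int          # maturity time: answers are not accepted before it
    TSe: int          # expiry time: answers are not accepted after it
    difficulty: int
    hint: int
    puzzle_hash: bytes
    mac: bytes        # h(F, TSc, Nc, TSs, Ns, TSm, TSe, difficulty, hint, puzzle_hash)

def issue_puzzle(F: str, TSc: int, Nc: int, difficulty: int, now: int, validity: int = 5) -> Puzzle:
    """Issuer side: one hash and two random numbers, nothing stored per client."""
    Ns, TSs = secrets.randbits(64), now
    TSm, TSe = now + 1, now + validity
    answer = secrets.randbelow(1 << ANSWER_BITS)            # 1) Answer <- rand()
    hint = max(0, answer - secrets.randbelow(difficulty))   # 2) Hint <- Answer - (rand() mod Difficulty), clamped at 0
    ph = puzzle_hash(answer)                                # 3) Puzzle Hash <- h(Answer)
    del answer                                              # 4) discard the Answer
    mac = h(F, TSc, Nc, TSs, Ns, TSm, TSe, difficulty, hint, ph)
    return Puzzle(F, TSc, Nc, TSs, Ns, TSm, TSe, difficulty, hint, ph, mac)

def solve_puzzle(p: Puzzle) -> tuple:
    """Client side: count upward from the hint until the hash matches. Returns (answer, hashes tried)."""
    value, steps = p.hint, 0
    while puzzle_hash(value) != p.puzzle_hash:
        value += 1
        steps += 1
    return value, steps

_accepted = {}   # Ns -> TSe of answers already accepted; pruned at expiry, so it stays bounded

def verify_answer(p: Puzzle, answer: int, now: int) -> bool:
    """Issuer side: recompute the cookie MAC instead of looking anything up."""
    for ns in [ns for ns, te in _accepted.items() if te < now]:
        del _accepted[ns]
    expected = h(p.F, p.TSc, p.Nc, p.TSs, p.Ns, p.TSm, p.TSe, p.difficulty, p.hint, p.puzzle_hash)
    if not hmac.compare_digest(p.mac, expected):   # tampered difficulty, hint, window or flow
        return False
    if not (p.TSm <= now <= p.TSe):                 # outside the maturity/expiry acceptance window
        return False
    if p.Ns in _accepted:                           # replay of an already-accepted answer
        return False
    if puzzle_hash(answer) != p.puzzle_hash:        # wrong answer
        return False
    _accepted[p.Ns] = p.TSe
    return True

if __name__ == "__main__":
    p = issue_puzzle("dragon.32803>monkey.22", TSc=1, Nc=0x1234, difficulty=1000, now=100)
    ans, steps = solve_puzzle(p)
    print(f"solved with {steps} hashes; accepted={verify_answer(p, ans, now=101)}; "
          f"replay accepted={verify_answer(p, ans, now=101)}")
```

The client's work is exactly the gap rand() mod Difficulty between hint and answer, so the issuer tunes punishment linearly by choosing Difficulty while its own cost stays at one hash and two random draws; the MAC, the [TSm, TSe] window and the nonce cache are what turn the poster's replay, spoofing and work-ahead items into concrete checks.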

iptables Implementation

Puzzle Proxy (client side):
  First Packet on Flow → Add Cookie to IP Header → Internet
  ICMP Puzzle from Internet → Solve Puzzle → Retransmit Packet
  Following Packets on Flow → Add Answer to IP Header → Internet

Puzzle Firewall (server side):
  Packet from Internet → Need Puzzle?
    No  → pass the packet
    Yes → Answer?
      No  → Issue ICMP Puzzle, Drop Packet
      Yes → pass the packet

Tracing ssh

Proxy: dragon    Firewall: monkey
First packet: trace lines 1, 2, 3.   Next packet: trace lines 5, 7, 8.

Trace:
tcpdump: listening on eth0
20:54:05.570461 dragon.32803 > monkey.22: S                     1
20:54:05.570644 monkey > dragon: icmp: type-#38                 2
20:54:05.570679 dragon.32803 > monkey.22: S                     3
20:54:05.570826 monkey.22 > dragon.32803: S
20:54:05.570853 dragon.32803 > monkey.22: .                     5
20:54:05.572148 monkey.22 > dragon.32803: P
20:54:05.572190 dragon.32803 > monkey.22: .                     7
20:54:05.572317 dragon.32803 > monkey.22: P                     8
20:54:05.572445 monkey.22 > dragon.32803: .

Performance

Constant State at Issuer

Fast to Issue
  • requires only one hash and two random numbers

Fine Grain Difficulty Control
  • can linearly increment puzzle difficulty

Throughput
  Tests use:
  • Dual 1.8GHz Intel Xeon machines
  • Cisco Catalyst 4006 Gigabit switch
  Firewall:
  • validate and issue puzzles at 182,000 packets/s
  • solve min-difficulty puzzles at 130,000 packets/s
  • solve max-difficulty puzzles at << 1 packets/s

Slowing Port Scans

Adjusting the difficulty of IP Puzzles can force port scans to take a selectively long time to complete.

Future Work

Reputation-Based Networking
  • Keep interaction history about clients
  • Determine their reputability
  • Use IP Puzzles to punish clients who are bad
  • Share knowledge with other IP Puzzle firewalls

Publicly Auditable Puzzles
  • Puzzle answers can be independently verified by intermediate IP Puzzle routers
  • Answers can indicate amount of work done

Puzzles With Useful Answers
  • Puzzle algorithms where the answers provide useful computation for the puzzle issuer
  • Puzzle answer must be easily verifiable

IXP Implementation

OGI School of Science & Engineering, Oregon Health & Science University
Funded by:
