
SOS: Secure Overlay Service (+Mayday)

    A. D. Keromytis, V. Misra, D. Rubenstein
               Columbia University

            Presented by Yingfei Dong


 • Goal: proactively prevent DoS attacks so that legitimate users can
   communicate with a critical target
     – DoS attacks try to stop the communication
     – The target is difficult to replicate
         * e.g., high security or dynamic contents
     – Legitimate users are mobile (IP addresses are not fixed)
 • Motivating applications: Emergency Response Teams (ERTs)
     – Phone networks are easily crashed
     – FBI/police/fire department contacts with a central database
     – Bank users / stock brokers accessing their accounts
     – On-line transactions
     – Application requirements
         * Protect private communications on top of public networks
         * Authenticated mobile users

                 Denial of Service (DoS) Attacks

 • Select a target to degrade its performance
 • Generate "high volume" traffic to the target
     – Use up network resources: bandwidth, buffers
         * Packet flooding: for a 10 Mbps link, 830 1500-byte packets per second
     – Overload the CPU with security checking, or exhaust kernel resources
         * Security handshaking
         * TCP SYN flooding: holding all TCP control blocks
         * Forcing a server to fork many processes

 • SOS is not for general DoS attacks
     – Not for global traffic analysis
     – For a number of authenticated users communicating with a selected
       target on a public network

                             Related Work

     Participation          Global router changes        Local filters at
                                                         end-systems or routers

     Detect/prevent         Router-based filtering,      IP traceback
     spoofing               ingress filtering

     Identify/shut down     IP pushback,                 Pattern matching and
     ongoing attacks        rate-limiting                filtering

     Proactively prevent    IPsec (in each step)         SOS

     Secure                 Less implementation costs

                           Players in SOS

 • Target
     – Node / server protected by SOS from DoS
     – Fixed IP address, non-duplicable

 • Legitimate user
     – Authenticated users communicate with the target
     – Mobile IP address

 • Attacker
     – Tries to stop users from communicating with the target
     – Limited capability: cannot drag down core routers

                           Basic Idea

 • Why is DoS effective? Many-to-one
 • Solution: hide the paths to the target behind a large-scale
   distributed filter
     – Difficult to do because
         * The Internet is an open architecture and will stay open
         * IP spoofing is easy and ingress filters are not broadly
           deployed, ...
     – Idea: forward secure packets on a virtual overlay
       network on top of the Internet
         * Secure packets are forwarded between overlay nodes
         * Using a large number of overlay nodes
         * The overlay network adapts to attacks quickly
     – Attackers must attack many nodes to be successful!

                    SOS Functionalities

 • Goals
     – Allow legitimate users to communicate with the target
     – Prevent packets from illegitimate attackers from reaching
       the target

 • Ideal solution
     – No changes required in intermediate routers
     – No high-cost security checking near/at the target

 • Assumptions
     – Attackers have a limited amount of resources
     – Attackers cannot drag down core routers
         * Does NOT solve the general DoS problem

               Method 1: Source-Address Filtering

 • Routers near the target do simple filtering based on source
   IP addresses
     – Only packets from legitimate nodes can reach the target
     – Packets from other sources are dropped
     – Fast, light-weight authenticator
     – Routers are difficult to hack

 • Problems
     – Attackers obtain an account on a legitimate node
     – Attackers spoof packets with a legitimate source IP
     – Legitimate users are mobile and don't have fixed IPs

            Method 2: Filters + Proxy Servers

 • Idea:
     – A proxy server sits between a legitimate user and the target
     – The proxy only forwards authenticated packets
     – Only packets from the proxy can reach the target

 • Problems
     – Once attackers know the IP of a proxy, x.x.x.x,
       they can spoof packets with source x.x.x.x and reach the target
     – Attackers directly attack the proxy to drag it down

            Method 3: Filters + Secret Proxy Servers

 • Hide the identity (IP address) of a proxy to prevent IP
   spoofing or attacks aimed at the proxy
     – A Secret Servlet is a hidden proxy chosen by the target
     – A filter only allows packets whose source address matches
       some n ∈ Ns, the set of selected servlet nodes
     – Only the target, the secret servlets, and a few other trusted
       nodes know the IP addresses of the secret servlets

 • The attacker is not sure which node is a proxy for the target

   Method 4: Filter + Secret Proxy + Overlay Routing + SOAP

 • Question: how to forward packets to a Secret Servlet
   without knowing its IP address?
 • Virtual overlay network
     – Each node is an end host
     – Only some nodes know how to reach a proxy (Servlet)
     – Indirect assumption: a large number of nodes, so
       attackers cannot monitor all overlay nodes
 • Service Overlay Access Points (SOAPs)
     – Everyone knows a set of SOAPs
     – A SOAP is an entry node to the overlay network
     – Receives and verifies traffic via IPsec/TLS
     – A large number of SOAPs act as a distributed firewall

 • User → SOAP → across overlay → Secret Servlet → Target
       Overlay routing: SOAP → Servlet → Target

 • A path from a SOAP to a Servlet must be hard to find
     – Random walk: O(N/Ns) time,
       N is the total number of overlay nodes, Ns the number of Servlets
     – Chord: O(log N)
 • A path must be resilient to attacks, with fast recovery

                 Distributed Hash Table (DHT)

 • Examples: Chord, CAN, Pastry, Tapestry, ...

 • Chord
     – A distributed protocol with N homogeneous overlay nodes
     – Each node has a node identifier
     – Each object has an object key
     – Distributes all object keys over the N nodes:
       the object with key T is mapped to node B if H(T) = B,
       and object T is then managed by node B
     – Chord property:
       finding key T (i.e., reaching node B) from any node takes O(log N) steps

         A Beacon Connects a SOAP and a Servlet

 • An object key in SOS is the IP address of a target

 • The Beacon B for IP address T is the overlay node with
   identifier B = H(T)
     – Secret Servlet S finds Beacon B by B = H(T), and
       tells it to forward packets with destination T from B to S
     – SOAP A also finds Beacon B by B = H(T), and
       forwards secure packets with destination T to B

 • Multiple hash functions produce different Beacons, i.e.,
   different paths to the target.

                       Routing Summary

 • Target T randomly selects Secret Servlet S
 • Secret Servlet S informs Beacon B to forward packets with destination T
   to S
 • SOAP A forwards authenticated packets with destination T to B

 • Overlay nodes are known to the public, but their roles are secret
 • Communications between overlay nodes are secure/authenticated
 • Packets are authenticated by a SOAP before entering the overlay
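
The beacon slide and the routing summary above describe one forwarding path and the three secrets it rests on (who the servlets are, which node is the beacon for T, and what the filter in front of T accepts). The following is an added example, not code from the SOS paper or these slides: a toy Chord-like ring in which a target registers a secret servlet at beacon B = H(T), a SOAP authenticates a user and forwards via the beacon, and a source-address filter in front of T drops everything else. The node names, the target address, the user credential store and the hash function H (SHA-256 truncated to 16 bits, with a salt standing in for a second hash function H') are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Added example, not code from the SOS paper or these slides: a toy model of the
# forwarding path  User -> SOAP -> Beacon B = H(T) -> Secret Servlet -> Target,
# with a source-address filter in front of T. Node names, the target address,
# user credentials and the hash function H are all constructed for illustration.

RING_BITS = 16   # Chord identifier space [0, 2^16)


def H(key: str, salt: str = "") -> int:
    """Hash a key (a target address) onto the ring. A different salt acts as a
    different hash function H', which maps T to a different beacon."""
    digest = hashlib.sha256(f"{salt}|{key}".encode()).digest()
    return int.from_bytes(digest[:2], "big")


@dataclass
class Overlay:
    nodes: dict                                        # node address -> ring identifier
    beacon_table: dict = field(default_factory=dict)   # (beacon, target) -> servlet
    failed: set = field(default_factory=set)           # nodes the attacker has taken down

    def successor(self, key: int) -> str:
        """Chord successor: first live node whose identifier is >= key, wrapping around.
        Leaving failed nodes out of the ring is the 'self-healing' step."""
        live = sorted((nid, addr) for addr, nid in self.nodes.items()
                      if addr not in self.failed)
        for nid, addr in live:
            if nid >= key:
                return addr
        return live[0][1]

    def beacon_for(self, target: str, salt: str = "") -> str:
        return self.successor(H(target, salt))

    def register_servlet(self, target: str, servlet: str, salt: str = "") -> None:
        """Secret servlet S tells beacon B = H(T) to relay packets for T to S."""
        self.beacon_table[(self.beacon_for(target, salt), target)] = servlet

    def relay(self, beacon: str, target: str):
        """Beacon looks up the servlet registered for T; None if it knows none."""
        return self.beacon_table.get((beacon, target))


@dataclass
class Target:
    address: str
    servlets: set                      # filter ring: currently accepted source addresses
    received: list = field(default_factory=list)

    def filter_and_deliver(self, src: str, payload: str) -> bool:
        """Only packets whose source is a current secret servlet pass the filter."""
        if src not in self.servlets:
            return False
        self.received.append((src, payload))
        return True


USERS = {"alice": "alice-key"}   # constructed credential store shared by all SOAPs


def soap_ingress(ov: Overlay, target: Target, user: str, cred: str,
                 payload: str, salt: str = "") -> bool:
    """SOAP: authenticate the user, forward to beacon B = H(T), beacon relays to S,
    S delivers to T through the filter. Returns whether T received the packet."""
    if USERS.get(user) != cred:
        return False
    servlet = ov.relay(ov.beacon_for(target.address, salt), target.address)
    if servlet is None or servlet in ov.failed:
        return False
    return target.filter_and_deliver(servlet, payload)


def demo() -> dict:
    """Walk through the attack scenarios from the slides; returns each outcome."""
    nodes = {f"node-{i:02d}": H(f"node-{i:02d}") for i in range(16)}
    ov = Overlay(nodes)
    T = Target("198.51.100.10", servlets=set())
    # T picks a secret servlet that is not itself a beacon (keeps the scenarios unambiguous)
    beacons = {ov.beacon_for(T.address, s) for s in ("", "h2")}
    s1 = next(n for n in nodes if n not in beacons)
    T.servlets = {s1}
    ov.register_servlet(T.address, s1)
    out = {}
    out["legit_user"] = soap_ingress(ov, T, "alice", "alice-key", "hello")
    out["bad_credential"] = soap_ingress(ov, T, "mallory", "guess", "flood")
    out["direct_to_target"] = T.filter_and_deliver("203.0.113.7", "flood")
    # the beacon for H is taken down: the ring routes around it, but the new
    # successor has no entry for T, so SOAPs still using H get nowhere
    ov.failed.add(ov.beacon_for(T.address))
    out["after_beacon_down"] = soap_ingress(ov, T, "alice", "alice-key", "hello")
    # S registers with the beacon chosen by a second hash function H' (salt "h2")
    ov.register_servlet(T.address, s1, "h2")
    out["after_new_hash"] = soap_ingress(ov, T, "alice", "alice-key", "hello", "h2")
    # the servlet itself is taken down; T rotates to a new servlet and updates its filter
    ov.failed.add(s1)
    out["after_servlet_down"] = soap_ingress(ov, T, "alice", "alice-key", "hello", "h2")
    s2 = next(n for n in nodes if n not in ov.failed)
    T.servlets = {s2}
    ov.register_servlet(T.address, s2, "h2")
    out["after_servlet_rotation"] = soap_ingress(ov, T, "alice", "alice-key", "hello", "h2")
    return out
```

Running `demo()` walks the four defensive responses the slides list: an unauthenticated sender is stopped at the SOAP, a sender that bypasses the overlay is stopped by the source filter, losing a beacon is recovered by registering under a second hash function, and losing a servlet is recovered by the target choosing a new one and updating its filter. The real Chord lookup takes O(log N) hops through finger tables; the `successor` scan here is the same mapping without the routing.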

                       Against the DoS Attacks

 • Redundancy in SOS
     – Every overlay node can be a SOAP, Beacon or Servlet
     – A target can select multiple Servlets
     – Multiple Beacons can be used by using different hash functions
     – Many SOAPs

    User → SOAP → Beacon → Servlet → Target
 • Attacks on an overlay node
     – Chord self-heals by removing the node from the ring
 • Attacks must take down all SOAPs; otherwise an alternative SOAP exists
 • Attacks on all Beacons: remove the nodes and change the hash functions
 • Attacks on all Servlets
     – The target can change the set of Servlets in real time
 • The target is protected by filters

                      Static Attack Analysis

 • N nodes in the overlay
 • For a given target T
     – S is the number of Servlets
     – B is the number of Beacons
     – A is the number of SOAPs
 • Static attacks: attackers randomly shut down M out of N nodes
 • P_static = P(N, M, S, B, A) = P{communications with T are stopped}
 • P(n,b,c) = P{a set of b nodes chosen at random from a set of n
   nodes contains a given set of c nodes}

   P(n,b,c) = \frac{\binom{n-c}{b-c}}{\binom{n}{b}} = \frac{\binom{b}{c}}{\binom{n}{c}}

 • A successful attack takes down all Servlets or all Beacons or all SOAPs

   P_static = P(N, M, S, B, A) = 1 − (1 − P(N,M,S))(1 − P(N,M,B))(1 − P(N,M,A))

   [Figure: probability of a successful static attack vs. number of nodes attacked]
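
The static-attack formulas above are easy to evaluate directly, and doing so reproduces the curve the slide plots. The following is an added example, not from the SOS paper or these slides: `p_contains` is P(n,b,c) in its C(n-c, b-c)/C(n, b) form, `p_contains_alt` is the equivalent C(b, c)/C(n, c) form used as a cross-check, and `p_static` combines the three role sets exactly as the slide's formula does (treating them as independent). The sweep parameters (N = 1000, S = B = A = 10, M in steps of 100) are constructed.

```python
from math import comb

# Added example, not from the SOS paper or these slides: evaluates the
# static-attack probability from the slide. Parameter values in sweep() are
# constructed; S, B and A are treated as independent, as the formula does.


def p_contains(n: int, b: int, c: int) -> float:
    """P(n,b,c): a random b-subset of n nodes contains a fixed c-subset
    (all c nodes of one role are among the b attacked nodes).
    Closed form C(n-c, b-c) / C(n, b); zero when fewer than c nodes are hit."""
    if c > b:
        return 0.0
    return comb(n - c, b - c) / comb(n, b)


def p_contains_alt(n: int, b: int, c: int) -> float:
    """The equivalent form C(b, c) / C(n, c) from the slide, kept as a cross-check."""
    if c > b:
        return 0.0
    return comb(b, c) / comb(n, c)


def p_static(N: int, M: int, S: int, B: int, A: int) -> float:
    """Probability that shutting down M of N nodes at random severs T:
    every Servlet, or every Beacon, or every SOAP is among the M."""
    survive = ((1 - p_contains(N, M, S))
               * (1 - p_contains(N, M, B))
               * (1 - p_contains(N, M, A)))
    return 1 - survive


def sweep(N: int, S: int, B: int, A: int, step: int = 100) -> list:
    """(M, P_static) pairs: the slide's curve of attack success against the
    number of nodes attacked."""
    return [(M, p_static(N, M, S, B, A)) for M in range(0, N + 1, step)]


if __name__ == "__main__":
    for M, p in sweep(1000, 10, 10, 10):
        print(f"M={M:5d}  P_static={p:.4f}")
```

With ten nodes in each role, the attacker must hit a large fraction of the 1000-node overlay before P_static becomes appreciable, which is the redundancy argument of the previous slide in numbers; shrinking S, B or A moves the whole curve left.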

                     Dynamic Attacks

 • Attack/repair battle
     – The overlay removes attacked nodes, taking time TR
     – Attackers shift attacking traffic from removed nodes
       to active nodes, taking time TA
     – Assume TR and TA are exponentially distributed random variables,
       modeled as a birth-death process
 • Attacking rate
 • Repairing rate
 • Attack load ratio = attacking rate / repairing rate

 Centralized Attacks and Centralized Recovery

     • 1000 nodes, 10 SOAPs, 10 Beacons, 10 Servlets
     • If repairing is faster than attacking, SOS can
       survive large-scale attacks

 Distributed Attacks and Distributed Recovery, M/M///K
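
The birth-death model of the attack/repair battle can be solved in closed form for its stationary distribution, which makes the "repair faster than attack" conclusion concrete. The following is an added example, not from the SOS paper or these slides: the state is the number j of a target's K role nodes (say its Servlets) currently knocked out, a birth is one more node attacked and a death is one node repaired, and the two rate assignments are this example's own simplifications of "centralized" (the attacker concentrates on one node at a time, the overlay repairs one at a time) and "distributed" (every live node is attacked and every removed node repaired independently). The rates `lam`, `mu` and the sizes K are constructed.

```python
# Added example, not from the SOS paper or these slides: stationary analysis
# of a birth-death chain for the attack/repair battle. State j = number of a
# target's K role nodes currently down. The centralized/distributed rate
# assignments are this example's simplifications; lam, mu and K are constructed.


def stationary(birth, death, K: int) -> list:
    """Stationary distribution pi[0..K] of a birth-death chain with birth(j) the
    rate j -> j+1 and death(j) the rate j -> j-1, via the product form
    pi[j] = pi[0] * prod_{i<j} birth(i) / death(i+1)."""
    w = [1.0]
    for i in range(K):
        w.append(w[-1] * birth(i) / death(i + 1))
    total = sum(w)
    return [x / total for x in w]


def outage_centralized(lam: float, mu: float, K: int) -> float:
    """Attacker takes nodes down one at a time at total rate lam; the overlay
    restores them one at a time at total rate mu. Returns P{all K nodes down}."""
    return stationary(lambda j: lam, lambda j: mu, K)[K]


def outage_distributed(lam: float, mu: float, K: int) -> float:
    """Each live node is attacked at rate lam and each removed node repaired at
    rate mu, independently (birth rate (K-j)*lam, death rate j*mu)."""
    return stationary(lambda j: (K - j) * lam, lambda j: j * mu, K)[K]


def sweep(K: int, ratios) -> list:
    """(ratio, centralized outage, distributed outage) for attack load ratios
    lam/mu, with mu fixed at 1."""
    return [(r, outage_centralized(r, 1.0, K), outage_distributed(r, 1.0, K))
            for r in ratios]


if __name__ == "__main__":
    for r, c, d in sweep(10, [0.25, 0.5, 1.0, 2.0, 4.0]):
        print(f"load ratio {r:4.2f}  centralized {c:.3e}  distributed {d:.3e}")
```

In the distributed model the outage probability is (r/(1+r))^K, so for any load ratio r below 1 it falls geometrically in K; in the centralized model it is r^K(r-1)/(r^(K+1)-1), which also vanishes for r < 1 but approaches 1 - 1/r for r > 1 no matter how many Servlets the target adds. That is the repair-speed-versus-attack-rate question the closing slide raises.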


 • SOS protects a target from DoS
     – Only legitimate traffic will reach the target

 • Approach
     – Ingress filtering
     – Hidden proxies
     – Self-healing overlay networks to defeat attacks

 • Preliminary analysis
     – Static attacks
     – Dynamic attacks


 • Goal: protect critical servers
 • Components
     – A server: centralized resource
     – A filter ring: around the server to protect it
         * Edge routers of a domain
     – An overlay network
         * An overlay node can be
             - an ingress point of the overlay network (SOAP)
             - an egress point from the overlay network to the filter
               ring (Servlet)
             - a forwarding node of the overlay network
     – A client is authenticated by an overlay node but not

 Mayday Architecture

                 Generalizing the Idea of SOS

 • Packet authenticators at a filter (mostly in the IP header)
     – Egress source IP address (SOS)
     – Server destination port: 1 to 65,536, large search space
     – Server destination address: 1 out of N reserved IP
       addresses (like a VPN shield)
     – Application-defined: ok with a firewall, not with core routers
 • Overlay routing schemes
     – Proximity routing: proxies close to the client, filter is known
     – Singly-indirect routing: egress address is known
     – Doubly-indirect routing (SOS)
     – Random walk
     – Mix routing: each node only knows the next hop
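
Mayday's generalization is that the filter ring can key on any header field the egress node can set, not only the source address. The following is an added example, not from the Mayday paper or these slides: the three header-based authenticators listed above implemented as interchangeable predicates for a filter ring, together with the rotation step that turns a value an outsider has learned into a stale one. The addresses, ports and the reserved address block are constructed (documentation ranges), and `FilterRing` is this example's own abstraction of the edge routers.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not from the Mayday paper or these slides: the three
# header-based authenticators as interchangeable filter-ring rules, plus the
# rotation that invalidates a learned value. All addresses, ports and the
# reserved block are constructed.


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


class FilterRing:
    """Edge routers in front of the server: a packet is admitted only if the
    active authenticator (a predicate over header fields) accepts it."""

    def __init__(self, authenticator):
        self.authenticator = authenticator
        self.admitted, self.dropped = 0, 0

    def admit(self, pkt: Packet) -> bool:
        ok = self.authenticator(pkt)
        if ok:
            self.admitted += 1
        else:
            self.dropped += 1
        return ok


def by_egress_source(egress_addrs: set):
    """SOS rule: the source address must be a current egress (Servlet) address."""
    return lambda p: p.src in egress_addrs


def by_secret_port(port: int):
    """Destination-port rule: the port value itself is the secret, one of
    65,535 possibilities, and the server can change it at any time."""
    return lambda p: p.dport == port


def by_reserved_address(live_addr: str, reserved_block: str):
    """Destination-address rule: the server owns a reserved block but is
    reachable on one address of it at a time; the rest of the block is dropped."""
    block = ipaddress.ip_network(reserved_block)
    live = ipaddress.ip_address(live_addr)
    return lambda p: (ipaddress.ip_address(p.dst) in block
                      and ipaddress.ip_address(p.dst) == live)


def demo() -> dict:
    """Run each authenticator over a relayed packet and an outsider's packet."""
    servlet_pkt = Packet("10.0.0.5", "192.0.2.10", 40000)     # relayed by the egress node
    outsider_pkt = Packet("203.0.113.9", "192.0.2.10", 40000)  # sent around the overlay
    out = {}
    ring = FilterRing(by_egress_source({"10.0.0.5"}))
    out["source_rule_servlet"] = ring.admit(servlet_pkt)
    out["source_rule_outsider"] = ring.admit(outsider_pkt)
    ring = FilterRing(by_secret_port(40000))
    out["port_rule_learned"] = ring.admit(outsider_pkt)       # a learned port passes ...
    ring.authenticator = by_secret_port(51233)                 # ... until the server rotates it
    out["port_rule_after_rotation"] = ring.admit(outsider_pkt)
    out["port_rule_servlet_updated"] = ring.admit(Packet("10.0.0.5", "192.0.2.10", 51233))
    ring = FilterRing(by_reserved_address("192.0.2.10", "192.0.2.0/24"))
    out["addr_rule_live"] = ring.admit(servlet_pkt)
    out["addr_rule_other_reserved"] = ring.admit(Packet("203.0.113.9", "192.0.2.77", 40000))
    out["addr_rule_dropped"] = ring.dropped
    return out
```

The port and address rules are the ones a core router can still evaluate at line rate, which is why the slide marks only application-defined authenticators as firewall-only; what they share with the SOS source rule is that the authenticator is a secret the egress node learns from the server and the server can rotate, so monitoring of the filter ring alone does not reveal it.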


 • SOS provides formal analysis
 • Mayday discusses potential practical solutions
     – Discussion of advanced attacking approaches

 • Questions:
     – Long delay in overlay routing
     – Trust of overlay nodes
     – Repair speed vs. attacking rate
