
3/30/2005 Auburn University Information Assurance Lab 1 Simulating Secure Overlay Services


Outline
• SOS Overview
• Communication Architecture
• Ideas and Assumptions
• Models
• Experiments
• Results
• Future Work
• Questions?

SOS Overview
• Target Site
• High-Speed Routers
• Secret Servlet
• Beacon
• Secure Overlay Access Point (SOAP)

SOS Overview
• Target Site
  • The machine enlisting the protection of the overlay network
• High-Speed Filter Routers
  • Routers that govern all access to the protected site
  • Must have the capacity to repel a sizeable attack

SOS Overview
• Secret Servlet
  • The only node that is allowed to send data directly to the Target Site
• Beacon
  • The ultimate destination as far as the overlay is concerned
• Secure Overlay Access Point (SOAP)
  • The point at the edge of the overlay through which users are authenticated, and their traffic forwarded

Design Philosophy and Assumptions
• Simplicity
  • Communication Protocol
    • Inter-node communication is reduced to single-packet instructions and acknowledgements
    • User-target communication is a very simple stop-and-wait protocol, which allows us to make simple measurements of round trip time, loss rates, etc.
  • Network Models
    • The models should be as functionally pure as possible
    • The network should not be overburdened with excessively complex routing

Design Philosophy and Assumptions
• Simplicity (cont'd)
  • Attacks are simulated by intermittently failing nodes as opposed to generating large amounts of traffic to overwhelm them
• Attacker Assumptions
  • Attackers do not know the function of nodes in the network, only that they are participating
  • Attackers have the strength to shut down n nodes in a single stroke

Models
• SOS Node Model
  • Secret Servlet
  • Beacon
  • SOAP
  • Intermediate Node
• Target Site
  • Accepts authenticated traffic and replies

Models
• Router
  • Filters what it is told to filter, forwards everything else
• User (Traffic Generator)
  • Injects data into the network and waits patiently for ACKs

Models
• The Network
  • 25 subnets
  • Each subnet contains (at least) a router and an SOS node


Experimental Design
• Unsophisticated Random Attacker
  • The attacker knows which nodes are participating in the network, but does not know their roles.
  • The attacker can fail any node in the network with probability p. After a random amount of downtime, the node will rejoin the network.
• Unsophisticated Targeted Attacker
  • The attacker can use all of her resources to bring down n nodes simultaneously. These nodes do not have the chance to rejoin the network.

Experimental Design
• Sophisticated (Overinformed) Attacker
  • This attacker can divine the identity of the overlay's most guarded secret, the identity of the secret servlet.
  • This discovery takes a short and near constant amount of time.
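
Added example (not from the original slides or the authors' simulator): the two unsophisticated attacker models above, in Python. Assumptions: one holder per role (SOAP, beacon, secret servlet), discrete ticks, p applied to each live node on each tick, downtime of 1 to max_down ticks, and a targeted strike that picks its n nodes uniformly because roles are hidden; all function and variable names are hypothetical.

```python
import random
from math import comb

N_NODES = 25                            # from the deck: 25 subnets, one SOS node each
ROLES = ("soap", "beacon", "servlet")   # assumption: one holder per role

def random_attacker_availability(p, ticks=5000, max_down=5, seed=7):
    """Fraction of ticks in which every role is held by a live node.

    Assumed model: each tick every live node fails with probability p and
    rejoins after 1..max_down ticks; a role whose holder is still down at
    the start of a tick is handed to a random live node.
    """
    rng = random.Random(seed)
    down_until = [0] * N_NODES          # first tick at which the node is live again
    holder = dict(zip(ROLES, rng.sample(range(N_NODES), len(ROLES))))
    up_ticks = 0
    for t in range(ticks):
        live = [n for n in range(N_NODES) if down_until[n] <= t]
        for role in ROLES:              # recovery: replace failed role holders
            if down_until[holder[role]] > t and live:
                holder[role] = rng.choice(live)
        for n in live:                  # attack: roles are hidden, so hits are blind
            if rng.random() < p:
                down_until[n] = t + rng.randint(1, max_down)
        if all(down_until[holder[r]] <= t for r in ROLES):
            up_ticks += 1
    return up_ticks / ticks

def targeted_strike_hits_role(n, roles=len(ROLES)):
    """Probability that n simultaneously failed nodes include a role holder."""
    return 1 - comb(N_NODES - roles, n) / comb(N_NODES, n)

if __name__ == "__main__":
    for p in (0.05, 0.25, 0.5):
        print(f"p={p}: availability {random_attacker_availability(p):.3f}")
    for n in (3, 6, 9, 12, 15):         # strike sizes used in the deck's results
        print(f"n={n}: P(role hit) {targeted_strike_hits_role(n):.3f}")
```

The availability figure here measures whether a complete SOAP, beacon and secret servlet chain exists on a tick; it is not the delay or recovery-time metric reported in the slides.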

Results
• Unsophisticated Random Attacker
  • For small values of p the overlay is hardly affected
  • Anything larger than 0.5 creates long periods of down time for recovery.

[Figure: two plots titled "P = 0.25" and "P = 0.5"; axis label: Delay]

Results
• Unsophisticated Targeted Attacker
  • Again, once 50% of the nodes are susceptible to failure, recovery becomes very difficult, if not impossible

n          Avg. Recovery Time
3 (12%)    4.226 sec.
6 (24%)    9.681 sec.
9 (36%)    12.681 sec.
12 (48%)   56.09 sec.
15 (60%)   145.03 sec.

Results
• Sophisticated Attacker
  • Recovery time for losing a secret servlet is near constant no matter how many times it happens

[Figure: plot with axis label: Delay]

Conclusions
• The ease with which attackers can recruit a zombie horde makes DDoS a large and realistic threat to the communication infrastructure.
• Secure Overlay Services represents a creative solution to a complicated problem.
• With a large enough number of participating nodes, and very high speed links, SOS provides adequate protection and real-time recoverability in the face of a bandwidth denial of service attack.

Future Work
• More Accurate Network Model
  • TCP/IP Stack
  • Dynamic Routing
• Implementation
  • Ask Adam…
