Add to collection(s) Add to saved
  1. Business
  2. Economics

Protecting Network Quality of Service Against Denial of Service Attacks Douglas S. Reeves

advertisement 
Protecting Network Quality
of Service Against Denial of
Service Attacks
Douglas S. Reeves

S. Felix Wu

Fengmin Gong
NC STATE UNIVERSITY / MCNC
DARPA IA&S Meeting
July 20, 2000
NC STATE UNIVERSITY / MCNC
New Capabilities...
• Different classes of service for users
– how much bandwidth
– what quality level (delay, loss rates)
• Based on trust, need, importance,
urgency, .... : Policies!
2
NC STATE UNIVERSITY / MCNC
Provided By...
• Service provider provisions the resources
for the expected demand
• User makes request
• Network allocates bandwidth amount and
quality level, sends response
• Network enforces amount / quality
3
NC STATE UNIVERSITY / MCNC
…Create New Vulnerabilities!
• Each step can be attacked
4
NC STATE UNIVERSITY / MCNC
Attack 1: Excessive User
Demands
• Everyone asks for...
– maximum resource amount
– premium service
• Why not?
5
NC STATE UNIVERSITY / MCNC
Our Solution: Resource Pricing
• (An example: Telephone Network)
6
NC STATE UNIVERSITY / MCNC
Resource Prices Based on
Demand
• Predicted-load (static) pricing
– ex.: provisioning, time-of-day pricing
• Auction-based (semi-static) pricing
– ex.: bandwidth exchanges, time-slot
assignment
• Congestion-based (dynamic) pricing
– ex.: congestion control
• Combined approaches
7
NC STATE UNIVERSITY / MCNC
Policy Specification / Enforcement
• What determines the price?
• How much can each user pay?
8
NC STATE UNIVERSITY / MCNC
Provable Fairness
• Fairness is the consequence of a policy
• Achievable...
– Pareto optimal
– Weighted max-min fair
– Proportional fair
– Equal QoS
– Maximal aggregate utility
– Maximum revenue
9
NC STATE UNIVERSITY / MCNC
Properties
• Simple, distributed computation
• Fast convergence
• Low overhead
10
NC STATE UNIVERSITY / MCNC
Comparison With Other
Approaches
• First-come, first-served
– “grab resources early and often”
• Fixed (absolute) priority
– starvation problems
• Non-weighted fairness (TCP)
– everyone is equal?
• Other resource pricing work
– static / centralized, restricted fairness
11
NC STATE UNIVERSITY / MCNC
Future Work: Implementation
• Fall 2000 (management tools: Summer 2001)
12
NC STATE UNIVERSITY / MCNC
Fut. Wk.: 3rd Party Authorization
• Fall 2000
13
NC STATE UNIVERSITY / MCNC
Future Work: Service Class
Provisioning
• Given predicted demand for each service
class...
– how much of each service class should
network owner provision?
– what price charge for each class?
• Goals: maximum profit, maximum utility,
...?
• Spring 2001
14
NC STATE UNIVERSITY / MCNC
Future Work: Protecting the
Pricing Mechanism
• Vulnerability to attack
• Protecting…
– RSVP
– COPS
– SIP
– Policy server and databases
– Authorization server, user database, billing
database
• Spring 2002
15
NC STATE UNIVERSITY / MCNC
Impact of This Work
• Disincentives for "bad" user behavior
• Ability to flexibly specify and enforce
policies
• Efficient (optimal) allocation
• Economic incentives for deployment of
new services
16
NC STATE UNIVERSITY / MCNC
Attack 2: Modify Resource
Request / Response Signals
• RSVP is the control mechanism for QoS
• Routers can "legally" modify these signals
• How detect illegal modification?
17
NC STATE UNIVERSITY / MCNC
RSVP Attack Examples
18
NC STATE UNIVERSITY / MCNC
RSVP Attack Examples
19
NC STATE UNIVERSITY / MCNC
RSVP Attack Examples
20
NC STATE UNIVERSITY / MCNC
Our Solution: Selective Signing
+ Auditing
• 1. Sign at the end-points the message
contents that cannot be changed
• 2. Each router audits fields that can be
changed
– remember values transmitted downstream
– compare with values propagated upstream
• Has been implemented and tested
21
NC STATE UNIVERSITY / MCNC
Comparison With Other
Approaches
• End-to-end signing of complete message
contents
– Won't work with changeable contents
• Hop-by-hop signing of message contents
– Excessive overhead
– Does not detect attacks by corrupted routers
22
NC STATE UNIVERSITY / MCNC
Future Work
• Other attacks
– Message dropping
– Message insertion
– Resource "hoarding"
– Summer 2001
• Auditing
– Integration with intrusion detection
– Fall 2001
23
NC STATE UNIVERSITY / MCNC
Impact of This Work
• Practical, more effective detection of DoS
attacks on control flow
24
NC STATE UNIVERSITY / MCNC
Attack 3: TCP Packet Dropping
• Congestion causes "normal" packet
dropping
• Can malicious packet dropping (not due to
normal congestion) be detected?
– due to corrupted routers
– due to "unfriendly" users
25
NC STATE UNIVERSITY / MCNC
Our Solution
• Build a profile of normal dropping behavior
• Compare with observed dropping behavior
– statistical techniques
– neural net techniques
• Experiments: 5 sites in 4 countries over
several weeks
26
NC STATE UNIVERSITY / MCNC
Effectiveness
• Created several types of dropping attacks
– random
– periodic
– re-transmissions only
• Measured losses and latency
• High detection rate (> 80%), low (1%5%) false positive rate
27
NC STATE UNIVERSITY / MCNC
Impact
• Attacks will become less obvious;
degraded service, not disrupted service
• First work on monitoring this type of
attack
28
NC STATE UNIVERSITY / MCNC
Attack 4: Compromised
DiffServ Routers
29
NC STATE UNIVERSITY / MCNC
Attack Types
• Dropping one data flow to benefit others
• Injecting(spoofing, flooding,...) packets to
a high priority flow
• Remarking packets in a data flow
• Delaying packets in a data flow
• Compromised ingress, core, or egress
routers
30
NC STATE UNIVERSITY / MCNC
Approach
• Monitor router behavior externally
• Monitoring agents externally controlled by
intrusion detection system (IDS)
– selectively enabled when needed
• IDS performs analysis of measurements
31
NC STATE UNIVERSITY / MCNC
Monitoring
• Granularity is Per-Hop-Behavior (PHB,
macroflow)
• Metrics: ingress rate, egress rate, drop
rate, delay
• Passive (packet counting)
• Active (packet probing)
32
NC STATE UNIVERSITY / MCNC
Status
• Attack analysis
• Architecture
• Testbed, measurements
• Future work
– Implement passive monitoring, Fall 2000
– Implement active monitoring, Spring 2001
– Implement analysis, Summer 2001
– Integrate with existing intrusion-detection
engine, Year 3
33
NC STATE UNIVERSITY / MCNC
Impact
• First work on detecting and preventing
attacks on DiffServ
34
NC STATE UNIVERSITY / MCNC
Technology Transfer
• Code release (pricing simulator, TCP
dropping attack analyzer)
• Patent application on pricing with NEC
• Collaboration with Nortel on resource
authorization
• Discussions with Enron, NEC, IETF
DiffServ WG
35
NC STATE UNIVERSITY / MCNC
General Hicks’ “Hot List” of
Needs
• Prevent Denial of Service attacks
• Automate network bandwidth allocation
– reallocate to other, changing priorities
36
Related documents
School Technology Commission February 23, 2010
School Technology Commission February 23, 2010
Protecting Network Quality of Service Against Denial of Service Attacks
Protecting Network Quality of Service Against Denial of Service Attacks
Get-Involved - Middle College National Consortium
Get-Involved - Middle College National Consortium
Biological, Health, Environmental Sciences, Applied Technologies
Biological, Health, Environmental Sciences, Applied Technologies
NC EDUCATION CLOUD
NC EDUCATION CLOUD
Download
advertisement