Secure Collective Internet Defense (SCOLD) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from NISSC; and a seed grant from EAS RDC. Chow SCOLD 1 Goals of SCOLD Project • The goal of the project is to investigate techniques for enhancing Internet security and protecting the Internet Infrastructure through collective defense. • SCOLD explores the use of alternate gateways and a collection of proxy servers for intrusion tolerance. • SCOLD pushes back intrusion attacks using an enhanced IDIP (Intrusion Detection and Isolation Protocol) and SLP (Service Location Protocol). Chow SCOLD 2 How to use Alternate Routes When Under DDoS Attack Chow SCOLD 3 SCOLD Approach Redirect Through Proxy Servers Chow SCOLD 4 Timeline and Deliverables • Phase 1. 6/2/2003-7/9/2003 (feasibility study) Extend Bind9 DNS with Secure DNS update/query including indirect routing entries Develop indirect routing with IP tunnel NISSC Midterm Report. • Phase 2. 7/10/2003-8/9/2003 (SCID 0.1 development) Develop SCID protocol among SCID coordinator, proxy server, DNS server, and target. Integrate proxy server with A2D2 for intrusion detection. Enhance A2D2 IDS with IDIP protocol for intrusion push back. • Phase 3. 8/10/2003-9/9/2003 Create test scripts and benchmark to evaluate SCID version 0.1 system; Suggest improvements to SCID version 0.2 system. NISSC Final Report. Chow SCOLD 5 Status • Extended Bind9 DNS with DNS update with new indirect routing entry/query • Developing client side indirect routing with IP tunnel • Modified client resolve library to create IP tunnel when receives new indirect routing entry from DNS server. • Created protocol for SCOLD coordinator to issue the indirect routing requests to target DNS, proxy server, alternate way, and target server. • Perform initial performance evaluation • Setting up two SCOLD prototype test beds. Chow • One with virtual machines using vmware. • One with real machines connected by small switch. • Looking for sites to participate in real Internet WAN tests! SCOLD 6 Secure DNS Update Chow SCOLD 7 SCOLD Indirect Routing Using Daemons Chow SCOLD 8 Indirect Routing With Modified Client Resolve Library Chow SCOLD 9 How about using NAT? Chow SCOLD 10 Pro and Con of Using NAT • Advantages: – No changes in Client DNS server and Client • Disadvantages: – IP spoofing (Client use reverse DNS lookup will find IP address belong to different organization) – Proxy server have limited IP addresses and may force to use IP masquerade (Client needs to use different port) Chow SCOLD 11 Pro and Con of Using SCOLD • Advantages: – Allow the use of multiple routes • Use them simultaneously increase aggregate bandwidth • Select one of them and fall back to other for reliability and security • Avoid bottleneck. • Disadvantages: – Require redesign of DNS and routing, modify the client resolve library. Chow SCOLD 12 SCOLD Testbed Chow SCOLD 13 Performance of SCOLD Systems Chow SCOLD 14 Performance of Enhanced Resolve Library Chow SCOLD 15 Summary Chow SCOLD 16 Need your help to test SCOLD • Requirement for a full SCOLD service node (capable of issuing reroute requests): – Three Linux Redhat 9 machines. Two served as gateways with connections to two different Internet subnets or ISPs. One runs target DNS server, web server, and SCOLD coordinator. Chow SCOLD 17