Posted 22-Dec-2015 (Documents)
Autonomous Anti-DDoS Network V2.0 (A2D2-2)
Sarah Jelinek, University of Colorado, Colorado Springs
Spring Semester 2003, CS691 Project
Project Goals
• Ultimate goal of project
  – To make anti-DDoS technology more robust
• Relationship to other projects
  – Enhancements of the existing A2D2 architecture to incorporate IDIP and alternate proxy servers
• High-level timing goals
  – Research and new architecture: now
  – Project completion planned for 9/03
Description - A2D2
• Developed by Angela Cearns, UCCS Masters Thesis
• DDoS intrusion detection and response
• Uses freeware as main detection component
• Modifications made to effect a better response
FOR MORE INFO...
http://cs.uccs.edu/~chow/pub/master/acearns/doc/angThesis-final.pdf
A2D2, cont..
• Strengths
  – Uses open source components
  – Portable
  – Configurable
• Weaknesses
  – Host based
  – Local network response only
  – No attempt made to actively trace the intruder
  – Possible bottleneck at the firewall
  – Static thresholds
A2D2-2 Technology
• New technology being used
  – Intrusion Detection and Isolation Protocol (IDIP)
  – Alternate proxy servers
• Standards being adopted
  – IDIP
    • Will work with other IDIP-enabled intrusion detection networks
  – Service Location Protocol (SLP)
    • Allows discovery of registered IDIP nodes
A2D2-2 What It Solves
• Host based
  – Now a dynamic, network-wide solution
  – Will work with other IDIP-enabled intrusion detection networks utilizing CITRA
• Active tracing of the intruder
  – SLP is used to discover other network IDIP services
A2D2-2 What It Solves, cont..
• Local response
  – SLP used for location of alternate proxy servers for a more global response
• Firewall bottleneck
  – Response coordination centralized
A2D2-2 & IDIP
• IDIP
  – Developed by Boeing and NAI Labs
  – Supports real-time tracking and containment of DDoS attacks
  – Three layers:
    • Application Layer
    • Message Layer
    • Discovery Coordinator
A2D2-2 - Discovery Coordinator
• IDIP Discovery Coordinator
  – Bulk of the work done here
  – Network-wide response coordinator
  – Will notify clients and client DNS of alternate routes available
  – Standardized language used for messages and topology (CISL)
  – Local attack response still active if the coordinator is down
IDIP Nodes
[Diagram: IDIP nodes in the example network (intrusion detection systems, routers, firewalls, a server and a client), with a network manager acting as the Discovery Coordinator]
FOR MORE INFO...
http://zen.ece.ohiou.edu/~inbounds/DOCS/reldocs/IDIP_Architecture.doc
Alternate Routes
FOR MORE INFO...
http://cs.uccs.edu/%7Echow/research/security/uccsSecurityResearch.ppt
Implement Alternate Routes (slide 22, Security Research, 1/10/2003, chow)
[Diagram: the victim network and its DNS (DNS1) behind routers R1, R2, R3 and a set of alternate gateways; nodes A in net-a.com, net-b.com and net-c.com (served by DNS2 and DNS3) send DDoS attack traffic while client traffic flows toward the same victim]
Need to inform clients or client DNS servers!
But how to tell which clients are not compromised?
How to hide the IP addresses of the alternate gateways?
Alternate Routes, cont..
Possible Solution for Alternate Routes (slide 23, Security Research, 1/10/2003, chow)
[Diagram: the same topology with Proxy1, Proxy2 and Proxy3 placed in front of the victim. The IDS blocks the attack and raises a distress call; a reroute command carrying the DNS name/IP address of the proxy and of the victim is sent out; attack messages are blocked by the IDS, and clients reach the victim over a new route via Proxy3 to R3]
A2D2-2 & SLP -> Alternate Routes
[Diagram: the same topology with the A2D2-2 network IDS and the A2D2-2 IDIP Discovery Coordinator (DC) as IDIP nodes, routers R1, R2, R3, and Proxy1, Proxy2 and Proxy3 each running as an IDIP node. The DC uses SLP for discovery of and communication with the IDIP nodes; the IDS issues block and traceback, attack messages are blocked by the IDS, clients get a new route via Proxy3 to R3, and the local IDS response on the local network remains in place]
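The two slides above (the proxy-based "Possible Solution" and the A2D2-2/SLP version of it) describe one coordination flow: the local IDS detects the flood, raises a distress call, the Discovery Coordinator discovers an available proxy through SLP, and a reroute command repoints the victim's DNS name at that proxy while the IDS blocks the attacking sources. The following Python is an added, self-contained simulation of that flow; it is not code from the A2D2-2 project, the slides or the IDIP specification. All hosts, names, the SLP stand-in, the per-source threshold and the message format are constructed for the example.

```python
"""Illustrative simulation of the A2D2-2 alternate-route response flow.

Added example (not A2D2-2 or IDIP code): a local IDS detects a flood and
raises a distress call; the Discovery Coordinator (DC) picks an available
proxy from the SLP-registered IDIP nodes and issues a reroute command that
repoints the victim's DNS name at the proxy, while the attacking sources
are blocked.  Hosts, names, thresholds and message fields are constructed.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample traffic as (source_ip, destination_ip) pairs: three
# flooding sources and one legitimate client with a handful of requests.
VICTIM_IP = "203.0.113.10"
SAMPLE_PACKETS = (
    [("198.51.100.1", VICTIM_IP)] * 40
    + [("198.51.100.2", VICTIM_IP)] * 35
    + [("198.51.100.3", VICTIM_IP)] * 30
    + [("192.0.2.50", VICTIM_IP)] * 3
)


def detect_flood(packets, victim_ip, per_source_threshold=20):
    """Local IDS step: sources whose packet count to the victim exceeds the threshold.

    A2D2 used static thresholds; here the threshold is a parameter so a
    dynamic policy could supply it instead.
    """
    counts = Counter(src for src, dst in packets if dst == victim_ip)
    return {src for src, n in counts.items() if n > per_source_threshold}


@dataclass
class SlpRegistry:
    """Stand-in for SLP: proxies register as IDIP nodes, the DC discovers them."""
    proxies: dict = field(default_factory=dict)  # proxy name -> IP address
    busy: set = field(default_factory=set)       # proxies already assigned

    def register(self, name, ip):
        self.proxies[name] = ip

    def discover_available(self):
        return sorted(n for n in self.proxies if n not in self.busy)


@dataclass
class DnsServer:
    """Authoritative DNS for the victim's zone; the DC can repoint a name."""
    records: dict = field(default_factory=dict)

    def resolve(self, name):
        return self.records[name]

    def apply_reroute(self, command):
        # Clients that re-resolve the name now reach the proxy, not the victim.
        self.records[command["victim_name"]] = command["proxy_ip"]


class DiscoveryCoordinator:
    """IDIP Discovery Coordinator: network-wide response coordinator."""

    def __init__(self, slp, dns):
        self.slp = slp
        self.dns = dns
        self.blocked = set()

    def handle_distress(self, victim_name, victim_ip, attackers):
        """Receive a distress call, record the block, choose a proxy, issue reroute."""
        self.blocked |= attackers
        available = self.slp.discover_available()
        if not available:
            return None  # no alternate route; the local response stays active
        proxy_name = available[0]
        self.slp.busy.add(proxy_name)
        command = {
            "type": "reroute",
            "victim_name": victim_name,
            "victim_ip": victim_ip,
            "proxy_name": proxy_name,
            "proxy_ip": self.slp.proxies[proxy_name],
        }
        self.dns.apply_reroute(command)
        return command


def run_scenario():
    """Run the constructed scenario end to end and return the observable results."""
    slp = SlpRegistry()
    for name, ip in [("proxy1", "192.0.2.101"), ("proxy2", "192.0.2.102"),
                     ("proxy3", "192.0.2.103")]:
        slp.register(name, ip)
    dns = DnsServer({"www.victim.example": VICTIM_IP})
    dc = DiscoveryCoordinator(slp, dns)

    attackers = detect_flood(SAMPLE_PACKETS, VICTIM_IP)       # IDS detection
    command = dc.handle_distress("www.victim.example", VICTIM_IP, attackers)
    return {
        "attackers": attackers,
        "command": command,
        "client_resolves_to": dns.resolve("www.victim.example"),
        "blocked": dc.blocked,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The open questions from the slide (which clients are trustworthy, and how the gateway addresses stay hidden) are deliberately not answered by this simulation: any client that re-resolves the name learns the proxy address, which is exactly the exposure the slide asks about.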