Pervasive Random Beacon in the Internet for Covert Coordination

Hui-Huang Lee, Ee-Chien Chang and Mun Choon Chan, School of Computing, National University of Singapore


Page 1: Pervasive Random Beacon in the Internet for Covert Coordination

Pervasive Random Beacon in the Internet for Covert Coordination

Hui-Huang Lee, Ee-Chien Chang and Mun Choon Chan

School of Computing, National University of Singapore

Page 2: Pervasive Random Beacon in the Internet for Covert Coordination

Pervasive Random Beacon in the Internet for Covert Coordination

and its role in DDoS attacks

Page 3: Pervasive Random Beacon in the Internet for Covert Coordination

DDoS attacks

• Distributed Denial of Service attacks: An attacker employs multiple agents to attack a victim, preventing it from providing services to legitimate clients.

[Diagram: Attacker, four Agents, victim]

Page 4: Pervasive Random Beacon in the Internet for Covert Coordination

DDoS Communication modes

• Manual: Attacker directly sends attack parameters to the agents and activates the attack.

• Semi-automatic: Attacker communicates with the agents through the handlers.

• Automatic: Attack parameters are preprogrammed into the agents.

Page 5: Pervasive Random Beacon in the Internet for Covert Coordination

DDoS Communication modes

• Manual, Semi-automatic: Communication may lead to detection.

• Automatic: No communication at all. However, if an agent is captured and analyzed, the attack parameters will be revealed. E.g. the Blaster worm attacked Microsoft's Windows Update website starting from 16th Aug 2003.

Page 6: Pervasive Random Beacon in the Internet for Covert Coordination

Covert Co-ordination

A large collection of agents wants to coordinate a common action.

• Communications should be hidden.

• The capture of one agent will not expose the identity of others.

• The capture of one agent will not reveal the actual common action, before the action is carried out.

Page 7: Pervasive Random Beacon in the Internet for Covert Coordination

DDoS Covert Co-ordination

[Diagram: a group of Agents]

Covertly identify the victim, and the time and types of DDoS attack.

Page 8: Pervasive Random Beacon in the Internet for Covert Coordination

DDoS Covert Co-ordination

[Diagram: a group of Agents around a pervasive random beacon]

Based on the random bits, carry out the common action.

Page 9: Pervasive Random Beacon in the Internet for Covert Coordination

Random Beacon

• Introduced by Rabin to secure remote transactions.

• A random beacon periodically outputs random bits.

• The outputs are random and unpredictable.

Page 10: Pervasive Random Beacon in the Internet for Covert Coordination

Pervasive Random Beacon

• High Availability: The random bits are extensively replicated and available everywhere.

• Blended Access: Access to the random bits can evade detection.

Page 11: Pervasive Random Beacon in the Internet for Covert Coordination

A pervasive random beacon in Internet

• We look in the WWW for content-based random sources.

• Stock closing indices are a good choice.

A stock market index is calculated using a certain number of stocks from its market. During the trading period, the value fluctuates and the reported value can be inconsistent among different service providers. However, the daily closing index is static and consistent.

Page 12: Pervasive Random Beacon in the Internet for Covert Coordination

• High Availability: Closing indices can be found in many online newspapers.

• Blended access: Getting the stock closing indices is a “normal” web activity. Difficult to identify accesses to the random beacon among normal activities.

• Random and unpredictable: Well-accepted.

Page 13: Pervasive Random Beacon in the Internet for Covert Coordination

Implementation issues

• Entropy of closing indices: Applied the random tester ent on the 15 least significant bits of the DJIA closing index for the past 30 years. ent indicates that the entropy is about 13 bits.

• Robustness: The access program visits multiple web-pages.

• Mimic web-surfing behavior: To make detection even more difficult, we can mimic web-surfing behavior, e.g. add randomness in the time of access, or favor a particular web-page but switch to others with a certain probability.

Page 14: Pervasive Random Beacon in the Internet for Covert Coordination

DDoS Covert Co-ordination

A large collection of agents wants to coordinate and decide the victim, time of attack and attack type.

• Communication/activities are hidden.

• The capture of one agent will not expose the identity of others.

• The capture of one agent will not reveal the actual attack parameters, before the attack is carried out.

Page 15: Pervasive Random Beacon in the Internet for Covert Coordination

DDoS Covert co-ordination with Pervasive Random Beacon

[Diagram: a group of Agents around a pervasive random beacon]

Based on the random bits, carry out the common action.

Page 16: Pervasive Random Beacon in the Internet for Covert Coordination

• Periodically, each agent obtains 2 random values r1, r2 from the beacon.

• From r1 and possibly other parameters like date, decide whether to commence attack.

• If so, from r2 and a lookup table, decide the attack parameters: actual time of attack, attack type, victim.

The lookup table is preprogrammed.

Page 17: Pervasive Random Beacon in the Internet for Covert Coordination

Probabilistic parameters

• If an agent is captured, the actual algorithm that determines the attack parameters, and the lookup table, will be revealed. However, the actual attack still remains unknown.

• Such uncertainty places the defenders in a stressful situation.

• Even if the probability of a successful attack is low, the defender (who is listed in the lookup table) still has to prepare for the attacks.

Page 18: Pervasive Random Beacon in the Internet for Covert Coordination

Compared to Manual & Automatic attack

• In contrast to manual and semi-automatic attacks, there is no communication among the agents and the attacker.

• Compared to an automatic attack, the actual attack parameters remain unknown.

Page 19: Pervasive Random Beacon in the Internet for Covert Coordination

Disrupting and Influencing the Beacon

• Target the reporting services: It is difficult to manipulate or to predict the exact stock indices. However, it may be possible to influence the reporting service. With good incentive, some reporting service providers may migrate their service to other servers.

Page 20: Pervasive Random Beacon in the Internet for Covert Coordination

• Misleading the parser: The access program can be analyzed for weaknesses. It is possible that its parser can't handle slight changes in the reporting format.

For example:

a) changing from “DJIA 10427.20” to “DJIA 10, 427.20”.

b) having wrong information in the commented section of the HTML page.
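The two format changes above, seen from the reporting service's side, as an added example that is not from the original slides. `naive_extract` is a hypothetical stand-in for a brittle access-program parser; the page markup, function names and the decoy figure 9999.99 are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Hypothetical brittle parser: first "DJIA <digits>.<2 digits>" in the raw HTML.
NAIVE = re.compile(r"DJIA\s+(\d+\.\d{2})")


def naive_extract(html):
    m = NAIVE.search(html)
    return m.group(1) if m else None


def plain_page(value):
    # Constructed markup for the unmodified report.
    return f"<html><body><p>DJIA {value:.2f}</p></body></html>"


def disrupted_page(value, decoy=None):
    whole, frac = f"{value:.2f}".split(".")
    # Change (a): "10427.20" is rendered as "10, 427.20".
    shown = f"{int(whole):,}".replace(",", ", ") + "." + frac
    # Change (b): wrong information placed in an HTML comment.
    comment = f"<!-- DJIA {decoy:.2f} -->" if decoy is not None else ""
    return f"<html><body>{comment}<p>DJIA {shown}</p></body></html>"


class _Text(HTMLParser):
    """Collects only rendered text; comments never reach handle_data."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(html):
    # What a human reader of the page still sees.
    p = _Text()
    p.feed(html)
    p.close()
    return " ".join("".join(p.parts).split())


if __name__ == "__main__":
    for page in (plain_page(10427.20),
                 disrupted_page(10427.20),
                 disrupted_page(10427.20, decoy=9999.99)):
        print(repr(naive_extract(page)), "|", visible_text(page))
```

With change (a) alone the brittle parser finds nothing; with change (b) added it reads the decoy, while the rendered text still shows the true closing value to human readers.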

Page 21: Pervasive Random Beacon in the Internet for Covert Coordination

• Using hard AI (graphical Turing test): The indices are displayed as a distorted image.

However, in the competitive business environment, there is little incentive for the service providers to implement the above.

Page 22: Pervasive Random Beacon in the Internet for Covert Coordination

Conclusion

• Introduce covert coordination, and argue why it can be realized by a pervasive random beacon.

• Give a pervasive random beacon in the Internet, and study a scenario of DDoS. Also give some limited ways to disrupt the beacon.

• Are there other examples of covert coordination? Covert Counting: A group of agents wants to covertly count its population.

• Is it possible to make use of web-search engines to enhance covert coordination? E.g., can the lookup table be derived from the web?