1
Roaming Honeypots for Mitigating Service-Level Denial-of-Service Attacks
Written by: Sherif M. Khattab, Chatree Sangpachatanaruk, Daniel Mossé, Rami Melhem, Taieb Znati
Presented by: Theodor Richardson, Ani Starrenburg
2
Denial-of-Service Attacks:
• Links – exceeding link capacity
• Routers – congesting router buffers
• Front-Ends – consuming front-end processing with requests.
• Servers – requesting services at a high rate
3
Denial-of-Service Defenses:
• Replication – useful in protecting service front-ends
• Firewalls – strategy for prohibiting illegal flow of data
• Intrusion Detection Services – detection of tampering
• Honeypots – may be used for any number of purposes
4
Honeypots
A security resource whose value lies in being probed, attacked or compromised.
Properties
Environment: Production / Research
Complexity: Low / Medium / High
Purpose: Deception / Deterrence / Detection
Attacker Profile: Script Kiddie / Professional Blackhat
5
Roaming Honeypot Properties
Properties
Environment: Production
Complexity: Low / Medium
Purpose: Deception / Deterrence / Detection
Attacker Profile: Script Kiddie and above
A mechanism that allows the locations of honeypots to be unpredictable, continuously changing and disguised within a server pool.
6
Proactive Server Roaming Background:
[Diagram: clients, firewall, back-end servers and an attacker; one active server, the remaining servers idle]
7
Proactive Server Roaming Background
One server is active at a time. At the end of epoch Ei, of duration Ri, server Si assumes the role of active server.
Clients must store information locally; the service must track and process legitimate users.
8
Proactive Server Roaming Background
A backward chain of hashed keys Ki is built, where 0 < i < n:
Ri = MSB_m(H'(Ki))
Si = servers[MSB_lgN(H''(Ki))]
9
Roaming Honeypots:
[Diagram: clients, firewall, AGN, back-end servers and an attacker; the back-end servers act as honeypots and active servers]
10
Roaming Honeypots
Uses similar selection algorithms
Selects a set of servers for each epoch
Introduces a lower bound, m, on the epoch
Uses k out of N servers as active servers; the remainder are honeypots
Offloads processing from client and server to the Access Gateway
11
Roaming Honeypot Properties
Properties
Environment: Production
Complexity: Low / Medium
Purpose: Deception / Deterrence / Detection
Attacker Profile: Script Kiddie and above
Attack Type: Fixed Target / Follower
Benefits: Filtering Effect; Connection-Dropping Effect; Degrading Attack; Detection
12
Service Model
Subscription-based service
Protection of a pool of N back-end servers
Packet-filtering firewall and IDS deployed
AGN as layer of indirection
13
Access Gateway Network
Provides level of indirection between client and back-end server
Decouples authentication and authorization from service provision
Only AGN follows server locations and status – forwards client packets
Roaming scheme is transparent to client
14
AGN Structure
The back-end server is considered the tree root. AGs with higher resistance to attacks and lower reconfiguration rates are closer to the back-end servers (lower in the tree).
Each AG is responsible for address registration and parent registration.
The AGs closest to the root handle connection migration.
15
AGN: Address Registration
Each AG registers an <ID, Address> tuple with the AG node responsible for storing addresses.
ID = (SID || L || Index), where SID is a service identifier, L is the level of the AG in the AGN, and Index is the AG index within level L.
16
AGN: Parent Registration
AG registers its IP address with its parent (the servers if at the root)
The AG uses (SID || L-1 || Index(parent)) to look up the parent address
Allows IP routing for migration messages
17
AGN: Connection Migration
The AG forwards client C's traffic to server Si
When servers change from active to inactive, the AG chooses a new Sj at random for client C
The AG re-registers with parent Sj
The AG encapsulates state information from Si and forwards it to Sj in the TCP SYN packet
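The three AGN steps on the preceding slides (address registration with a (SID || L || Index) ID, parent lookup via (SID || L-1 || Index(parent)), and connection migration to a randomly chosen active server with the old server's state carried in the first SYN) can be modelled in a few classes. The code below is an added example, not the paper's or the presenters' implementation; it assumes fixed field widths for the ID, a binary fan-out so that Index(parent) = Index // 2, a dictionary standing in for the address-storing AG node, and constructed IP addresses.

```python
import random
from typing import Dict, List, Optional

FANOUT = 2  # children per AG; assumed, the slides do not fix a fan-out


def ag_id(sid: int, level: int, index: int) -> bytes:
    # ID = (SID || L || Index), fixed-width so the concatenation is unambiguous (widths assumed).
    return sid.to_bytes(4, "big") + level.to_bytes(1, "big") + index.to_bytes(2, "big")


class AddressStore:
    """Stands in for the AG node responsible for storing <ID, Address> tuples."""

    def __init__(self) -> None:
        self.table: Dict[bytes, str] = {}

    def register(self, sid: int, level: int, index: int, address: str) -> None:
        self.table[ag_id(sid, level, index)] = address

    def lookup(self, sid: int, level: int, index: int) -> Optional[str]:
        return self.table.get(ag_id(sid, level, index))


class AccessGateway:
    def __init__(self, sid: int, level: int, index: int, address: str,
                 store: AddressStore, servers: Dict[int, str]) -> None:
        self.sid, self.level, self.index, self.address = sid, level, index, address
        self.store, self.servers = store, servers      # servers: index -> address (tree root, level 0)
        self.parent_address: Optional[str] = None
        self.server: Optional[int] = None              # S_i that a level-1 AG forwards to
        self.clients: Dict[str, dict] = {}             # client -> per-connection state

    def register_address(self) -> None:
        self.store.register(self.sid, self.level, self.index, self.address)

    def register_parent(self, active: List[int], rng: random.Random) -> str:
        # Level-1 AGs sit directly under the back-end servers, so their parent is one of the
        # k active servers. Deeper AGs look up (SID || L-1 || Index(parent)) in the store,
        # with Index(parent) = Index // FANOUT under the assumed fan-out.
        if self.level == 1:
            self.server = rng.choice(active)
            self.parent_address = self.servers[self.server]
        else:
            parent = self.store.lookup(self.sid, self.level - 1, self.index // FANOUT)
            if parent is None:
                raise LookupError("parent AG has not registered its address")
            self.parent_address = parent
        return self.parent_address

    def migrate_if_needed(self, active: List[int], rng: random.Random) -> List[dict]:
        # When S_i leaves the active set: pick S_j at random from the new active set,
        # re-register with it, and carry each client's state over in the first SYN to S_j.
        if self.level != 1 or self.server in active:
            return []
        old = self.server
        self.register_parent(active, rng)
        return [{"client": client, "from": old, "to": self.server,
                 "syn": {"flags": "SYN", "encapsulated_state": dict(state)}}
                for client, state in self.clients.items()]


def demo(seed: int = 7) -> dict:
    # Constructed topology: four back-end servers, one root-level AG, one AG below it.
    rng = random.Random(seed)
    store = AddressStore()
    servers = {i: f"10.0.0.{i + 1}" for i in range(4)}
    root_ag = AccessGateway(sid=1, level=1, index=0, address="10.0.1.1", store=store, servers=servers)
    leaf_ag = AccessGateway(sid=1, level=2, index=1, address="10.0.2.1", store=store, servers=servers)
    for ag in (root_ag, leaf_ag):
        ag.register_address()
    root_ag.register_parent(active=[0, 1], rng=rng)
    leaf_ag.register_parent(active=[0, 1], rng=rng)   # resolves to root_ag via the store
    root_ag.clients["client-A"] = {"seq": 1000, "pending_bytes": 512}
    # Epoch boundary: the active set becomes {2, 3}, so the old S_i is now a honeypot.
    return {"leaf_parent": leaf_ag.parent_address,
            "syns": root_ag.migrate_if_needed(active=[2, 3], rng=rng)}


if __name__ == "__main__":
    print(demo())
```

The client never sees the change: only the level-1 AG learns which servers are active, and the state it piggybacks on the SYN is what lets the new server resume the connection instead of the client reconnecting.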
18
Roaming Protocol
For a single active server:
Service time is divided into epochs: random intervals of activity/inactivity for servers
The length of epoch Ei is calculated from a long hash chain, Ri = H(Ki), where Ki is a random key and Ri is the number of seconds
The location for epoch Ei is Si = servers[MSB(H'(Ki))], where MSB denotes the most significant bits of hash function H' (such as MD5)
Out of N servers, k are active at any time; the set of active servers is Pk(S)
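The schedule described on slides 8, 10 and 18 (a backward hash chain of keys Ki, an epoch length Ri taken from the top m bits of a hash of Ki, a server location taken from the top lg N bits of another hash, and k of N servers active per epoch) is implemented below as an added example; it is not code from the paper or the presentation. Assumptions: one SHA-256 with a domain-separation label stands in for H, H' and H''; the lower bound on the epoch is applied as a clamp; and the k-subset Pk(S) is derived by reading successive lg N-bit chunks of H''(Ki || counter) and skipping repeats, which the slides do not specify.

```python
import hashlib
from typing import Dict, List

DIGEST_BITS = 256


def H(data: bytes, label: bytes = b"chain") -> bytes:
    # One labelled SHA-256 stands in for the slides' H, H' and H'' (assumption).
    return hashlib.sha256(label + data).digest()


def msb(digest: bytes, bits: int) -> int:
    # MSB_bits(digest): the top `bits` bits of the digest as an integer.
    return int.from_bytes(digest, "big") >> (DIGEST_BITS - bits)


def build_chain(seed: bytes, n: int) -> List[bytes]:
    # Backward hash chain: K_n is the random anchor and K_i = H(K_{i+1}).
    # The returned list satisfies chain[i] == K_i for 0 <= i <= n.
    chain = [b""] * (n + 1)
    chain[n] = seed
    for i in range(n - 1, -1, -1):
        chain[i] = H(chain[i + 1])
    return chain


def verify_link(k_known: bytes, k_released: bytes) -> bool:
    # A party holding K_i accepts a newly released K_{i+1} only if H(K_{i+1}) == K_i,
    # which is why the chain is built backward: later keys cannot be forged early.
    return H(k_released) == k_known


def epoch_duration(k_i: bytes, m: int, min_epoch: int) -> int:
    # R_i = MSB_m(H'(K_i)) seconds (slide 8), clamped to the lower bound on the
    # epoch mentioned on slide 10 (the clamp itself is an assumption).
    return max(min_epoch, msb(H(k_i, b"duration"), m))


def active_set(k_i: bytes, num_servers: int, k: int) -> List[int]:
    # Single-server roaming uses servers[MSB_lgN(H''(K_i))]. For k active servers
    # we read successive lg N-bit chunks of H''(K_i || counter), most significant
    # first, skipping out-of-range and repeated indices (assumed derivation of P_k(S)).
    if not 0 < k <= num_servers:
        raise ValueError("k must be between 1 and the number of servers")
    bits = max(1, (num_servers - 1).bit_length())
    chosen: List[int] = []
    counter = 0
    while len(chosen) < k:
        value = int.from_bytes(H(k_i + counter.to_bytes(4, "big"), b"location"), "big")
        for j in range(DIGEST_BITS // bits):
            idx = (value >> (DIGEST_BITS - bits * (j + 1))) & ((1 << bits) - 1)
            if idx < num_servers and idx not in chosen:
                chosen.append(idx)
                if len(chosen) == k:
                    break
        counter += 1
    return sorted(chosen)


def roaming_schedule(seed: bytes, n: int, m: int, num_servers: int, k: int,
                     min_epoch: int = 1) -> List[Dict]:
    # One entry per epoch E_i, i = 1..n: duration R_i, the k active servers,
    # and the N-k servers that act as honeypots during that epoch.
    chain = build_chain(seed, n)
    schedule = []
    for i in range(1, n + 1):
        active = active_set(chain[i], num_servers, k)
        schedule.append({
            "epoch": i,
            "key": chain[i].hex(),
            "duration_s": epoch_duration(chain[i], m, min_epoch),
            "active": active,
            "honeypots": [s for s in range(num_servers) if s not in active],
        })
    return schedule


if __name__ == "__main__":
    # Constructed seed; a real deployment would draw K_n from a CSPRNG.
    for e in roaming_schedule(b"constructed-seed", n=4, m=6, num_servers=8, k=3, min_epoch=5):
        print(e["epoch"], e["duration_s"], "active", e["active"], "honeypots", e["honeypots"])
```

Because every epoch's duration and active set are functions of Ki alone, the AGN and the servers need only share K_n and the parameters (m, N, k) once; anyone who is not holding the chain sees an unpredictable sequence of active servers, and any traffic that reaches a server outside the current active set is, by construction, not legitimate client traffic.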
19
Network Model
[Diagram: clients, firewall, AGN, back-end servers and an attacker; each back-end server labelled honeypot or active server]
20
Simulation Model
Tested on ns-2, a discrete event simulator aimed at network testing. It simulates routing, TCP and multicast protocols and supports wired and wireless networks. http://www.isi.edu/nsnam/ns/
21
Simulation Model
Tested under ns-2 simulation; Average Response Time (ART) is the primary metric
Comparison of:
Nonroaming (Load Sharing)
Roaming w/o Filtering (attacker traffic is not dropped)
Roaming w/ Filtering (attacker traffic is dropped)
22
Effect of Migration Interval
The migration interval must be chosen to balance the overhead of restarting TCP, i.e. re-establishing connections with the new server set at each migration
23
Effect of Client Load
Under small attack loads, the nonroaming scheme performs better because of the overhead of roaming
24
Effect of Attack Load
Using filtering, the ART does not change as the attack load increases once the attacker is detected
25
Effect of Follow Delay
In Roaming w/ Filtering, clients experience an attack-free window while the attacker experiences the follow delay
26
Conclusions
Strengths:
Under high attack load, the roaming scheme performs better than load sharing
Undetectable honeypot locations
Transparent to client traffic
27
Conclusions
Weaknesses:
Must balance the TCP overhead of resetting connections
Wastes a large amount of server resources through inactivity (as honeypots)
The idea of logical roaming is underdeveloped in the paper, but could save resources and reduce overhead
28
Conclusions
Vulnerability remains that malicious code can be installed on legitimate servers
Periodic reinstall suggested, but service can be compromised before reinstall if attack is sophisticated
Violates property of honeypots that they should not adversely affect operation of standard service if compromised