Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks
J. Leland Langston, Raytheon
Dr. C. Edward Chow, UCCS
18 February 2004
UNCLASSIFIED

TRANSCRIPT

Page 1: Title slide (title, authors and date as above)

Page 2: Intrusion Detection and Tolerance

• Mobile ad hoc networks have little or no physical security protection.

• Mobile networks may connect to larger networks, including the GIG (Global Information Grid).

• Hence mobile networks provide ready access points for intrusion into critical networks and for launching Distributed Denial of Service (DDoS) attacks.

• Since intrusion will be difficult to deny, the best strategy is to develop techniques that detect intrusions and restructure the network so that the point(s) of intrusion are isolated while connectivity is maintained for the other legitimate users.

Intrusion detection and network restructuring is the best strategy!

Page 3: The DDoS Problem

• Distributed Denial of Service
– ICMP, SYN, UDP and Smurf floods
– Code Red and Slammer worms

• The victim is "flooded" from multiple compromised sources on net-a.mil and net-c.mil via multiple compromised paths and gateways.

• Legitimate users on net-b.mil attempting to communicate with the victim are denied service.

• The objective is to detect which paths and clients are NOT compromised.

• But how do you hide the IP addresses of the alternative gateways?

DDoS attacks on MANETs cannot be prevented!

Figure: DDoS attack without alternate routes

Page 4: Secure Indirect Routing as a Solution

• UDP-based worms such as Slammer propagate in minutes, too fast to detect and prevent.

• The strategy is to determine uninfected routes, re-route traffic around infected nodes, and disconnect infected paths automatically:
– Determine uninfected routes
– Use proxy servers for alternate routing
– Shield these routes from future attacks by hiding their IP addresses
– Use intrusion detection to block DDoS traffic into the proxy servers

Exploit alternative routing options to circumvent DDoS attacks.

Figure: DDoS attack with alternate routes
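The first two steps of the strategy, deciding which gateways are flooded and which clients are not compromised, then moving legitimate clients onto a clean gateway and cutting the flooding sources off, can be shown in working code. The Python below is an added example, not code from the slides or from the Raytheon/UCCS project. The flow-record layout, the thresholds, the hypothetical host and gateway names (gw-a, gw-b, gw-c, hosts on net-a/net-b/net-c.mil) and the ten-second window are all assumptions.

```python
"""Added example (not from the slides): classify gateways/paths as flooded or
clean from flow records, steer legitimate clients to a clean gateway, and emit
firewall rules that cut the attacking sources off. Record layout, thresholds
and host/gateway names are assumptions."""
from collections import defaultdict

WINDOW_S = 10  # assumed measurement window the records cover, in seconds


def make_flows():
    """Constructed sample: one tuple per (source, gateway) pair seen in the
    window: (src_host, gateway, proto, is_syn, packets)."""
    flows = []
    # SYN flood: 40 compromised hosts on net-a.mil, all entering via gw-a
    for i in range(40):
        flows.append((f"h{i}.net-a.mil", "gw-a", "tcp", True, 400))
    # UDP flood: 30 compromised hosts on net-c.mil, all entering via gw-c
    for i in range(30):
        flows.append((f"h{i}.net-c.mil", "gw-c", "udp", False, 500))
    # Legitimate low-rate users on net-b.mil; u1 and u2 happen to use gw-a
    flows += [
        ("u1.net-b.mil", "gw-a", "tcp", False, 12),
        ("u2.net-b.mil", "gw-a", "tcp", False, 9),
        ("u3.net-b.mil", "gw-b", "tcp", False, 15),
    ]
    return flows


def gateway_stats(flows):
    """Aggregate packets, SYN packets and distinct sources per gateway."""
    acc = defaultdict(lambda: {"pkts": 0, "syn": 0, "srcs": set()})
    for src, gw, _proto, is_syn, pkts in flows:
        acc[gw]["pkts"] += pkts
        acc[gw]["syn"] += pkts if is_syn else 0
        acc[gw]["srcs"].add(src)
    return {
        gw: {
            "pps": a["pkts"] / WINDOW_S,
            "syn_ratio": a["syn"] / a["pkts"],
            "srcs": len(a["srcs"]),
        }
        for gw, a in acc.items()
    }


def classify_gateways(flows, pps_max=200.0, syn_ratio_max=0.5, min_srcs=10):
    """A gateway is 'flooded' when many distinct sources push it over the
    packet-rate or SYN-ratio threshold (thresholds are assumptions);
    everything else is a candidate alternate route."""
    flooded, clean = [], []
    for gw, s in sorted(gateway_stats(flows).items()):
        distributed = s["srcs"] >= min_srcs
        if distributed and (s["pps"] > pps_max or s["syn_ratio"] > syn_ratio_max):
            flooded.append(gw)
        else:
            clean.append(gw)
    return flooded, clean


def reroute_legitimate(flows, flooded, clean, per_src_max_pps=5.0):
    """Pick the sources behind a flooded gateway that look like ordinary users
    (low rate, no SYN-flood signature) and re-home them on a clean gateway.
    Returns {src_host: new_gateway}. Source-address heuristics can be spoofed,
    so in practice this is combined with access authentication."""
    if not clean:
        raise RuntimeError("no clean gateway left to re-route through")
    plan = {}
    for src, gw, _proto, is_syn, pkts in flows:
        if gw in flooded and not is_syn and pkts / WINDOW_S <= per_src_max_pps:
            plan[src] = clean[0]
    return plan


def block_rules(flows, flooded, per_src_max_pps=5.0):
    """iptables FORWARD rules that drop the high-rate sources on flooded
    gateways, i.e. 'disconnect infected paths automatically'."""
    rules = []
    for src, gw, _proto, _is_syn, pkts in flows:
        if gw in flooded and pkts / WINDOW_S > per_src_max_pps:
            rules.append(f"iptables -A FORWARD -s {src} -j DROP")
    return rules


if __name__ == "__main__":
    flows = make_flows()
    flooded, clean = classify_gateways(flows)
    print("flooded:", flooded, "clean:", clean)
    print("re-route plan:", reroute_legitimate(flows, flooded, clean))
    print(len(block_rules(flows, flooded)), "drop rules")
```

Two caveats a practitioner would add. The per-source rate test only separates attackers from users while the flood comes from a manageable number of sources; with spoofed or very widely distributed sources it must be backed by the access authentication and challenge-response the later slides call for. And the re-route plan is only useful if the clean gateway's address is not already known to the attacker, which is exactly why the slides insist on hiding the IP addresses of the alternate gateways.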

Page 5: Benefits of Secure Indirect Routing

• Security:
– When attacked, users switch to different routes dynamically
– Urgent/critical packets are sent over multiple routes simultaneously
– Encrypted content is sent over multiple routes
– Information on DDoS attacks is used to isolate the source of the attacks

• Reliability:
– Users can choose the most reliable route dynamically
– Packet content is spread over multiple routes
– Redundant transmission or error correction reduces the packet loss rate (PLR)

• Performance:
– Multiple indirect routes provide additional bandwidth
– Can be used for dynamic bandwidth provisioning

Secure Indirect Routing has additional benefits!
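The reliability and security items above (content spread over multiple routes, redundancy to cut the packet loss rate) can be made concrete. The Python below is an added example, not code from the slides or the project: it splits one packet across k data routes plus a (k+1)-th XOR parity route, so that any single lost or blocked route is rebuilt at the receiver and no single route carries the whole payload. The 4-byte length framing and the route-index dictionary used to simulate delivery are assumptions.

```python
"""Added example (not from the slides): spread one packet's content over k
routes plus one XOR parity route, so the loss (or blocking) of any single
route is recoverable and no single route carries the whole payload. The
length framing and the simulated 'routes' dict are illustration assumptions."""


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def split_with_parity(payload: bytes, k: int):
    """Return k data shards plus one parity shard (k+1 shards in total).
    A 4-byte length prefix lets the receiver strip the zero padding."""
    if k < 2:
        raise ValueError("need at least two data routes")
    framed = len(payload).to_bytes(4, "big") + payload
    shard_len = -(-len(framed) // k)          # ceiling division
    framed += b"\x00" * (shard_len * k - len(framed))
    shards = [framed[i * shard_len:(i + 1) * shard_len] for i in range(k)]
    return shards + [xor_blocks(shards)]


def reassemble(received: dict, k: int) -> bytes:
    """received maps route index (0..k, where k is the parity route) to the
    shard that arrived. Any single missing route is rebuilt from the rest."""
    missing = [i for i in range(k + 1) if i not in received]
    if len(missing) > 1:
        raise ValueError(f"routes {missing} lost; one parity shard recovers only one")
    if missing and missing[0] < k:
        present = [received[i] for i in range(k + 1) if i != missing[0]]
        received = dict(received)
        received[missing[0]] = xor_blocks(present)   # XOR of the others = lost shard
    data = b"".join(received[i] for i in range(k))
    n = int.from_bytes(data[:4], "big")
    return data[4:4 + n]


def send_over_routes(payload: bytes, k: int, lost_route=None) -> bytes:
    """Simulate transmission: shard, drop one route, reassemble at the receiver."""
    shards = split_with_parity(payload, k)
    delivered = {i: s for i, s in enumerate(shards) if i != lost_route}
    return reassemble(delivered, k)


def fraction_seen_by_one_route(payload: bytes, k: int) -> float:
    """Share of the framed payload that a single (possibly compromised) route carries."""
    shards = split_with_parity(payload, k)
    return len(shards[0]) / (4 + len(payload))


if __name__ == "__main__":
    msg = b"URGENT: switch to proxy route 2"
    for lost in [None, 0, 1, 2, 3]:
        assert send_over_routes(msg, 3, lost) == msg
    print("recovered from any single route loss; one route sees",
          f"{fraction_seen_by_one_route(msg, 3):.0%} of the data")
```

A single XOR parity shard tolerates one lost route; tolerating several needs a Reed-Solomon style erasure code. Spreading fragments is a reliability measure, not a substitute for the encryption the slides assume: k-1 colluding routes recover almost everything, so the fragments must carry ciphertext.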

Page 6: Why Intrusion Tolerance is an Ideal Strategy for Mobile ad hoc Networks

• It exploits a natural characteristic of mobile ad hoc networks: multiple independent routing paths.

• When a site is attacked, intrusion detection systems generate alarms that initiate secure DNS updates.

• The system exploits the encryption inherent in military systems.

• Intrusion detection is easier and faster than intrusion prevention, and can be applied to insider attacks and RF jamming as well.

• The use of multiple paths can be exploited to enhance the reliability, security and effective bandwidth of the system.

Intrusion Tolerance is an Ideal Strategy for Mobile ad hoc Networks
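The second bullet, an IDS alarm that initiates a secure DNS update, is where the re-routing mechanism itself becomes an attack surface: anyone who can inject an update redirects every legitimate user to a gateway of their choosing. The Python below is an added example, not the slides' or the project's code, and is a simplified stand-in for DNS dynamic update protected by TSIG (RFC 2136 and RFC 2845): the alarm handler signs the new service-to-gateway mapping with an HMAC over its fields, and the resolving side rejects forged, stale and replayed updates. The pre-shared key, the service and gateway names, and the 60-second freshness window are assumptions.

```python
"""Added example (not from the slides): an IDS alarm pushes an authenticated
service-to-gateway update to clients, with forged, stale and replayed updates
rejected. Simplified stand-in for DNS dynamic update with TSIG; key, names
and the freshness window are assumptions."""
import hashlib
import hmac
import json

MAX_SKEW_S = 60  # assumed freshness window for an update, in seconds


def _canonical(body: dict) -> bytes:
    """Deterministic byte encoding of the signed fields (mac excluded)."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_update(key: bytes, service: str, gateway: str, seq: int, ts: int) -> dict:
    """Alarm side: build a mapping update and attach an HMAC-SHA256 tag."""
    body = {"service": service, "gateway": gateway, "seq": seq, "ts": ts}
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


class RouteTable:
    """Client-side view: service name -> gateway currently serving it."""

    def __init__(self, key: bytes, initial: dict):
        self.key = key
        self.table = dict(initial)
        self.last_seq = {}   # service -> highest accepted seq, for replay rejection

    def apply_update(self, msg: dict, now: int) -> bool:
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return False                       # forged or tampered
        if abs(now - body["ts"]) > MAX_SKEW_S:
            return False                       # stale
        if body["seq"] <= self.last_seq.get(body["service"], -1):
            return False                       # replayed or out of order
        self.last_seq[body["service"]] = body["seq"]
        self.table[body["service"]] = body["gateway"]
        return True

    def resolve(self, service: str) -> str:
        return self.table[service]


def on_ids_alarm(key, table, service, alternate_gateway, seq, now) -> bool:
    """What the alarm handler does: sign the new mapping and push it."""
    return table.apply_update(sign_update(key, service, alternate_gateway, seq, now), now)


if __name__ == "__main__":
    key = b"constructed-shared-key"   # assumed pre-shared key between IDS and resolver
    rt = RouteTable(key, {"victim.net-b.mil": "gw-a"})
    ok = on_ids_alarm(key, rt, "victim.net-b.mil", "proxy-2", seq=1, now=1_000_000)
    print(ok, rt.resolve("victim.net-b.mil"))
```

The sequence number is what stops an attacker from re-sending yesterday's genuine update to drag users back onto a gateway that has since been compromised; the timestamp bounds how long a captured update stays usable at all. In a real deployment the same properties come from TSIG-signed dynamic updates against an authoritative server, with the alternate gateway's address published only to authenticated clients.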

Page 7: Backup slides

Page 8: Autonomous Anti-DDoS

Figure: block diagram of the autonomous anti-DDoS gateway. Labels recovered from the slide:
• Internet traffic enters on eth0 and leaves on eth1 through a firewall (iptables) governed by a security policy
• Class-Based Queuing (CBQ) with multi-level adaptive rate limiting; rates depend on traffic type
• Enhanced IDS (Snort alerts) plus an IDIP (Intruder Detection and Isolation Protocol) application layer: local IDS response, cooperative detection, cooperative traceback, intrusion pushback, net restructuring
• A traceback message is sent to the IDIP neighbor (the firewall); notification goes to the IDIP Discovery Coordinator
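The "Multi-Level Adaptive Rate Limiting" and "Rates Dependent on Traffic Type" boxes of the diagram can be shown as code. The Python below is an added example, not the slides' or the project's code: one token bucket per traffic class, a set of escalation levels that shrink a class's rate each time Snort reports an attack in that class, and a constructed one-second window showing how many packets of a SYN flood get through before and after escalation. The class rates, the level factors, the packet records and the alert line (laid out like a Snort fast alert) are assumptions.

```python
"""Added example (not from the slides): multi-level adaptive rate limiting
per traffic class, escalated by Snort alerts, as a stand-in for the CBQ /
rate-limiting stage in the diagram. Class rates, escalation factors and the
constructed alert/packet data are assumptions; the alert line follows
Snort's 'fast' alert layout."""
import re

# packets/s and burst per traffic class at level 0 (assumed values)
BASE_RATES = {"icmp": (10.0, 20), "udp": (200.0, 400),
              "tcp-syn": (50.0, 100), "tcp": (1000.0, 2000)}
LEVEL_FACTOR = [1.0, 0.5, 0.1, 0.01]   # rate multiplier at levels 0..3

# "[**] [gid:sid:rev] message [**] ... {PROTO} src:port -> dst:port"
ALERT_RE = re.compile(r"\[\*\*\]\s*\[\d+:\d+:\d+\]\s*(?P<msg>.*?)\s*\[\*\*\].*?\{(?P<proto>\w+)\}")


class TokenBucket:
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now, cost=1.0):
        """Refill by elapsed time, then admit if a token is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class AdaptiveLimiter:
    def __init__(self):
        self.level = {c: 0 for c in BASE_RATES}
        self.buckets = {c: TokenBucket(*BASE_RATES[c]) for c in BASE_RATES}

    def _rebuild(self, cls):
        rate, burst = BASE_RATES[cls]
        f = LEVEL_FACTOR[self.level[cls]]
        self.buckets[cls] = TokenBucket(rate * f, max(1, int(burst * f)))

    def escalate(self, cls):
        """Tighten one class by a level (the IDS says this class is attacking)."""
        self.level[cls] = min(self.level[cls] + 1, len(LEVEL_FACTOR) - 1)
        self._rebuild(cls)

    def relax(self, cls):
        """Loosen one class by a level once the alerts stop."""
        self.level[cls] = max(self.level[cls] - 1, 0)
        self._rebuild(cls)

    @staticmethod
    def classify(pkt):
        if pkt["proto"] in ("icmp", "udp"):
            return pkt["proto"]
        return "tcp-syn" if pkt.get("flags") == "S" else "tcp"

    def admit(self, pkt, now):
        return self.buckets[self.classify(pkt)].allow(now)

    def handle_alert(self, line):
        """Map a Snort fast-alert line to a class and escalate it; returns the class."""
        m = ALERT_RE.search(line)
        if not m:
            return None
        proto, msg = m.group("proto").lower(), m.group("msg").lower()
        if proto == "tcp":
            cls = "tcp-syn" if "syn" in msg else "tcp"
        elif proto in ("udp", "icmp"):
            cls = proto
        else:
            return None
        self.escalate(cls)
        return cls


def run_window(limiter, packets):
    """Feed (time, packet) pairs in order; return admitted count per class."""
    admitted = {c: 0 for c in BASE_RATES}
    for now, pkt in packets:
        if limiter.admit(pkt, now):
            admitted[limiter.classify(pkt)] += 1
    return admitted


def sample_traffic():
    """Constructed one-second window: a 500 pps SYN flood plus 20 legitimate packets."""
    pk = [(i / 500.0, {"proto": "tcp", "flags": "S", "src": "10.0.0.5"}) for i in range(500)]
    pk += [(i / 20.0, {"proto": "tcp", "flags": "A", "src": "10.0.1.7"}) for i in range(20)]
    return sorted(pk, key=lambda t: t[0])


SAMPLE_ALERT = ("02/18-10:00:00.000000  [**] [1:1000001:1] Possible SYN flood [**] "
                "[Priority: 2] {TCP} 10.0.0.5:4444 -> 10.0.0.1:80")

if __name__ == "__main__":
    baseline = run_window(AdaptiveLimiter(), sample_traffic())["tcp-syn"]
    lim = AdaptiveLimiter()
    lim.handle_alert(SAMPLE_ALERT)
    lim.handle_alert(SAMPLE_ALERT)             # second alert -> level 2 (rate x0.1)
    print("SYNs admitted: baseline", baseline, "escalated",
          run_window(lim, sample_traffic())["tcp-syn"])
```

Because each class has its own bucket, tightening tcp-syn leaves established TCP traffic untouched, which is the point of making rates depend on traffic type: legitimate sessions keep flowing while the attacking class is squeezed. The `relax` step matters as much as `escalate`; without it a single burst of alerts leaves the class throttled indefinitely, turning the defence into a self-inflicted denial of service.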

Page 9: How DDoS Works

The intruder loads cracking tools available on the Internet onto multiple, sometimes thousands of, compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets at the target causes a denial of service.

DDoS victims: Yahoo/Amazon (2000), CERT (5/2001), DNS root servers (10/2002)

DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)

Figure: DDoS attack hierarchy. The mastermind intruder controls a client (attack commander), which directs several handlers (middlemen); each handler controls many agents (attackers) that generate the flood.

A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised.

Page 10: Autonomous Enterprise DDoS Defense

• An effective enterprise DDoS defense requires:
– Fast, coordinated intrusion detection and isolation
– Tight, secure access control and compromise detection
– Secure and reliable mechanisms for establishing or reconnecting legitimate connections during DDoS attacks

• Key techniques to be investigated for improving enterprise DDoS defense:
– Secure indirect routing
– Fast, effective intrusion detection and tracking
– Efficient integration and coordination between IDS and firewall devices
– Responsive, adaptive rate limiting
– Secure access authentication and challenge-response
– Efficient group rekeying
– Carefully designed routing protocols resistant to wormhole and sinkhole attacks