UCCS CS 6910 - Autonomous Anti-DDoS Network

This preview shows page 1-2-3-4-5 out of 16 pages.


Autonomous Anti-DDoS Network V2.0 (A2D2-2)

Sarah Jelinek
University Of Colorado, Colo. [email protected] Semester 2003, CS691 Project

Project Goals
• Ultimate goal of project
  – To make DDoS technology more robust
• Relationship to other projects
  – Enhancements of existing A2D2 architecture to incorporate IDIP and Alternate Proxy Servers
• High-level timing goals
  – Research and new architecture, now
  – Project completion planned for 9/03

Description - A2D2
• Developed by Angela Cearns, UCCS Master's Thesis
• DDoS Intrusion Detection and Response
• Uses freeware as main detection component
• Modifications made to effect better response
FOR MORE INFO... http://cs.uccs.edu/~chow/pub/master/acearns/doc/angThesis-final.pdf

A2D2, cont..
• Strengths
  – Uses open source components
  – Portable
  – Configurable
• Weaknesses
  – Host Based
  – Local Network response
  – No attempt made to actively trace intruder
  – Possible bottleneck at firewall
  – Static thresholds

A2D2-2 Technology
• New technology being used
  – Intrusion Detection and Isolation Protocol (IDIP)
  – Alternate Proxy Servers
• Standards being adopted
  – IDIP
    • Will work with other IDIP enabled Intrusion Detection Networks
  – Service Location Protocol (SLP)
    • Allows discovery of registered IDIP Nodes

A2D2-2 What It Solves
• Host Based
  – Now a dynamic, network wide solution
    • Will work with other IDIP enabled Intrusion Detection Networks utilizing CITRA
• Active Tracing of Intruder
  – SLP is used to discover other network IDIP services

A2D2-2 What It Solves, cont..
• Local Response
  – SLP used for location of alternate proxy servers for more global response
• Firewall Bottleneck
  – Response Coordination Centralized

A2D2-2 & IDIP
• IDIP
  – Developed by Boeing and NAI Labs
  – Supports real-time tracking and containment of DDoS attacks
  – Three layers:
    • Application Layer
    • Message Layer
    • Discovery Coordinator

A2D2-2 - Discovery Coordinator
• IDIP Discovery Coordinator
  – Bulk of the work done here
  – Network wide response coordinator
  – Will notify clients and client DNS of alternate routes available
  – Standardized language used for messages and topology (CISL)
  – Local attack response still active if down

IDIP Nodes
[Figure: IDIP nodes. Labels: Intrusion Detection System, Routers, Firewall, Server, Client, Network Manager (Discovery Coordinator)]
FOR MORE INFO... http://zen.ece.ohiou.edu/~inbounds/DOCS/reldocs/IDIP_Architecture.doc

A2D2-2 Proposed Architecture

Alternate Routes
FOR MORE INFO... http://cs.uccs.edu/%7Echow/research/security/uccsSecurityResearch.ppt
(Slide 22, Security Research, 1/10/2003, chow: Implement Alternate Routes)
[Figure: Implement Alternate Routes. Labels: DNS1, DNS2, DNS3, Victim, A, net-a.com, net-b.com, net-c.com, R, R1, R2, R3, Alternate Gateways, DNS, DDoS Attack Traffic, Client Traffic]
• Need to Inform Clients or Client DNS servers!
• But how to tell which Clients are not compromised?
• How to hide IP addresses of Alternate Gateways?

Alternate Routes, cont..
(Slide 23, Security Research, 1/10/2003, chow: Possible Solution for Alternate Routes)
[Figure: Possible Solution for Alternate Routes. Labels: DNS1, DNS2, DNS3, Victim, A, net-a.com, net-b.com, net-c.com, R, R1, R2, R3, Proxy1, Proxy2, Proxy3, distress call, block, Blocked by IDS]
• Sends Reroute Command with DNS/IP Addr. Of Proxy and Victim
• Attack msgs blocked by IDS
• New route via Proxy3 to R3

A2D2-2 & SLP -> Alternate Routes
[Figure: A2D2-2 with SLP and alternate routes. Labels: DNS1, DNS2, DNS3, A2D2-2 Network IDS, A, net-a.com, net-b.com, net-c.com, R, R1, R2, R3, IDIP Node, A2D2-2 IDIP DC, SLP Discovery and communication, Proxy1 IDIP Node, Proxy2 IDIP Node, Proxy3 IDIP Node, Block and traceback, Local IDS Response, Local Network]
• Attack msgs blocked by IDS
• New route via Proxy3 to R3

A2D2-2 Futures
• IDIP Redundant/Cooperative Discovery Coordinators
• Discovery Coordinator Response Optimization Enhancements
• Updates To Snort
• Secure DNS (already

