In this lesson, we discuss an intrusion tolerance implementation based on proxy servers with multi-path routing. We call it Secure Collective Network Defense, or SCOLD for short. We detail its steps here and present its performance evaluation using ping requests and web and FTP document transfers, with and without a DDoS attack, and with and without SCOLD protection. One idea we have proposed is to create proxy-based multi-path routing to tolerate a DDoS attack. Here we try to come up with a mechanism, or protocol software, that provides secure, alternate indirect routes. Our assumption is that we are going to utilize proxy servers from a consortium you join, or that you purchase from a content delivery network, or that you set up at a cloud provider. If you are a big company, you can use your own branches: for example, if you are IBM, you have different branches spread out over the Internet, and each branch server can serve as a connection proxy relay server. Second, the idea is to extend your perimeter defense, the DMZ kind of perimeter defense, and push it out to defend at wide-area-network proxies that are further out from our site. Third, we need new secure DNS services to notify our legitimate users to come in through these alternate routes. It actually took us almost one year to implement that. We also need to be smart about allocating the proxy servers: we partition the users into groups over time and give each group a different subset of the proxy servers, because we assume that some of the clients may be compromised or could become compromised. If the DDoS follows a certain group of users, we block that group's further access. We will discuss the design and implementation of this intrusion tolerance approach next. Here we show how, during a DDoS attack, compromised nodes are used by the mastermind to send packets from different subnets to the victim server at the bottom.
The aggregate traffic exceeds the bandwidth available at the main gateway, the victim server's gateway. Since Internet traffic is handled first in, first out, all the legitimate users' requests, which [inaudible] the same route, get delayed or often time out and are terminated after a certain number of retries. When a site is under such a DDoS attack, it would be nice to have an alternate route. It turns out that nowadays some sites are set up with not just one but multiple alternate gateways; this is called multi-homing. These alternate gateways allow the site to still reach the Internet and keep its connectivity, even though the alternate gateways have slower links than the normal gateway: they may use Comcast cable, telecom ADSL, or even a satellite link as a backup. However, such multi-homing gateways can be attacked again. Once you announce the alternate gateway to your users, the attackers follow them and attack the alternate gateway too. How can we deal with that? It is good to construct these alternate routes, but there are two technical issues. First, how do we inform the clients' DNS servers to come in through the new route? They cannot simply be notified through the normal path, since the main gateway may be blocked. Second, since some clients may be compromised, the new route will become known to the attacker, and soon the attack traffic will follow the normal traffic to the alternate gateway. How can we hide the IP address of the alternate gateway from them? The solution we came up with is called Secure Collective Network Defense, SCOLD for short. Once the IDS at the main gateway detects a DDoS attack, it asks a SCOLD coordinator to send a secure DNS zone update to the clients' DNS servers, telling them to come in through a set of designated proxy servers using indirect routing to the victim server. For example, the SCOLD coordinator will tell DNS server 3 of net-c.mil that there is an alternate route through proxy server 3.
It also tells net-b.mil's DNS server 2 that there is an indirect route through proxy server 2, and tells DNS server 1 of the net-a.mil subnetwork to come in through proxy server 1. The SCOLD coordinator also tells those three proxies: whenever you receive packets coming from those networks, relay them to our alternate gateways R3, R2 and R1, but do not tell outside parties that these are the multi-homing gateways we use. The connection between a proxy server and a multi-homing gateway can be a secure tunnel. Step one: the IDS detects the DDoS attack and sends a distress call to the SCOLD reroute coordinator. The reroute coordinator examines the topology, matches the client networks with the proxy servers available at that time, and assigns them to the different client networks. Step two: the SCOLD coordinator sends a reroute command to the proxy servers. It asks them first to notify their designated DNS servers, through a secure DNS zone transfer over TCP with mutual authentication, of the new entry: the DNS name and IP address of the victim, and the IP address of the proxy server to use. For example, proxy 3 informs DNS server 3 and proxy 1 informs DNS server 1. It then asks them to relay the traffic through the alternate gateways: for example, proxy 3 relays packets to multi-homing gateway R3 and proxy 2 relays traffic through multi-homing gateway R2, possibly over a secure tunnel. Step three: the clients retrieve the new DNS rerouting entry from their DNS servers. Step four: the attackers detect the new route and try to launch their traffic through these proxy servers as well, but it is blocked at the proxies, because the coordinator can send the signatures of the attack traffic to the proxy servers, which use intrusion detection or prevention systems to block it. The normal traffic is routed smoothly through the proxy servers to the alternate gateways and onward to the victim server.
Here we show the related implementation. BIND9 is the open source DNS server software package. We modified it (actually [inaudible] did the modification) to include indirect-routing proxy entries. In the lower box we show the victim server; let's say its name is target.targetnet.com, with the IP address 133.41.96.7, and we add three new indirect proxy IP addresses through which the client can come in indirectly. These new DNS entries cannot be delivered through the normal route, because your main gateway has been blocked, right? So the only way to notify DNS servers 1, 2 and 3 is through the proxy servers, the alternate route, and so even the DNS update is delivered over the new alternate route. Note that the clients and the client DNS servers can be modified to support this feature as well, depending on how much they trust you. Consider the SCOLD design: we have pushed our local perimeter DMZ firewall all the way out into the Internet, giving our multi-homing gateways and our surrounding neighbors much more breathing room without being attacked. SCOLD uses indirect routing. The clients send IP over IP: the destination IP address of the inner IP packet points at the victim server, and the destination IP address of the outer IP packet points at the designated proxy server. The proxy server receives the IP-over-IP packet, strips the outer header, and sends the inner packet through a secure tunnel to the designated alternate gateway, from which it finally reaches the victim server. The return route follows exactly the same path in reverse. With the client running a SCOLD daemon, we do not have to modify the client resolver library. The first table shows the ping response time. With no DDoS attack, the response time from the victim server, over a route of about three hops, is about 0.49 ms. Under the DDoS attack the response time degrades to 225 ms, so requests still get through, but at a slow rate; for TCP, though, connections could [inaudible] time out.
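As an added illustration (not the SCOLD project's own code), here is a minimal model of the IP-over-IP indirect routing described above: the client daemon wraps a packet for the victim in an outer header addressed to the proxy, and the proxy decapsulates it and looks up the hidden alternate gateway, dropping anything that is not encapsulated SCOLD traffic for a protected victim or that comes from a source the coordinator has flagged. The proxy, gateway and client addresses are assumed placeholders (only the victim address comes from the lecture), and the secure tunnel to the gateway is represented only by the returned gateway address.

```python
import socket
import struct

# Constructed topology: the victim is the lecture's example address; the proxy,
# gateway and flagged-attacker addresses are hypothetical placeholders.
VICTIM = "133.41.96.7"
PROXY = "198.51.100.3"                  # designated proxy the client learned via DNS
ALT_GATEWAY = {VICTIM: "203.0.113.9"}   # proxy-only table: victim -> hidden multi-homing gateway
BLOCKED_SRC = {"192.0.2.66"}            # attack sources the coordinator pushed to this proxy
IPPROTO_IPIP = 4                        # IP-in-IP encapsulation protocol number

def checksum(data):
    """Standard ones'-complement IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt):
    """Parse an IPv4 header; reject bad versions/checksums so the proxy never relays garbage."""
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "payload": pkt[ihl:total]}

def client_encapsulate(client_ip, inner_pkt):
    """SCOLD daemon on the client: inner packet addressed to the victim, outer header
    addressed to the designated proxy, so the alternate gateway is never exposed."""
    return ipv4_header(client_ip, PROXY, IPPROTO_IPIP, len(inner_pkt)) + inner_pkt

def proxy_relay(outer_pkt):
    """Proxy side: strip the outer header and decide where to tunnel the inner packet.
    Returns (alternate_gateway, inner_packet), or None when the packet must be dropped."""
    outer = parse_ipv4(outer_pkt)
    if outer["dst"] != PROXY or outer["proto"] != IPPROTO_IPIP:
        return None                     # not encapsulated SCOLD traffic for this proxy
    inner = parse_ipv4(outer["payload"])
    if inner["src"] in BLOCKED_SRC or inner["dst"] not in ALT_GATEWAY:
        return None                     # coordinator-flagged attacker, or not a protected victim
    return ALT_GATEWAY[inner["dst"]], outer["payload"]
```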
With the SCOLD implementation, for the next two clients in the table, the overhead of IP over IP is only about 33%, roughly 0.5 ms of additional delay. This overhead is acceptable, and you can see that under the DDoS attack there is not much difference in ping delay. Table 2 shows the overhead for file transfers of different sizes and for web document retrieval. There is a significant improvement there.