Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks
J. Leland Langston, Raytheon
Dr. C. Edward Chow, UCCS
18 February 2004
Intrusion Detection and Tolerance
• Mobile ad hoc networks have little or no physical security protection.
• Mobile networks may connect to larger networks, including the GIG (Global Information Grid).
• Hence mobile networks provide ready access points for intrusion into critical networks and for Distributed Denial of Service (DDoS).
• Since intrusion will be difficult to prevent, the best strategy is to develop techniques that detect intrusions and restructure the network so that the point(s) of intrusion are isolated while connectivity is maintained for other legitimate users.
Intrusion Detection and Network Restructuring is the best strategy!
The DDoS Problem
• Distributed Denial of Service
  • ICMP, SYN, UDP, Smurf floods
  • Code Red and Slammer worms
• The victim is "flooded" from multiple compromised sources on net-a.mil and net-c.mil via multiple compromised paths and gateways.
• Legitimate users on net-b.mil attempting to communicate with the victim are denied service.
• The objective is to detect which paths and clients are NOT compromised.
• But how do you hide the IP addresses of the alternative gateways from the attacker?
Figure: DDoS attack without alternate routes
Cannot prevent DDoS attacks on MANETs!
Secure Indirect Routing as a Solution
• UDP-based worms such as Slammer propagate in minutes, too fast to detect and prevent.
• The strategy is to determine uninfected routes, re-route traffic around infected nodes, and disconnect infected paths automatically:
  • Determine uninfected routes.
  • Use proxy servers for alternate routing.
  • Shield these routes from future attacks by hiding their IP addresses.
  • Use intrusion detection to block DDoS traffic into the proxy servers.
Figure: DDoS attack with alternate routes
Exploit alternative routing options to circumvent DDoS attacks.
Benefits of Secure Indirect Routing
• Security:
  • When attacked, users switch to different routes dynamically.
  • Urgent/critical packets are sent over multiple routes simultaneously.
  • Encrypted content is sent over multiple routes.
  • Information on DDoS attacks is used to isolate the source of the attacks.
• Reliability:
  • Users can choose the most reliable route dynamically.
  • Packet content is spread over multiple routes.
  • Redundant transmission or error correction reduces the packet loss rate (PLR).
• Performance:
  • Multiple indirect routes provide additional bandwidth.
  • The routes can be used for dynamic bandwidth provisioning.
Secure Indirect Routing has additional benefits!
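The Reliability bullets above claim that redundant transmission or error correction over several routes reduces the packet loss rate. The following is an added example, not code from the authors or from the system the slides describe, that makes this concrete for two schemes: replicating a packet over k routes, and splitting it into n fragments plus one XOR parity fragment sent over n+1 routes, which survives the loss of any single route. The per-route loss probability p, the independence of losses between routes, the 2-byte length prefix and the sample message are all assumptions of this example.

```python
"""Reliability from multiple indirect routes (added example, not the authors'
code): replication over k routes, or n data fragments plus one XOR parity
fragment over n+1 routes. Losses are assumed independent per route."""
import functools
import operator


def replicated_loss(p, k):
    """Probability a packet is lost when a copy is sent over each of k routes
    that each drop packets independently with probability p."""
    return p ** k


def parity_loss(p, n):
    """Probability the payload is unrecoverable when split into n fragments
    plus one XOR parity fragment on n+1 routes: lost iff 2+ pieces are lost."""
    none_lost = (1 - p) ** (n + 1)
    one_lost = (n + 1) * p * (1 - p) ** n
    return 1 - none_lost - one_lost


def _xor(pieces):
    """Byte-wise XOR of equal-length byte strings."""
    return bytes(functools.reduce(operator.xor, col) for col in zip(*pieces))


def split_with_parity(payload, n):
    """Return n data fragments plus one parity fragment, one per route.
    A 2-byte length prefix (assumed framing) lets the receiver strip padding."""
    framed = len(payload).to_bytes(2, "big") + payload
    size = -(-len(framed) // n)  # ceiling division
    framed += b"\x00" * (size * n - len(framed))
    frags = [framed[i * size:(i + 1) * size] for i in range(n)]
    return frags + [_xor(frags)]


def recover(pieces):
    """Rebuild the payload from the n+1 pieces; a piece lost in transit is None.
    Any single missing piece (data or parity) is the XOR of the others."""
    missing = [i for i, piece in enumerate(pieces) if piece is None]
    if len(missing) > 1:
        raise ValueError("lost %d pieces; one parity fragment recovers at most one"
                         % len(missing))
    pieces = list(pieces)
    if missing:
        pieces[missing[0]] = _xor([piece for piece in pieces if piece is not None])
    framed = b"".join(pieces[:-1])
    length = int.from_bytes(framed[:2], "big")
    return framed[2:2 + length]


if __name__ == "__main__":
    p = 0.1  # assumed per-route loss probability
    print("single route %.3f, 3-way replication %.4f, 3+1 parity %.4f"
          % (p, replicated_loss(p, 3), parity_loss(p, 3)))
    pieces = split_with_parity(b"URGENT: reroute via alternate gateway", 3)
    pieces[1] = None  # constructed: route 1 drops its fragment
    print(recover(pieces))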
Why Intrusion Tolerance is an Ideal Strategy for Mobile ad hoc Networks
• It exploits the natural characteristic of mobile ad hoc networks: multiple independent routing paths.
• When a site is attacked, intrusion detection systems generate alarms that initiate secure DNS updates.
• The system exploits the encryption already inherent in military systems.
• Intrusion detection is easier and faster than intrusion prevention, and applies to insider attacks and RF jamming as well.
• The use of multiple paths can be exploited to enhance the reliability, security and effective bandwidth of the system.
Intrusion Tolerance is an Ideal Strategy for Mobile ad hoc Networks
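The Secure Indirect Routing slide and the Intrusion Tolerance slide together describe a control loop: the IDS flags flooded routes, attack sources are blocked at the proxy servers, and a secure DNS update moves the service to an uninfected proxy whose address only legitimate, authenticated clients can learn. The following toy model is an added example, not the authors' system or code: the proxy names and addresses, the flow sample, the flood threshold, the service name and the SecureNameService class are all constructed for illustration.

```python
"""Toy model of secure indirect routing (added example, not the authors' code):
an IDS flags flooded routes, attack sources are blocked at every proxy, and a
name service readable only by authenticated clients is updated to point the
service at a clean proxy."""
from collections import Counter

FLOOD_THRESHOLD = 1000  # packets per detection window; hypothetical tuning value

# Constructed topology: proxy gateway name -> address. These are the hidden
# alternative gateway addresses the slides refer to.
PROXIES = {"proxy-a": "10.0.1.1", "proxy-b": "10.0.2.1", "proxy-c": "10.0.3.1"}

# Constructed flow sample for one window: (proxy, source network, packets).
SAMPLE_FLOWS = [
    ("proxy-a", "net-a.mil", 5000),  # compromised hosts on net-a.mil flood proxy-a
    ("proxy-a", "net-b.mil", 40),    # legitimate net-b.mil traffic on the same route
    ("proxy-c", "net-c.mil", 7000),  # compromised hosts on net-c.mil flood proxy-c
    ("proxy-b", "net-b.mil", 35),    # proxy-b carries legitimate traffic only
]


def flooded_routes(flows, threshold=FLOOD_THRESHOLD):
    """Routes (proxies) whose inbound rate exceeds the flood threshold."""
    per_proxy = Counter()
    for proxy, _src, packets in flows:
        per_proxy[proxy] += packets
    return {p for p, n in per_proxy.items() if n > threshold}


def attack_sources(flows, threshold=FLOOD_THRESHOLD):
    """Source networks sending at flood rate; to be dropped at every proxy."""
    per_src = Counter()
    for _proxy, src, packets in flows:
        per_src[src] += packets
    return {s for s, n in per_src.items() if n > threshold}


class SecureNameService:
    """Service name -> proxy mapping, readable only by authenticated clients,
    so the alternate gateway addresses stay hidden from the attacker."""

    def __init__(self, proxies):
        self.proxies = dict(proxies)
        self.active = {}      # service -> proxy currently fronting it
        self.blocked = set()  # source networks dropped at all proxies

    def publish(self, service, proxy):
        if proxy not in self.proxies:
            raise KeyError(proxy)
        self.active[service] = proxy

    def resolve(self, service, authenticated):
        if not authenticated:
            raise PermissionError("unauthenticated lookup refused")
        return self.proxies[self.active[service]]


def respond_to_alarm(ns, service, flows, threshold=FLOOD_THRESHOLD):
    """IDS alarm handler: block the attack sources and, if the route currently
    serving `service` is flooded, re-publish the service on an uninfected proxy.
    Returns the proxy now serving the service."""
    flooded = flooded_routes(flows, threshold)
    ns.blocked |= attack_sources(flows, threshold)
    current = ns.active.get(service)
    if current is not None and current not in flooded:
        return current
    clean = sorted(p for p in ns.proxies if p not in flooded)
    if not clean:
        raise RuntimeError("no uninfected route remains; cannot reroute")
    ns.publish(service, clean[0])
    return clean[0]


if __name__ == "__main__":
    ns = SecureNameService(PROXIES)
    ns.publish("victim-service", "proxy-a")  # hypothetical service name
    now = respond_to_alarm(ns, "victim-service", SAMPLE_FLOWS)
    print("service now reachable via", now, "at", ns.resolve("victim-service", True))
    print("blocked sources:", sorted(ns.blocked))
```

Note that net-b.mil is never blocked even though some of its traffic shared the flooded route with net-a.mil: the model blocks by source rate, not by route, so legitimate users on a compromised path keep service once the name service points them at proxy-b.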
Backup: Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks
DDoS victims: Yahoo/Amazon (2000), CERT (5/2001), DNS root servers (10/2002)
DDoS tools: Stacheldraht, Trinoo, Tribal Flood Network (TFN)
How DDoS Works
A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master". From the master system the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet onto multiple, sometimes thousands of, compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets at the target causes a denial of service.
Autonomous Enterprise DDoS Defense
• An effective enterprise DDoS defense requires:
  • Fast, coordinated intrusion detection and isolation.
  • Tight secure access and compromise detection.
  • Secure and reliable mechanisms for establishing or reconnecting legitimate connections during DDoS attacks.
• Key techniques to be investigated for improving enterprise DDoS defense:
  • Secure indirect routing.
  • Fast, effective intrusion detection and tracking.
  • Efficient integration and coordination between IDS and firewall devices.
  • Responsive adaptive rate limiting.
  • Secure access authentication and challenge-response.
  • Efficient group rekeying.
  • Carefully designed routing protocols resistant to wormhole and sinkhole attacks.