July 16, 1999
3085 EU II

In attendance:
Matt Bishop (MB), Tuomas Aura (TA), Steven Cheung (SC), Dean Sniegowski (DS) and John Hughes (JH)

    1. Tuomas Aura's "Serbian" Problem
      1. Minimize the number of cuts while maximizing the amount of damage (cost)
      2. Static network
      3. DS: Include randomized techniques?
      4. Preprocessing - number of centers and links
      5. Shortest path around
      6. Maximum flow to other nodes - find damage
        1. Damage assessment to minimum cut
    2. WATCHERS Paper
      1. MB: Would like to get Steven's feedback on the paper
      2. TA: The paper doesn't describe the real attack that breaks the hypothesis: 2 malicious routers along the route. One drops packets, replaces them and sends them on to the next malicious router
      3. JH: Solution - extend to counters on a per pair basis.
        1. Source/destination as pairs
        2. Cannot replace 1 source address with another
      4. TA: Identification numbers - count every packet separately, decrease the range of random ID numbers
        1. Bookkeeping problem
        2. Substituting packets - 2 bad routers - asymmetric encryption with private key. Public key should be verified at every node. (Cost too high, too much hardware required).
        3. System is not on the internet - node gives receipt with cryptography
    3. TCP with specification
      1. Davis doesn't have a high-speed network that we can use - will try NASA Ames
        1. Workshop at NASA in mid-August that we should prepare something for.
    4. Anomaly Detection work
      1. SYN Flood example - you can train the statistical engine
        1. Check to see where the volume of flow is going
      2. MB: Denial of Service (DoS) is inherent in the protocols; not an easy problem to solve
        1. Magic cookies - reduce vulnerabilities similar to covert channels, which reduce bandwidth.
          1. Close connections quickly
          2. Too much noise - insert bogus packets into stream
        2. Anyone in the world can take down your computer; even if you use encryption, you still need the server to be up.
      3. Routers to detect DoS?
        1. DS: Anonymous traffic flow to site, you can't reach it, what do you do?
          1. MB: Raise an alarm, notify a human
          2. Try to reach hosts that are sending info.
          3. If you can't take out a system, take out their notification system (IDS)
          4. Router gives you less or no capacity
            1. ICMP packet - slows down traffic in absolute way or percentage
            2. Slow down sending to that host only
            3. Malicious router can't slow you down - won't see dropped packets
            4. What if the malicious router doesn't forward the quench packets, so the connect speed doesn't slow down?
          5. Need to establish a meaningful baseline for Anomaly Detection
            1. Monitor all connections - build up a pattern of what to expect
    5. TA: Is there a program that can trace a map of the Internet?
      1. MB: Michael Swantz at Boulder, CO (
      2. Can you monitor bandwidth of links? ISP keeps information confidential.
      3. Send packets to transit ISP.
    6. For Next Week
      1. Dean and Tuomas work on the Serbian problem in more detail
      2. John and Matt will work on the WATCHERS paper
      3. Steven - review WATCHERS paper
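The two-router substitution attack and the per-pair counter fix raised under item 2 (WATCHERS), as an added illustration that is not from the WATCHERS paper or from this meeting: the router names, the ledger layout and the sample traffic are constructed assumptions. It shows that plain packet dropping is caught by a totals-only conservation check, that drop-and-substitute toward a colluding router is not, and that counting per (source, destination) pair catches it.

```python
from collections import Counter

ROUTERS = ["R1", "R2", "R3", "R4"]   # assumed path from source S toward D

def run_path(packets, bad_router=None, colluder=None):
    """Push (src, dst) packets along R1..R4 and return each router's ledger.

    Every router records what it received ("in"), what it forwarded ("out")
    and what it consumed because it was the destination ("own").
    If bad_router is set it drops every packet it receives; with a colluder
    it also mints a replacement addressed to that colluder, which consumes
    them, so totals still balance at both malicious routers (the attack TA
    described, modelled here as a constructed assumption).
    """
    ledger = {r: {"in": [], "out": [], "own": []} for r in ROUTERS}
    stream = list(packets)
    for r in ROUTERS:
        ledger[r]["in"].extend(stream)
        if r == bad_router:
            stream = [(r, colluder) for _ in stream] if colluder else []
        ledger[r]["own"].extend(p for p in stream if p[1] == r)
        stream = [p for p in stream if p[1] != r]
        ledger[r]["out"].extend(stream)
    return ledger

def aggregate_violators(ledger):
    """Conservation of flow on totals only: received == forwarded + consumed."""
    return [r for r, l in ledger.items()
            if len(l["in"]) != len(l["out"]) + len(l["own"])]

def per_pair_violators(ledger):
    """JH's proposal: the same rule applied separately to every (src, dst) pair."""
    return [r for r, l in ledger.items()
            if Counter(l["in"]) != Counter(l["out"]) + Counter(l["own"])]

TRAFFIC = [("S", "D")] * 5   # constructed sample: five packets from S to D

if __name__ == "__main__":
    honest = run_path(TRAFFIC)
    dropped = run_path(TRAFFIC, bad_router="R2")
    substituted = run_path(TRAFFIC, bad_router="R2", colluder="R3")
    print(aggregate_violators(honest), per_pair_violators(honest))            # [] []
    print(aggregate_violators(dropped), per_pair_violators(dropped))          # ['R2'] ['R2']
    print(aggregate_violators(substituted), per_pair_violators(substituted))  # [] ['R2']
```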