DENIAL OF SERVICE MEETING
July 16, 1999
3085 EU II
Matt Bishop (MB), Tuomas Aura (TA), Steven Cheung (SC), Dean Sniegowski (DS) and John Hughes (JH)
- Tuomas Aura's "Serbian" Problem
  - Minimize the number of cuts while maximizing the amount of damage (cost)
  - Static network
  - DS: Include randomized techniques?
  - Preprocessing - number of centers and links
  - Shortest path around
  - Maximum flow to other nodes - find damage
  - Damage assessment to minimum cut
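The "Serbian" problem above pairs a minimum cut with a damage assessment. The following is an added example, not code from the meeting or from any participant's work, that looks at the same question from the defender's side: given a static topology, which few links are the ones whose loss separates the network, and how much connectivity is lost when they go. It computes the minimum link cut between two nodes with the max-flow/min-cut method (Edmonds-Karp, unit capacity per link so the flow value is the number of cuts) and scores damage as the number of node pairs that can no longer reach each other. The topology, node names and unit link costs are assumptions made for the example.

```python
from collections import defaultdict, deque

# Constructed static topology: undirected links, each link counts as one cut.
LINKS = [("a", "b"), ("b", "c"), ("c", "d"), ("a", "e"),
         ("e", "d"), ("d", "f"), ("f", "g"), ("d", "g")]


def _capacities(links):
    cap = defaultdict(lambda: defaultdict(int))
    for u, v in links:
        cap[u][v] += 1
        cap[v][u] += 1
    return cap


def _augmenting_path(cap, flow, s, t):
    """BFS in the residual graph; returns parent pointers or None (Edmonds-Karp)."""
    parent = {s: None}
    queue = deque([s])
    while queue:
        u = queue.popleft()
        for v in cap[u]:
            if v not in parent and cap[u][v] - flow[u][v] > 0:
                parent[v] = u
                if v == t:
                    return parent
                queue.append(v)
    return None


def min_cut(links, s, t):
    """Smallest set of links whose removal separates s from t (max-flow/min-cut, unit capacities)."""
    cap = _capacities(links)
    flow = defaultdict(lambda: defaultdict(int))
    while True:
        parent = _augmenting_path(cap, flow, s, t)
        if parent is None:
            break
        # bottleneck along the path (1 unless there are parallel links), then push it
        path, v = [], t
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][v] - flow[u][v] for u, v in path)
        for u, v in path:
            flow[u][v] += push
            flow[v][u] -= push
    # nodes still reachable from s in the residual graph form the s side of the cut
    side, queue = {s}, deque([s])
    while queue:
        u = queue.popleft()
        for v in cap[u]:
            if v not in side and cap[u][v] - flow[u][v] > 0:
                side.add(v)
                queue.append(v)
    return [(u, v) for u, v in links if (u in side) != (v in side)]


def damage(links, removed):
    """Number of node pairs that can no longer reach each other once `removed` links are gone."""
    nodes = {n for link in links for n in link}
    gone = {tuple(sorted(link)) for link in removed}
    adj = defaultdict(set)
    for u, v in links:
        if tuple(sorted((u, v))) not in gone:
            adj[u].add(v)
            adj[v].add(u)
    seen, connected_pairs = set(), 0
    for start in nodes:
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        while queue:
            for v in adj[queue.popleft()]:
                if v not in comp:
                    comp.add(v)
                    queue.append(v)
        seen |= comp
        connected_pairs += len(comp) * (len(comp) - 1) // 2
    total_pairs = len(nodes) * (len(nodes) - 1) // 2
    return total_pairs - connected_pairs


if __name__ == "__main__":
    cut = min_cut(LINKS, "a", "g")
    print("critical links:", cut, "pairs disconnected:", damage(LINKS, cut))
```

On the constructed topology the cut between "a" and "g" is the two links at "a", and removing them isolates one node out of seven, so six pairs lose connectivity. The "preprocessing" item in the notes corresponds to running min_cut over the (center, center) pairs of interest once, since the network is static, and ranking the cuts by damage.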
- WATCHERS Paper
  - MB: Would like to get Steven's feedback on the paper
  - TA: The paper doesn't describe the real attack that breaks the hypothesis: 2 malicious routers along the route. One drops packets, replaces them and sends them on to the next malicious router
  - JH: Solution - extend to counters on a per-pair basis.
    - Source/destination as pairs
    - Cannot replace 1 source address with another
  - TA: Identification numbers - count every packet separately, decrease the range of random ID numbers
    - Bookkeeping problem
  - Substituting packets - 2 bad routers - asymmetric encryption with private key. Public key should be verified at every node. (Cost too high, too much hardware required.)
  - System is not on the internet - node gives receipt with cryptography
  - TCP with specification
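The two-router substitution attack and the per-pair counter fix discussed above can be seen in a small simulation. The following is an added example, not code from the WATCHERS paper or from the meeting: it models a fixed path S-A-B-C-D in which A drops the victim's packets, substitutes the same number of its own packets addressed to its accomplice C (which consumes them as their legitimate destination), and pads its self-reported counters so that its totals balance. A conservation-of-flow check on totals sees nothing wrong; the same check keyed by (source, destination) pair flags A, because a router may only originate packets from itself or consume packets addressed to itself, so one source address cannot be swapped for another. The path, router names and the counter layout are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed topology: S sends to D along the fixed path S-A-B-C-D.
# S and D are endpoints; A, B, C are the transit routers being checked.
PATH = ["S", "A", "B", "C", "D"]
FLOW = ("S", "D")                   # (source, destination) pair of the victim traffic
ATTACKER, ACCOMPLICE = "A", "C"     # the two colluding routers from the scenario above


def simulate(n_packets, attack):
    """Forward n_packets from S to D, recording what every link carried (as both ends of
    the link count it) and what each router claims to have originated or consumed."""
    links = defaultdict(Counter)    # (from, to) -> Counter{(src, dst): packets}
    claims = {r: {"originated": Counter(), "delivered": Counter()} for r in PATH}
    claims["S"]["originated"][FLOW] = n_packets
    links[("S", "A")][FLOW] = n_packets
    for i in range(1, len(PATH) - 1):                       # transit routers A, B, C
        prev, r, nxt = PATH[i - 1], PATH[i], PATH[i + 1]
        for (src, dst), n in links[(prev, r)].items():
            if dst == r:                                    # addressed to this router
                claims[r]["delivered"][(src, dst)] += n
            elif attack and r == ATTACKER and (src, dst) == FLOW:
                # Drop the victim's packets, substitute the same number of A's own packets
                # addressed to C, and lie in the self-reported counters so totals balance.
                links[(r, nxt)][(ATTACKER, ACCOMPLICE)] += n
                claims[r]["originated"][(ATTACKER, ACCOMPLICE)] += n   # true claim
                claims[r]["delivered"][(src, dst)] += n                 # false: D is not A
            else:
                links[(r, nxt)][(src, dst)] += n
    return links, claims


def conservation_check(links, claims, per_pair):
    """Conservation of flow at each transit router: packets in plus packets the router
    originated must equal packets out plus packets it consumed.  per_pair=False uses
    totals; per_pair=True checks each (source, destination) pair and additionally rejects
    a router claiming to originate someone else's packets or consume packets not for it.
    Returns the set of routers whose counters do not balance."""
    suspects = set()
    for i in range(1, len(PATH) - 1):
        prev, r, nxt = PATH[i - 1], PATH[i], PATH[i + 1]
        inbound, outbound = links[(prev, r)], links[(r, nxt)]
        orig, deliv = claims[r]["originated"], claims[r]["delivered"]
        if not per_pair:
            if sum(inbound.values()) + sum(orig.values()) != sum(outbound.values()) + sum(deliv.values()):
                suspects.add(r)
            continue
        for src, dst in set(inbound) | set(outbound) | set(orig) | set(deliv):
            own_orig = orig[(src, dst)] if src == r else 0
            own_deliv = deliv[(src, dst)] if dst == r else 0
            bogus_claim = (src != r and orig[(src, dst)]) or (dst != r and deliv[(src, dst)])
            if bogus_claim or inbound[(src, dst)] + own_orig != outbound[(src, dst)] + own_deliv:
                suspects.add(r)
    return suspects


def run(n_packets=1000, attack=True):
    links, claims = simulate(n_packets, attack)
    return {"totals": conservation_check(links, claims, per_pair=False),
            "per_pair": conservation_check(links, claims, per_pair=True)}


if __name__ == "__main__":
    print(run(attack=False))   # both checks pass
    print(run(attack=True))    # totals pass, per-pair check flags A
```

The bookkeeping cost raised in the notes is visible in the counter layout: per-pair counters grow with the number of active (source, destination) pairs crossing each link rather than with the number of neighbours, which is the trade-off against the aggregate scheme.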
- Davis doesn't have a high-speed network that we can use - will try NASA Ames
- Workshop at NASA in mid-August that we should put something together for.
- Anomaly Detection work
  - SYN Flood example - you can train the statistical engine
  - Check to see where the volume of flow is going
  - MB: Denial of Service (DoS) is inherent in the protocols; not an easy problem to solve
  - Magic cookies - reduce vulnerabilities similar to covert channels, which reduce bandwidth.
  - Close connections quickly
  - Too much noise - insert bogus packets into stream
  - Anyone in the world can take down your computer; even if you use encryption, you still need the server to be up.
  - Routers to detect DoS?
  - DS: Anonymous traffic flow to site, you can't reach it, what do you do?
  - MB: Raise an alarm, notify a human
  - Try to reach hosts that are sending info.
  - If you can't take out a system, take out their notification system (IDS)
  - Router gives you less or no capacity
  - ICMP packet - slows down traffic in an absolute way or by a percentage
  - Slow down sending to that host only
  - Malicious router can't slow you down - won't see dropped packets
  - What if the malicious router doesn't forward the quench packets, so the connection speed doesn't slow down?
  - Need to establish a meaningful baseline for Anomaly Detection
  - Monitor all connections - build up a pattern of what to expect
  - TA: Is there a program that can trace a map of the Internet?
  - MB: Michael Swantz at Boulder, CO (boulder.colorado.edu)
  - Can you monitor bandwidth of links? ISP keeps information confidential.
  - Send packets to transit ISP.
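The SYN flood item, the "where is the volume going" check and the baseline items above fit together as one detection pipeline. The following is an added example, not code from the meeting or from the group's anomaly detection work: it trains a per-destination baseline (mean and standard deviation of new connection attempts per interval) from a normal period, counts pure SYNs per destination in a later interval, raises an alert when the count is more than a few standard deviations above baseline, and reports how many distinct sources are behind the alerted traffic, which is the first thing a human needs when deciding whether the senders can be reached. The training counts, the flow records and the 10-second interval are constructed for the example.

```python
import statistics
from collections import Counter

# Constructed training history: SYNs per 10-second interval toward each server,
# taken from a period known to be normal (a deployment would take this from flow logs).
TRAINING = {
    "10.0.0.5": [40, 38, 45, 41, 39, 44, 42, 40, 37, 43, 41, 40],
    "10.0.0.9": [12, 10, 14, 11, 13, 12, 9, 11, 12, 13, 10, 12],
}

# Constructed flow records for one later interval: (interval, src, dst, tcp_flags).
OBSERVED = (
    [(12, f"192.0.2.{i}", "10.0.0.5", "S") for i in range(1, 43)]                 # 42 SYNs: normal
    + [(12, f"203.0.113.{i % 254 + 1}", "10.0.0.9", "S") for i in range(300)]     # 300 SYNs: flood
    + [(12, "192.0.2.7", "10.0.0.5", "SA"), (12, "192.0.2.7", "10.0.0.5", "A")]   # handshake, not counted
)


def fit_baseline(history):
    """Per-destination mean and population standard deviation of SYNs per interval."""
    return {dst: (statistics.mean(c), statistics.pstdev(c)) for dst, c in history.items()}


def _is_pure_syn(flags):
    return "S" in flags and "A" not in flags          # SYN set, ACK clear: a new attempt


def count_syns(records, interval):
    """New connection attempts per destination within one interval."""
    counts = Counter()
    for t, _src, dst, flags in records:
        if t == interval and _is_pure_syn(flags):
            counts[dst] += 1
    return counts


def detect(baseline, counts, threshold=3.0, std_floor=1.0):
    """Alert on destinations whose SYN count is more than `threshold` standard deviations
    above baseline.  std_floor keeps a very quiet history from turning every blip into an
    alert; a destination with no history gets a zero baseline and is reported on any traffic."""
    alerts = {}
    for dst, n in counts.items():
        mean, std = baseline.get(dst, (0.0, 0.0))
        z = (n - mean) / max(std, std_floor)
        if z > threshold:
            alerts[dst] = round(z, 1)
    return alerts


def source_spread(records, interval, dst):
    """Distinct sources behind the SYNs to dst: a flood spread over many (often spoofed)
    addresses looks different from a single busy client, and tells the analyst whether
    'try to reach the hosts that are sending' is even practical."""
    return len({src for t, src, d, flags in records
                if t == interval and d == dst and _is_pure_syn(flags)})


def run(interval=12):
    baseline = fit_baseline(TRAINING)
    alerts = detect(baseline, count_syns(OBSERVED, interval))
    return {dst: {"z": z, "sources": source_spread(OBSERVED, interval, dst)}
            for dst, z in alerts.items()}


if __name__ == "__main__":
    print(run())   # only 10.0.0.9 is reported, with ~254 distinct sources behind it
```

The baseline is the part the notes call "meaningful": a standard deviation fitted from a period that already contained attack traffic would raise the threshold and hide the next flood, so the training window has to be chosen, not just accumulated.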
- For Next Week
  - Dean and Tuomas work on the Serbian problem in more detail
  - John and Matt will work on the WATCHERS paper
  - Steven - review WATCHERS paper