DENIAL OF SERVICE MEETING
July 16, 1999
1-2pm
3085 EU II
In attendance:
Matt Bishop (MB), Tuomas Aura (TA), Steven Cheung (SC), Dean Sniegowski (DS) and John Hughes (JH)
Tuomas Aura's "Serbian" Problem
Minimize the number of cuts while maximizing the amount of damage (cost)
Static network
DS: Include randomized techniques?
Preprocessing - number of centers and links
Shortest path around
Maximum flow to other nodes - find damage
Damage assessment to minimum cut
WATCHERS Paper
MB: Would like to get Steven's feedback on the paper
TA: The paper doesn't describe the real attack that breaks the hypothesis: 2 malicious routers along the route. One drops packets, replaces them and sends them on to the next malicious router
JH: Solution - extend to counters on a per pair basis.
Source/destination as pairs
Cannot replace 1 source address with another
TA: Identification numbers - count every packet separately, decrease the range of random ID numbers
Bookkeeping problem
Substituting packets - 2 bad routers - asymmetric encryption with private key. Public key should be verified at every node. (Cost too high, too much hardware required).
System is not on the internet - node gives receipt with cryptography
TCP with specification
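Added example (not from the meeting or the WATCHERS paper): a small simulation of the counter scheme discussed above. Each router keeps an aggregate in/out packet count and a per (source, destination) pair count; a constructed malicious router "M" drops each packet and forwards a substitute with a forged source, which keeps the aggregate counters balanced but not the per-pair counters. Router and host names are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    seq: int

@dataclass
class Router:
    """Router keeping WATCHERS-style conservation-of-flow counters.

    rx_total/tx_total are the aggregate counters; rx_pair/tx_pair
    count per (source, destination) pair, as proposed in the meeting.
    """
    name: str
    drop_and_replace: bool = False   # models the malicious router (constructed)
    rx_total: int = 0
    tx_total: int = 0
    rx_pair: Counter = field(default_factory=Counter)
    tx_pair: Counter = field(default_factory=Counter)

    def forward(self, pkt: Packet) -> Packet:
        self.rx_total += 1
        self.rx_pair[(pkt.src, pkt.dst)] += 1
        if self.drop_and_replace:
            # Drop the real packet and emit a substitute with a forged
            # source; packet counts stay balanced, the pair counts do not.
            pkt = Packet("forged-src", pkt.dst, pkt.seq)
        self.tx_total += 1
        self.tx_pair[(pkt.src, pkt.dst)] += 1
        return pkt

def aggregate_ok(r: Router) -> bool:
    return r.rx_total == r.tx_total

def per_pair_ok(r: Router) -> bool:
    return r.rx_pair == r.tx_pair

def simulate(n_packets: int = 5) -> dict:
    """Send constructed packets A->D along the path R1 -> M -> R2."""
    path = [Router("R1"), Router("M", drop_and_replace=True), Router("R2")]
    for seq in range(n_packets):
        pkt = Packet("A", "D", seq)
        for r in path:
            pkt = r.forward(pkt)
    return {r.name: (aggregate_ok(r), per_pair_ok(r)) for r in path}

if __name__ == "__main__":
    for name, (agg, pair) in simulate().items():
        print(f"{name}: aggregate={'ok' if agg else 'FAIL'} "
              f"per-pair={'ok' if pair else 'FAIL'}")
```

Only the per-pair check flags M; R2, which merely forwards the substituted packets, passes both checks, so the pair counters localize the router that performed the substitution.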
Davis doesn't have a high-speed network that we can use - will try NASA Ames
Workshop at NASA in mid-August that we should put something together for.
Anomaly Detection work
SYN Flood example - you can train the statistical engine
Check to see where the volume of flow is going
MB: Denial of Service (DoS) is inherent in the protocols; not an easy problem to solve
Magic cookies - reduce vulnerabilities similar to covert channels, which reduce bandwidth.
Close connections quickly
Too much noise - insert bogus packets into stream
Anyone in the world can take down your computer; even if you use encryption, you still need the server to be up.
Routers to detect DoS?
DS: Anonymous traffic flow to site, you can't reach it, what do you do?
MB: Raise an alarm, notify a human
Try to reach hosts that are sending info.
If you can't take out a system, take out their notification system (IDS)
Router gives you less or no capacity
ICMP packet - slows down traffic either by an absolute amount or by a percentage
Slow down sending to that host only
Malicious router can't slow you down - won't see dropped packets
What if the malicious router doesn't forward the quench packets, so the connect speed doesn't slow down?
Need to establish a meaningful baseline for Anomaly Detection
Monitor all connections - build up a pattern of what to expect
TA: Is there a program that can trace a map of the Internet?
MB: Michael Swantz at Boulder, CO (boulder.colorado.edu)
Can you monitor bandwidth of links? ISP keeps information confidential.
Send packets to transit ISP.
For Next Week
Dean and Tuomas work on the Serbian problem in more detail