CERT
ISW'97 site

Mobile Agents and Network Survivability
David L. Black and Clifford Kahn, The Open Group Research Institute

Research is needed on infrastructure for distributed detection and response to network attacks in a system of systems environment where global trust and fortified perimeter approaches to network security are infeasible. One such environment is the Internet, where the potential for attacks and the limits of current responses are demonstrated by recent SYNflooding attacks on Internet sites. Such an infrastructure should also be applicable to single focus congestion (e.g., when a communication link is not available due to a surge of users accessing a popular site), and to containing contagion attacks involving a propagating virus or worm. For space reasons, this position paper focuses on the SYNflooding example.

A SYNflooding attack exploits resource exhaustion via partial establishment of TCP connections. The attacker bombards a TCP port on a target host with numerous TCP connection requests (SYNs) that cannot be completed because they appear to come from random source IP addresses. The target host creates a half open TCP connection for each request and attempts to synchronize (SYN+ACK) with the host at the (random) source IP address. This synchronization fails by timing out when the source IP address is for a host that does not exist or will not respond (e.g., a host behind a firewall). The SYNflooding attack exhausts resources used by half open connections, causing the target to reject or rapidly time out new connection requests. SYNflooding attacks are most effective when directed at ports that can expect to receive arbitrary connection requests (e.g., web server ports), and hence have no reasonable way to detect forged source IP addresses.

The Internet community has responded to SYNflooding attacks, but the resulting defensive measures will not stop a more capable adversary. The defensive measures consist of outbound filters to prevent forged source addresses from entering the Internet and hardened TCP implementations that better resist the attack (orders of magnitude improvement have been obtained). A more capable adversary who can compromise a T1 or T3 connected host and its associated router can remove the outbound filters and launch an overwhelming attack that will produce denial of service in even a hardened TCP. The vulnerability of hardened TCP implementations to denial of service attacks increases with network distance (delay) between client and target. This is of particular concern in mobile environments because mobile communication technologies often involve significant communication delays (e.g., 320ms via a geostationary satellite including ground equipment [Telesat]).

An important research goal is to provide distributed infrastructure for automatic or semi-automatic detection, tracing, and suppression of attacks. Routers are a promising focus of such an infrastructure, because routers have the first opportunity to counter network attacks, and the volume of traffic flowing through them creates significant leverage in applying countermeasures. For example, a possible response to a SYNflooding attack is to have each router determine whether it is carrying SYNs for the targeted port, preemptively discard a large proportion of such SYNs, and report the links by which the SYNs reached the router. This strategy reduces the effects of the attack by applying distributed backpressure and provides information to help identify the source(s) of the attack. A backpressure response also alleviates single focus congestion, and analogous measures could be used to disable the transmission mechanism of some contagion attacks.
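The router-side backpressure response described above, as an added illustration that is not part of the paper or of any real router software: a router counts SYNs per destination port and ingress link, discards a configurable fraction of SYNs for a flagged target, and reports the links by which those SYNs arrived. Packets, link names and addresses are constructed; nothing touches a network.

```python
"""Constructed model of distributed SYN backpressure at a router (illustration only)."""
import random
from collections import defaultdict


class BackpressureRouter:
    def __init__(self, drop_fraction=0.9, seed=0):
        self.drop_fraction = drop_fraction  # share of SYNs to discard for a flagged target
        self.flagged = set()                # (dst_host, dst_port) pairs under attack
        # target -> ingress link -> number of SYNs seen, used for the report
        self.syn_by_link = defaultdict(lambda: defaultdict(int))
        self.rng = random.Random(seed)

    def flag_target(self, dst_host, dst_port):
        """Start applying backpressure for a target (e.g. after a report from the victim)."""
        self.flagged.add((dst_host, dst_port))

    def forward(self, pkt):
        """Return True if the packet is forwarded, False if preemptively discarded."""
        link, src, dst_host, dst_port, flags = pkt
        if flags == "SYN":
            self.syn_by_link[(dst_host, dst_port)][link] += 1
            if (dst_host, dst_port) in self.flagged and self.rng.random() < self.drop_fraction:
                return False
        return True

    def report(self, dst_host, dst_port):
        """Links by which SYNs for the target reached this router, busiest first."""
        counts = self.syn_by_link[(dst_host, dst_port)]
        return sorted(counts.items(), key=lambda kv: -kv[1])


def simulate(n_attack=1000, n_legit=100, drop_fraction=0.9):
    """Flood on link 'if2' from forged sources plus legitimate SYNs on 'if1' (constructed)."""
    router = BackpressureRouter(drop_fraction)
    router.flag_target("10.0.0.5", 80)
    rng = random.Random(1)
    pkts = []
    for _ in range(n_attack):
        pkts.append(("if2", "198.51.100.%d" % rng.randrange(256), "10.0.0.5", 80, "SYN"))
    for _ in range(n_legit):
        pkts.append(("if1", "192.0.2.10", "10.0.0.5", 80, "SYN"))
    forwarded = sum(router.forward(p) for p in pkts)
    return forwarded, router.report("10.0.0.5", 80)
```

Because the router cannot tell forged from genuine SYNs on a public port, legitimate clients lose the same fraction and rely on TCP's SYN retransmission; the report identifies the link that carried the bulk of the traffic, which is the tracing information the text refers to.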

A distributed response infrastructure for this class of problems requires a new trust model for evaluating assertions and directions from software agents and humans. The following characteristics of the Internet and similar environments without global trust make conventional trust models inappropriate:

Failure. The possibility of both transient and permanent failure of any system component necessitates a notion of trust failover to avoid propagation of failure through the trust model.

No Single Trust Authority implies a need for multiple independent trust sources to avoid the situation in which compromise of a single authority exposes the entire system of systems. A potentially useful notion is cumulative trust, wherein the credibility of an assertion rises as it is made by more independent sources.

Compromise. The possibility of an attacker compromising one of the systems involved requires the ability to conclude that the compromised system is not trustable and hence assertions made by it in the recent past are not to be believed.

The Range of Available Responses to attacks requires a notion of severity, so that actions with more severe consequences require a higher degree of authorization (e.g., human).

The latter three items contribute to a requirement that an attacker should not be able to use the response infrastructure to launch a more deadly attack than could be launched without it. Such a trust model must have no single point of disastrous vulnerability and must subject actions that change its behavior to increasing degrees of scrutiny (e.g., higher degrees of authorization from more sources) as the consequences of those actions increase. The preferred philosophy is one of augmenting rather than replacing human network managers, as there will always be human insights that an automated system will not see, and a threshold beyond which human approval is necessary before deploying a severe response (e.g., partial shutdown).
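Three of the trust-model requirements above (cumulative trust from independent sources, distrust of a compromised system's recent assertions, and severity-graded authorization with a human threshold) in one constructed evaluator. This is an added illustration, not the Adage implementation; the severity levels, source-count thresholds and revocation window are assumptions.

```python
"""Constructed trust evaluator for attack assertions (illustration only)."""

# Assumed severity levels for the responses discussed in the text.
SEVERITY = {"report_links": 1, "drop_syns": 2, "partial_shutdown": 3}


class TrustModel:
    def __init__(self, min_sources, human_above=2, revoke_window=600):
        self.min_sources = min_sources      # {severity: independent sources required}
        self.human_above = human_above      # severity above which a human must approve
        self.revoke_window = revoke_window  # seconds of a compromised source's history to disbelieve
        self.assertions = []                # (source, claim, timestamp)
        self.compromised = {}               # source -> time at which compromise was detected

    def assert_claim(self, source, claim, ts):
        self.assertions.append((source, claim, ts))

    def mark_compromised(self, source, ts):
        """Compromise detected: assertions the source made in the recent past are revoked."""
        self.compromised[source] = ts

    def credible_sources(self, claim):
        """Independent sources with a non-revoked assertion supporting the claim."""
        sources = set()  # a set, so repeated assertions by one source count once
        for source, c, ts in self.assertions:
            if c != claim:
                continue
            t_comp = self.compromised.get(source)
            if t_comp is not None and ts >= t_comp - self.revoke_window:
                continue  # made while the source may already have been under attacker control
            sources.add(source)
        return sources

    def authorize(self, action, claim, human_approved=False):
        """Return (allowed, reason) for an action justified by `claim`."""
        sev = SEVERITY[action]
        have = len(self.credible_sources(claim))
        need = self.min_sources[sev]
        if have < need:
            return (False, "denied: need %d independent sources, have %d" % (need, have))
        if sev > self.human_above and not human_approved:
            return (False, "pending: human approval required")
        return (True, "authorized")
```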

A promising approach to building a distributed response infrastructure is to employ mobile code in the form of mobile agents. For this paper, we define a mobile agent as an encapsulated active object (code and data) that performs computation and can make its own movement decisions. Mobile code is involved in execution of the mobile agent, and may also be part of the mobile agent's data (e.g., a mobile agent transporting a bug fix along with instructions for applying it). Mobile code is a fundamental requirement for flexibility of response and system evolution because it is impossible to predict in advance the responses and preventive measures that will be required by future attacks. The ability of mobile agents to make independent decisions (e.g., reevaluation of trust assumptions, redirection of communication in response to failure or compromise) can help avoid long decision cycles for situations in which human intervention is not required.

Current work on the Adage authorization policy manager [Zurko96] provides a valuable foundation for building an authorization system for mobile code in a system of systems environment. Adage can be extended to manage agent authorization via an experimental implementation of a novel trust model meeting the above requirements. The mobile code authorization challenges faced by this approach are largely independent of the use of mobile agents, and would be faced by any distributed response infrastructure that uses mobile code. Designing an infrastructure that could in theory promote survivability is not enough; what is required is designing one that will in practice promote survivability by enabling network system managers to understand and control both security policies and their effects.

[Telesat] Telesat, Satellite Delay and Response Times, http://www.telesat.ca/tssdrt.htm.

[Zurko96] Mary Ellen Zurko and Rich Simon, "User-Centered Security", New Security Paradigms Workshop, 1996.
