Lockheed Martin sponsored DDoS Defense Conference
=================================================

On December 20, 2001, Lockheed Martin sponsored a conference where a selected set of vendors, who claim to have "solutions" to one or more of the issues of DDoS, gave brief presentations on their technologies.

DDoS itself is a very complex problem set, which has several aspects. These include:

o Exploitation of host level security weaknesses, used to create networks of attack agents and handlers, and for stepping stones used by attackers to anonymize themselves.
o Host level detection of attacks (e.g., the initial compromise of hosts described in the previous item)
o Network level detection of attacks (either the compromises described in the previous item, or a DoS attack involving host or network level resource consumption, a la SYN or ACK floods, or a network bandwidth consumption attack.)
o Reaction to a DDoS attack to stop the flooding

Most vendors' offerings fall into just one of these categories, although some combine two or more capabilities. No vendor can provide a solution for all aspects of DDoS.

The following are notes on the presentations of each vendor.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Distributed Denial-of-Service," by Walter McCormack (617-354-9292 x125, walter@mazunetworks.com), Mazu Networks, http://www.mazunetworks.com

o Focused on network level detection and reaction
o Founded May 2000
o MIT based (DARPA funded) research
o High-speed packet processing system, profiler
o Collection:
  + Inline, forwarding traffic (all traffic visible) - 500Mbps
  + Tap a link (passive - up to GigE, minimum sized packets) - OC12 in Q1-02
  + Collect info from routers (netflow)
o Anomaly based detection
  + Source/dest IP/port
  + TTL, protocol, packet payload, length (any field)
  + Source histogram variance, flow volume variance, etc.
o Recommends filters with guidance about impact
o Can handle asymmetric routes, multiple links.
o Coordination servers handle communication between distributed devices (even in other facilities.)
o Customer deployments
  + New York Mercantile Exchange
  + MTVI

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"MANAnet Shield: DDoS Defense Using Fair Service," by K. Narayanswamy (310-337-3013, swamy@cs3-inc.com), CS3, http://www.cs3-inc.com

o Focused on network level detection and reaction
o Founded 1991, R&D background
  + Privately held
  + Internet event monitoring/DDoS started in 1999
o Main defense against "packet flood" attacks
  + Modified router
  + Modified firewall
o Three components to defense
  + "Enhanced IP" (packet marking used to identify source of traffic)
  + "Fair Service" path based queuing
  + Cooperative rate limiting
o Reverse firewall also blocks outbound attacks
  + Source of attacks easy to track by "Enhanced IP"
o Target market
  + Large ISPs
  + Universities
o Available today
  + MANAnet router
  + Reverse firewall
  + Working on GigE (Q1/Q2 02)
o Customer deployments
  + Motorola
  + Citicorp

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Distributed Denial-of-Service," by Dave Olverson (781-768-3279, davido@arbor.net), Arbor Networks, http://www.arbornetworks.com

o Focused on network level detection and reaction
o Anomaly based detection
  + Performs baseline assessment, then notes anomalies (lowers the false positive rate)
  + Supports traceback by noting which ingress/egress routers are involved (without requiring alteration of packets)
  + Thresholds all configurable
o Adjunct processor connects to routers, but not "bump in the wire"
  + Primary goal of not changing the infrastructure
  + Collectors and analyzer based on stripped down OpenBSD
  + Use Cisco netflow or Juniper cflowd data
  + Can use sampled data (doesn't need full packets, or all flows)
  + Currently handles OC-3 up to OC-96.
o Partnered with Cisco
  + Working with netflow & GSR groups
  + Integrated with Cisco PIX firewalls
o Customer deployments (20 at present)
  + Cisco

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Anomaly Detection Using 'Normal' Data," by Lynn Jones (206-545-2941, lwjones@shai-seattle.com), SHAI, http://www.shai.com

o Focused on detection
o R&D company
  + Expertise in AI
  + Research into AI methods for anomaly detection
  + Also researching event correlation to minimize false positives (including detection of previously unknown attacks)
o Working towards solutions that do not require modifications to hardware or protocols
o Current DDoS project: "Change and Anomaly Detection" (ChAD)
o Using "passive adaptive decision tree"
  + Learns new concepts, pruning old ones out over time
  + Used by agent based system to compare against baseline data
o Customer deployments
  + Research only - no products deployed

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Distributed Denial-of-Service," by Jim Wellington (301.253.6499, jwellington@entercept.com), Entercept, http://www.entercept.com

(Missed first part of presentation due to voice bridge problems.)

o Focused on host-level detection
o More of a host-level event monitoring tool (not a network level one.) Aimed at detecting installation of DDoS agents and handlers at time of compromise.
o Uses agent/collector model for gathering data on attacks.
o Main product Windows based, but have Linux product and are working on AIX, HP/UX, etc. (Q3 02)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Distributed Denial-of-Service," by Brian Watt (571-434-8402, bwatt@recourse.com), Recourse Technologies, http://www.recourse.com

o Focused on detection and reaction
o Use of IDS and honeypot for "threat management"
o IDS components
  + Detection of attacks
  + Reaction to attacks
  + Deception
o Working to complement IDS, firewall, and host logging
  + Aggregate and correlate events
o The presentation specifically mentions the IETF iTrace effort, and the claim was made that this kind of real-time, multi-hop traceback is available in the ManTrap product today. This claim is based on the assumption that ManHunt agents are deployed across the entire domain, all the way back to the attacker's network. This is NOT the case in the current Internet, so this claim is actually that it is THEORETICALLY POSSIBLE to do this, NOT that it can be done today with Recourse's product.
o They also claim to be developing a technology that will work (in a Carnivore-like way, using recent legal relaxations of restrictions on trap and trace) designed to work across all ISPs and support real-time traceback and activity logging all the way back to an attacker. This is also a vapor-ware claim, and will certainly have privacy implications if it is ever to be widely deployed.
o Note that Recourse also is pushing their "deception technology" (a form of simulated environment honeypot) and they claim this can be used to detect and block DDoS attack network setup. Since ManTrap only runs on Solaris, this claim is only true for a very limited number of cases of DDoS tools. It is entirely useless against the most recent large scale worms, such as Code Red and Nimda.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Top Down Security Policy Management," by Dana Kuntz (703.318.0418, dana.kuntz@solsoft.com), Solsoft, http://www.solsoft.com

o Provides centralized security policy management capabilities
o Focused on prevention
o Not intended to directly address DDoS attacks, but to instead improve an organization's security posture through the consistent implementation of security policies

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Distributed Denial-of-Service," by Matt McConnon (781-209-3221, mmcconnon@okena.com), OKENA, http://www.okena.com

o Focused on host level detection
o Two aspects to DDoS prevention
  + Prevention of installation of agents/handlers
  + Prevention of liability resulting from participation of your hosts in an attack
o Utilize an "intrusion prevention approach"
  + Correlation of events across the entire organization can allow you to detect DDoS network setup, or worm activity
o Tested up to 2500 agents with one manager

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Reducing Fratricide in CyberWar," by Ed Sherman (esherman@aprisma.com), Aprisma/SSCI, http://www.aprisma.com

o Focus on tactics for responding to attacks
o Emphasized issues of incident response (e.g., forensics) that hinder effective resolution
o Critical of IDSs for their false positive rate
o (Could not see the slides, which were heavily used during the presentation. Aprisma sounds like they are heavily involved in DDoS response research, and were discussing the lessons they've learned and not marketing a product per se.)

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

"Distributed Denial-of-Service," by Terence McCarthy (410-552-0375, terencem@trustwave.com), TrustWave, http://www.trustwave.com

(Did not present.)
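The anomaly based detection that Mazu and Arbor describe in the notes above (learn a baseline, then flag source histogram variance, flow volume variance and similar deviations) and Mazu's "filters with guidance about impact" can be made concrete in a few dozen lines. The following is an added illustration for these notes, not code from any of the vendors or from the author; the flow records, the client and attacker addresses (documentation ranges), the four features, the mean-plus-three-standard-deviations threshold rule with its small floor, and every function name are assumptions made for the example.

```python
"""Baseline-then-anomaly detection over netflow-style records, plus an estimate of
what a candidate filter would drop. Added example; all records are constructed."""
import math
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One exported flow. syn_only marks a TCP flow with a SYN but no completing ACK."""
    window: int      # time bucket the flow was exported in
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    syn_only: bool


# assumed feature set: volume, source diversity, source-address entropy, half-open ratio
FEATURES = ("flows", "distinct_src", "src_entropy", "syn_ratio")


def window_features(flows):
    """Summarize each time window into the feature set above."""
    by_window = {}
    for f in flows:
        by_window.setdefault(f.window, []).append(f)
    feats = {}
    for w, fl in by_window.items():
        srcs = Counter(f.src for f in fl)
        total = sum(srcs.values())
        entropy = -sum(c / total * math.log2(c / total) for c in srcs.values())
        tcp = [f for f in fl if f.proto == "tcp"]
        syn_ratio = sum(1 for f in tcp if f.syn_only) / len(tcp) if tcp else 0.0
        feats[w] = {"flows": len(fl), "distinct_src": len(srcs),
                    "src_entropy": entropy, "syn_ratio": syn_ratio}
    return feats


def build_baseline(feats, windows):
    """Mean and population standard deviation of each feature over quiet training windows."""
    return {name: (mean([feats[w][name] for w in windows]),
                   pstdev([feats[w][name] for w in windows])) for name in FEATURES}


def detect(feats, baseline, windows, k=3.0):
    """Flag windows where a feature exceeds mean + k*stdev. The floor keeps a zero-variance
    baseline from turning every tiny fluctuation into an alert (assumed rule)."""
    alerts = {}
    for w in windows:
        hits = []
        for name, (mu, sigma) in baseline.items():
            threshold = mu + k * max(sigma, 0.05 * max(mu, 1.0))
            if feats[w][name] > threshold:
                hits.append((name, round(feats[w][name], 3), round(threshold, 3)))
        if hits:
            alerts[w] = hits
    return alerts


def filter_impact(flows, window, baseline_sources, predicate):
    """Guidance about impact: count what a candidate filter would drop in one window,
    split into flows from sources seen during the baseline (a proxy for legitimate
    clients) and flows from sources never seen before."""
    hit_known = hit_new = 0
    for f in flows:
        if f.window == window and predicate(f):
            if f.src in baseline_sources:
                hit_known += 1
            else:
                hit_new += 1
    return hit_known, hit_new


def make_sample_flows():
    """Constructed data: eight quiet windows of web traffic from eight clients, with a
    SYN flood from 200 never-seen (spoofed) sources added on top of window 6."""
    clients = [f"192.0.2.{i}" for i in range(1, 9)]
    flows = []
    for w in range(8):
        for i in range(24):
            flows.append(Flow(w, clients[i % 8], "198.51.100.10", 80, "tcp", 12,
                              syn_only=(i % 12 == 0)))  # a couple of benign half-open flows
    for i in range(200):
        flows.append(Flow(6, f"203.0.113.{i + 1}", "198.51.100.10", 80, "tcp", 1, syn_only=True))
    return flows


def run_demo():
    """Train on windows 0-5, test windows 6 and 7, then score a 'drop half-open SYNs' filter."""
    flows = make_sample_flows()
    feats = window_features(flows)
    baseline = build_baseline(feats, range(6))
    alerts = detect(feats, baseline, [6, 7])
    known = {f.src for f in flows if f.window < 6}
    impact = filter_impact(flows, 6, known, lambda f: f.proto == "tcp" and f.syn_only)
    return alerts, impact


if __name__ == "__main__":
    alerts, (hit_known, hit_new) = run_demo()
    for w, hits in alerts.items():
        print(f"window {w}: " + ", ".join(f"{n}={v} (> {t})" for n, v, t in hits))
    print(f"filter in window 6 drops {hit_new} new-source flows and {hit_known} known-client flows")
```

Only window 6 trips all four features; window 7 returns to baseline and stays quiet. The impact estimate is the part that matters operationally: the same filter that removes the 200 flood flows also discards the two benign half-open flows from known clients, which is exactly the trade-off an operator needs to see before a filter is pushed to a router.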
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Personal comments on the conference
===================================

Many companies make claims that they have DDoS related "solutions." Most do not take the time to explain the complexity of the DDoS problem (even at the high level I did at the top of this summary), and what issues their products do/do not address. This is great if you are a marketing person and all you care about is making sales. It is terrible if you are a customer and you are sold a product that makes you think you are now "safe from DDoS", when you may still have an exposure, or you are looking for that silver bullet and don't realize there isn't one.

As always in these discussions, I encourage anyone trying to find a "DDoS solution" to first read the report of the Distributed Intruder Tools Workshop, sponsored by CERT/CC in November 1999 (go ahead... I'll wait):

http://www.cert.org/reports/dsit_workshop-final.html

Arbor, Mazu, and CS3 were the only vendors to present solutions that address DDoS from the network level, including some kind of active response to stop attacking floods. Of these, Arbor focuses more on fitting into existing infrastructures, while Mazu and CS3 picture their own hardware being part of the network infrastructure (CS3 going so far as to require it to get the full benefit of their ideas.) Recourse, which also has a network oriented solution (but limited more to detection and traceback, not response via filtering packets), requires widespread deployment of their technology in order to live up to their claims.

If the timeline for a widely deployed solution is on the order of years, Mazu, CS3, and Recourse have a chance (as do solutions like IETF iTrace and the Host Identity Protocol) but they have chosen a difficult path.
They will need to fight hard to convince the majority of the market to buy into their technologies and accept the changes to routing infrastructure architecture necessary to meet their prerequisites, or for standards bodies and manufacturers to adopt the changes they require.

If the timeline is more immediate, companies like Arbor, which is aiming to fit in with existing infrastructure (and Mazu, to a lesser degree, if you leave out the TrafficMaster Enforcer component), will have a better fit in the short term, as they do not require significant changes to existing network infrastructure. Having to add a "bump in the wire" to a network sends shivers down the spines of most network engineers, who see this as added hardware and an added single point-of-failure (which fails off, causing disruptions to normal traffic.) Only supporting lower levels of optical speeds (OC-3 or below) means some networks are already too large for their offerings.

Companies like Entercept, OKENA, and SolSoft focus on host level defenses, aimed at detection in real-time, to augment response. There is certainly a need to improve the security of end hosts, the ones exploited to install DDoS handlers and agents, and to be used as stepping stones by attackers. These capabilities are not really addressed by operating system vendors, who rely on third parties like Tripwire to provide integrity checking, and for the policy management and detection capabilities of an Entercept or SolSoft. These tools definitely have a role, and their benefit is to both the sites that use them and the DDoS victims who were spared receiving packets from hosts on these networks. (There is still a large class of highly populated sites, such as broadband and DSL providers, whose customers' systems can easily -- trivially, and without any fear of discovery in some cases -- be used for setting up massive DDoS networks. This is the market for the Arbors, Mazus, and CS3s.)
My biggest problem is with Recourse Technologies' "solutions." They offer ManHunt (for detection and traceback) and ManTrap (for deception.) I find the claims for these products to be highly exaggerated. The presenter mentioned the Honeynet Project (of which I am a member) as a model for setting up deception networks, and went on to suggest that ManTrap is an ideal model of a deception network that the government can use to catch attackers. We recently released a paper on Honeynets (what they are, what benefits/costs are associated with their use, the risks they introduce, and some privacy and legal implications.) You can find this paper at:

http://project.honeynet.org/papers/honeynet/

The Honeynet Project does not consider honeypots or honeynets to be defenses against DDoS, in anything other than a research mode. In fact, you actually risk INCREASING your downstream liability if you implement a honeypot without some method of data control, you don't monitor it carefully enough, and it is used to attack another site. The claim that ManTrap (which only runs on Solaris, and provides no control of what an intruder does once on the system) can be used to detect worms and DDoS network setup is highly over-sold, and the claim that it can be used to do real-time traceback of DDoS attacking hosts a la the IETF iTrace proposal (especially attacks that spoof source addresses), or to go through multiple stepping stones and actually catch an attacker, is simply false. There is NO WAY this can be done, today, with existing tools, techniques, and the current architecture of the Internet. It is still a painful, time consuming, manual process, and can easily be defeated by attackers who are smart enough in their use of stepping stones, and I think it will remain this way for quite some time.
This is an area where the managed security services companies, and those doing research into incident response tactics and forensic techniques, like TrustWave, Solsoft, and Aprisma, are of most benefit. I personally think that incident response and forensic capabilities are still a highly neglected area of DDoS defense, causing some attacks to last for days or weeks. Recent focus on DDoS response and forensics by organizations such as SANS and the Air Force Research Lab, and several new books (like the following) are greatly improving the situation:

"Handbook of Computer Crime Investigation: Forensic Tools and Technology," by Eoghan Casey
"Computer Forensics: Incident Response Essentials," by Warren G. Kruse II and Jay Heiser
"Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community," by The Honeynet Project
"Incident Response: Investigating Computer Crime," by Chris Prosise and Kevin Mandia

My final problem with Recourse's presentation was the claim that they are working on technologies which take advantage of relaxed laws on law enforcement "trap and trace", or that they are lobbying Congress for further new legislation to allow automated, victim directed traceback of DDoS attacks. This has serious privacy implications that were hotly debated in a CERIAS sponsored Attack Traceback Summit. The proceedings from that summit are available here:

http://www.cerias.purdue.edu/traceback/

Even if the US populace was to accept further erosion of their privacy rights, and all US ISPs were to adopt and implement the changes that Recourse requires for their ManHunt to work as they claim, that still leaves the entire remainder of the world as places to use for stepping stones, which are outside the jurisdiction of US laws and law enforcement, and thus would defeat ManHunt. This is a very long way away from being "real-time traceback," and is also over-sold.
Further resources on DDoS can be found at:

http://staff.washington.edu/dittrich/misc/ddos/

Dave Dittrich

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=