Study of the impact of distributed and multi-path attacks on network security solutions

Damien Riquet, Gilles Grimaud, Michaël Hauspie
Team 2xS, Université Lille 1, France
29 October 2012

Study on security of cloud computing structure

Cloud Computing: a popular model to process large data sets
- Several layers according to the needs of customers
- Store confidential data
- Growing concern about its security

Security could delay cloud adoption
- "62% of companies decided to wait at least 12 months because of the common mistrust to cloud security" [Spi10]

Attacks on the cloud
- Distributed attacks to evade security solutions [RGH12]
- Weaknesses of cloud structure

Structure weaknesses of cloud computing
[Figure]

Goals of this paper
- Study security solutions used by Cloud Computing
- Show that distributed attacks could be very efficient
- Multi-path architecture
- Use-case: distributed portscan

Cloud security - Security solutions commonly used

Firewalls [BC94]
- At the border of the network
- Analyze traffic between two networks
- Security policies

Intrusion Detection System (IDS) [Ped05]
- Network or Host based
- Passive device: raise alarms
- Pattern-matching, analyze traffic

Previous work

Large-scale coordinated attacks : Impact on the cloud security [RGH12]
- Our first study on the impact of distributed attacks
- Focuses on one-path architecture
- Security solutions: Open-source / Industrial
- Various variables on the distributed portscan use-case
- Few attackers were enough to remain undetected

Goals of this paper
- Multipath architecture
- Worst cases of [RGH12]

Purpose of experimentations

Study the impact of attacks on large structures [RGH12]
- Identify weaknesses of such architectures,
- Know how many hosts are necessary to carry out an attack undetected,
- Devise a way to detect intrusions collaboratively.

Key variables
- Distribution methods,
- Attack variables (techniques, timing, etc.),
- Multipath structures.

Distributed portscan: a use case

Usage and goals
- Reconnaissance phase,
- Discover weaknesses of a network,
- Used by worms, malicious hackers.

Distribution methods
- Naive distribution,
- Loop distribution.

Network topology
[Figure: network topology; labels: Cloud Computing, Internet host, Cloud host, Firewall / IDS]

Multipath structures (1/3), (2/3), (3/3)
[Figures: multipath structures between Attackers and Targets]

Evaluation

Attacker Success Rate (ASR)
- n = number of ports successfully scanned before detection
- T = total number of ports to scan
- $ASR = \frac{n}{T}$

Gain
- p = number of possible paths
- $ASR_x$ = ASR for an attack on an x-path structure
- $Gain_p = \frac{ASR_p}{ASR_1}$

1 path, Connect scanning
[Figure: ASR (percentage) versus number of attackers; series: Naive and Loop distribution at 50 ms, 250 ms and 1000 ms]

Multipath, Loop distribution, 32 attackers, 250 ms
[Figure: Gain versus number of paths; series: T1, T2, T3 for SYN and Connect scanning]

Conclusion

Key points
- Few scanners could be enough to remain undetected
- Weakness of a network is proportional to the number of paths
- Basic distribution methods

Impact of distributed attacks on multipath architecture
- Few scanners are enough to remain undetected
- Effectiveness of the attack is proportional to the number of paths
- No network noise, basic distribution methods

Future work
- Collaborative IDS using virtual and physical probes
- Design of a language for this security application domain

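The ASR and Gain definitions from the Evaluation slide, worked through as an added example (not code from the presentation): a toy threshold detector runs once per path, then once over the merged view a collaborative IDS would have. The detection rule, thresholds, round-robin path assignment, address and port numbers are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed parameters: T ports to probe, seconds between probes,
# alarm threshold (distinct ports per target) and sliding window length.
T, INTERVAL, K, WINDOW = 200, 0.25, 20, 60.0

def probes(paths):
    """Constructed sensor log: (time, dst, port, path), round-robin over paths."""
    return [(i * INTERVAL, "10.0.0.5", 1000 + i, i % paths) for i in range(T)]

def first_alarm(events):
    """Time at which one view sees K distinct ports on a target within WINDOW."""
    recent = defaultdict(deque)  # dst -> (time, port) pairs still in the window
    for t, dst, port, _ in sorted(events):
        q = recent[dst]
        q.append((t, port))
        while q and q[0][0] < t - WINDOW:
            q.popleft()
        if len({p for _, p in q}) >= K:
            return t
    return None

def asr(events, views):
    """ASR = n / T, n = probes completed before the earliest alarm of any view."""
    alarms = [a for a in (first_alarm(v) for v in views) if a is not None]
    if not alarms:
        return 1.0  # never detected: every port was scanned
    earliest = min(alarms)
    return sum(1 for e in events if e[0] < earliest) / T

def isolated_asr(paths):
    """One independent sensor per path, each seeing only its own traffic."""
    ev = probes(paths)
    return asr(ev, [[e for e in ev if e[3] == k] for k in range(paths)])

def collaborative_asr(paths):
    """Sensors share observations, so the detector sees the merged stream."""
    ev = probes(paths)
    return asr(ev, [ev])

def gain(paths):
    """Gain_p = ASR_p / ASR_1 for isolated sensors."""
    return isolated_asr(paths) / isolated_asr(1)

if __name__ == "__main__":
    for p in (1, 2, 4, 8):
        print(p, isolated_asr(p), round(gain(p), 2), collaborative_asr(p))
```

Under these assumptions the gain for isolated sensors grows linearly with the number of paths, while the merged view keeps the ASR at its one-path value.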
Questions

Security probes all over the cloud

Damien Riquet - damien.riquet@lifl.fr
Gilles Grimaud - gilles.grimaud@lifl.fr
Michaël Hauspie - michael.hauspie@lifl.fr
http://www.lifl.fr/ riquetd/

References

[BC94] S. M. Bellovin and W. R. Cheswick, Network firewalls, IEEE Communications Magazine 32 (1994), no. 9, 50-57.
[Ped05] Naga Raju Peddisetty, State-of-the-art intrusion detection: Technology, challenges, and evaluation, 2005.
[RGH12] Damien Riquet, Gilles Grimaud, and Michael Hauspie, Large-scale coordinated attacks : Impact on the cloud security, The Second International Workshop on Mobile Commerce, Cloud Computing, Network and Communication Security 2012 (2012), 558 (English).
[Spi10] Spiceworks, New study sees rise in cloud services adoption among small and medium businesses in first half of 2010, 2010.

Collaborative security system
[Figure labels: DSL, Host, Hypervisor, Guest OS, Virtual probe, Physical probe, FPGA]