Towards a More Secure and Robust Internet
Cs3, Inc., Los Angeles

Abstract

With funding from the Defense Advanced Research Projects Agency (DARPA) and the California Technology Investment Partnership (CALTIP), Cs3 is constructing building blocks for a more secure and robust Internet. The technologies being developed solve long-standing problems such as elimination of IP source address forgery and pave the way for defenses against packet flooding and associated Denial of Service attacks. Key parts of these technologies are patent-pending. Implementation and testing of these technologies are under way for both IPv4 and IPv6.

1. Infrastructure Vulnerabilities and Their Impact
The Internet was designed for speed and growth. The infrastructure is certainly working as envisioned by that yardstick. However, the Internet continues to be vulnerable to various security and robustness problems. This paper focuses on some fundamental deficiencies in the Internet architecture and protocols, and ways to remedy these shortcomings. Emphasis is placed upon infrastructure-level issues rather than site-level problems such as virus protection, intrusion detection, password protection.

Denial of Service (DoS) and Distributed DoS (DDoS) attacks are a prime symptom of underlying infrastructure deficiencies. In February 2000, coordinated attacks lasting just a few hours on eBay, CNN, and Yahoo! are estimated to have caused over $1 billion in damages [Yankee Group]. Another attack in January 2001 on Microsoft is still being assessed, but dented the company's reputation. The Computer Emergency Response Team (CERT), itself targeted in successful DDoS attacks in March 2001, warns repeatedly that there is currently no technology to deal with this problem and recommends general vigilance and administrative measures to minimize the potentially devastating impact of a DDoS attack.

Responding to the above and other kinds of security problems on the Internet is complicated by the fact that those wanting to cause mischief can forge a packet's origin or source address, and thus escape detection. A major weakness in the Internet protocols is that it is possible for packet source forgery to occur.

Some problems with "the Internet" are caused by bugs in the programs that implement its protocols. These bugs are predictably exploited to do great damage. Recent furors over inadequacies in implementations of TCP and Domain Name Servers are examples of problems that will eventually be solved by removing the bugs from those implementations. The focus of this paper is on the inadequacies of the Internet protocols as specified, not the particular deficiencies of particular flawed implementations of the specification.

With near universal availability of permanent and faster connections to the Internet, and with the attendant decrease of network security expertise per individual computer, many DDoS attacks are being launched by attackers through "slave" computers (or "zombies") that they have managed to compromise. Often, attack scripts or programs are installed on these computers, enabling the unleashing of a well-disguised, distributed, coordinated DDoS attack that cannot be traced back to the attacker. All ISPs, universities, and major infrastructure administrators must be concerned about their computers being used in this fashion.

2. Existing Solutions
At present there is no deployed and fully automated solution to combat problems such as source forgery or Denial of Service attacks. Traditional network security products, such as firewalls and intrusion detection systems, are not equipped to address infrastructure-level problems like these. Some tools, various manual procedures, and administrative processes are used to combat these problems:

  • CERT's advisories specifically about DDoS attacks. CERT suggests that every installation should protect its own machines to prevent them from being used as "slaves" in mounting attacks on third parties.
  • WWW Security FAQ:
    Securing Against Denial of Service Attacks
  • Cisco's recommended measures (both forensics and preventive) in reaction to DDoS attacks
    ISPs are advised to implement ingress filtering, which is supposed to filter exiting packets that do not have source addresses within their purview. This can reduce the packet source forgery problem. However, few ISPs do this because there is no direct benefit to their subscribers.
  • Resisting Zombie Infestation:
    This category includes Intrusion Detection Systems, which try to safeguard computers from being taken over by hackers. In addition, like virus scanning, the system administrator can periodically use tools to ensure that the computers within the network do not have attack scripts with known signatures. Unfortunately, all the tools that fight zombie infestation rely on known intrusion and attack signatures.

While the above measures are certainly useful to some small degree they do not constitute practical, reliable solutions to these important problems.

Finally, a number of recent startup companies have advocated an approach to the DDoS problem that we refer to as "smart filtering." These companies recognize that it is too late to solve the problem when the packets arrive at their destination (i.e., the victim's site). While we are not familiar with all the details of these proprietary approaches (because they have not been published), it seems that these approaches work through intelligent, rule-based analysis of patterns and rates of the traffic flowing through ISPs or at points even further upstream. The problem is that this approach can, at best, only recognize attacks that have been seen and analyzed before. The result is likely to be similar to what we see today in virus scanning software: defenses are always trying to keep up with (and always fall a little behind) the attackers. Further, any analysis that makes use of the contents of packets is likely to fail as encryption becomes more widespread.

3. Cs3's Proposed Solutions
In today's Internet, security and robustness are NOT simply properties of a single site. A site that requires communication over the Internet can be no more safe or reliable than the public infrastructure upon which it depends for critical functions. True, CIO's can only control their own sites, but increasingly they are suffering the devastating consequences of being connected to a vulnerable infrastructure.

The central premise motivating this company is that it is possible to build the key mission-critical characteristics of security and reliability into the public infrastructure so that everyone can derive the benefits without adversely affecting performance, and without compromising the essential nature of the Internet as an open, decentralized, affordable, and universally available utility. In particular, Cs3 focuses attention where it belongs: on the fundamental protocols of the Internet infrastructure itself and the providers of that infrastructure. There are several important initial thrusts in the Cs3 technological approach to upgrading the Internet's reliability as a whole:

  • Elimination of Source Forgery:
    This is an important first step to reducing Internet vulnerabilities: a sender of packets should not be able to fake the source addresses of those packets. Cs3 is proposing an enhancement to the Internet Protocol (IP) called Path Enhanced IP (PEIP). With PEIP, a packet carries its own path information that is NOT controlled by the sender. More details about PEIP may be found in the Cs3 white paper IP Changes to Eliminate Source Forgery.
  • Establishing Cooperative Neighborhoods:
    Central to the idea of infrastructure reliability is the need for a group-level abstraction larger than a site, and, smaller than the entire Internet. A group of topologically adjacent routers that are similarly enabled (e.g., with PEIP and other useful capabilities) define a cooperative neighborhood. In Cs3's technologies, the cooperative neighborhood is used as the basis to provide enhanced collective security and reliability -- much more effectively than a single site could possibly be.
  • Fair Service Scheduling to Defend Against Distributed Denial of Service Attacks:
    Cs3 has a patent-pending "fair-service" approach to defending against packet flooding and related DoS attacks that allows customers their fair, uninterrupted share of shared resources even in the face of attacks. More technical details may be found in Cs3's white paper A Fair Service Approach to Defending Against Packet Flooding Attacks. This technology essentially proposes new queuing and scheduling schemes for routers.
  • Control of Outgoing Traffic at Potential Attack Sites:
    Understandably, most of the attention of those devising defenses against DDoS attacks has focused on stopping incoming traffic at the victim site or at upstream routers. Interestingly, however, it is much easier to choke off these attacks closer to their origin by relatively simple analysis of the outgoing traffic. Cs3's patent-pending Reverse Firewall implements a mechanism to limit the rate of outgoing "unexpected" packets from a network and ensures fair service scheduling as described above. ISPs, universities, and other infrastructure owners vulnerable to DDoS zombies can use this device to protect their computers from being used to mount DDoS attacks. The Reverse Firewall is described in more detail in the Cs3 white paper The Reverse Firewall: Defeating DDoS Attacks Emanating from a Local Area Network, and technical details about the rate limiting mechanism may be found in Cs3's white paper A Fair Service Approach to Defending Against Packet Flooding Attacks.
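An added illustration of the fair-service idea behind the two bullets above (the fair scheduling scheme and the Reverse Firewall's fair treatment of a network's users). It is not Cs3's code and does not reproduce the MANAnet scheme from the cited white paper; it simulates a per-source round-robin scheduler against a plain shared FIFO on a link that forwards 10 packets per tick. The host names, the per-tick arrivals and the per-source queue limit are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed traffic trace: each tick lists packet sources in arrival order.
# One flooding host sends 50 packets per tick; two legitimate hosts send 2 each.
TICKS = 10
ARRIVALS = [["attacker"] * 50 + ["alice"] * 2 + ["bob"] * 2 for _ in range(TICKS)]


def fifo_schedule(arrivals, capacity):
    """Shared drop-tail FIFO: forward the first `capacity` packets of each
    tick and drop the rest. A flood arriving first starves everyone else."""
    delivered = defaultdict(int)
    for tick in arrivals:
        for src in tick[:capacity]:
            delivered[src] += 1
    return dict(delivered)


def fair_schedule(arrivals, capacity, queue_limit=8):
    """Fair service: one bounded queue per source, served round-robin.
    Each active source receives at most one packet per round, so a source
    can never take more than its share while others have packets waiting;
    excess flood packets overflow only the flooder's own queue."""
    queues = defaultdict(deque)
    delivered = defaultdict(int)
    for tick in arrivals:
        for src in tick:
            if len(queues[src]) < queue_limit:  # per-source buffer, not shared
                queues[src].append(src)
        sent = 0
        while sent < capacity and any(queues.values()):
            for src in list(queues):
                if sent < capacity and queues[src]:
                    delivered[queues[src].popleft()] += 1
                    sent += 1
    return dict(delivered)


def share(delivered, src):
    """Fraction of forwarded packets that belonged to `src`."""
    total = sum(delivered.values())
    return delivered.get(src, 0) / total if total else 0.0


if __name__ == "__main__":
    for name, fn in (("FIFO", fifo_schedule), ("fair", fair_schedule)):
        out = fn(ARRIVALS, capacity=10)
        print(name, {s: (out.get(s, 0), round(share(out, s), 2))
                     for s in ("attacker", "alice", "bob")})
```

Under FIFO the flood takes the whole link and the two legitimate hosts deliver nothing; under fair service each of them delivers every packet it sent and the flooder is held to the capacity left over.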

4. Analysis of Benefits and Costs
In the short term, using Cs3's reverse firewall technology to rate limit unexpected packets at the points where they exit ISPs, universities, and other infrastructure owners will make a significant dent in the ability of DDoS attackers to use those sites to launch attacks. There are immediate benefits to both the infrastructure owner and to the Internet:

  • A DDoS attack from a particular network cripples the ability of other users of the network (presumably its legitimate customers) to communicate with the outside. The Reverse Firewall attenuates the effect of DDoS attackers, thereby preserving the ability of legitimate users to have unencumbered access to their share of the bandwidth.
  • As DDoS attacks become more common and more damaging in their impact, being proactive and diligent in preventing DDoS attacks will be seen as minimal requirements for responsible ownership of infrastructure. The Reverse Firewall provides a viable solution here.
The Cs3 Reverse Firewall approach (rate limiting of unexpected packets and the use of fair scheduling by places) is inherently superior to existing approaches that do scanning for known zombie signatures because it requires no updates as attackers change their methods and level of sophistication.

Longer term, through the use of cooperative neighborhoods, one can accurately trace packet sources and even paths down to the LAN where they originate. Establishing large cooperative neighborhoods would have the following major benefits to all Internet users:

  • Defenses Against Packet Flooding Attacks:
    Unlike the "smart filters" approach to defending against an incoming DDoS attack, Cs3's approach requires no updates to keep up with new modes of attack.
  • Forensics and Network Management:
    Few tools exist to treat the Internet as a true global network utility where organizations can see where problems are originating, and plan around those problems. Large neighborhoods can form the foundation for such tools.
  • Mission Critical Utilities:
    Neighborhoods that have eliminated source forgery enable a host of new services and products such as filtering based on accurate packet sources, smarter allocation schemes for resources, and other services.

The major issues raised by the infrastructure changes proposed are as follows:

  • Size of Neighborhoods:
    The larger the neighborhood, the more effective the elimination of source forgery and the more effective the DDoS defense. While some benefits accrue to individual sites with the Cs3 DDoS defense, even greater value is gained when there are larger neighborhoods.
  • PEIP Technology Issues:
    Issues of compatibility between IP and PEIP have been analyzed in more detail, but these ideas can be refined further as users of beta implementations and reviewers provide added feedback.
    Costs of PEIP: PEIP requires that packets carry path data. This raises issues of bandwidth and latency. Neither of these appears to present a real problem. For more detailed analysis of various tradeoffs, see Cs3 White Paper on elimination of source forgery.
  • Adoption Issues:
    While Cs3's Reverse Firewall will yield immediate benefits by limiting attacks emanating from a local area network, the larger vision of the infrastructure changes advocated by Cs3 does raise some practical adoption issues. These issues are being tackled technologically -- via tunneling between cooperating neighborhoods to share path information between non-adjacent neighborhoods -- and through the standardization process of the Internet Engineering Task Force (IETF).
Overall, the benefits of Cs3's technologies far outweigh the costs. An Internet that offers the above features will undoubtedly be more secure and robust for all its users.

5. Implementation Status
Cs3 is developing these technologies (under the brand name "MANAnet™") using funding from the Defense Advanced Research Projects Agency (DARPA) and the California Technology Investment Partnership (CALTIP). Implementations for IPv4 and IPv6 are being completed on different platforms. The major product milestones are as follows:

  • MANAnet Linux Router and MANAnet Reverse Firewall™ Releases:
    A MANAnet Linux router that implements PEIP and fair service scheduling is now available for external and commercial use. A MANAnet Reverse Firewall, implementing the rate limiting of outgoing unexpected packets, is targeted for external and commercial use by August 1, 2001.
  • FreeBSD Versions Due:
    FreeBSD implementations of the MANAnet Router and Reverse Firewall are due in Fall 2001.
  • Cs3 Internet Consortium:
    Cs3 has organized an Internet Consortium, consisting of influential commercial companies, research laboratories, Department of Defense agencies, universities, and law enforcement agencies. This Consortium is currently evaluating and refining the MANAnet technology and will be early adopters of production versions. Please see the Cs3 website for the latest participant information and test results.
  • PEIP as a Standard:
    In Fall 2001 Cs3 will draft a Request for Comment (RFC) before the IETF, proposing PEIP as a viable protocol to replace IP. Comments are welcome from all readers as they review the documents cited herein.
  • Proprietary Routers and Firewalls:
    Versions of PEIP and fair service scheduling on proprietary commercial routers and firewalls are targeted for release in Fall 2001.