T2TRG Syed. M. Sajjad, Ed. Internet-Draft M. Yousaf Intended status: Standards Track Riphah Institute of Systems Engineering Expires: January 23, 2019 July 22, 2018 An Architecture for Collaborative Security and Proactive Defence against IoT Botnets draft-sajjad-t2trg-colsec-00 Abstract This document proposes an architecture for Collaborative Security and Proactive Defence against IoT Botnets. The proposed architecture is based on the violation of the Manufacturer Usage Description policy. This architecture provides a means of sharing the attacker information including its Command and Control Server information with the peers in order to not only achieve proactive defense against Internet of Things botnets but also mitigate them at its source end. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 23, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must M. Sajjad & Yousaf Expires January 23, 2019 [Page 1] Internet-Draft Architecture for Collaborative Security July 2018 include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Motivation and Use cases . . . . . . . . . . . . . . . . . . 3 2.1. Usecase-01: Timely Sharing of IoT Botnets source Command and Control Server domain in order to proactively safeguard devices from its access . . . . . . . . . . . . 3 2.2. Usecase-02: Timely sharing of Threat Intelligence data between manufacturers and Vendors . . . . . . . . . . . . 3 2.3. Usecase-03: Timely Sharing of IoT Botnets source Command and Control Server domain with Attacker ISP for its Source Mitigation . . . . . . . . . . . . . . . . . . . . 4 3. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 4 4. Limitations of Existing Techniques . . . . . . . . . . . . . 5 5. Terminologies . . . . . . . . . . . . . . . . . . . . . . . . 5 6. Architecture . . . . . . . . . . . . . . . . . . . . . . . . 6 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 10. Normative References . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. Distributed Denial of Service (DDoS) attacks is generally detected and mitigated at the destination end. Companies are deploying costly detection appliances to safeguard themselves from DDoS so as to continue their routine critical business processes. Destination end DDoS detection and mitigation have implementation complexities and cost overhead. It is also to be noted that destination end detection and mitigation does not detect and mitigate the source of the DDoS attack. There is a need to detect and mitigate Distributed Denial of Service (DDoS) attacks at its source end. Individual Security Systems, deployed on the premises of different organization for the detection of emerging threats, works on the attack knowledge gained in a specific locality. Moreover scalable and sophisticated techniques used by the attacker make it difficult for individual security systems to provide effective security. Slow reaction to zero-day attacks and inconspicuousness to newer emerging attacks are threats to security systems. To handle these challenges, M. Sajjad & Yousaf Expires January 23, 2019 [Page 2] Internet-Draft Architecture for Collaborative Security July 2018 collaborative security mechanisms are used in which each participating entity performs a specific task in order to strengthen the security of the network. Collaborative Security is a method that is categorized by five important features: Raising Confidence and Protecting Opportunities: The aim of security is to increase confidence on the Internet and to make sure the constant realization of the Internet as a driver for social and economic novelties. Collective Responsibility: Internet users share an obligation towards the smooth functioning of the system. Essential Properties and Values: Security systems should be well- suited with fundamental human rights and reserve the essential properties of the internet. Development and Consensus: Operative security depends on active evolutionary actions based on the expertise of wide-range participants. Think Globally, Act Locally: Most effective solutions are expected to be achieved by means of voluntary approaches. 2. Motivation and Use cases IoT Devices acting as bots go unnoticed and undetected, causing a huge loss at the destination end. There is a need to not only detect ddos at its source end but also mitigate it. This section discusses three usecases of the proposed architecture. 2.1. Usecase-01: Timely Sharing of IoT Botnets source Command and Control Server domain in order to proactively safeguard devices from its access In the First phase, command and control server of the Internet of Things botnets scans for vulnerable devices. Timely disposing of the attacker command and control domain will alert the receiver. The receiver will block the CNC access to its deployed IoT devices. 2.2. Usecase-02: Timely sharing of Threat Intelligence data between manufacturers and Vendors This architecture may also be used for sharing of threat intelligence data in order to protect their customers from different attacks. M. Sajjad & Yousaf Expires January 23, 2019 [Page 3] Internet-Draft Architecture for Collaborative Security July 2018 2.3. Usecase-03: Timely Sharing of IoT Botnets source Command and Control Server domain with Attacker ISP for its Source Mitigation Attacker command and control server is a domain against a public IPs or pole of public IPs. These IPs are obtained from an Internet Service Provider. If the command and control server information is shared with the attacker ISP in the bot propagation phase, the ISP will take down the malicious CNC before causing any major attack. 3. Requirements There are Certain requirements for the sharing of attack data with the peers: Trust Establishment: Trust should be established while sharing threat information between senders and receivers. Temper Proof Integrity: Temper Proof integrity of the shared information must be maintained. Confidentiality: The data shared must be encrypted in order to ensure its confidentiality. Non-Repudiation: There should be a defined mechanism by which a user cannot deny the data sharing. Correctness: Temper proof integrity and encryption provides correctness in the shared data. Legal Written Contract Between Participants: Attack report exploits of the vulnerabilities and weakness present in the deployment of any organization. public exposing of such kind of sensitive information may lead to serious privacy concerns. There must be a written agreement between the entities and vendors involved in the sharing of attack data. Lightweight and low-cost Mud based Architecture: The proposed Architecture must be MUD based, light-weight, having low implementation complexity. Proactive Defense: Timely sharing of attack detection reports with the peers should provide a means of proactive defense. Accuracy: The shared data must be accurate. M. Sajjad & Yousaf Expires January 23, 2019 [Page 4] Internet-Draft Architecture for Collaborative Security July 2018 4. Limitations of Existing Techniques There are Certain limitations of existing techniques designed for attack data sharing: Design and Implementation Complexity: Mostly attack data sharing standards are designed for enterprise-level networks. They have Implementation complexities. For IoT, there is a need for lightweight protocol requirement using detection based on MUD policy violation. Lack of a Written Legal Contract/agreement: There isn't any written legal agreement between the participants in the existing attack sharing mechanisms. 5. Terminologies MUD Monitor: System that monitors current access on devices and compares it with MUD policies. In case of Mud policy violation, compile the attack vector, take hash of it, encrypt it and securely send it to all the participants in the network. MUD Policy Violation: MUD defines access policies for IoT devices. Any access attempt not defined in MUD policy is termed as MUD Policy Violation. Smart Contract: A computer code running on top of a blockchain containing a set of rules under which the parties to that smart contract agree to interact with each other. If and when the predefined rules are met, the agreement is automatically enforced. The smart contract code facilitates, verifies, and enforces the negotiation or performance of an agreement or transaction. Non-Repudiation: There should be a defined mechanism by which a user cannot deny the data sharing. Participants: Any entity which is a signatory of the smart contract e.g Manufacturer, Vendors, Internet Service Providers, End User etc. Command and Control Server: Server Machine having Public IPs and domain name acting and controlling authority of the Bots. Proactive Defense: Proactively safeguarding devices from an attack in advance. M. Sajjad & Yousaf Expires January 23, 2019 [Page 5] Internet-Draft Architecture for Collaborative Security July 2018 6. Architecture We propose a block-chain and smart contract based collaborative mitigation framework. The block-chain is a distributed structure of data that is shared among the members present in the network. The smart contract is a software-based set of contract or negotiation agreed by all the parties, which is able to be executed, confirmed and reinforced automatically. The main idea of the proposed collaborative mitigation system is to send the IP addresses of the attacker and details of the attacked ports, identified by the detection system, with multiple members using smart contract and block-chain. The proposed Collaborative mitigation system is depicted in the Figure 1. In the proposed collaborative mitigation system, each participant in the smart contract has agreed to share the attack information with the member of the network. Each member has its own detection system. Upon receiving the attacker information, the member takes preventive measures through mitigator. Following are the steps of the Proposed Celebrative Mitigation. As a first step, a block-chain based smart contract is formed. This smart contract contains the condition of sharing attack detection report with the member of the contract, in case there is an attack on IoTs devices of any member. Different vendors of IoTs devices having global threat intelligence capabilities, Manufacturers and Internet Service Providers join the smart contract. In case of an attack on any of vendor IoTs devices, MUD Monitor detects the attack based on mud policy violation. MUD Monitor digitally signs the attack report with its private key. MUD Monitor then encrypt digitally signed transaction with receivers public keys one by one and send it to all the members present in the block-chain smart contract. The receiver Mud Monitor decrypts the receiving transaction with its private key. The receiver Mud Monitor then verifies the digital signature of the receiver by decrypting the signed message with the sender public key. Upon receipt of attacker information, MUD Monitor adds the attacker information to its global threat intelligence and take precautionary mitigating measures. M. Sajjad & Yousaf Expires January 23, 2019 [Page 6] Internet-Draft Architecture for Collaborative Security July 2018 ......................... .Manufacturer 1/Vender 1. ________ . ______ ___________ . | | .| | | | . |Attacker| .|Device| |Mud Policy | . | |------>| | | Monitor | . | | .| | | | . |________| .|______| |___________| . ....................|.... | .............. _______________ | . ________ . | |<--| . | | . | Smart | . | Mud |--->| Contract | . | Policy | . | |<---| . |Monitor | . |_______________| | . |________| . | . . | . _______ . .....................|...... . | | . . _______ _________|___ . . |Device | . .| | | | . . | | . .|Device | | Mud Policy | . . | | . .| | | Monitor | . . |_______| . .| | | | . .Manufac- . .|_______| |_____________| . .turer 3 . . . .Vender 3 . .Manufacturer 3/ Vender 3 . .............. ............................ Figure 1 7. Security Considerations Some of the benefits of the block-chain based smart contract collaborative mitigation mechanism are: Trust Establishment: Trust establishment is one of the main challenges in sharing threat information. Block-chain based smart contract provides a means of mutual trust to all the collaborators. Temper Proof Integrity: Digital Signature of the receiver and hashes of transaction provides temper proof integrity. Confidentiality: Encrypting the digitally signed transaction with receivers public keys to provide confidentiality. M. Sajjad & Yousaf Expires January 23, 2019 [Page 7] Internet-Draft Architecture for Collaborative Security July 2018 Non-Repudiation: A user cannot deny a transaction as it is signed by it. Correctness: Temper proof integrity and encryption provides correctness in the shared data. Proactive Defense: Timely sharing of attack detection reports with the peers provides a means of proactive defense. Accuracy: Temper proof integrity and encryption also provides accuracy of the shared data. 8. Acknowledgements 9. IANA Considerations 10. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . Authors' Addresses Syed Muhammad Sajjad (editor) Riphah Institute of Systems Engineering Aga Khan Road, Sector F-5/1 Islamabad, Federal Capital 44000 Pakistan Email: abuammarhashmi@gmail.com Muhammad Yousaf Riphah Institute of Systems Engineering Aga Khan Road, Sector F-5/1 Islamabad, Federal Capital 44000 Pakistan Email: Muhammad.Yousaf@riu.edu.pk M. Sajjad & Yousaf Expires January 23, 2019 [Page 8]