Denial of Service detection and mitigation on GENI

Presentation transcript:

Denial of Service detection and mitigation on GENI Xenia Mountrouidou, Blaine Billings, College of Charleston

Collaborative research
Tommy Chin (RIT), Xenia Mountrouidou, Xiangyang Li (JHU), Kaiqi Xiong (USF), "An SDN-Supported Collaborative Approach for DDoS Flooding Detection and Containment", International Conference for Military Communications (MILCOM 2015), Tampa, Florida, 2015
Tommy Chin, Xenia Mountrouidou, Xiangyang Li, Kaiqi Xiong, "Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking (SDN)", International Workshop on Computer and Networking Experimental Research Using Testbeds (CNERT 2015), Columbus, Ohio, June 2015

Outline
Background
Motivation
Collaborative detection and mitigation
Implementation
Demo
Conclusions

Background
Cybersecurity research: experimentation on GENI
  Denial of Service detection and mitigation using SDN
  Covert storage channel detection
  Covert timing channel implementation
Cybersecurity education: experiential learning on GENI
  CyberPaths: GENI cybersecurity modules
  Liberal arts modules: law, cyber insurance, privacy, finance

Motivation: DDoS threat
Half of enterprises worldwide hit by DDoS attacks (Darkreading, 2014)
DDoS attacks: a perfect smoke screen for APTs and silent data breaches (CSO online, 2015)
$150 can buy a week-long DDoS attack (TrendMicro)
>2,000 DDoS attacks observed every day (Arbor Networks)
1/3 of all downtime incidents attributed to DDoS (Verisign/Merrill Research)
IoT: Mirai botnet
Computer networks today: big data, complex topologies

Motivation: SDN capabilities
Drop flows
Redirect flows
Duplicate flows
Information available and accessible on different network layers
Source: https://www.opennetworking.org/sdn-resources/sdn-definition

DDoS: TCP SYN flood
[Diagram: attacker, server and spoofed client. The attacker sends a spoofed SYN; the server sends a SYN-ACK to the spoofed client and then resends the SYN-ACK.]
Insights: traffic pattern; spoofed IPs

Challenges
Intrusion Detection System (IDS): data availability is limited; effectiveness depends on position in the network
SDN controller: bottleneck, cannot analyze every packet
Accuracy vs performance
Real-world implementation

Solutions
Discrete attack signature constituents: increase in SYN packets; spoofed source IPs for certain DDoS instances
IDS elements: distributed; communication with SDN controllers
SDN controllers possess critical information: flow table; add/remove flows; duplicate flows
Emulation with the Global Environment for Network Innovations (GENI)

[Diagram: three stages over time t. Detection stage: monitor(s) observe network traffic; an increase of normal traffic only adds processing overhead, while an attack produces an alert message. Correlation stage: correlator(s) receive the alert and pass on evidence/command, or send a reset message. Mitigation stage: controller(s) act once the attack is confirmed, or reset.]

[Diagram: experiment topology with a backbone OVS and edge switches OVS1, OVS2 and OVS3; hosts: client, attacker, server (victim); monitors M1, M2, M3 and MB; correlator/controllers C1, C2, C3 and CB.]

Monitor-correlator communication
[Sequence diagram with participants client, Open vSwitch, monitor, server and controller (correlator): the client requests content; the controller inserts a flow into the OvS; the OvS mirrors traffic to the monitor and forwards traffic to the server; the monitor sends alert details to the controller; the controller queries the OvS flow table and receives the flow table data; the controller inserts a flow into the OvS.]

Monitor
Listen for IDS alerts
Alert threshold = # SYN packets / sec
Send alert flag to correlator (flag can be attack type)
Send IPs of selected SYN packets to correlator

Monitor – real time snort alert monitoring

Monitor – send alert to correlator
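The monitor logic from the three slides above (listen for IDS alerts, count SYN alerts per second against a threshold, send the flag and the selected source IPs to the correlator), as an added Python example; it is not the authors' code from the GENI slice. It assumes Snort's "fast" alert output format; the alert lines, rule SIDs, addresses and the correlator address 192.0.2.1:9999 are constructed placeholders.

```python
import ipaddress
import json
import re
import socket
from collections import defaultdict

# Constructed Snort "fast"-style alert lines; the rule SIDs (1000001, 1000002) are
# placeholders, not rules from the authors' testbed. Six spoofed sources hit the
# server within one second, surrounded by ordinary traffic that stays below threshold.
SAMPLE_ALERTS = """\
06/20-14:03:44.900000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 10.0.0.5:4432 -> 10.0.0.100:80
06/20-14:03:45.100000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 198.51.100.7:1025 -> 10.0.0.100:80
06/20-14:03:45.110000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 198.51.100.8:1026 -> 10.0.0.100:80
06/20-14:03:45.120000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 198.51.100.9:1027 -> 10.0.0.100:80
06/20-14:03:45.130000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 198.51.100.10:1028 -> 10.0.0.100:80
06/20-14:03:45.140000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 198.51.100.11:1029 -> 10.0.0.100:80
06/20-14:03:45.150000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 198.51.100.12:1030 -> 10.0.0.100:80
06/20-14:03:45.160000  [**] [1:1000002:1] ICMP echo request [**] [Priority: 3] {ICMP} 10.0.0.6 -> 10.0.0.100
06/20-14:03:46.200000  [**] [1:1000001:1] TCP SYN to server [**] [Priority: 2] {TCP} 10.0.0.5:4433 -> 10.0.0.100:80
"""

# One fast-format line: timestamp, [gid:sid:rev], message, protocol, src[:port] -> dst[:port].
ALERT_RE = re.compile(
    r'^(?P<sec>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$'
)

SYN_THRESHOLD = 5  # SYN alerts per second; assumed value, tuned per deployment


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def detect(lines, threshold=SYN_THRESHOLD):
    """Bucket SYN alerts by wall-clock second and return one alert message for every
    second whose SYN count reaches the threshold, carrying the flag and source IPs."""
    syn_sources = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a and a['proto'] == 'TCP' and 'SYN' in a['msg']:
            syn_sources[a['sec']].append(a['src'])
    alerts = []
    for sec, srcs in sorted(syn_sources.items()):
        if len(srcs) >= threshold:
            alerts.append({
                'flag': 'SYN_FLOOD',  # the flag carries the attack type
                'second': sec,
                'count': len(srcs),
                # distinct sources, in numeric address order, for the correlator lookup
                'src_ips': sorted(set(srcs), key=ipaddress.ip_address),
            })
    return alerts


def encode_alert(alert):
    """Serialise an alert as one JSON line for the correlator."""
    return json.dumps(alert, sort_keys=True)


def send_alert(alert, correlator=('192.0.2.1', 9999)):
    """Push the alert to the correlator over UDP (the address is an assumed placeholder)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(encode_alert(alert).encode(), correlator)


if __name__ == '__main__':
    for alert in detect(SAMPLE_ALERTS.splitlines()):
        print(encode_alert(alert))
```

In a deployment the monitor would tail Snort's alert file and feed new lines to detect() over a sliding window. The threshold and the per-second buckets are the knobs that trade accuracy against the controller bottleneck noted on the Challenges slide: the correlator receives only the distinct sources of a burst, not every packet.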

Correlator
Hash table based on the original flow table of the OVS switch (key: port, value: IP):
  port1 -> IP1
  port2 -> IP2
  port3 -> IP3
  ...
  portn -> IPn
Query this table using the IP addresses from the monitor to look for any unknown IPs
Additional queries to a second hash table created based on the current flow table
[Figure labels: Original Flow Table, Flow Table Snapshot1, Flow Table Snapshot2]

Correlator – parse and process flowdump

Correlator – block the port of attack
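The correlator steps from the three slides above (a hash table built from the original OVS flow table, a lookup of the monitor's IPs to find unknown sources, a second table from the current flow table, and a drop rule on the port the attack enters), as an added Python example rather than the authors' implementation. The ovs-ofctl dump-flows output is constructed, and the bridge name br0, the port numbers and the addresses are assumed.

```python
import re
import subprocess

# Constructed ovs-ofctl dump-flows output (OpenFlow 1.0 style), not captured from the
# GENI slice. The original snapshot knows two clients on ports 1 and 2; the current
# snapshot additionally shows two high-rate sources entering on port 4.
ORIGINAL_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=120.5s, table=0, n_packets=340, n_bytes=25000, idle_age=1, priority=1,ip,in_port=1,nw_src=10.0.0.5 actions=output:3
 cookie=0x0, duration=118.2s, table=0, n_packets=12, n_bytes=900, idle_age=5, priority=1,ip,in_port=2,nw_src=10.0.0.6 actions=output:3
 cookie=0x0, duration=200.0s, table=0, n_packets=5000, n_bytes=400000, idle_age=0, priority=0 actions=NORMAL
"""
CURRENT_DUMP = ORIGINAL_DUMP + """\
 cookie=0x0, duration=3.1s, table=0, n_packets=9000, n_bytes=540000, idle_age=0, priority=1,ip,in_port=4,nw_src=198.51.100.7 actions=output:3
 cookie=0x0, duration=3.0s, table=0, n_packets=8800, n_bytes=528000, idle_age=0, priority=1,ip,in_port=4,nw_src=198.51.100.8 actions=output:3
"""

FLOW_RE = re.compile(r'in_port=(\d+).*?nw_src=([\d.]+)')
PKTS_RE = re.compile(r'n_packets=(\d+)')


def parse_flowdump(text):
    """Keep only flow entries that name both an ingress port and a source IP."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue  # header line or catch-all rule without nw_src
        pk = PKTS_RE.search(line)
        flows.append({'in_port': int(m.group(1)), 'nw_src': m.group(2),
                      'n_packets': int(pk.group(1)) if pk else 0})
    return flows


def build_tables(flows):
    """Hash tables in both directions: ip -> port and port -> {ips}."""
    ip_to_port, port_to_ips = {}, {}
    for f in flows:
        ip_to_port[f['nw_src']] = f['in_port']
        port_to_ips.setdefault(f['in_port'], set()).add(f['nw_src'])
    return ip_to_port, port_to_ips


def correlate(original_dump, current_dump, suspect_ips):
    """Look up the monitor's IPs in the original table; anything unknown is resolved
    to an ingress port via the current snapshot. A port is proposed for blocking only
    when every source on it is unknown, so a port shared with known clients is
    reported separately instead of being dropped (the flash-crowd case)."""
    orig_ip_to_port, _ = build_tables(parse_flowdump(original_dump))
    cur_ip_to_port, cur_port_to_ips = build_tables(parse_flowdump(current_dump))
    unknown = sorted(ip for ip in set(suspect_ips) if ip not in orig_ip_to_port)
    ports, unresolved = {}, []
    for ip in unknown:
        port = cur_ip_to_port.get(ip)
        if port is None:
            unresolved.append(ip)  # monitor saw it, but no flow entry exists yet
        else:
            ports.setdefault(port, set()).add(ip)
    block = sorted(p for p in ports if not (cur_port_to_ips[p] - ports[p]))
    shared = sorted(p for p in ports if p not in block)
    return {'unknown_ips': unknown, 'block_ports': block,
            'shared_ports': shared, 'unresolved_ips': unresolved}


def drop_rule(bridge, port, priority=100):
    """The ovs-ofctl command that drops everything entering on the given port."""
    return f"ovs-ofctl add-flow {bridge} priority={priority},in_port={port},actions=drop"


def apply_drop(bridge, port):
    """Issue the drop rule to the switch (needs ovs-ofctl on the controller host)."""
    subprocess.run(drop_rule(bridge, port).split(), check=True)


if __name__ == '__main__':
    result = correlate(ORIGINAL_DUMP, CURRENT_DUMP,
                       ['10.0.0.5', '198.51.100.7', '198.51.100.8', '203.0.113.9'])
    print(result)
    for port in result['block_ports']:
        print(drop_rule('br0', port))
```

Ports reported as shared are where the second chance from the Role of SDN slide belongs: deeper inspection of that port's traffic before a drop that would also cut off legitimate clients.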

Role of SDN in implementation
Duplicate flows
Flow table information detects attacker
Drop flows to mitigate
Duplication is implemented with mirroring
We may mitigate real traffic (flash crowd)
Deep packet inspection
Second chance

Demo: video and live

Conclusions and future work
Synergistic strategy: monitoring, detection, mitigation
Scalable solution to process a high volume of traffic and large-scale attacks
Future work: scalability optimizations; different security applications (covert channel)

More security experimentation on GENI
Covert storage channel detection: Yiyuan Hu (JHU), Xiangyang Li (JHU), Xenia Mountrouidou, "Improving Covert Storage Channel Analysis with SDN and Experimentation on GENI", National Cyber Summit 2016
Covert timing channel: ACM research competition poster "Time Lord: Covert Timing Channel Implementation and Realistic Experimentation", Eduardo Castillo, Xenia Mountrouidou, Xiangyang Li (JHU)
Firewalls (CoC)
VPNs (CoC)
XSS (JHU)
Certificates (JHU)

Acknowledgements

Questions? Thank you!

Links
Project CyberPaths: http://blogs.cofc.edu/cyberpaths/
Intrusion Detection Lab: http://mountrouidoux.people.cofc.edu/CyberPaths/intrusiondetectionsystemgenidesk_v2.html
Correlation & Mitigation Lab: http://mountrouidoux.people.cofc.edu/CyberPaths/correlation_genidesk.html

Appendix: Results

Results
Multiple attackers
Multiple users
Goals: identify bottlenecks; demonstrate effectiveness

Results – multiple attackers
[Plot: time in msec vs number of attackers]

Results – multiple attackers
[Plots: monitor overhead and correlator overhead, time in msec vs number of attackers]
t1: time for mirrored traffic to reach monitor
t2: time for alert to be raised
t3: time to communicate with correlator
t4: time to process monitor's alert
t5: time needed to query OVS
t6: time needed to issue new rule to drop flow

Results – ROC
[Plot: ROC curve] M2, C2: monitor and correlator 2

Results – multiple users
Need to describe x, y axis!!!

Results – multiple users
t1: time for mirrored traffic to reach monitor
t2: time for alert to be raised
t3: time to communicate with correlator
t4: time to process monitor's alert
t5: time needed to query OVS
t6: time needed to issue new rule to drop flow