Denial of Service detection and mitigation on GENI

Denial of Service detection and mitigation on GENI Xenia Mountrouidou, Blaine Billings, College of Charleston

Collaborative research

Tommy Chin (RIT), Xenia Mountrouidou, Xiangyang Li (JHU), Kaiqi Xiong (USF), "An SDN-Supported Collaborative Approach for DDoS Flooding Detection and Containment", International Conference for Military Communications (MILCOM 2015), Tampa, Florida, 2015

Tommy Chin, Xenia Mountrouidou, Xiangyang Li, Kaiqi Xiong, "Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking (SDN)", International Workshop on Computer and Networking Experimental Research Using Testbeds (CNERT 2015), Columbus, Ohio, June 2015

Outline
- Motivation
- Collaborative detection and mitigation
- Implementation
- Demo
- Conclusions

Motivation: the DDoS threat
- Half of enterprises worldwide hit by DDoS attacks (Darkreading, 2014)
- DDoS attacks: a perfect smoke screen for APTs and silent data breaches (CSO Online, 2015)
- $150 can buy a week-long DDoS attack (Trend Micro)
- >2,000 DDoS attacks observed every day (Arbor Networks)
- 1/3 of all downtime incidents attributed to DDoS (Verisign/Merrill Research)
- IoT: Mirai botnet

Computer networks today: big data, complex topologies

Motivation: SDN capabilities
- Drop flows
- Redirect flows
- Duplicate flows
- Information available and accessible on different network layers

Source: https://www.opennetworking.org/sdn-resources/sdn-definition

DDoS: TCP SYN flood (diagram with Attacker, Server, Spoofed Client)
1. Attacker sends SYNs to the server with spoofed source IPs
2. Server answers each SYN with a SYN-ACK to the spoofed client, which never completes the handshake
3. Server resends the SYN-ACK and keeps the half-open connection in its backlog

Insights used for detection: the traffic pattern (a surge of SYNs) and the spoofed source IPs

Challenges
- Intrusion Detection System (IDS): data availability is limited; effectiveness depends on its position in the network
- SDN controller: a bottleneck, it cannot analyze every packet
- Accuracy vs. performance
- Real-world implementation

Solutions
- Discrete attack signature constituents: increase in SYN packets; spoofed source IPs for certain DDoS instances
- IDS elements: distributed; communicate with SDN controllers
- SDN controllers possess critical information: the flow table; they can add/remove flows and duplicate flows
- Emulation on GENI (Global Environment for Network Innovations)

Detection, correlation and mitigation over time (figure; three timelines, each over t)
- Network traffic: an increase of normal traffic causes processing overhead only; an attack is a separate event
- Detection stage: monitor(s) raise an alert message to the correlator(s) when traffic increases
- Correlation stage: correlator(s) pass evidence/command to the controller(s) if the alert is confirmed, otherwise a reset message returns the monitors to normal
- Mitigation stage: controller(s) act once the attack is confirmed, then reset

Experiment topologies on GENI (figure)
- Nodes: Attacker, Client, Server (Victim)
- Switches: OVS1, OVS2, OVS3 joined by a Backbone OVS
- Smaller topology: Monitor M1 with Correlator/Controller C1 at the server side, Monitor M2 with Controller C2
- Larger topology: Monitors M2, M3 with Controllers C2, C3, plus a backbone monitor MB with backbone controller CB

Monitor-Correlator communication (sequence diagram: Client, Open vSwitch, Monitor, Server, Controller/Correlator)
1. Client requests content from the Server
2. Controller inserts a flow into the OvS
3. OvS mirrors the traffic to the Monitor and forwards it to the Server
4. Monitor sends alert detail to the Controller (Correlator)
5. Correlator queries the OvS flow table; OvS returns the flow table data
6. Correlator inserts a mitigation flow into the OvS

Monitor
- Listen for IDS alerts
- Alert threshold = number of SYN packets per second
- Send alert flag to correlator (the flag can carry the attack type)
- Send IPs of selected SYN packets to correlator

Monitor – real time snort alert monitoring

Monitor – send alert to correlator
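The two monitor slides above are code screenshots. What follows is an added Python example, not the authors' code from the slides: it reads Snort alert_fast lines, counts SYN alerts per second against a threshold, and builds the alert message (attack flag plus the selected source IPs) for the correlator. It assumes a Snort rule with sid 1000001 that fires once per bare SYN towards the server; the sample alert lines, the sid and the JSON message layout are constructed for this example.

```python
"""Monitor: threshold Snort SYN alerts per second and build the correlator alert.

Added example, not the presentation's code.  Assumes a Snort rule (sid 1000001,
flags:S) that emits one alert_fast line per SYN to the protected server.
"""
import json
import re
from collections import defaultdict

# Snort alert_fast line layout (constructed sample below):
#   MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SYN_SID = 1000001  # assumed sid of the SYN rule

# Constructed alert_fast output: two SYNs and one unrelated alert in second :01,
# then six SYNs from four spoofed sources in second :02.
SAMPLE_ALERTS = """\
01/12-14:23:01.104233  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.1:51120 -> 10.0.0.10:80
01/12-14:23:01.300912  [**] [1:1000002:1] Web scanner user-agent [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.2:51200 -> 10.0.0.10:80
01/12-14:23:01.611820  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 10.0.0.2:51201 -> 10.0.0.10:80
01/12-14:23:02.000120  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.10:40001 -> 10.0.0.10:80
01/12-14:23:02.001877  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.11:40002 -> 10.0.0.10:80
01/12-14:23:02.003410  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.12:40003 -> 10.0.0.10:80
01/12-14:23:02.004998  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.13:40004 -> 10.0.0.10:80
01/12-14:23:02.006502  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.10:40005 -> 10.0.0.10:80
01/12-14:23:02.008133  [**] [1:1000001:1] SYN to web server [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 198.51.100.11:40006 -> 10.0.0.10:80
"""


def parse_alert(line):
    """Return the fields of one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def detect_syn_flood(lines, threshold, sid=SYN_SID, max_ips=64):
    """Bucket SYN alerts by second; emit one alert message per second at or above threshold.

    `sources` carries the (deduplicated, sorted) spoofed IPs, capped at max_ips, since
    the correlator only needs a sample of SYN sources to query the flow tables.
    """
    per_second = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is None or int(alert["sid"]) != sid:
            continue  # not a SYN alert from our rule
        per_second[alert["ts"]].append(alert)

    messages = []
    for ts in sorted(per_second):
        syns = per_second[ts]
        if len(syns) >= threshold:
            messages.append({
                "flag": "SYN_FLOOD",            # attack type carried in the flag
                "time": ts,
                "syn_per_sec": len(syns),
                "target": syns[0]["dst"],
                "sources": sorted({a["src"] for a in syns})[:max_ips],
            })
    return messages


def encode_alert(message):
    """Wire format sent to the correlator: one JSON object per line (assumed layout)."""
    return json.dumps(message, sort_keys=True) + "\n"


if __name__ == "__main__":
    for msg in detect_syn_flood(SAMPLE_ALERTS.splitlines(), threshold=5):
        print(encode_alert(msg), end="")
```

With threshold 5, only second 14:23:02 qualifies; lowering the threshold to 2 also flags the two legitimate SYNs in second 14:23:01, which is exactly the flash-crowd false positive the correlation stage exists to catch.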

Correlator

Hash table based on the original flow table of the OVS switch:

Key     Value
port1   IP1
port2   IP2
port3   IP3
...     ...
portn   IPn

- Query this table using the IP addresses from the monitor to look for any unknown IPs
- Additional queries go to a second hash table built from the current flow table (Original Flow Table, then Flow Table Snapshot 1, Flow Table Snapshot 2, ...)

Correlator – parse and process flowdump

Correlator – block the port of attack
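The two correlator slides above are also code screenshots. The following is an added Python example, not the authors' code: it builds the port-to-IP hash table from an `ovs-ofctl dump-flows` snapshot, checks the source IPs the monitor reported against the original table, locates the unknown IPs in a second table built from the current snapshot, and emits the `ovs-ofctl add-flow` command that drops the port the attack entered on. The flow-dump lines, the bridge name br0, the priority value and the `min_unknown` guard are assumptions of this example.

```python
"""Correlator: flow-table hash tables, unknown-IP lookup, port block rule.

Added example, not the presentation's code.  Flow dumps are constructed in the
style of `ovs-ofctl dump-flows br0`; bridge name and priority are assumptions.
"""
import re
from collections import defaultdict

PORT_RE = re.compile(r"\bin_port=(\d+)")
SRC_RE = re.compile(r"\bnw_src=(\d+\.\d+\.\d+\.\d+)")

# Constructed: flow table before the attack (legitimate clients on port 1, server on port 3).
ORIGINAL_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=812.1s, table=0, n_packets=4400, n_bytes=325600, priority=1,ip,in_port=1,nw_src=10.0.0.1 actions=output:3
 cookie=0x0, duration=790.4s, table=0, n_packets=3120, n_bytes=230880, priority=1,ip,in_port=1,nw_src=10.0.0.2 actions=output:3
 cookie=0x0, duration=812.1s, table=0, n_packets=7510, n_bytes=9012000, priority=1,ip,in_port=3,nw_src=10.0.0.10 actions=output:1
 cookie=0x0, duration=900.0s, table=0, n_packets=55, n_bytes=3300, priority=0 actions=NORMAL
"""

# Constructed: snapshot taken after the monitor's alert; spoofed sources entered on port 2.
CURRENT_DUMP = ORIGINAL_DUMP + """\
 cookie=0x0, duration=1.2s, table=0, n_packets=310, n_bytes=18600, priority=1,ip,in_port=2,nw_src=198.51.100.10 actions=output:3
 cookie=0x0, duration=1.2s, table=0, n_packets=295, n_bytes=17700, priority=1,ip,in_port=2,nw_src=198.51.100.11 actions=output:3
 cookie=0x0, duration=1.1s, table=0, n_packets=301, n_bytes=18060, priority=1,ip,in_port=2,nw_src=198.51.100.12 actions=output:3
 cookie=0x0, duration=1.1s, table=0, n_packets=288, n_bytes=17280, priority=1,ip,in_port=2,nw_src=198.51.100.13 actions=output:3
"""


def flow_table(dump):
    """Hash table keyed by switch port -> set of source IPs seen on that port.

    Lines without both in_port and nw_src (the reply header, the table-miss rule)
    carry no port/IP pair and are skipped.
    """
    table = defaultdict(set)
    for line in dump.splitlines():
        port, src = PORT_RE.search(line), SRC_RE.search(line)
        if port and src:
            table[int(port.group(1))].add(src.group(1))
    return dict(table)


def ip_index(table):
    """Inverse view, ip -> port, so lookups can be keyed by the monitor's reported IPs."""
    return {ip: port for port, ips in table.items() for ip in ips}


def correlate(original_dump, current_dump, reported_ips):
    """Return (unknown_ips, {port: [unknown ips that entered on that port]}).

    First table: IPs known from the original flow table.  Second table: the current
    snapshot, used to find which port carried the flows of each unknown IP.
    """
    known = ip_index(flow_table(original_dump))
    current = ip_index(flow_table(current_dump))
    unknown = [ip for ip in reported_ips if ip not in known]
    by_port = defaultdict(list)
    for ip in unknown:
        if ip in current:
            by_port[current[ip]].append(ip)
    return unknown, dict(by_port)


def drop_rule(bridge, port, priority=100):
    """ovs-ofctl command installing an OpenFlow rule that drops all traffic entering `port`."""
    return f'ovs-ofctl add-flow {bridge} "priority={priority},in_port={port},actions=drop"'


def decide_blocks(by_port, bridge="br0", min_unknown=3):
    """Block only ports with at least `min_unknown` unknown sources (assumed guard), so a
    couple of genuinely new clients on one port are not cut off as if they were a flood."""
    return [drop_rule(bridge, port) for port, ips in sorted(by_port.items()) if len(ips) >= min_unknown]


if __name__ == "__main__":
    reported = ["10.0.0.1", "198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"]
    unknown, by_port = correlate(ORIGINAL_DUMP, CURRENT_DUMP, reported)
    print("unknown IPs:", unknown)
    for cmd in decide_blocks(by_port):
        print(cmd)
```

The reported IP 10.0.0.1 is found in the original table and ignored; the four 198.51.100.x sources are unknown, all map to port 2 in the current snapshot, and one drop rule for that port is produced. Dropping by port rather than by spoofed source IP is what keeps the rule count bounded during a flood.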

Role of SDN in the implementation
- Duplicate flows: duplication is implemented with port mirroring, so the monitor inspects a copy of the traffic
- Flow table information identifies the attacker's port
- Drop flows to mitigate
- Caveat: we may mitigate real traffic (a flash crowd); deep packet inspection of the mirrored copy gives a second chance before dropping

Demo Video & Live

Conclusions and Future Work
- Synergistic strategy: monitoring, detection, mitigation
- Scalable solution to process high volumes of traffic and large-scale attacks
- Future work: scalability optimizations; different security applications, e.g. covert channels

More security experimentation on GENI
- Covert storage channel detection: Yiyuan Hu, Xiangyang Li, Xenia Mountrouidou, "Improving Covert Storage Channel Analysis with SDN and Experimentation on GENI", National Cyber Summit 2016
- Covert timing channel: ACM research competition poster, "Time Lord: Covert Timing Channel Implementation and Realistic Experimentation", Eduardo Castillo, Xenia Mountrouidou, Xiangyang Li
- Moving target defense

Acknowledgements

Questions? Thank you!

Links
- Project CyberPaths: http://blogs.cofc.edu/cyberpaths/
- Intrusion Detection Lab: http://mountrouidoux.people.cofc.edu/CyberPaths/intrusiondetectionsystemgenidesk_v2.html
- Correlation & Mitigation Lab: http://mountrouidoux.people.cofc.edu/CyberPaths/correlation_genidesk.html