Authors – Johannes Krupp, Michael Backes, and Christian Rossow (2016)


Identifying the scan and attack infrastructures behind amplification DDoS attacks
Authors – Johannes Krupp, Michael Backes, and Christian Rossow (2016)
Presented by Aditya Walanj

Motivation
- Amplification DDoS attacks have become a serious threat to Internet users; attack bandwidths can reach several hundred Gbit/s.
- Attackers can spoof the source IP of requests sent to open Internet services.
- Victims don't know whom to contact to stop these attacks.
- The attacker's goal is to render a network unusable by flooding the target network with huge volumes of traffic.

Background
- All amplification attacks are UDP based, since UDP is a connection-less protocol.
- Four parties:
  - Attacker: sends requests with a spoofed source IP
  - Amplifiers: servers that act as reflectors
  - Victim: the source IP specified in the request
  - Scanner: used to find amplifiers by sending requests and recording the responses
- The attacker leverages the amplification vectors in network protocols.

Problem
- Little is known about the origin of attacks; revealing attack sources is a significant problem.
- The spoofed nature of the traffic makes this difficult: a false source address is provided to hide the attacker's identity or to impersonate another system.
Solution:
- Attribute attacks to scan infrastructures using honeypot techniques.
- Map scan infrastructures to attackers using TTL trilateration techniques.

Solution Background
The method fulfils three important goals:
- It works in real time, so attacks can be attributed on the fly.
- Attribution does not require cooperation between ISPs.
- It provides probabilistic guarantees showing the confidence level of each attribution outcome.
A honeypot is a computer security mechanism that contains valuable data and is monitored to detect unauthorised use.
AMPPOT emulates a server offering 7 different UDP protocols that are abused for amplification, e.g. NTP and DNS.
Selective response scheme:
- AMPPOT only selectively replies to requests.
- Each scanner therefore sees a different set of deployed honeypots → a distinct attribution feature.
- Implemented by fixing the fraction of the network that responds to a scan; the fraction is set to 0.5.

Solution Background (cont)
- Three /28 networks → 48 honeypot IPs.
- Each scanner scans all 48 honeypot IPs and has a unique reply set of 24 IPs.
- In the real world, a scanner may not query with one source but with multiple sources.
- Confidence levels determine how robust the attribution is under real-world conditions.
- Two sets: the query set and the reply set.
- Find the probability p of falsely accusing a scanner; confidence = 1 − p.

Methodology: Step 1
- Attack: a stream of at least 100 packets from the same source to the same port within 1 hour.
- The amplifier set used in an attack depends greatly on the scan prior to the attack.
- For every honeypot IP, maintain all aware sources (scanners).
- Diagram labels: "Potential scanner behind attack", "In attack set".
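The selective response scheme, the confidence calculation and Step 1 above are easy to follow in code. The block below is an added example written for this transcript; it is not AMPPOT or any code by the paper's authors. It assumes a keyed-hash construction for choosing which honeypots answer a scanner (the slides do not say how AMPPOT picks the reply set), uses documentation IP ranges for the three /28 networks, and models the false-accusation probability as the chance that an unrelated scanner's random 24-of-48 reply set happens to cover all amplifiers used in an attack (an illustrative model, not the paper's exact derivation). All packets and addresses are constructed.

```python
import hashlib
from collections import defaultdict
from math import comb

# Constructed honeypot address space: three /28 networks, 48 IPs (as in the talk).
# Documentation prefixes, not the real AMPPOT deployment.
HONEYPOTS = [f"198.51.100.{i}" for i in range(16, 32)] \
          + [f"203.0.113.{i}" for i in range(16, 32)] \
          + [f"192.0.2.{i}" for i in range(16, 32)]
RESPONSE_FRACTION = 0.5          # slide: fraction of the network that answers a scanner

def reply_set(scanner_ip, honeypots=HONEYPOTS, fraction=RESPONSE_FRACTION):
    """Selective response: the subset of honeypots that answer this scanner.

    Assumption (not from the slides): rank the honeypots by a hash of
    (scanner, honeypot) and let the top half respond. The choice is
    deterministic, so a rescanning scanner sees the same 24 IPs, while two
    different scanners almost never see the same set.
    """
    n_reply = int(len(honeypots) * fraction)
    ranked = sorted(honeypots,
                    key=lambda hp: hashlib.sha256(f"{scanner_ip}|{hp}".encode()).digest())
    return frozenset(ranked[:n_reply])

def awareness_table(scanner_ips):
    """For every honeypot IP, the set of scanners that were shown it (slide: aware sources)."""
    aware = defaultdict(set)
    for scanner in scanner_ips:
        for hp in reply_set(scanner):
            aware[hp].add(scanner)
    return aware

def detect_attacks(packets, min_packets=100, window_s=3600):
    """Attack definition from the slides: at least 100 packets from the same
    (spoofed) source to the same destination port within one hour.

    packets: iterable of (timestamp_s, spoofed_src_ip, dst_port, honeypot_ip).
    Returns {(victim_ip, port): set of honeypot IPs used as amplifiers}.
    """
    flows = defaultdict(list)
    for ts, src, dport, hp in packets:
        flows[(src, dport)].append((ts, hp))
    attacks = {}
    for key, pkts in flows.items():
        pkts.sort()                      # by timestamp
        lo = 0
        for hi in range(len(pkts)):      # sliding one-hour window
            while pkts[hi][0] - pkts[lo][0] > window_s:
                lo += 1
            if hi - lo + 1 >= min_packets:
                attacks[key] = {hp for _, hp in pkts}
                break
    return attacks

def attribute(amplifiers, aware):
    """Step 1: candidate scanners are those aware of *every* amplifier the
    attack used. Outcome labels follow the results slide."""
    candidates = None
    for hp in amplifiers:
        known = aware.get(hp, set())
        candidates = set(known) if candidates is None else candidates & known
    candidates = candidates or set()
    if not candidates:
        return "non-attributable", candidates
    if len(candidates) == 1:
        return "attributable", candidates
    return "non-unique", candidates

def false_accusation_probability(k, n=len(HONEYPOTS), r=None):
    """Probability p that an *unrelated* scanner, whose reply set is a uniformly
    random r-of-n subset, nevertheless covers all k amplifiers seen in an
    attack: C(r, k) / C(n, k). Confidence in the attribution is 1 - p.
    (Illustrative model; the paper's exact derivation is not on the slides.)
    """
    r = int(n * RESPONSE_FRACTION) if r is None else r
    return comb(r, k) / comb(n, k) if k <= r else 0.0

if __name__ == "__main__":
    scanners = ["203.0.113.200", "198.51.100.201", "192.0.2.202"]  # constructed
    aware = awareness_table(scanners)
    # Constructed attack: 120 packets in 20 minutes, spoofed from the victim,
    # to NTP port 123, reflected off 12 of the honeypots scanners[0] was shown.
    used = sorted(reply_set(scanners[0]))[:12]
    packets = [(i * 10, "192.0.2.250", 123, used[i % 12]) for i in range(120)]
    # Slow stream: 120 packets one minute apart never reach 100 within an hour.
    packets += [(i * 60, "192.0.2.251", 53, used[0]) for i in range(120)]
    for (victim, port), amps in detect_attacks(packets).items():
        verdict, cands = attribute(amps, aware)
        p = false_accusation_probability(len(amps))
        print(f"{victim}:{port} amplifiers={len(amps)} {verdict} {sorted(cands)} "
              f"confidence={1 - p:.6f}")
```

The false-accusation probability falls quickly with the number of amplifiers an attack used: with one amplifier an unrelated scanner is a candidate half the time, with twelve it is already well under one in ten thousand, which is why attacks reflected off many honeypots can be attributed with high confidence.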

Results
Three cases:
- Zero candidates: no scanner was aware of the amplifiers → non-attributable (2.5 %)
- Exactly one candidate: a single scanner was aware of the amplifiers → attributable (79.9 %)
- More than one candidate: multiple scanners were aware of the amplifiers → non-unique (17.6 %)
Most attributed attacks and scanners were from the US, the Netherlands, and Lithuania.

Methodology: Step 2
Was the infrastructure used to perform the scans also used to launch the attacks?
- Distance(source, receiver) = TTL at source (attacker) − TTL at receiver (honeypot)
- Assumption: the initial TTL is fixed, and the hop distance from the same source to the same honeypot is equal.
- Compare hop distances to identify whether two packets originate from the same source.
Validate the TTL metric using RIPE Atlas:
- Select 200 random probes to send packets to the 11 most prominent honeypots.
- Honeypots record the TTL values.
- Compute the minimal distance for every pair of sources using the recorded TTL values.
- Derive thresholds from these distances.

Methodology: Step 2 (cont)
- Measurements < threshold → same source
- Measurements > threshold → different sources
- True positive: one probe had two measurements below the threshold.
- False positive: two different probes had two measurements below the threshold.
- Apply the methodology to the dataset of scanners by comparing the TTL vectors of the scan event and the attributed attacks.
- 34 out of 286 scanners were found to be malicious with 99.9 % confidence.
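The TTL comparison of Step 2 and its threshold validation, as an added example for this transcript (not the authors' code). The honeypot only observes the TTL on arrival, so the block assumes the sender's initial TTL is the smallest common OS default (32, 64, 128 or 255) at or above the observed value, a standard inference that the slides leave implicit. The distance between two TTL vectors is taken as the largest hop-count disagreement over the honeypots both vectors cover (my choice of metric), and the threshold is derived as the slide describes: the largest value whose false-positive rate over different-probe pairs stays within a budget. All TTL observations and the labelled distance samples are constructed.

```python
# Well-known default initial TTL values of common operating systems.
COMMON_INITIAL_TTLS = (32, 64, 128, 255)

def hop_distance(observed_ttl):
    """Hop count from sender to honeypot = initial TTL - TTL on arrival.

    Assumption (standard in TTL fingerprinting, not stated on the slides):
    the sender used the smallest common default >= the observed value, since
    real paths are far shorter than the gap between defaults.
    """
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError(f"impossible TTL {observed_ttl}")

def ttl_vector(records, source):
    """{honeypot_ip: hop distance} for every honeypot that saw packets from
    `source`. records: iterable of (source_ip, honeypot_ip, observed_ttl).
    When one source hits a honeypot several times, keep the minimum distance
    (slide: minimal distance)."""
    vec = {}
    for src, hp, ttl in records:
        if src != source:
            continue
        d = hop_distance(ttl)
        vec[hp] = min(d, vec.get(hp, d))
    return vec

def vector_distance(v1, v2, min_common=2):
    """Largest hop-count disagreement between two TTL vectors over the
    honeypots both cover; None if too few honeypots overlap to judge."""
    common = v1.keys() & v2.keys()
    if len(common) < min_common:
        return None
    return max(abs(v1[hp] - v2[hp]) for hp in common)

def same_source(v1, v2, threshold):
    """Slide rule: distance below the threshold -> same source."""
    d = vector_distance(v1, v2)
    return d is not None and d < threshold

def derive_threshold(same_source_dists, different_source_dists, max_fp_rate):
    """Pick the largest threshold whose false-positive rate stays within budget.

    A false positive is a pair of *different* probes whose measurements fall
    below the threshold (RIPE Atlas validation on the slide); a true positive
    is a pair of measurements from the *same* probe below it.
    Returns (threshold, true_positive_rate).
    """
    upper = max(same_source_dists + different_source_dists) + 2
    best = None
    for t in range(1, upper):
        fp = sum(d < t for d in different_source_dists) / len(different_source_dists)
        if fp <= max_fp_rate:
            best = t
    if best is None:
        return None, 0.0
    tp = sum(d < best for d in same_source_dists) / len(same_source_dists)
    return best, tp

if __name__ == "__main__":
    # Constructed observations: a scan from 203.0.113.77, then attack packets
    # carrying the victims' addresses 192.0.2.250 / .251 as (spoofed) source.
    records = [
        ("203.0.113.77", "hp1", 50), ("203.0.113.77", "hp2", 47), ("203.0.113.77", "hp3", 55),
        ("192.0.2.250", "hp1", 114), ("192.0.2.250", "hp2", 111), ("192.0.2.250", "hp3", 119),
        ("192.0.2.251", "hp1", 60), ("192.0.2.251", "hp2", 58), ("192.0.2.251", "hp3", 52),
    ]
    # Constructed calibration distances, standing in for the RIPE Atlas measurements.
    threshold, tpr = derive_threshold([0, 1, 1, 0, 2, 1], [5, 8, 3, 11, 2, 7, 9, 6], 0.1)
    print(f"threshold={threshold} hops, true-positive rate={tpr:.2f}")
    scan = ttl_vector(records, "203.0.113.77")
    for victim in ("192.0.2.250", "192.0.2.251"):
        verdict = same_source(scan, ttl_vector(records, victim), threshold)
        print(f"scan vs attack on {victim}: same infrastructure = {verdict}")
```

In the constructed data the attack on 192.0.2.250 arrives with TTLs that imply exactly the hop counts seen during the scan (14, 17 and 9 hops), so the two vectors match and the scan infrastructure is judged to be the attack source; the second attack differs by up to 11 hops and is rejected. The criticism slide's point about TTL randomisation applies directly here: an attacker who varies the initial TTL per packet breaks the fixed-initial-TTL assumption behind hop_distance.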

Criticism
Limitations:
- The amplifier set used in an attack was scanned with a single public IP.
- Attackers may identify AMPPOT by its behaviour.
- The initial TTL is assumed fixed → randomization is possible.
- All networks are considered.
- The scanner is assumed not to spoof its source address during scanning.
Improvements:
- Increase the network size and decrease the response ratio.
- Run AMPPOT in "proxy" mode.
- Better approach → IP traceback (marking packets).
- Ignore networks provided by ISPs that prevent spoofing.
- Extend the method to further validate scan infrastructures before mapping.

Thank you for listening