An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10, 2003

Adaptable Inter-Domain Infrastructure Against DoS Attacks, SSGRRw 2003

What is "Denial of Service"?
An attack to suspend the availability of a service
Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
No break-in attempts, no information stealing, although they can be combined with other attacks to confuse Intrusion Detection Systems.
No easy solutions! DoS is still mostly a research issue

Main Characteristics of DoS
Variable targets:
–Single hosts or whole domains
–Computer systems or networks
–Important: Active network components (e.g. routers) are also vulnerable and possible targets!
Variable uses & effects:
–Hacker "turf" wars
–High profile commercial targets (or just competitors…).
–Useful in cyber-warfare, terrorism etc…

Brief History
First Phase (starting in the '90s): Single System DoS
–Started as bug/vulnerability exploitation
–The targets are single hosts - single services
–Many times one single malicious packet is enough
Second Phase ( ): Resource Consuming DoS
–Resource consuming requests from many sources
–Internet infrastructure used for attack amplification
Third Phase (after 2000): Distributed DoS
–Bandwidth of network connections is the main target
–Use of many pirated machines, possibly in many attack stages, that will have an escalating effect to saturate the victim(s)

Brief History (cont.)
Important Events:
February : Big commercial sites (CNN, Yahoo, E-Bay) are taken down by flooding of their networks.
–The attacks capture the attention of the media
–The US President assembles an emergency council of members of Internet and e-commerce companies, civil liberties organizations, and security experts to jointly announce actions strengthening Internet and computer network security
January 2002: The British ISP CloudNine suspends operations because of continuous interruption in Internet connectivity.

Distributed DoS (diagram): 1. Taking Control, 2. Commanding the attack. Attacker X takes control of pirated machines ("zombies") in Domain A and Domain B and then commands them to attack the Target domain.

A DDoS Attack Domain-wise (diagram): the Sources of the attack send traffic through Attack Transit Domains to the Target Domain; Innocent Domains along the way are not sources, but their connectivity is affected.

DDoS Facts
Some hundreds of persistent flows are enough to knock a large network off the Internet
Incoming traffic has to be controlled outside the victim's domain, at the upstream providers
Usually the source IPs on attack packets are spoofed
Offending systems may be controlled without their users suspecting it
Possibly many levels of command & control:
–Attacker-Manager-Agents
Examples of automatic tools for such attacks: "Trinoo", "Stacheldraht", and "TFN2K", also called rootkits

Multi-tier attack (diagram): Attacker X commands the Attack Masters, which in turn command the Attack Agents ("zombies") that flood the Target domain.

Reflection DDoS Attack (diagram): Attacker X, through an Attack Master, has the "zombies" send legitimate TCP SYN requests to routers, web or other servers; it is the TCP SYN-ACK answers of those servers that reach the Target domain.

Reaction to DDoS
The malicious flows have to be determined. Timely reaction is critical!
The attack characteristics have to be communicated (in any way possible) upstream. This usually has to be done manually and is an uncertain and time-consuming procedure.
Filters that will block attack traffic must be set up and maintained. Their effectiveness must be verified.
The bandwidth penalty is still present throughout all the affected networks.
Actions are required on all the networks along the attack path

Reaction to DDoS (cont.)
Another possible solution (helps the ISP): stop all traffic to the target. Direct it to a central point and discard it. This completes the attack!
Trace-back efforts:
–Following the routing (if sources are not spoofed)
–Step by step through ISPs. Difficult to convince them if they are not concerned about the bandwidth penalty
Conclusion: It's not a matter of a single site

Our Solution: Inter-Domain Cooperative IDS Entities

Inter-Domain Cooperative IDS Entities (diagram): a Cooperative IDS Entity sits in each Participating Domain, while Non-participating Domains have none. Notification Propagation is by multicast; each Entity activates filters and reacts according to local Policies. The Cooperative IDS Entities constitute an Overlay Network.

Main Design Characteristics: Architecture
Unit of Reaction to the attack: each administrative domain
Requires agreement between domains, but this is not difficult, since they preserve their independence
Actions along the attack path in as many networks as possible
Minimizing the bandwidth loss not only at the victim but at each step in the attack. Non-malicious traffic then has better chances to get through

The Entities
The Entities compose the infrastructure
–They are the trusted points for the domain
–They manage all communications and reaction within the domain, aimed at stopping an on-going attack
–Communications by multicast methods
–They are at the top of the local IDS hierarchy, thus combine the local picture with the one from peers
–They are controlled locally according to the choices and policies of the administrator
They can implement reaction filters on routers, BUT:
–Their duration is controlled, the admin is aware of them and it's possible to adjust to shifting attack patterns

Main Design Characteristics: Entity Implementation
Lightweight and modular software architecture, with different components performing the various tasks
Java Management Extensions (JMX) framework for control and configuration
Using the Intrusion Detection Message Exchange Format (IDMEF) in all messages achieves compatibility with standards and inter-operability with installed IDS infrastructure
Multicast advantages:
–Independence from specific installation host
–Stealthy presence
–Possible parallel operation of backup Entities

Main Design Characteristics: Internal Entity Architecture (diagram). Components: Communication Unit, Analysis Unit, Filtering Unit and Response Unit, built on the JMX Infrastructure, with Response Policies and a Management Console. Inputs: Alerts, Heartbeats and Local Notifications from Peer Entities and Local Network Components; internal data: Event Info, Configuration, Transcription.

What happens during an Attack (diagram with Cooperative IDS Entities, Non-participating Domains and Hot-spare Entities)
(1) The Attack may be detected in many places at the same time with the help of local IDS
(2) The alerted Entities notify all other ones in their community, using multicast
(3) Some of them may determine that they are not on the attack path
(4) The rest automatically set up filters to suppress the attack
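Steps (3) and (4) above, as an added Python model that is not the project's code: a hypothetical Entity decides from its own routing table and local flow counts whether it is on the attack path, and installs a filter whose lifetime is capped by the administrator, as the "The Entities" slide requires. The routing table, flow records, notification and thresholds are all constructed.

```python
import ipaddress
import time

# Constructed routing table for one participating domain (assumption: the
# Entity knows which neighbour domain each prefix is reached through).
ROUTES = {
    ipaddress.ip_network("198.51.100.0/24"): "peer-B",   # the victim's prefix
    ipaddress.ip_network("203.0.113.0/24"): "peer-C",
}
ATTACK_RATE = 1000   # packets/s towards one host that the local IDS treats as a flood (assumed)

class Entity:
    """Hypothetical model of one Cooperative IDS Entity."""

    def __init__(self, name, routes, local_flows, max_filter_age=600):
        self.name = name
        self.routes = routes
        self.local_flows = local_flows        # (destination, packets/s) from local IDS/Netflow
        self.max_filter_age = max_filter_age  # admin-controlled cap on filter lifetime (s)
        self.filters = {}                     # target prefix -> expiry time

    def on_attack_path(self, target):
        """Step (3): on the path only if this domain routes towards the victim
        AND its own sensors see flood traffic heading there."""
        net = ipaddress.ip_network(target)
        if net not in self.routes:
            return False
        return any(ipaddress.ip_address(dst) in net and rate >= ATTACK_RATE
                   for dst, rate in self.local_flows)

    def handle_notification(self, notification, now=None):
        """Step (4): install a time-limited filter; returns its expiry or None."""
        now = time.time() if now is None else now
        target = notification["target"]
        if not self.on_attack_path(target):
            return None
        requested = notification.get("duration", 300)
        expiry = now + min(requested, self.max_filter_age)   # never exceed the admin cap
        self.filters[target] = expiry
        return expiry

    def expire_filters(self, now):
        """Drop filters whose controlled duration has elapsed; return the rest."""
        self.filters = {t: e for t, e in self.filters.items() if e > now}
        return sorted(self.filters)

if __name__ == "__main__":
    # Constructed local flow records: one flood towards the victim, one normal flow.
    flows = [("198.51.100.7", 5000), ("203.0.113.5", 20)]
    ent = Entity("domain-A", ROUTES, flows)
    note = {"target": "198.51.100.0/24", "duration": 900}   # constructed multicast notification
    print(ent.handle_notification(note, now=1000))          # 1600: the 900 s request is capped at 600 s
```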

Additional Concepts
It is possible to create communities of entities and distribute the notifications only within them. Only events transcending two communities will be allowed to pass, thus limiting traffic and notification overhead
The communities can be set up thanks to multicast either:
–Geographically (by the TTL on the packets)
–According to common interests etc. (by different groups)
Security
–The messages are encrypted against eavesdropping, BUT by symmetric cryptography
–Additionally there are timestamps and digital signatures on the messages to avoid replay (repetition) attacks
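The security points above, as an added example that is not the project's code: a receiving Entity checks a notification's signature, its timestamp and a replay cache before acting on it, and a message signed under another community's key is rejected. It assumes one shared symmetric key per community, an HMAC standing in for the deck's unspecified signature scheme, and a dict standing in for the IDMEF XML.

```python
import hmac
import json
import secrets

# Constructed per-community symmetric keys (assumption: one shared key per
# multicast community; the slides specify symmetric cryptography).
KEYS = {"community-A": b"constructed-key-A", "community-B": b"constructed-key-B"}
MAX_SKEW = 30   # seconds a notification stays acceptable (assumed value)

def sign(alert, now, key):
    """Wrap an IDMEF-style alert (a dict stands in for the IDMEF XML) with a
    timestamp, a random message id and a symmetric HMAC 'signature'."""
    body = {"id": secrets.token_hex(8), "ts": now, "alert": alert}
    # Canonical JSON so sender and receiver authenticate identical bytes.
    data = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, data, "sha256").hexdigest()}

def verify(msg, now, key, seen):
    """Accept a notification only if it is authentic (this community's key),
    fresh (timestamp within MAX_SKEW) and not already seen (replay cache).
    Returns 'ok' or the reason for rejection."""
    data = json.dumps(msg["body"], sort_keys=True).encode()
    expected = hmac.new(key, data, "sha256").hexdigest()
    if not hmac.compare_digest(expected, msg["sig"]):
        return "bad-signature"      # forged, tampered, or from another community
    if abs(now - msg["body"]["ts"]) > MAX_SKEW:
        return "stale"              # too old to act on, even if authentic
    if msg["body"]["id"] in seen:
        return "replay"             # the same message delivered a second time
    seen.add(msg["body"]["id"])
    return "ok"

if __name__ == "__main__":
    alert = {"classification": "DDoS flood", "target": "198.51.100.0/24"}  # constructed
    seen = set()
    msg = sign(alert, 1000, KEYS["community-A"])
    print(verify(msg, 1005, KEYS["community-A"], seen))   # ok
    print(verify(msg, 1006, KEYS["community-A"], seen))   # replay
    print(verify(msg, 1006, KEYS["community-B"], set()))  # bad-signature
```

The timestamp bounds how long an old message can be replayed at all, and the id cache catches replays inside that window.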

Current Status
Currently developing a prototype
–Linking with a Panoptis / Netflow detection engine
Plans to deploy it in the Greek Academic Network
Testing the effectiveness of a peer-2-peer communications scheme in addition to multicast
Developing the Hot-Spare concepts

Questions and Answers