Inferring Internet Denial-of-Service Activity
David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage
Presented by Qian.

Inferring Internet Denial-of-Service Activity
David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage
Presented by Qian HE (Steve), CS 577 – Prof. Bob Kinicki

How prevalent are DoS attacks in the Internet?

Agenda
– Introduction
– Background
– Methodology
– Attack Detection and Classification
– Analysis of Denial-Of-Service Activity
– Conclusion

Introduction - Examples
– Feb 2000: Yahoo, eBay, and E*Trade.
– Jan 2001: Microsoft’s name servers.
– 2002: the root DNS servers.
– Late 2003: SCO’s corporate website.
“2,000–3,000 active denial-of-service attacks per week”
“68,700 attacks on over 34,700 distinct Internet hosts belonging to more than 5,300 distinct organizations”

Introduction - Motivation
Many of the attacks are motivated by mischief or spite, others are likely born out of religious, ethnic or political tensions, and still others have been clearly focused around commercial gain.

Introduction - Problems
There is little quantitative data about the prevalence of these attacks and no representative characterization of their behavior.
Obstacles hampering the collection of an authoritative DoS traffic dataset:
– ISPs consider such data sensitive and private.
– Measuring Internet-wide attacks presents a significant logistical challenge.

Background - Attack Types
There are two principal classes of attacks:
– Logic attacks
– Resource attacks (the sole focus of this paper)

Background - Resource Attacks
Related consequences:
– Overwhelm the capacity of intervening network devices.
– Overwhelm the capacity of the CPU.

Background - IP Spoofing
– The attacker spoofs the IP source address of each packet it sends.
– This paper focuses solely on attacks using random address spoofing.

Methodology - Ideas
– The attacker’s source address is selected at random.
– The victim’s responses are therefore also distributed across the entire Internet address space.

Methodology - Backscatter
(Figure borrowed from Geoffrey M. Voelker’s presentation.)

Methodology - Backscatter Analysis
– During an attack of m packets, the probability of a given host receiving at least one unsolicited response from the victim is
– If one monitors n distinct IP addresses, then the expected probability of observing at least one packet from the attack is

Methodology - Backscatter Analysis
– The expected number of unsolicited responses seen at a single host during an attack of m packets is
– When monitoring n distinct IP addresses, the expected number of responses seen is

Methodology - Backscatter Analysis
Use the average arrival rate of unsolicited responses directed at the monitored address range to estimate the actual rate of the attack being directed at the victim:

Methodology - Analysis Limitations
The analysis rests on three assumptions:
– Address uniformity: attackers spoof source addresses at random.
– Reliable delivery: attack traffic is delivered reliably to the victim and backscatter is delivered reliably to the monitor.
– Backscatter hypothesis: unsolicited packets observed by the monitor represent backscatter.

Methodology - Analysis Limitations
Address Uniformity
– Many attacks today do not use address spoofing at all.
– “Reflector attacks” pose a second problem for source address uniformity.
– The motivation for address spoofing has been reduced.

Methodology - Analysis Limitations
Reliable Delivery
– Packets may be queued and dropped (both those from the attacker and those from the victim).
– Packets may be filtered or rate-limited by firewall or intrusion detection software.
– Some forms of attack traffic (e.g. TCP RST messages) do not typically elicit a response.

Methodology - Analysis Limitations
Backscatter Hypothesis
– Any server in the Internet is free to send unsolicited packets.
– Random port scans may be misinterpreted as backscatter.
– The vast majority of attacks can be trivially differentiated from typical scanning activity.

Methodology
“In spite of its limitations, we believe our overall approach is sound and provides at worst a conservative estimate of current denial-of-service activity.” – the paper

Attack Detection and Classification
– Extracting Backscatter Packets
– Flow-Based Classification
  – Flow-Based Identification
  – Flow Timeout
– Deriving Denial-of-Service Attacks
  – Packet Threshold
  – Attack Duration
  – Packet Rate
– Extracted Information

Extracting Backscatter Packets
Remove:
– packets involving legitimate hosts
– packets that do not correspond to response traffic
– traffic from hosts that use TCP RST packets for scanning
– duplicate packets with the same flow tuple seen in the last five minutes

Flow-Based Classification
Flow-Based Identification
– A flow is a series of consecutive packets sharing the same victim IP address.
– The first packet seen for a victim creates a new flow.
– If further packets from that victim arrive at the telescope within a fixed timeout relative to the most recent packet in this flow, they are associated with that flow.

Flow-Based Classification
Flow Timeout (5 minutes)

Deriving Denial-of-Service Attacks
– Packet Threshold (> 25 packets)
– Attack Duration (> 60 seconds)
– Packet Rate (> 0.5 pps)

Extracted Information
– IP protocol
– TCP flag settings
– ICMP payload (copies of the original packet)
– Port settings
– DNS information (for the source address, i.e. the victim)
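The arrival-rate scaling from the Methodology slides and the flow/threshold classification from the slides above, worked through in one added example (this is not code from the paper or the presenter). It assumes a /8 telescope (2^24 monitored addresses, 1/256 of IPv4) and constructed (timestamp, victim) records; the R >= R' * 2^32/n scaling is the paper's estimate, while the function and variable names are my own.

```python
ADDRESS_SPACE = 2 ** 32   # IPv4 addresses an attacker can spoof uniformly
MONITORED = 2 ** 24       # assumed /8 telescope: 1/256 of the address space
FLOW_TIMEOUT = 5 * 60     # seconds between packets before a flow is closed
MIN_PACKETS = 25          # attack thresholds from the slides
MIN_DURATION = 60
MIN_RATE = 0.5

def estimate_attack_rate(backscatter_pps, monitored=MONITORED):
    """Scale the backscatter rate R' seen at n monitored addresses up to the
    rate R the victim receives. With uniformly spoofed sources, n/2^32 of the
    victim's responses land in the telescope, so R >= R' * 2^32 / n. It is a
    lower bound: lost or filtered packets only ever reduce R'."""
    return backscatter_pps * ADDRESS_SPACE / monitored

def group_flows(packets, timeout=FLOW_TIMEOUT):
    """Flow-based identification: packets (timestamp, victim_ip) sharing a
    victim stay in one flow while inter-packet gaps are within the timeout.
    Returns a list of (victim, first_ts, last_ts, packet_count)."""
    flows, open_flows = [], {}
    for ts, victim in sorted(packets):
        f = open_flows.get(victim)
        if f is not None and ts - f[1] <= timeout:
            f[1], f[2] = ts, f[2] + 1          # extend the current flow
        else:
            if f is not None:                  # timeout exceeded: close it
                flows.append((victim, f[0], f[1], f[2]))
            open_flows[victim] = [ts, ts, 1]   # start a new flow
    flows.extend((v, f[0], f[1], f[2]) for v, f in open_flows.items())
    return flows

def classify_attacks(flows):
    """Apply the packet-count, duration and rate thresholds; a flow failing
    any of them (e.g. a short scan) is dropped rather than counted."""
    attacks = []
    for victim, start, end, count in flows:
        duration = end - start
        rate = count / duration if duration > 0 else 0.0
        if count > MIN_PACKETS and duration > MIN_DURATION and rate > MIN_RATE:
            attacks.append({"victim": victim, "duration_s": duration,
                            "backscatter_pps": rate,
                            "estimated_attack_pps": estimate_attack_rate(rate)})
    return attacks

# Constructed sample (timestamps in seconds, documentation-range victim IPs).
SAMPLE = (
    [(t, "198.51.100.7") for t in range(0, 300)]               # 300 pkts, 1/s: attack
    + [(t, "203.0.113.9") for t in range(0, 30)]               # 30 pkts in 29 s: too short
    + [(t, "192.0.2.44") for t in (0, 1, 2, 1000, 1001, 1002)] # gap > timeout: two flows
)

if __name__ == "__main__":
    for attack in classify_attacks(group_flows(SAMPLE)):
        print(attack)
```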

Analysis of Denial-Of-Service Activity
(Figure borrowed from Thangam Seenivasan & Rabin Karki’s presentation.)

Summary of Attack Activity
– From 02/01/2001 to 02/25/ traces of DoS activity; each trace roughly spans one week
– 68,700 attacks on 34,700 unique victim IP addresses in 5,300 distinct DNS domains
– 1,066 million backscatter packets (less than 1/256 of the backscatter traffic)

Interesting Features
– No strong diurnal patterns.
– The rate of attacks does not change significantly over the period.
– Attacks were not clustered on particular subnets.
– Exhibits daily periodic behavior: at the same time every day, the attack increases from an estimated 2,500 pps to 100, ,000 pps, persists for one hour, then subsides again.
– Tuesdays off (suggests the attacks are scripted).

Attack Classification
Attack Protocols
– The vast majority of attacks (93%) and packets (88%) use TCP
– 2.6% used ICMP
– The most popular services targeted are HTTP (port 80), IRC (6667), port 0, and Authd (113)
Attack Rate
– 500 SYN pps is enough to overwhelm a server
– 65% of attacks had an estimated rate at or above this
– A flood of 14,000 pps can disable a server; 4% of attacks reached a rate that would compromise attack-resistant firewalls
Attack Duration
– 60% of attacks last less than 10 min
– 80% last less than 30 min
– 85% last less than 1 hr
– 2.4% last longer than 5 hrs
– 1.5% last longer than 10 hrs
– 0.53% span multiple days

Victim Classification
– Victim Type
– Top-Level Domains
– Victims of Repeated Attacks

Victim Type
– Roughly half of the victims are broadband users
– Slightly less than 10% are dial-up
– 5–10% of the victims are located on educational networks
– A small number of victims appear to be Internet hosting centers
– The majority of victims are home users and small businesses
– A significant number of attacks target victims running IRC
– Many reverse DNS mappings have clearly been compromised by attackers (e.g. “is.on.the.net.illegal.ly”)
– A small but significant fraction of attacks is directed against network infrastructure
  – Over 1.3% of attacks target routers
  – 1.7% target name servers

Top-Level Domains
– Over 10% of the attacks targeted the .com and .net TLDs
– Fewer attacks (1.3–1.7%) targeted the .edu and .org domains
– A disproportionate concentration of attacks targets a small group of countries
  – Attackers targeted Romania (.ro) as frequently as .net and .com
  – Attackers targeted Brazil (.br) more than .edu and .org combined

Victims of Repeated Attacks
– Most victims (89%) were attacked in only one trace (typically spanning roughly one week)
– Most of the remaining victims (7.8%) appear in two traces
– Victims can appear in multiple traces because of attacks that span trace boundaries
– 74% of the victims in each trace were targeted only during the collection of that trace
– A small percentage of victims (3%) appear in more than three traces
(Trace: attack that covers a week or more)

Validation
– Nearly all of the packets are attributed to backscatter that does not itself provoke a response (e.g. TCP RST, ICMP Host Unreachable)
– The distribution of destination addresses is consistent with a uniform distribution at the 0.05 significance level
– Data from several university-related networks in Northern California and from Asta Networks qualitatively confirmed these results

Conclusion
– Presented a new technique, “backscatter analysis,” for estimating DoS attack activity in the Internet
– Observed widespread DoS attacks in the Internet; witnessed over 68,000 attacks
– The size and length of the attacks were heavy-tailed
– A surprising number of attacks were directed at a few foreign countries, at home machines, and at particular Internet services

Thanks – Q & A