Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.

Slides:

Advertisements

Similar presentations

IDPS (Intrusion Detection & Prevention System )

Advertisements

MULTOPS A data-structure for bandwidth attack detection Thomer M. Gil Vrije Universiteit, Amsterdam, Netherlands MIT, Cambridge, MA, USA

Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Raw Sockets CS-480b Dick Steflik Raw Sockets Raw Sockets let you program at just above the network (IP) layer You could program at the IP level using.

Snort Roy INSA Lab.. Outline What is “ Snort ” ? Working modes How to write snort rules ? Snort plug-ins It ’ s show time.

Defensive Measures for DDoS By Farhan Mirza. Contents Survey Topics Survey Topics Introduction Introduction Common Target of DoS Attacks Common Target.

Computer Security and Penetration Testing

Intrusion Detection Systems and Practices

Snort - an network intrusion prevention and detection system Student: Yue Jiang Professor: Dr. Bojan Cukic CS665 class presentation.

Design and Implementation of Alternative Route Against DDOS Jing Yang and Su Li.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

Design of an Autonomous Anti-DDOS Network (A2D2) Angela Cearns Thesis Proposal Master of Software Engineering University of Colorado, Colorado Springs.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Information Networking Security and Assurance Lab National Chung Cheng University Snort.

Design of an Autonomous Anti-DDOS Network (A2D2) Angela Cearns Thesis Defense Thursday October 24, 2002 Master of Software Engineering Department of Computer.

Intrusion Detection/Prevention Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Lecture 15 Denial of Service Attacks

INTRUSION DETECTION SYSTEM

DDoS Attack and Its Defense1 CSE 5473: Network Security Prof. Dong Xuan.

USENIX LISA ‘99 Conference © Copyright 1999, Martin Roesch Snort - Lightweight Intrusion Detection for Networks Martin Roesch.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

Intrusion Protection Mark Shtern. Protection systems Firewalls Intrusion detection and protection systems Honeypots System Auditing.

Penetration Testing Security Analysis and Advanced Tools: Snort.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 8 – Denial of Service.

IDS Intrusion Detection Systems CERT definition: A combination of hardware and software that monitors and collects system and network information and analyzes.

Version 4.0. Objectives Describe how networks impact our daily lives. Describe the role of data networking in the human network. Identify the key components.

ECE4112 Lab 7: Honeypots and Network Monitoring and Forensics Group 13 + Group 14 Allen Brewer Jiayue (Simon) Chen Daniel Chu Chinmay Patel.

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Module 12: Routing Fundamentals. Routing Overview Configuring Routing and Remote Access as a Router Quality of Service.

COEN 252: Computer Forensics Network Analysis and Intrusion Detection with Snort.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

SNORT Feed the Pig Vicki Insixiengmay Jon Krieger.

What is a “Network Intrusion Detection System (NIDS)"?

CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.

DISTRIBUTED tcpdump CAPABILITY FOR LINUX Research Paper EJAZ AHMED SYED Dr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson.

1 Countering DoS Through Filtering Omar Bashir Communications Enabling Technologies

Snort Intrusion Detection. What is Snort Packet Analysis Tool Most widely deployed NIDS Initial release by Marty Roesch in 1998 Current version

Group 8 Distributed Denial of Service. DoS SYN Flood DDoS Proposed Algorithm Group 8 What is Denial of Service? “Attack in which the primary goal is to.

Design and implementation of SIP-aware DDoS attack detection system By: Arif Iqbal.

Intrusion Intrusion Detection Systems with Snort Hailun Yan 564-project.

1 SOS: Secure Overlay Services A. D. Keromytis V. Misra D. Runbenstein Columbia University.

Chapter 7 Denial-of-Service Attacks Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: “An action.

Snort - Lightweight Intrusion Detection for Networks YOUNG Wo Sang Program Committee, PISA

Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by Rafail Tsirbas 4/1/20151.

Selective Packet Inspection to Detect DoS Flooding Using Software Defined Networking Author : Tommy Chin Jr., Xenia Mountrouidou, Xiangyang Li and Kaiqi.

DoS/DDoS attack and defense

Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley.

High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon

DOS Attacks Lyle YapDiangco COEN 150 5/21/04. Background DOS attacks have been around for decades Usually intentional and malicious Can cost a target.

Version 4.0 Living in a Network Centric World Network Fundamentals – Chapter 1.

Unit 2 Personal Cyber Security and Social Engineering Part 2.

DIVYA K 1RN09IS016 RNSIT1. Cloud computing provides a framework for supporting end users easily through internet. One of the security issues is how to.

CompTIA Security+ Study Guide (SY0-401)

Snort – IDS / IPS.

Proventia Network Intrusion Prevention System

Firewall – Survey Purpose of a Firewall Characteristic of a firewall

Defending Against DDoS

CompTIA Security+ Study Guide (SY0-401)

Firewalls at UNM 11/8/2018 Chad VanPelt Sean Taylor.

Defending Against DDoS

Intrusion Detection Systems (IDS)

Intrusion Detection system

Presentation transcript:

Lan Nguyen Mounika Namburu 1

 DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate Limiting  A2D2 Implementation Test-bed  A2D2 Test-bed Performance Results  Future Works  Conclusion 2

3 DDoS Defense Research 3 main research areas:  Intrusion Prevention General security policy Ingress & Egress filtering  Intrusion Detection Anomaly Detection Misuse Detection  Intrusion Response Source Identification  Intrusion Tolerance ◦ Fault Tolerance ◦ Quality of Service (QoS)  Intrusion Tolerant QoS Techniques  Rate Limiting  Class-Based Queuing (CBQ)  Intrusion Tolerant QoS Systems  XenoService  Pushback Mechanisms  Cooperative Intrusion Traceback and Response Architecture (CITRA)

 Intrusion Tolerance Techniques ◦ Not autonomous ◦ Time-consuming ◦ Require knowledgeable staff  Intrusion Tolerance Systems ◦ Expensive ◦ Worldwide agreements ◦ Extensive Collaboration 4

 Autonomous Anti-DDoS Network (A2D2) ◦ A2D2 Target Audience  Home network, small to medium sized networks ◦ Design Principles  Affordable  Manageable  Configurable  Portable ◦ Design of A2D2 is divided into 3 main areas: 1.Intrusion Detection – Snort (slides 6-10) 2.Intrusion Response (slides 11-13) 3.Autonomy System (slide 14) 5 Research-Oriented

 Snort is the only free, open source lightweight IDS and is selected to be the detection component of A2D2  Snort can be operated in 3 modes: a straight packet sniffer similar to tcpdump a packet logger a full-blown network intrusion detection system  As an IDS, Snort performs real-time protocol analysis, content searching and matching, and real-time alert 6 Detection Engine (Rule Based) Preprocessor (Perform logic) Attack detection is mainly based on a signature recognition detection engine as well as a modular plugin architecture for more sophisticated behavior analysis.

 Flood threshold  Flood preprocessor Initiation  Flood preprocessor Data structure  Subnet flood detection  Flood preprocessor logic flow 7

8  DDoS attack agent sends attack packets with an array of randomly generated source addresses, all of them within the subnet of the attack agent  Each spoofed address is used in a limited number of packets to reduce suspicion

 A2D2 is designed to detect 3 types of generic flooding: Individual attack host against individual victim host Subnet attack agents against individual victim host Subnet attack agents against victim subnet hosts  A2D2 assumes a /24 subnet flood detection  A2D2 also assumes many networks implement ingress and egress filtering 9

 Additional Features Additional Features ◦ FloodIgnoreHosts Preprocessor ◦ FloodRateLimiter Preprocessor 10

 Intrusion Response ◦ Security policy ◦ Class Based Queuing ◦ Multi-level Rate Limiting 11

 CBQ supports a maximum of 8 separate queues, or classes 12

13

 Autonomy System ◦ Rate Limiting Configuration & Expiration: config file (defines basic parameters based on which Rate Limiting can be automatically applied) ◦ Snort Customization – FloodRateLimiter Preprocessor (Keeps track of incoming packet rate from a “presumed” attack source. If arrival rate continues to reach the max allowable rate, send message to firewall, apply stricter rate limiting until block level is reached) ◦ Alert Interface (Snort sends alert messages to UNIX socket. Alert message is parsed for attack host’s source IP address which Multi-level Rate Limiting is then applied to) 14

15

 Attack Tool  StacheldrahtV4 stable, sophisticated, & able to launch attacks in ICMP, UDP and TCP protocols can be downloaded from internet for free  Client Bandwidth Measurement Tools  plot.pl--->written and installed in Linux clients to capture bandwidth usage information  Drawing Tool--->gnuplot version

17 BaselineShort 1-minute attack with no mitigation strategy Non-stop attack with no mitigation strategyNon-stop UDP attack with security policy

18 Non-stop ICMP attack with security policyNon-stop ICMP attack with security policy & CBQ Non-stop TCP-SYN attack with security policy & CBQ Non-stop TCP-SYN attack with security policy, CBQ, & autonomous multi-level rate-limiting

 TCP – SYN Attack  Firewall Processing Speed  Alternate Routing  Scalability  Anomaly Detection  Fault Tolerant 19

 Intrusion Tolerance  A2D2 effectively combines firewall policy, CBQ, multi-level rate-limiting and DDoS flood detection in an autonomous architecture  A2D2 Clients Enjoy QoS during Various Types of Attack 20

   David Moore, Geoffrey M. Voelker and Stefan Savage. Inferring Internet Denial-of-Service Activity  ITWorld.com. CERT hit by DDoS attack for a third day. May 24,  Steve Bellovin, Marcus Leech, and Tom Taylor. ICMP Traceback Messages. Internet Draft: draft-ieft-itrace-01.txt. Expires April

22