High Performance Research Network Development Lab. / Supercomputing Center
Design of the Detection and Response System against DDoS attacks
Yoonjoo Kwon


Slide 1. Design of the Detection and Response System against DDoS attacks
Yoonjoo Kwon
High Performance Research Network Dept., Supercomputing Center, KISTI

Slide 2. Table of contents
- Motivations
- DDoS Activities (in KREONET)
- DDR System
- Test Results
- Summary
- Future Plans

Slide 3. Motivations
- DDoS attacks keep appearing.
- A DDoS attack consumes host resources (memory, processor cycles) and network resources (bandwidth, and router resources: a router is a host too!).
- Attack tools have become more sophisticated over time.
- From an ISP's point of view, we need to respond to DDoS attacks to protect network users and network resources.

Slide 4. Attack tools over time (Source: CERT/CC)
Figure: attack sophistication versus intruder knowledge, plotted over time. Sophistication rises from password guessing, password cracking and exploiting known vulnerabilities, through disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service and www attacks, to stealth/advanced scanning techniques, burglaries, network management diagnostics, distributed attack tools and binary encryption. The knowledge an intruder needs to use the tools falls from high to low as the tools improve.

Slide 5. DDoS Activities (in KREONET): status
- We have monitored the amount of network traffic in KREONET using FlowScan and FlowScan+.
- DDoS attacks are detected continuously.
- After Jan. 25, 2003, worms that include DDoS features have shown up frequently.
- So far the reaction has been done by manual configuration, so we concluded that an automatic DDoS Detection and Response system is needed.
Figure: KREONET backbone map (Daejeon, Seoul, SuperSIReN; 10 Gbps and 40 Gbps links) alongside FlowScan graphs showing UDP flooding and TCP flooding.

Slide 6. Our System
- DDR system: DDoS Detection and Response system.
- The DDR system uses NetFlow data.
- Its functions are to detect DDoS attacks, to trace back DDoS agents, and to control DDoS traffic.
Figure: overview of the DDR system. DDoS agents flood a victim; the DDR Agent detects the attack and reports the victim IP, attack direction and target protocol to the DDR Server (the link is labelled DDIP); the DDR Server applies a rate limit to the attack traffic.

Slide 7. Components of DDR system
DDR Agent:
- analyzes NetFlow data,
- checks for a DDoS attack,
- sends information about the DDoS attack to the DDR Server.
Figure: component diagram. The DDR Agent, attached to a backbone router, is made up of a Netflow Collector, a Detection Module (DDoS detector, Reactor), a Communication Module (Inner Command Sender) and a Control Module (Router Command Applier). The DDR Server is made up of an Attack Info. Receiver, a Traceback Module (DDoS Agent Tracer, Router Command Applier), a Finishing Checkup Module (Edge Router Traffic Checker, Router Command Remover) and a DB. Agent and server communicate over DDIP. The edge routers send NetFlows to the system and receive router commands: applying rate limits and later removing them.

Slide 8. DDoS Detection Algorithm of DDR Agent
Two-level test for DDoS detection:
- Level 1 test: is the current flow abnormal or not? The criterion: are the network connections to one destination, or from one source, over 85% of the current flows?
- Level 2 test: does the flow trend indicate a DDoS attack or not? This is the final standard of judgement on a DDoS attack.
Figure: abnormal traffic models plotted over time: number of flows per protocol, and number of inbound flows versus number of outbound flows.
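The two-level test above, worked through in code as an added example (this is not the DDR Agent's code). Level 1 is the slide's 85% concentration rule applied to one collection interval of flow records; Level 2, which the slide only names, is implemented here under the assumption that the same anomaly must persist for three consecutive intervals. The flow records, the MIN_FLOWS floor and the TREND_WINDOWS count are constructed for the example; the fields (victim IP, direction, target protocol) match what the overview figure shows the agent reporting to the DDR Server.

```python
"""Two-level, flow-based DDoS detection in the style of the DDR Agent.

Added example for this transcript; it is not the DDR system's code. Level 1 is
the 85% concentration test stated on the slide. Level 2 is an assumption the
slide leaves open: the same anomaly must persist for TREND_WINDOWS consecutive
collection intervals before a DDoS attack is declared. Flow records below are
constructed to look like NetFlow v5 fields (src, dst, proto, pkts, bytes); they
are not a real capture.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

CONCENTRATION_THRESHOLD = 0.85  # slide: over 85% of current flows to one dst / from one src
MIN_FLOWS = 50                  # assumption: skip near-empty intervals (1 flow is 100% of itself)
TREND_WINDOWS = 3               # assumption: Level 2 needs 3 abnormal intervals in a row
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    pkts: int
    bytes: int


@dataclass(frozen=True)
class AttackInfo:
    """The fields the overview figure shows the DDR Agent reporting to the DDR Server."""
    victim_ip: str
    direction: str       # "inbound": flows to one destination; "outbound": flows from one source
    target_protocol: str


def level1_abnormal(flows: List[Flow]) -> Optional[AttackInfo]:
    """Level 1: is the interval concentrated on a single destination or source?"""
    if len(flows) < MIN_FLOWS:
        return None
    total = len(flows)
    for direction, key in (("inbound", lambda f: f.dst), ("outbound", lambda f: f.src)):
        endpoint, n = Counter(key(f) for f in flows).most_common(1)[0]
        if n / total > CONCENTRATION_THRESHOLD:
            # Target protocol: the most common protocol among the concentrated flows.
            proto = Counter(f.proto for f in flows if key(f) == endpoint).most_common(1)[0][0]
            return AttackInfo(endpoint, direction, PROTO_NAMES.get(proto, str(proto)))
    return None


def level2_ddos(intervals: Iterable[List[Flow]]) -> Optional[AttackInfo]:
    """Level 2: declare a DDoS attack only when Level 1 reports the same victim,
    direction and protocol in TREND_WINDOWS consecutive intervals."""
    streak: List[AttackInfo] = []
    for flows in intervals:
        info = level1_abnormal(flows)
        if info is None:
            streak = []                      # anomaly gone: trend broken
        elif streak and info != streak[-1]:
            streak = [info]                  # a different anomaly starts a new trend
        else:
            streak.append(info)
        if len(streak) >= TREND_WINDOWS:
            return streak[-1]
    return None


def make_interval(n_flood: int, n_normal: int, victim: str, proto: int = 17) -> List[Flow]:
    """Constructed collection interval: n_flood flows from rotating (spoofed-looking)
    sources to the victim, plus n_normal TCP flows between distinct host pairs."""
    flood = [Flow(f"203.0.113.{i % 250 + 1}", victim, proto, 10, 4000) for i in range(n_flood)]
    normal = [Flow(f"10.1.0.{i % 250 + 1}", f"10.2.0.{i % 250 + 1}", 6, 20, 15000)
              for i in range(n_normal)]
    return flood + normal


VICTIM = "192.0.2.10"
SAMPLE_INTERVALS = [
    make_interval(5, 95, VICTIM),    # normal: 5% of flows to the victim
    make_interval(90, 10, VICTIM),   # flood begins: 90% -> Level 1 abnormal
    make_interval(92, 8, VICTIM),    # second abnormal interval
    make_interval(95, 5, VICTIM),    # third abnormal interval -> Level 2 declares DDoS
]

if __name__ == "__main__":
    for i, flows in enumerate(SAMPLE_INTERVALS):
        print(f"interval {i}: level1 -> {level1_abnormal(flows)}")
    print("level2 ->", level2_ddos(SAMPLE_INTERVALS))
```

The MIN_FLOWS floor matters in practice: a concentration test with no floor flags a nearly idle link, where a single flow is 100% of the traffic. The persistence rule in Level 2 is what keeps a one-interval burst (a large file transfer, a scan) from triggering a rate limit on a production router.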

Slide 9. Traceback: Finding DDoS agents
- Start at the router which detected the DDoS attack.
- For that router, identify the interfaces on which the attack flow came in.
- For each input interface, identify the remote router (this requires knowing the topology).
- For each remote router, repeat until the DDR Server reaches an edge router.
- Apply the ratelimit command to the edge routers.
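The five steps above carried out over a small constructed topology, as an added example (not the DDR Server's code). The "interface on which the attack flow came in" is read from the NetFlow input ifIndex; the topology map says which router sits behind each interface, and an interface with no known neighbour router is treated as the edge where the attack enters. The Cisco IOS CAR (`rate-limit`) lines at the end are one concrete reading of the slide's "ratelimit command"; the slide does not show the commands the DDR system itself applies, and the ACL number, rate and interface names are assumptions.

```python
"""Hop-by-hop traceback of a DDoS flow and generation of the rate-limit response,
following the five steps on the slide.

Added example for this transcript; it is not the DDR Server's code. The topology
and the per-router NetFlow records are constructed. The "interface on which the
attack flow came in" is taken from the NetFlow input ifIndex, and a router is
treated as the edge when the attack arrives on an interface with no known
neighbour router (a customer or peer attachment). The Cisco IOS CAR commands at
the end are an illustration of the slide's "ratelimit command"; the slide does not
show the commands the DDR system actually applies.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

VICTIM = "192.0.2.10"
UDP = 17


@dataclass(frozen=True)
class FlowRecord:
    input_if: int   # NetFlow input ifIndex on the exporting router
    src: str
    dst: str
    proto: int


# Constructed topology: router -> {ifIndex: neighbour router}. Interfaces that face
# customers or peers are absent from the map, which is what marks an edge.
TOPOLOGY: Dict[str, Dict[int, str]] = {
    "core-daejeon": {1: "core-seoul", 2: "edge-A", 3: "edge-B"},
    "core-seoul": {1: "core-daejeon", 4: "edge-C"},
    "edge-A": {1: "core-daejeon"},
    "edge-B": {1: "core-daejeon"},
    "edge-C": {1: "core-seoul"},
}

# Constructed NetFlow records per router: two DDoS agents (203.0.113.7 behind edge-C,
# 203.0.113.9 behind edge-A) flood the victim; one unrelated TCP flow crosses edge-B.
FLOWS: Dict[str, List[FlowRecord]] = {
    "core-daejeon": [FlowRecord(1, "203.0.113.7", VICTIM, UDP),
                     FlowRecord(2, "203.0.113.9", VICTIM, UDP),
                     FlowRecord(3, "10.5.0.1", "10.6.0.1", 6)],
    "core-seoul": [FlowRecord(4, "203.0.113.7", VICTIM, UDP)],
    "edge-A": [FlowRecord(5, "203.0.113.9", VICTIM, UDP)],
    "edge-C": [FlowRecord(7, "203.0.113.7", VICTIM, UDP)],
}

# ifIndex -> IOS interface name (in practice resolved via SNMP ifDescr; constructed here).
IF_NAMES = {("edge-A", 5): "FastEthernet1/0", ("edge-C", 7): "FastEthernet2/0"}


def traceback(start: str, victim: str, proto: int) -> List[Tuple[str, int]]:
    """Steps 1-4: walk upstream from the detecting router and return the
    (edge router, ingress ifIndex) pairs where the attack enters the network."""
    ingress: List[Tuple[str, int]] = []
    visited = set()
    frontier = [start]
    while frontier:
        router = frontier.pop()
        if router in visited:          # topology loops must not recurse forever
            continue
        visited.add(router)
        attack_ifs = sorted({f.input_if for f in FLOWS.get(router, [])
                             if f.dst == victim and f.proto == proto})
        for ifidx in attack_ifs:
            remote = TOPOLOGY.get(router, {}).get(ifidx)
            if remote is None:
                ingress.append((router, ifidx))   # no upstream router: edge reached
            else:
                frontier.append(remote)           # keep tracing toward the source
    return sorted(ingress)


def rate_limit_commands(router: str, ifidx: int, victim: str, proto: str,
                        acl: int = 150, bps: int = 256000, burst: int = 8000) -> List[str]:
    """Step 5: Cisco IOS CAR configuration that caps matching traffic on the
    ingress interface (illustration; ACL number and rate are assumptions)."""
    ifname = IF_NAMES.get((router, ifidx), f"ifIndex-{ifidx}")
    return [
        f"! {router}",
        f"access-list {acl} permit {proto} any host {victim}",
        f"interface {ifname}",
        f" rate-limit input access-group {acl} {bps} {burst} {burst} "
        f"conform-action transmit exceed-action drop",
    ]


def respond(start: str, victim: str, proto: int) -> List[str]:
    """Full DDR response: trace back, then emit a rate limit for each ingress point."""
    name = {1: "icmp", 6: "tcp", 17: "udp"}.get(proto, "ip")
    cmds: List[str] = []
    for router, ifidx in traceback(start, victim, proto):
        cmds += rate_limit_commands(router, ifidx, victim, name)
    return cmds


if __name__ == "__main__":
    print("\n".join(respond("core-daejeon", VICTIM, UDP)))
```

Two details a practitioner would check before trusting this on a real backbone: the visited set, because a topology with redundant paths (Daejeon and Seoul are joined by a ring in the map) will otherwise loop forever, and the fact that the rate limit is keyed on the victim address rather than on the spoofed sources, since the source addresses of a flood carry no information worth filtering on. Removing the rate limit again once traffic is back to normal is the job the slide's Finishing Checkup Module describes.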

Slide 10. Figure: traceback illustrated on the KREONET map (Daejeon, Seoul), with the nodes involved marked V.

Slide 11. Traceback: After finding DDoS agents
- We know where the traffic came from.
- We can filter the traffic at the ingress if we need to.
- We can identify the peer network and contact them.

Slide 12. Test Environment
- Cross traffic: UDP 19.0 Mbps (iperf)
- DDoS attack tool: flitz
- Number of DDoS agents: 3
- RTT/loss test between Site P and Site Q
- Router: Cisco 7200 series, IOS 12.3
Figure: test topology showing Site P, Site Q, ISP A, ISP B, the DDoS agents, the victim, the DDR Agent and DDR Server (connected via DDIP), the rate-limit point and the RTT/loss test path; link speeds of 25 Mbps and 1 Gbps are marked.

Slide 13. Test Results (skping)
Figure: two loss graphs, "Normal Loss" and "DDoS Attack Loss", the latter annotated at the point where the DDR system is started. Measured values:
  Normal:                Loss 0%,     RTT 1.23 ms
  DDoS attack:           Loss 30.9%,  RTT (value missing)
  Starting DDR system:   Loss 8.73%,  RTT (value missing)
  DDR system running:    Loss 0%,     RTT 4.65 ms

Slide 14. Summary
- DDoS attacks keep appearing.
- We developed the DDR system using NetFlow data.
- We obtained test results in a test environment.

Slide 15. Future Plans
We plan to:
- deploy the DDR system on STAR TAP, our international link,
- deploy the DDR system to a section of KREONET,
- update the detection engine (DDR Agent) periodically, since worms that include DDoS features have been increasing.
We would like:
- to form a shared infrastructure capable of accurate backtracing,
- our results on this topic to contribute to Asia-Pacific research.