Open-Eye
Georgios Androulidakis, National Technical University of Athens


Denial of Service Attacks
- An attack that suspends the availability of a service
- DoS: a single machine sends an enormous number of packets at the target machine
- Distributed DoS: traffic flows from many sources to exhaust network or computing resources

Main Characteristics of DoS
- Variable targets:
  - Single hosts or whole domains
  - Computer systems or networks
  - Active network components (e.g. routers)
- Variable uses and effects:
  - Hacker wars
  - High-profile commercial targets (or just competitors…)
  - Useful in cyber-warfare, terrorism etc.

Our Solution: Open-Eye, an anomaly detection tool

Open-Eye
- DDoS attack detection tool
- Analyses flows exported from Cisco NetFlow-enabled routers
- Compatible with NetFlow v9
- Works with IPv4 and IPv6 traffic
- Uses an anomaly detection algorithm based on specific metrics and thresholds
- Based on Panoptis (

NetFlow: What is a flow?
A flow is defined by seven keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte
- Input logical interface (ifIndex)

NetFlow Sequence on the router (from Cisco.com)
1. Create and update flows in the NetFlow cache
2. Expiration: a flow leaves the cache when
   - the inactive timer expires (15 sec default)
   - the active timer expires (30 min default)
   - the NetFlow cache is full (oldest flows expire)
   - a TCP RST or FIN flag is seen
3. Aggregation? (e.g. the Protocol-Port aggregation scheme)
   - Yes: aggregated flows become export version 8 or 9
   - No: non-aggregated flows become export version 5 or 9
4. Export version (chosen as above)
5. Transport protocol: the expired flows are packed into the payload of an export packet and sent to the collector (typically over UDP)
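To make the "seven keys" and the export format concrete, here is a minimal parser for a NetFlow v5 export datagram (the non-aggregated format named in step 4), written as an added example for this page. It is not the Open-Eye collector's code. The datagram it parses is constructed in the block with a small packing helper; the header and record layouts are the fixed v5 ones (24-byte header, 48-byte records, at most 30 records per datagram). The tag "SYN-only flow" in the sample is the author's construction, not output from a real router.

```python
"""Added example: NetFlow v5 export-datagram parser that extracts the
seven-key flow identity from each record. Not Open-Eye code; the sample
datagram is constructed below for the demonstration."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
MAX_V5_RECORDS = 30                                     # v5 carries at most 30 records


@dataclass
class FlowRecord:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    input_if: int
    output_if: int
    packets: int
    octets: int
    tcp_flags: int

    def key(self) -> Tuple[str, str, int, int, int, int, int]:
        """The seven NetFlow keys that define a flow."""
        return (self.src, self.dst, self.sport, self.dport,
                self.proto, self.tos, self.input_if)


def parse_v5(datagram: bytes) -> Tuple[Dict[str, int], List[FlowRecord]]:
    """Validate the header, then decode exactly 'count' fixed-size records."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, uptime, secs, nsecs, seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"expected NetFlow v5, got version {version}")
    if count > MAX_V5_RECORDS:
        raise ValueError(f"bogus record count {count}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("datagram truncated: fewer bytes than 'count' records")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_type": engine_type,
              "engine_id": engine_id,
              # low 14 bits are the sampling interval, top 2 bits the mode
              "sampling_interval": sampling & 0x3FFF}
    records: List[FlowRecord] = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, input_if, output_if, dpkts, doctets,
         _first, _last, sport, dport, _pad1, tcp_flags, proto, tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(
            str(ipaddress.IPv4Address(srcaddr)), str(ipaddress.IPv4Address(dstaddr)),
            sport, dport, proto, tos, input_if, output_if, dpkts, doctets, tcp_flags))
    return header, records


def build_v5(records: List[FlowRecord], flow_sequence: int = 0) -> bytes:
    """Pack records into a v5 datagram (used only to construct sample input)."""
    body = b"".join(V5_RECORD.pack(
        ipaddress.IPv4Address(r.src).packed, ipaddress.IPv4Address(r.dst).packed,
        b"\x00" * 4, r.input_if, r.output_if, r.packets, r.octets, 0, 0,
        r.sport, r.dport, 0, r.tcp_flags, r.proto, r.tos, 0, 0, 24, 24, 0)
        for r in records)
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, flow_sequence, 0, 0, 0)
    return header + body


# Constructed sample: one ordinary HTTP flow and one single-packet SYN-only
# flow (TCP flags 0x02), the kind a SYN flood produces in bulk.
SAMPLE = build_v5([
    FlowRecord("192.0.2.10", "10.0.0.5", 51000, 80, 6, 0, 1, 2, 42, 31000, 0x1B),
    FlowRecord("198.51.100.7", "10.0.0.5", 1234, 80, 6, 0, 1, 2, 1, 40, 0x02),
], flow_sequence=1000)

if __name__ == "__main__":
    hdr, flows = parse_v5(SAMPLE)
    print(hdr)
    for f in flows:
        print(f.key(), "packets:", f.packets, "flags:", hex(f.tcp_flags))
```

The length and count checks matter in a collector that listens on an open UDP port: a datagram claiming more records than it carries would otherwise read past the buffer, and a collector that trusts the count blindly can be wedged by unauthenticated spoofed exports. A v9 collector needs the same discipline plus template-state handling, which this example leaves out.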

Network Topology

Architecture (1)
Two main modules:
- Collector: receives flow data from the NetFlow-enabled routers; the information is analysed and stored in a local data structure.
- Detector: calculates the metrics and compares the results to the detection thresholds. It is activated periodically, logs detection events extensively and sends security alerts to the administrator.

Architecture (2)

Data structures (1)
- Arrays holding the number of packets and the number of flows for every pair of interfaces
- Hash tables keyed by destination IP, holding the number of packets and flows for that IP, one table per pair of interfaces

Data structures (2)

DoS Detection Metrics
Metrics for packets/flows based on deviation:
- CP_ij = current packets/flows from interface i to interface j
- AP_ij = average packets/flows from interface i to interface j
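The Collector/Detector split, the per-interface-pair counters with a per-destination hash table, and the CP_ij versus AP_ij comparison can be put together as one small working detector. The block below is an added example written for this page, not Open-Eye's implementation. The slides do not state the deviation formula or the thresholds, so both are assumptions here: the relative deviation (CP_ij - AP_ij) / AP_ij, an alert threshold of 1.0 (current value more than double the average), and a policy of only letting alert-free intervals update the average so an ongoing attack does not lift its own baseline. The traffic is constructed in the block and replays the two patterns the attack graphs that follow illustrate: a spoofed-source TCP SYN flood, which raises both packets and flows, and a flood on a single fixed 5-tuple, which raises packets while the flow count stays normal.

```python
"""Added example: flow-based DoS detector in the Collector/Detector style
of Open-Eye. Not the project's code; deviation metric, thresholds and
baseline policy are assumptions, and the traffic is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean
from typing import Dict, List, Tuple

Pair = Tuple[int, int]          # (input ifIndex, output ifIndex)


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    in_if: int
    out_if: int
    packets: int


@dataclass
class IntervalStats:
    """What the Collector keeps per interval: per interface pair, packet and
    flow counters, plus a hash table keyed by destination IP."""
    packets: Dict[Pair, int] = field(default_factory=lambda: defaultdict(int))
    flows: Dict[Pair, int] = field(default_factory=lambda: defaultdict(int))
    per_dst: Dict[Pair, Dict[str, List[int]]] = field(
        default_factory=lambda: defaultdict(lambda: defaultdict(lambda: [0, 0])))


class Collector:
    def __init__(self) -> None:
        self.current = IntervalStats()

    def ingest(self, f: Flow) -> None:
        pair = (f.in_if, f.out_if)
        self.current.packets[pair] += f.packets
        self.current.flows[pair] += 1
        entry = self.current.per_dst[pair][f.dst]   # [packets, flows] for this dst
        entry[0] += f.packets
        entry[1] += 1

    def rotate(self) -> IntervalStats:
        """Hand the finished interval to the Detector and start a fresh one."""
        done, self.current = self.current, IntervalStats()
        return done


@dataclass
class Alert:
    pair: Pair
    metric: str          # "packets" or "flows"
    current: int
    average: float
    deviation: float
    top_dst: str         # destination receiving most packets on this pair


class Detector:
    def __init__(self, threshold: float = 1.0, window: int = 10) -> None:
        self.threshold = threshold   # assumed: alert when CP exceeds AP by 100 %
        self.window = window         # number of past intervals in the average
        self.history: Dict[Pair, List[Tuple[int, int]]] = defaultdict(list)

    @staticmethod
    def deviation(current: int, average: float) -> float:
        # Assumed metric: relative deviation (CP_ij - AP_ij) / AP_ij.
        return (current - average) / average if average > 0 else 0.0

    def check(self, stats: IntervalStats) -> List[Alert]:
        alerts: List[Alert] = []
        for pair in set(stats.packets) | set(self.history):
            cp, cf = stats.packets.get(pair, 0), stats.flows.get(pair, 0)
            hist = self.history[pair]
            fired = False
            if hist:
                ap = mean(p for p, _ in hist)
                af = mean(f for _, f in hist)
                top = max(stats.per_dst[pair].items(),
                          key=lambda kv: kv[1][0], default=("-", [0, 0]))[0]
                for name, cur, avg in (("packets", cp, ap), ("flows", cf, af)):
                    dev = self.deviation(cur, avg)
                    if dev > self.threshold:
                        alerts.append(Alert(pair, name, cur, avg, dev, top))
                        fired = True
            if not fired:
                # Only quiet intervals feed the average (assumption), so an
                # attack in progress cannot raise its own baseline.
                hist.append((cp, cf))
                del hist[:-self.window]
        return alerts


def normal_traffic(n: int = 50) -> List[Flow]:
    """Constructed baseline: n web flows of 20 packets from distinct clients."""
    return [Flow(f"192.0.2.{i % 250 + 1}", "10.0.0.5", 40000 + i, 80, 6, 1, 2, 20)
            for i in range(n)]


def syn_flood(n: int = 2000) -> List[Flow]:
    """Constructed SYN flood: many spoofed sources, one packet per flow."""
    return [Flow(f"198.51.{i // 250}.{i % 250 + 1}", "10.0.0.5", 1024 + i, 80, 6, 1, 2, 1)
            for i in range(n)]


def single_flow_flood(packets: int = 100_000) -> List[Flow]:
    """Constructed flood on one fixed 5-tuple: packets spike, flows do not."""
    return [Flow("203.0.113.7", "10.0.0.5", 53, 53, 17, 1, 2, packets)]


def run_scenario() -> Dict[int, List[Alert]]:
    """Five quiet intervals, then the SYN flood, then the single-flow flood."""
    col, det = Collector(), Detector(threshold=1.0)
    intervals = [normal_traffic() for _ in range(5)]
    intervals.append(normal_traffic() + syn_flood())
    intervals.append(normal_traffic() + single_flow_flood())
    report: Dict[int, List[Alert]] = {}
    for n, flows in enumerate(intervals, start=1):
        for f in flows:
            col.ingest(f)
        report[n] = det.check(col.rotate())
    return report


if __name__ == "__main__":
    for n, alerts in run_scenario().items():
        for a in alerts:
            print(f"interval {n}: {a.metric} on if{a.pair[0]}->if{a.pair[1]} "
                  f"CP={a.current} AP={a.average:.0f} dev={a.deviation:.2f} "
                  f"top dst {a.top_dst}")
```

Running it, intervals 1 to 5 stay silent, interval 6 raises both the packet and the flow metric (2050 flows against an average of 50), and interval 7 raises only the packet metric while the flow count sits at 51. That last case is why the tool tracks both counters: a packet-only alarm with a normal flow count points at a non-spoofed flood, while a flow explosion points at spoofed sources or a scan, and the per-destination table names the victim in either case.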

Topology of our experiments

Attack Graphs (1): packet increase during the attack (TCP SYN Flood)

Attack Graphs (2): flow increase during the attack (TCP SYN Flood)

Attack Graphs (3): packet increase during the attack (TCP SYN Flood)

Attack Graphs (4): flow increase during the attack (TCP SYN Flood)

Attack Graphs (5): packet increase during the attack

Attack Graphs (6): number of flows stays normal during the same attack

Web Interface (1)

Web Interface (2)

Questions & Answers