High Performance Research Network Dept. / Supercomputing Center
DDoS Detection and Response System NetWRAP: Running on KREONET
Yoonjoo Kwon

Slide 1: DDoS Detection and Response System NetWRAP: Running on KREONET
Yoonjoo Kwon, High Performance Research Network Dept., Supercomputing Center, KISTI

Slide 2: Table of contents
 Backgrounds
 Motivations
 Contribution and Results
 Summaries and Future Plans

Slide 3: Backgrounds
 DDoS attacks keep appearing
   February 2000: Yahoo, Amazon
   January 2003: Korea

Slide 4: Backgrounds: attack tools over time
[Figure: CERT/CC chart of attack tools over time, plotting attack sophistication (low to high) against the knowledge required of intruders. Tools shown along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI tools, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network management diagnostics, distributed attack tools, binary encryption. Source: CERT/CC]

Slide 5: Backgrounds
[Figure: DDoS attack topology with control messages, attack flows, the target, and a legitimate user]
 The DDoS attack
   Consumes host resources (memory and processor cycles)
   Consumes network resources (bandwidth and router resources)

Slide 6: Motivation
[Figure: KREONET backbone (10 Gbps and 40 Gbps links, Daejeon, Seoul, SuperSIReN) annotated with observed attack types: UDP flooding, TCP flooding, ICMP worm]
 DDoS attacks have been detected frequently
 Manual reaction is too slow
 An automatic DDoS detection and response system is needed

Slide 7: Our Detection System
 NetFlow data (version 5)
 Detection approaches
   Signature-based (misuse detection), applied to TCP traffic
     Example: it would be very unusual for a host to receive 10,000 connection attempts per second
     If TCP SYN flow count > threshold and all flows go to one destination, then alert
   Anomaly-based (what is typical?), applied to non-TCP traffic
     Mean and standard deviation of the number of flows

Slide 8: Our Response System
 The response system traces back to the routers nearest the DDoS agents within the domain
 The response system holds the network topology
 All routers have to export NetFlow data
 The response system applies a rate-limit command to the nearest routers
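The two detection rules of slide 7 and the traceback of slide 8, worked through on constructed flow records. This is an added example, not NetWRAP's code: the 10,000/s threshold is taken from the slide's example figure, the SYN/ACK bit values are NetFlow v5 tcp_flags bits, and the victim and agent addresses and router names R1..R3 are constructed.

```python
from collections import Counter
from statistics import mean, pstdev

SYN, ACK = 0x02, 0x10      # tcp_flags bits of a NetFlow v5 record (cumulative OR over the flow)
SYN_THRESHOLD = 10_000     # half-open SYNs per second; slide 7's example figure, assumed as the rule threshold
VICTIM = "10.0.0.5"        # constructed address, not from the slides

def half_open_syn(flow):
    """SYN was seen but never an ACK: a connection attempt that did not complete."""
    return flow["proto"] == 6 and bool(flow["tcp_flags"] & SYN) and not flow["tcp_flags"] & ACK

def syn_flood_alerts(flows, threshold=SYN_THRESHOLD):
    """Signature rule: more than `threshold` half-open SYN flows in one second aimed at a single destination."""
    per_dst = Counter(f["dst"] for f in flows if half_open_syn(f))
    return {dst: n for dst, n in per_dst.items() if n > threshold}

def nontcp_anomaly(history, current, k=3.0):
    """Anomaly rule: this window's non-TCP flow count exceeds mean + k*stddev of earlier windows."""
    return current > mean(history) + k * pstdev(history)

def nearest_routers(flows, dst):
    """Traceback: every router that exported attack flows toward dst is where a rate limit is applied."""
    return dict(Counter(f["exporter"] for f in flows if f["dst"] == dst and half_open_syn(f)))

def constructed_flows():
    """One second of constructed records: 3 agents behind 2 edge routers, plus 50 legitimate clients."""
    agents = [("192.0.2.10", "R1"), ("192.0.2.11", "R1"), ("198.51.100.7", "R2")]
    flows = [{"src": s, "dst": VICTIM, "proto": 6, "tcp_flags": SYN, "exporter": r}
             for i in range(12_000) for s, r in [agents[i % 3]]]
    flows += [{"src": f"203.0.113.{i}", "dst": VICTIM, "proto": 6,
               "tcp_flags": SYN | ACK | 0x08, "exporter": "R3"} for i in range(50)]  # completed handshakes
    return flows

if __name__ == "__main__":
    flows = constructed_flows()
    for dst, n in syn_flood_alerts(flows).items():
        print(f"SYN flood on {dst}: {n} half-open flows/s; rate-limit at {nearest_routers(flows, dst)}")
    print("non-TCP anomaly:", nontcp_anomaly([100, 110, 95, 105, 100], 400))
```

The legitimate clients are excluded by the ACK bit, so the alert counts only the half-open attempts and the traceback names R1 and R2, not R3.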

Slide 9: Our Response System
[Figure: an administrative domain with the detection system, the response system, the DDIP, and the routers nearest the attack sources marked for rate limiting]

Slide 10: Overview of NetWRAP
 NetWRAP: NetWork Resource Abuse Preventive
 The NetWRAP system uses NetFlow data
 Functions are
   to detect DDoS attacks
   to trace back DDoS agents
   to control DDoS traffic
[Figure: DDoS agents, NetWRAP agent, NetWRAP server, DDIP and victim; the server issues a rate limit described by victim IP, attack direction and target protocol]

Slide 11: Test Results
 Router: Cisco 7200 series, IOS 12.3
 Number of DDoS agents: 3
 DDoS attack tool: flitz
 Cross traffic: UDP 19.0 Mbps (iperf)
 RTT/loss test between Site P and Site Q
[Figure: test topology with the DDoS agents, NetWRAP agent, NetWRAP server, DDIP and victim across ISP A and ISP B, 25 Mbps and 1 Gbps links, and the RTT/loss test path between Site P and Site Q]

Slide 12: Test Results (skping)
[Figure: loss and RTT over time through the phases normal, DDoS attack, and starting NetWRAP; the four readings in order are:]
 Loss: 0%, RTT: 1.23 ms
 Loss: 30.9%, RTT: (value not captured)
 Loss: 8.73%, RTT: (value not captured)
 Loss: 0%, RTT: 4.65 ms

Slide 13: Results
 Applying NetWRAP to the STAR TAP link
[Figure: two traffic graphs of the STAR TAP link, each contrasting the section without NetWRAP and the section with NetWRAP applied: defending against TCP SYN flooding, and defending against the Nachi worm]

Slide 14: Summaries
 DDoS attacks keep appearing
 We developed the NetWRAP system using NetFlow data
 We obtained successful test results
 We deployed the NetWRAP system on STAR TAP, an international link

Slide 15: Future Plans
 We plan to
   update the detecting engine (NetWRAP Agent) by June 2004: packet count

Slide 16: Welcome to join us
 We would like
   to form a shared infrastructure capable of defending the network against DDoS attacks
   we are going to update our system until June
   after June, we want to cooperate with other ISPs
   if any NOC members are interested in our system, contact me