Presentation is loading. Please wait.

Presentation is loading. Please wait.

Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University"— Presentation transcript:

1 Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University reddy@ee.tamu.edu http://ee.tamu.edu/~reddy/

2 Narasimha Reddy Texas A & M University 2 Acknowledgements Deying Tong, Smitha, Phani Achanta Seong Soo Kim

3 Narasimha Reddy Texas A & M University 3 Outline Motivation DOS attacks –Partial state routers DDOS attacks, worms –Aggregate Packet header data as signals –Signal/image based anomaly/attack detectors

4 Narasimha Reddy Texas A & M University 4 Real-time traffic monitoring Attacks motivate us to monitor network traffic –Potential anomaly/attack detectors –Potentially contain/throttle them as they happen Line speeds are increasing –Need simple, effective mechanisms Attacks constantly changing –CodeRed yesterday, MyDoom today, what next

5 Narasimha Reddy Texas A & M University 5 Motivation Most current monitoring/policing tools are tailored to known attacks –Look for packets with port number 1434 (CodeRed) –Contain Kaaza traffic to 20% of the link Become ineffective when traffic patterns or attacks change –New threats are constantly emerging

6 Narasimha Reddy Texas A & M University 6 Motivation Can we design generic (and generalized) mechanisms for attack detection and containment? Can we make them simple enough to implement them at line speeds?

7 Narasimha Reddy Texas A & M University 7 Introduction Why look for Kaaza packets –They consume resources –Consume resources more than we want Not much different from DOS flood –Consumes resources to stage attacks Why not monitor resource usage? –Do not want to rely on attack specific info

8 Narasimha Reddy Texas A & M University 8 Attacks DOS attacks –Few sources = resource hogs DDOS attacks, worms –Many sources –Individual flows look normal –Look at the aggregate picture

9 Narasimha Reddy Texas A & M University 9 DOS attacks & Network Flows Too many flows to monitor each flow Maintain a fixed amount of state/memory –State not enough to monitor all flows (Partial state) –Manage the state to monitor high-bandwidth flows –How? Sample packets –High-BW flows more likely to be selected Use a cache and employ LRU type policy –Traffic driven –Cache retains frequently arriving flows

10 Narasimha Reddy Texas A & M University 10 Partial State Approach Similar to how caches are employed in computer memory systems –Exploit locality Employ an engineering solution in an architecture-transparent fashion

11 Narasimha Reddy Texas A & M University 11 Identifying resource hogs Lots of web flows –Tend to corrupt the cache quickly Apply probabilistic admission into cache –Flow has to arrive often to be included in cache –Most web flows not admitted Works well in identifying high-BW flows Can apply resource management techniques to contain cached/identified flows

12 Narasimha Reddy Texas A & M University 12 LRU with probabilistic admission Employ a modified LRU On a miss, flow admitted with probability p –When p is small, keeps smaller flows out –High-BW flows more likely admitted –Allows high-BW flows to be retained in cache Nonresponsive flows more likely to stay in cache

13 Narasimha Reddy Texas A & M University 13 Traffic Driven State Management Monitor top 100 flows at any time –Don’t know the identity of these flows –Don’t know how much BW these may consume

14 Narasimha Reddy Texas A & M University 14 Policy Driven State Management An ISP could decide to monitor flows above 1Mbps –Will need state >= link capacity/1 Mbps Could monitor flows consuming more than 1% of link capacity –For security reasons –At most 100 flows with 1% BW consumption

15 Narasimha Reddy Texas A & M University 15 Partial State –Trace-driven evaluation

16 Narasimha Reddy Texas A & M University 16 Partial State –Trace-driven Evaluation

17 Narasimha Reddy Texas A & M University 17 UDP Cache Occupancy

18 Narasimha Reddy Texas A & M University 18 TCP Cache Occupancy

19 Narasimha Reddy Texas A & M University 19 Resource Management

20 Narasimha Reddy Texas A & M University 20 Preferential Dropping drop prob Queue length drop prob for high bandwidth flows minthmaxth maxp 1 drop prob for other flows

21 Narasimha Reddy Texas A & M University 21 Multiple possibilities SACRED: Monitor flows above certain rate (policy driven), differential RED, (iwqos99) LRU-RED: Traffic driven state management, differential RED (Globecom01) –Approximately fair BW distribution LRU-FQ: Traffic driven state management, fair queuing (ICC 04) –Contain DOS attacks –Provide shorter delays for short-term flows

22 Narasimha Reddy Texas A & M University 22 SACRED Sampling And Caching RED Maintain flow rate as state for cached flows If flow rate > threshold, drop at higher rate –Drop rate keeps increasing if flow stays above threshold –Tends to punish nonresponsive flows, high-BW flows If flow rate < threshold, remove from cache –Make room for another flow

23 Narasimha Reddy Texas A & M University 23 SACRED results -10% state

24 Narasimha Reddy Texas A & M University 24 SACRED – cache associativity

25 Narasimha Reddy Texas A & M University 25 SACRED --Additive

26 Narasimha Reddy Texas A & M University 26 SACRED –TCP only

27 Narasimha Reddy Texas A & M University 27 LRU-FQ Resource Management

28 Narasimha Reddy Texas A & M University 28 LRU-FQ flow chart – enqueue event Packet Arrival Is Flow in Cache? Yes No Does Cache Have space? Yes Admit flow with Probability ‘p’ No Is Flow Admitted? Record flow details Initialize ‘count’ to 0 Yes Increment ‘count’ Move flow to top of cache No Is ‘count’ >= ‘threshold’ No Yes Enqueue in Partial state Queue Enqueue in Normal Queue

29 Narasimha Reddy Texas A & M University 29 Linux IP Packet Forwarding Packet Arrival Check & Store Packet Enqueue pkt Request Scheduler To invoke bottom half Device Prepares packet Packet Departure Error checking Verify Destination Route to destination Update Packet Packet Enqueued Scheduler invokes Bottom half Scheduler runs Device driver Local packet Deliver to upper layers UPPER LAYERS IP LAYER LINK LAYER Design space

30 Narasimha Reddy Texas A & M University 30 Linux Kernel traffic control Filters are used to distinguish between different classes of flows. Each class of flows can be further categorized into sub-classes using filters. Queuing disciplines control how the packets are enqueued and dequeued

31 Narasimha Reddy Texas A & M University 31 LRU-FQ Implementation LRU component of the scheme is implemented as a filter. –All parameters: threshold, probability and cache size are passed as parameters to the filter Fair Queuing employed as a queuing discipline. –Scheduling based on queue’s weight. –Start-time Fair Queuing

32 Narasimha Reddy Texas A & M University 32 Experimental Setup

33 Narasimha Reddy Texas A & M University 33 Long-Term flow differentiation Probability = 1/25Cache size= 11 threshold= 125 Normal TCP fraction = 0.07

34 Narasimha Reddy Texas A & M University 34 Long-term flow differentiation Probability = 1/25Cache size= 11 threshold= 125

35 Narasimha Reddy Texas A & M University 35 Protecting Web Mice

36 Narasimha Reddy Texas A & M University 36 Protecting Web mice 1:1LRU : Normal Queue 11LRU Cache Size 125Threshold 1/50Probability 20Web Clients 2 – 4LongTerm UDP Flows 20Long Term TCP Flows Experimental Setup

37 Narasimha Reddy Texas A & M University 37 Protecting Web Mice Bandwidth Results 0.0656.2192789.134 0.0585.55128489.803 0.0625.88131389.452 TCP Fraction TCP Tput # Web Requests UDP Tput UDP Flows 0.4944.511363246.244 0.4944.831382845.733 0.4944.921391545.732 TCP Fraction TCP Tput # Web Requests UDP Tput UDP Flows Normal Router LRU-FQ Router

38 Narasimha Reddy Texas A & M University 38 Protecting Web Mice Timing Results Normal Router LRU-FQ Router

39 Narasimha Reddy Texas A & M University 39 Summary of Partial-State Sampling and Caching allows simple identification of resource hogs Provides a good control of DOS attacks with limited number of flows Provides fairer distribution of link BW Partial state packet handling cost -not an issue at 100Mbps/1Gbps. –1Gbps implemented on Intel Network processor

40 Narasimha Reddy Texas A & M University 40 Applications of Partial State More intelligent control of network traffic Accounting and measurement of high bandwidth flows Denial of Service (DOS) attack prevention Tracing of high bandwidth flows QOS routing

41 Narasimha Reddy Texas A & M University 41 Aggregated packet analysis

42 Narasimha Reddy Texas A & M University 42 Approach Network Traffic Signal Generation & Data Filtering (Address correlation) Anomaly Detection (Thresholding) Detection Signal Statistical or Signal Analysis (Wavelets or DCT)

43 Narasimha Reddy Texas A & M University 43 Signal Generation Traffic volume (bytes or packets) –Analyzed before –May not be a great signal when links are always congested (typical campus access links) Lot more information in packet headers –Source address –Destination address –Protocol number –Port numbers

44 Narasimha Reddy Texas A & M University 44 Signal Generation Per packet cost is important driver Update a counter for each packet header field –Too much memory to put in SRAM Break the field into multiple 8-bit fields –32-bit address into four 8-bit fields –1024 locations instead of 2^32 locations –In general, 256* (k/8) instead of 2^k –k/8 counter updates instead of 1

45 Narasimha Reddy Texas A & M University 45 Signal Generation What kind of signals can we generate with addresses, port numbers and protocol numbers?

46 Narasimha Reddy Texas A & M University 46 Addresses are correlated Most of us have habits –Access same web sites Large web sites get significant part of traffic –Google.com, hp.com, yahoo.com Large downloads correlate over time –ftp, video On an aggregate, addresses are correlated

47 Narasimha Reddy Texas A & M University 47 Address Correlation –attacks? Address correlation changes when traffic patterns change abruptly –Denial of service attacks –Flash crowds –Worms Results in differences in correlation –High --single attack victim –Low – lots of addresses --worm

48 Narasimha Reddy Texas A & M University 48 Address correlation signals Address correlation: Simplified Address correlation:

49 Narasimha Reddy Texas A & M University 49 Address Correlation Signals

50 Narasimha Reddy Texas A & M University 50 Address Correlation Signals

51 Narasimha Reddy Texas A & M University 51 Signal Analysis Capture information over a sampling period –Of the order of a few seconds to minutes Analyze each sample to detect anomalies –Compare with historical norms Post-mortem/Real-time analysis –May use different amounts of data & analysis Detailed information of past few samples Less detailed information of older samples

52 Narasimha Reddy Texas A & M University 52 Signal Analysis Address correlation as a time series signal Employ known techniques to analyze time series signals Wavelets –one powerful technique –Allows analysis in both time and frequency domain Per-sample analysis has more flexibility –Not in forwarding path

53 Narasimha Reddy Texas A & M University 53 Does this work?

54 Narasimha Reddy Texas A & M University 54 Analysis of address signal

55 Narasimha Reddy Texas A & M University 55 Image based analysis Treat the traffic data as images Apply image processing based analysis Treat each sample as a frame in a video –Video compression techniques lead to data reduction –Scene change analysis leads to anomaly detection –Motion prediction leads to attack prediction

56 Narasimha Reddy Texas A & M University 56 Signal Generation

57 Narasimha Reddy Texas A & M University 57 Two dimensional images Horizontal/vertical lines indicate anomalies –Infected machine contacting multiple destinations (worm propagation) –Multiple source machines targeting a destination (DDOS)

58 Narasimha Reddy Texas A & M University 58 DCT analysis of addresses

59 Narasimha Reddy Texas A & M University 59 Semi-random attacks

60 Narasimha Reddy Texas A & M University 60 Random attacks

61 Narasimha Reddy Texas A & M University 61 Complex attacks

62 Narasimha Reddy Texas A & M University 62 Better than volume analysis

63 Narasimha Reddy Texas A & M University 63 Evaluation True Positive Rate False Alarm Rate or False Positive Rate True Negative Rate False Negative Rate LR = true positive rate/ false positive rate NLR = false negative rate/true –ve rate Ideally, LR = infinity, NLR = 0

64 Narasimha Reddy Texas A & M University 64 Comparison of Scalar signals

65 Narasimha Reddy Texas A & M University 65 Protocol Composition During attack, attack protocol volume will be higher –Observation of changes can lead to detection

66 Narasimha Reddy Texas A & M University 66 Protocol Composition

67 Narasimha Reddy Texas A & M University 67 Address based signals

68 Narasimha Reddy Texas A & M University 68 Port Number Domain

69 Narasimha Reddy Texas A & M University 69 Thresholds vs. Detection

70 Narasimha Reddy Texas A & M University 70 Motion prediction

71 Narasimha Reddy Texas A & M University 71 Advantages Not looking for specific known attacks Generic mechanism Works in real-time –Latencies of a few samples –Simple enough to be implemented inline

72 Narasimha Reddy Texas A & M University 72 Prototypes Linux-PC boxes On Intel Network processors –Can push to Gbps packet forwarding rates –Forwarding throughput not impacted –Sampling rates of a few ms possible

73 Narasimha Reddy Texas A & M University 73 Related Work Resource usage monitoring –Estan & Verghese –Bloom filters –Kodialam & Lakshman – Run detection –Mahajan et al – RED-PD –Duffield (AT & T) – Sampling –Others

74 Narasimha Reddy Texas A & M University 74 Related Work –Worms Payload monitoring –Singh, Savage & Verghese, Tang & Chen –Look for matches against constant length payloads Sampling, Rabin Signatures –Prototype implementation –Detects worms within 5-30 seconds –Effective with polymorphic worms

75 Narasimha Reddy Texas A & M University 75 Related Work -- Worms Look for TCP Reset signals –Weaver & Paxson –Random host scan at a specific ports –Not all hosts open attack port –Attacking worm will get many Resets –Too many Resets => Attacker –Effective for TCP based attacks –Can detect/contain in real-time

76 Narasimha Reddy Texas A & M University 76 Related Work -- Worms Quick spreading worms use randomly generated addresses –Normal users use names, DNS –Worms don’t have DNS activity –Lots of accesses without DNS requests => Worms –Many detectors within a campus Local DNS servers

77 Narasimha Reddy Texas A & M University 77 Related Work -- Worms Address honeypots –Arbor networks, Paxson, CrowCroft –Configure machines to accept packets for unassigned addresses –Only worms will contact these machines –Capture payloads to analyze –Quickly propagate signatures

78 Narasimha Reddy Texas A & M University 78 Related Work -- Worms IP Traceback – Savage et al –Address spoofing makes origin of attacks difficult to detect –Tracing, if universal, will limit attacks Fear of detection –Post-attack detection Not helpful in mitigating or detection –Most attack machines are innocent participants

79 Narasimha Reddy Texas A & M University 79 Related Work –host based Limit the number of new connections of individual hosts –TwyCross & Williamson (HP) –Reduces the speed at which a worm can spread –Can be used to detect worms Monitor application execution sequences –Profiling based indication of anomalous behavior => Detect and sandbox worms

80 Narasimha Reddy Texas A & M University 80 Conclusion Real-time resource accounting is feasible Real-time traffic monitoring is feasible –Simple enough to be implemented inline Can rely on many tools from signal/image processing area –More robust offline analysis possible –Concise for logging and playback

81 Narasimha Reddy Texas A & M University 81 Thank you !! For more information, http://ee.tamu.edu/~reddy reddy@ee.tamu.edu

82 Narasimha Reddy Texas A & M University 82 LRU-RED Results

83 Narasimha Reddy Texas A & M University 83 RTT Bias -TCP flows

84 Narasimha Reddy Texas A & M University 84 Impact of Cache size Effect of varying cache size –to study impact of cache size on performance of the scheme –probability= 1/55, threshold = 125 –number of TCP flows=20 –equal weights for both queues.

85 Narasimha Reddy Texas A & M University 85 Results – Cache size

86 Narasimha Reddy Texas A & M University 86 Normal Workloads Performance under normal workloads –working of scheme when non-responsive loads are absent or use their fair share of bandwidth –cache size = 9, threshold =125 –probability = 1/55

87 Narasimha Reddy Texas A & M University 87 Results – Normal workload

88 Narasimha Reddy Texas A & M University 88 Normal Mixed workload

Download ppt "Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University"

Similar presentations

Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.

Martin Suchara, Ryan Witt, Bartek Wydrowski California Institute of Technology Pasadena, U.S.A. TCP MaxNet Implementation and Experiments on the WAN in.
QoS Strategy in DiffServ aware MPLS environment Teerapat Sanguankotchakorn, D.Eng. Telecommunications Program, School of Advanced Technologies Asian Institute.

QoS Strategy in DiffServ aware MPLS environment Teerapat Sanguankotchakorn, D.Eng. Telecommunications Program, School of Advanced Technologies Asian Institute.
RED-PD: RED with Preferential Dropping Ratul Mahajan Sally Floyd David Wetherall.

RED-PD: RED with Preferential Dropping Ratul Mahajan Sally Floyd David Wetherall.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

20.1 Chapter 20 Network Layer: Internet Protocol Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Review: Routing algorithms Distance Vector algorithm. –What information is maintained in each router? –How to distribute the global network information?

Review: Routing algorithms Distance Vector algorithm. –What information is maintained in each router? –How to distribute the global network information?
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,

PERSISTENT DROPPING: An Efficient Control of Traffic Aggregates Hani JamjoomKang G. Shin Electrical Engineering & Computer Science UNIVERSITY OF MICHIGAN,
© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating.

© 2007 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. The Taming of The Shrew: Mitigating.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
A Case for Relative Differentiated Services and the Proportional Differentiation Model Constantinos Dovrolis Parameswaran Ramanathan University of Wisconsin-Madison.

A Case for Relative Differentiated Services and the Proportional Differentiation Model Constantinos Dovrolis Parameswaran Ramanathan University of Wisconsin-Madison.
Network Elements based on Partial State A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University

Network Elements based on Partial State A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University
Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University

Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University
Modeling Network Traffic as Images Seong Soo Kim and A. L. Narasimha Reddy Computer Engineering Department of Electrical Engineering Texas A&M University.

Modeling Network Traffic as Images Seong Soo Kim and A. L. Narasimha Reddy Computer Engineering Department of Electrical Engineering Texas A&M University.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
USENIX LISA’05 NetViewer: A Network Traffic Visualization and Analysis Tool Seong Soo Kim A.L. Narasimha Reddy Electrical and Computer Engineering Texas.

USENIX LISA’05 NetViewer: A Network Traffic Visualization and Analysis Tool Seong Soo Kim A.L. Narasimha Reddy Electrical and Computer Engineering Texas.
A & M University1 Design, and Evaluation of a Partial State Router Phani Achanta A. L. Narasimha Reddy Dept. of Electrical Engineering.

A & M University1 Design, and Evaluation of a Partial State Router Phani Achanta A. L. Narasimha Reddy Dept. of Electrical Engineering.
Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.

Performance Evaluation of IPv6 Packet Classification with Caching Author: Kai-Yuan Ho, Yaw-Chung Chen Publisher: ChinaCom 2008 Presenter: Chen-Yu Chaug.
Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University

Real-time Traffic monitoring and containment A. L. Narasimha Reddy Dept. of Electrical Engineering Texas A & M University
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Similar presentations

Ads by Google