Published by Lauren Horton. Modified over 9 years ago.
1
Denial of Service A Brief Overview
2
Denial of Service
Significance of DoS in Internet Security
Low-Rate DoS Attacks
– Timing and detection
– Defense
High-Rate, Distributed Attacks
– Botnets
– Detection and Defense Strategies
3
Significance of DoS. Availability of services is a key part of Internet security. The number of web sites and companies affected by DoS attacks is high and rising. Banks have been attacked for revenge. Businesses have been forced to pay criminals (extortion) to avoid the monetary losses caused by the shutdown of their web sites.
4
ITU-T Recommendation X.805 Security Architecture [1]
5
Low-Rate TCP DoS Attack. Periodic short bursts exploit the minimum retransmission timeout (minRTO) of TCP flows: a burst long enough to fill the bottleneck queue forces the flows into timeout, and repeating the burst every minRTO catches each retransmission, while the attacker's average rate stays low. Kuzmanovic and Knightly showed that these attacks are feasible and, because of the low average rate, difficult to detect. Sun et al. proposed a distributed detection mechanism that matches the periodic burst pattern using Dynamic Time Warping.
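To make the timing argument concrete, the following added example (written for this page, not code from the presentation or from Kuzmanovic and Knightly) simulates one TCP flow facing a periodic burst. It assumes a single bottleneck, a burst that drops every packet sent while it is active, minRTO = 1 s, exponential backoff on consecutive timeouts, and an RTO cap of 64 s; the burst length, periods and 60 s run are chosen for illustration. Attack periods equal to minRTO (or a divisor of it) drive throughput to zero; a period of 1.5 s leaves roughly (T − minRTO)/T = 1/3 of the capacity.

```python
"""Slotted simulation of a TCP flow under a periodic low-rate (shrew) burst.

Assumptions (not from the slides): one TCP flow, one bottleneck, a burst that
drops every packet sent while it is active, minRTO = 1 s (the RFC 2988/6298
default), exponential backoff on consecutive timeouts, RTO capped at 64 s.
"""

DT = 0.01  # slot length in seconds


def _slots(seconds):
    return int(round(seconds / DT))


def tcp_throughput(period, burst_len, min_rto=1.0, duration=60.0, max_backoff=6):
    """Fraction of slots in which the flow delivers data while an attacker
    sends a burst of `burst_len` seconds every `period` seconds.

    Model: while not in timeout the flow sends in every slot. A send that
    lands inside a burst is lost and the flow waits RTO = min_rto * 2**k
    (k = consecutive timeouts) before trying again; a successful send resets k.
    """
    period_s, burst_s, rto_s = _slots(period), _slots(burst_len), _slots(min_rto)
    total = _slots(duration)
    k = 0
    next_attempt = 0
    delivered = 0
    for slot in range(total):
        if slot < next_attempt:
            continue  # waiting out a retransmission timeout
        in_burst = burst_s > 0 and (slot % period_s) < burst_s
        if in_burst:
            next_attempt = slot + rto_s * (2 ** k)
            k = min(k + 1, max_backoff)
        else:
            delivered += 1
            k = 0
    return delivered / total


def attacker_load(period, burst_len):
    """Average attacker rate as a fraction of its burst (link) rate: this is
    what makes the attack hard to spot with a rate-based filter."""
    return burst_len / period


if __name__ == "__main__":
    burst = 0.15  # 150 ms burst, long enough to cover a typical RTT
    for period in (0.5, 1.0, 1.5, 2.0):
        print(f"period={period:.1f}s  TCP throughput={tcp_throughput(period, burst):.2f}"
              f"  attacker avg load={attacker_load(period, burst):.0%}")
```

Note that the attacker's average load at a 1 s period is only 15% of the link rate, yet the flow delivers nothing: every retransmission at minRTO, 2·minRTO, 4·minRTO, ... lands inside a burst.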
6
TCP Retransmission Timer [6]
7
Low-Rate Attack Timing [8]
8
Dynamic Time Warping Histogram [8]
9
Proposed Defense. A router runs the DTW matcher on traffic at an output port; when it finds the periodic burst pattern there, it looks for the same pattern on each input port. If the pattern is found on an input port, detection is pushed back to the upstream router on that port. If it is not found on any single input port, a distributed attack (bursts assembled from several inputs) is assumed. Deficit Round Robin (DRR) scheduling is then used to ensure fairness among the flows arriving on each input.
10
Distributed Denial of Service DDoS
11
Role of Botnets
Botnet Creation
Botnet Control Mechanism
DDoS Defense Strategies
12
[5]
13
Estimated Size of Botnets. Conficker (DownAdUp) worm (2008): 7,000,000 to 10,500,000 hosts. Mariposa (2008): 12,000,000 hosts. Bredolab (2009): 30,000,000 hosts. Most botnets have not been fully infiltrated or shut down, so the total number of remotely controlled machines is unknown. Source: F-Secure, Infosecurity (UK), and Kaspersky Lab.
14
Botnet Creation. Host computers are infected by worms, viruses, or by executing trojan-horse software. Worm propagation between web servers causes normally safe and legitimate web sites to serve malicious content to their visitors, infecting the user's computer (a drive-by download).
15
Worm-Based Botnet Creation [2]
16
Botnet Command and Control. The most common control method is Internet Relay Chat (IRC) protocols and servers. Infected machines may instead poll controlling servers over HTTP.
17
IRC Controlled Botnet [4]
18
DDoS Defense Strategies
– Monitoring and early detection
– Adaptive detection and defense employing Hop-Count Filtering
– Collaborative detection over multiple domains
– Traffic visualization
19
Monitoring and Detection. Detect malware propagation during its early, exponential growth phase (trend detection). Look for shared statistical characteristics: the estimated growth rate converges to a constant, positive exponential rate. Detection of non-uniform-scan worms (e.g. Blaster, which scans sequentially from a locally chosen start address) benefits from a widely distributed monitoring network.
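The following added example (written for this page; it is not the presentation's code and not the Kalman-filter estimator of Zou et al.) shows what "growth rate converges to a constant, positive exponential rate" means in practice. It assumes the simple epidemic model dI/dt = βI(N − I) with β = η/2^32 and Code Red-like parameters (N = 360,000 vulnerable hosts, η = 358 scans per minute), and estimates the rate α = βN by least squares on the logarithm of the monitored infection counts. A trend alarm fires when several consecutive estimates are positive and agree; a flat background series never triggers it.

```python
"""Trend detection for the early exponential phase of worm propagation.

Assumptions (not from the slides): the simple epidemic model
dI/dt = beta * I * (N - I) with beta = eta / 2**32, Code Red-like parameters
(N = 360,000 vulnerable hosts, eta = 358 scans/min), and a least-squares
estimate of the growth rate from the log of monitored counts. Zou et al.
estimate this rate with a Kalman filter; least squares is a simplification.
"""
import math

N_VULN = 360_000
SCAN_RATE = 358.0
ADDR_SPACE = 2 ** 32


def simulate_worm(steps, i0=10.0, n=N_VULN, eta=SCAN_RATE, omega=ADDR_SPACE):
    """Infected-host count per minute under the simple epidemic model."""
    beta = eta / omega
    series = [i0]
    for _ in range(steps):
        i = series[-1]
        series.append(i + beta * i * (n - i))
    return series


def true_rate(n=N_VULN, eta=SCAN_RATE, omega=ADDR_SPACE):
    """Exponential rate alpha = beta * N that holds while I << N."""
    return eta * n / omega


def growth_rate(window):
    """Least-squares slope of ln(count) against time over one window."""
    ys = [math.log(max(c, 1.0)) for c in window]
    w = len(ys)
    x_mean = (w - 1) / 2
    y_mean = sum(ys) / w
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(ys))
    den = sum((x - x_mean) ** 2 for x in range(w))
    return num / den


def trend_alarm(series, window=10, stable=5, tol=0.1):
    """Return (time, rate) once `stable` consecutive window estimates are all
    positive and agree within a fraction `tol` of each other; None otherwise.
    Background scanning with no growth yields slope 0 and never alarms."""
    ests = []
    for t in range(window, len(series) + 1):
        ests.append(growth_rate(series[t - window:t]))
        recent = ests[-stable:]
        if (len(recent) == stable and min(recent) > 0
                and max(recent) - min(recent) <= tol * min(recent)):
            return t - 1, recent[-1]
    return None


if __name__ == "__main__":
    worm = simulate_worm(500)
    print("true alpha (per minute):", round(true_rate(), 5))
    print("trend alarm (minute, estimated alpha):", trend_alarm(worm))
    print("flat background:", trend_alarm([500.0] * 40))
```

The estimate settles near ln(1 + α) ≈ 0.0296 per minute while only a few dozen hosts are infected, which is the point of trend detection: the rate is recognisable long before the infected population is.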
20
Worm Propagation Model [10]
21
Code Red and Blaster Propagation [9]
22
Worm Monitoring System [10]
23
Adaptive Defense. Suitable for high-volume traffic such as worm propagation and DDoS. Relies on a good estimation of attack severity. Minimizes the sum of the costs of false positives and false negatives by choosing the filter configuration that is optimal for the current severity. SYN flooding is easy to detect but hard to filter, because spoofed SYNs look like legitimate ones; hop-count filtering addresses this.
24
Hop Count Filtering. A spoofed packet carries whatever TTL the attacker sets, but the attacker cannot know the true hop count from the host whose address it is forging to the target, so the hop count inferred from the received TTL (initial TTL minus observed TTL) will usually not match the value previously learned for that source. Memory constraints prevent storing a hop count for every address, so addresses are aggregated (e.g. by prefix). Filter selectivity (the mismatch that is tolerated) is adjusted adaptively to the estimated attack severity.
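An added example of the filter (written for this page; not the presentation's code nor the reference implementation of Jin, Wang and Shin). It assumes sources are aggregated by /24 prefix, that the table is learned from a constructed set of samples taken from established TCP connections (which cannot be spoofed without hijacking), and that the initial TTL is one of the common OS defaults 32, 60, 64, 128 or 255. The `tolerance` argument is the selectivity knob the slide refers to.

```python
"""Hop-Count Filtering with an adjustable tolerance (selectivity).

Assumptions (not from the slides): /24 aggregation, a learned table built from
constructed samples of established connections, and the initial-TTL set below.
"""
from collections import Counter, defaultdict
import ipaddress

INITIAL_TTLS = (32, 60, 64, 128, 255)  # common OS defaults


def infer_hop_count(ttl):
    """Hop count = initial TTL - received TTL, taking the smallest common
    initial value not below the received TTL. This is ambiguous by a few hops
    (e.g. a 64-initial host seen at TTL 50 is read as 60 - 50 = 10, not 14);
    HCF accepts that imprecision, which is one reason a tolerance exists."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    raise ValueError(f"TTL {ttl} exceeds every known initial value")


def aggregate(ip):
    """Aggregation key: the /24 prefix of the source address."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class HopCountFilter:
    def __init__(self):
        self._seen = defaultdict(Counter)  # prefix -> Counter of hop counts

    def learn(self, ip, ttl):
        """Record an observation from a trusted (established) flow."""
        self._seen[aggregate(ip)][infer_hop_count(ttl)] += 1

    def expected(self, ip):
        counts = self._seen.get(aggregate(ip))
        if not counts:
            return None
        return counts.most_common(1)[0][0]

    def accept(self, ip, ttl, tolerance=0):
        """True if the inferred hop count is within `tolerance` of the learned
        value for the prefix. Unknown prefixes are accepted (no evidence).
        Raise `tolerance` under low attack severity to cut false positives;
        lower it under a heavy flood to drop more spoofed packets."""
        expected = self.expected(ip)
        if expected is None:
            return True
        return abs(infer_hop_count(ttl) - expected) <= tolerance


LEGIT_SAMPLES = [  # constructed (source, received TTL) pairs from established flows
    ("10.1.2.10", 114), ("10.1.2.44", 114), ("10.1.2.200", 113),
    ("192.0.2.5", 245), ("198.51.100.9", 52),
]


def build_filter(samples=LEGIT_SAMPLES):
    hcf = HopCountFilter()
    for ip, ttl in samples:
        hcf.learn(ip, ttl)
    return hcf


if __name__ == "__main__":
    hcf = build_filter()
    # Spoofed SYN claiming 10.1.2.3 but sent by a host 8 hops away (TTL 128 - 8).
    print("spoofed accepted?", hcf.accept("10.1.2.3", 120))
    print("legit accepted?", hcf.accept("10.1.2.77", 114))
    print("off-by-one host, strict:", hcf.accept("10.1.2.200", 113, tolerance=0),
          "lenient:", hcf.accept("10.1.2.200", 113, tolerance=1))
```

The off-by-one case shows the cost trade-off from the previous slide: a strict filter drops a legitimate host whose path differs by a hop from the rest of its /24, while a lenient one lets spoofed packets through if the attacker happens to sit at a similar distance.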
26
Adaptive Defense Architecture [9]
27
Adaptive HCF Cost [9]
28
Adaptive Defense Performance [9]
29
Collaborative Detection Method
– Use a distributed system to leverage network topology.
– Implement in core ISP network domains covering the edge networks where protected systems are physically connected.
– Detection at the traffic superflow level.
– Distributed Change-Point Detection (DCD).
– Change Aggregation Trees (CAT).
30
Superflow Traffic Model [3]
31
Distributed Change-Point Detection
– Hierarchical detection architecture deployed over multiple domains.
– A central CAT server in each domain.
– The servers merge CAT sub-trees from collaborating domains into a global CAT, with the root at the victim's location.
– Three-layer organization.
32
DCD Three-Layer Organization. At the lowest layer, each router detects local traffic fluctuations with a change-point detection program. In each network domain, a CAT server constructs a CAT sub-tree from the alerts collected from its routers. At the highest layer, the CAT servers form an overlay network, communicating over VPN channels.
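The two lower layers, as an added example written for this page (not the presentation's code and not the implementation of Chen, Hwang and Ku): each router runs a non-parametric CUSUM over per-interval packet counts of the superflow toward the victim, and the domain's CAT server attaches every alarmed router whose downstream path to the victim is itself alarmed, then judges the attack by the size of the resulting tree. The six-router topology, the per-router count series, the CUSUM drift and threshold, and the tree-size rule are all constructed for illustration.

```python
"""Distributed change-point detection with a change aggregation tree (CAT).

Assumptions (not from the slides): a constructed six-router topology with
next-hop links toward the victim, constructed per-interval superflow packet
counts per router, a non-parametric CUSUM at each router (baseline from the
first TRAIN intervals, drift DRIFT, threshold THRESHOLD), and a CAT-server rule
that declares DDoS when the tree reaches MIN_TREE routers.
"""
from collections import defaultdict

TRAIN, DRIFT, THRESHOLD = 20, 20.0, 300.0
MIN_TREE = 3
ROOT = "victim"

# Downstream (toward-victim) neighbour of each router; R6 is off the attack paths.
NEXT_HOP = {"R1": ROOT, "R2": "R1", "R3": "R1", "R4": "R2", "R5": "R3", "R6": "R1"}

BASELINE = [100, 102, 98, 101, 99, 100, 103, 97, 100, 101,
            99, 100, 102, 98, 100, 101, 99, 100, 100, 100]
QUIET = [100, 101, 99, 100, 102, 98, 100, 101, 99, 100]
SURGE = [250, 400, 420, 410, 400, 415, 405, 400, 410, 400]

COUNTS = {r: BASELINE + SURGE for r in ("R1", "R2", "R3", "R4", "R5")}
COUNTS["R6"] = BASELINE + QUIET


def cusum_alarm(counts, train=TRAIN, k=DRIFT, h=THRESHOLD):
    """Router layer: index of the first interval at which the one-sided CUSUM
    statistic y_n = max(0, y_{n-1} + x_n - baseline - k) exceeds h, else None."""
    baseline = sum(counts[:train]) / train
    y = 0.0
    for i in range(train, len(counts)):
        y = max(0.0, y + (counts[i] - baseline - k))
        if y > h:
            return i
    return None


def build_cat(alarmed, next_hop=NEXT_HOP, root=ROOT):
    """CAT-server layer: attach each alarmed router whose entire downstream
    path to the root is alarmed, so the tree is rooted at the victim."""
    children = defaultdict(list)
    for r in sorted(alarmed):
        node = r
        while node != root and node in alarmed:
            node = next_hop[node]
        if node == root:
            children[next_hop[r]].append(r)
    return dict(children)


def tree_size(cat, root=ROOT):
    stack, size = [root], 0
    while stack:
        for child in cat.get(stack.pop(), []):
            size += 1
            stack.append(child)
    return size


def detect(counts=COUNTS):
    """Return per-router alarm times, the CAT, its size and the DDoS verdict."""
    alarms = {r: cusum_alarm(series) for r, series in counts.items()}
    alarmed = {r for r, t in alarms.items() if t is not None}
    cat = build_cat(alarmed)
    size = tree_size(cat)
    return alarms, cat, size, size >= MIN_TREE


if __name__ == "__main__":
    alarms, cat, size, is_ddos = detect()
    print("alarms:", alarms)
    print("CAT:", cat, "size:", size, "DDoS:", is_ddos)
```

A single alarm at a leaf router whose downstream neighbour stayed quiet does not attach to the tree, which is how the aggregation step suppresses isolated, local fluctuations that a lone router would otherwise report.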
33
Visualization Research Example Using Hierarchical Network Maps. A treemap approach, with each node of the hierarchy drawn as a box placed inside its parent. Using the dimensions of IP address (prefix hierarchy) and time, Internet monitoring data can be visualized.
34
Botnet Growth Example. Rapid spread of botnet computers in China over an eight-day period in August 2006, as observed by a large service provider. Prefix labels are anonymized here because of privacy concerns.
35
Botnet Infections: Day 1 [7]
36
Botnet Infections: Day 5 [7]
37
Botnet Infections: Day 9 [7]
38
Conclusion Denial of Service attacks are a continuing problem. Active research is underway to study vulnerabilities to attacks and methods of mitigation. Much work remains to be done before the problem will be solved.
39
Questions?