Presentation is loading. Please wait.

Presentation is loading. Please wait.

DoS attacks on transit network - David Harmelin ( ) Denial of Service attacks on transit networks David Harmelin DANTE.

Published byEdwin Chambers Modified over 8 years ago

Similar presentations

Presentation on theme: "DoS attacks on transit network - David Harmelin ( ) Denial of Service attacks on transit networks David Harmelin DANTE."— Presentation transcript:

1 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Denial of Service attacks on transit networks David Harmelin DANTE

2 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) DANTE advanced network services for the European research community: TEN-155, GÉANT active in testing and evaluating emerging technologies http://www.dante.net/tf-ngn DANCERT (dancert@dante.org.uk) http://www.dante.net/security

3 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Connecting 30 NRENs Backbone and access speeds up to 622 Mbps Research interconnections to North America (USA & Canada) and Asia-Pacific Multiple interconnections with the commercial Internet

4 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Definition of a DoS attack DoS attack DoS attack: an attack on a network or computer, the primary aim of which is to disrupt access to a given service. networked flood-based In this presentation, only DoS attacks involving flooding of networks are considered (networked flood-based DoS attacks).

5 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Example of a networked DoS ( http://www.dante.net/pubs/dip/42/42.html )

6 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Why care about DoS attacks? DoS attacks add to the overall costs : –when unnoticed –one target, many outages –elements not targeted may still be victims all users (using the starved resource) suffer. No quick fix in sight! Need for better co-operation between ISPs.

7 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Are you affected by DoS attacks? Everybody running/using IP networks or services is. DoS attacks are rarely reported in the media. Most organisations do not notice when affected. Management may not be notified.

8 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) DANTE and DoS attacks 1999: DoS attacks noticed regularly on TEN-155. Beginning 2000: DoS attacks against major companies in the news. 2000: first tool based on peer-peer matrix analysis. Failed. End 2000: second tool, based on sampled flow data. DANCERT relies on it to reduce the amount of DoS attacks.

9 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Detecting DoS attacks (1)

10 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Detecting DoS attacks (2) Central server: every X minutes, samples every PoP WS with rate 1/Y flows, during Z seconds. For each router, if more than N flows are received with the same destination IP, raise an alarm. Current values in use: –Routers with regular netflow: X=15, Y=100, Z=10, N=10 »most attacks > 100 pkts/s are detected –Routers with sampled netflow (rate: 1/200 packets): X=15, Y=10, Z=60, N=10 »most attacks > 330 pkts/s are detected

11 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Results Running the tool on 4 core routers since 12/2000. Logging all attacks detected since 03/2001 Trade-off between –accuracy (confirmed attacks/alarms raised=98%) –detection effectiveness (>100 pkt/s). Average of 34 different attacks per day logged, up to 5-6 concurrent (96 polls per day). 90% “C class” attacks - easily traceable. 75% of attacks are 40 bytes TCP packets.

12 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Results - “C class” attacks Spoofed source addresses within the /24 of the source. Coded by default in some DoS tools. Appears as if coming from: 192.168.0.1, 192.168.0.2, …. 192.68.0.254

13 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Results - Durations Most attacks last less than 15 minutes. Fast inter-domain tracing required to find the source.

14 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Results - Traffic generated Approximate values only. Low accuracy due to sampling. Highest: 27000 pkts/s Highest: 32 Mbps

15 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Known limitations of this method Routers capabilities (netflow required) Detecting networked flood-based DoS attacks only... … but not ALL. Detection helps, but further need for co-operation.

16 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) Other approaches exist No detection Human detection Monitoring CPU load, and traffic counters. IETF working on itrace Passive monitoring Other flow monitoring approaches

17 DoS attacks on transit network - David Harmelin ( david.harmelin@dante.org.uk ) IP network operators: –automatic detection and logging of DoS attacks –co-operation between CERT teams –SLAs End-sites: –prevention –trace when DoS traffic sources are reported DANTE: –http://www.dante.net/security/dos/ –gives away the in-house software to transit providers. Who should help? How?

Download ppt "DoS attacks on transit network - David Harmelin ( ) Denial of Service attacks on transit networks David Harmelin DANTE."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
Denial of Service Attack History What is a Denial of Service Attack? Modes of Attack Performing a Denial of Service Attack Distributed Denial of Service.

Denial of Service Attack History What is a Denial of Service Attack? Modes of Attack Performing a Denial of Service Attack Distributed Denial of Service.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.

Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.

Chapter 10 Firewalls. Introduction seen evolution of information systems now everyone want to be on the Internet and to interconnect networks has persistent.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks
Design and Implementation of SIP-aware DDoS Attack Detection System.

Design and Implementation of SIP-aware DDoS Attack Detection System.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.

Similar presentations

Ads by Google