Open-Eye Georgios Androulidakis National Technical University of Athens.


Presentation on theme: "Open-Eye Georgios Androulidakis National Technical University of Athens."— Presentation transcript:

1 Open-Eye Georgios Androulidakis National Technical University of Athens

2 Denial of Service Attacks
- An attack that suspends the availability of a service
- DoS: a single machine sends an enormous number of packets against the target machine
- Distributed DoS: traffic flows from many sources to exhaust network or computing resources

3 Main Characteristics of DoS
- Variable targets:
  - Single hosts or whole domains
  - Computer systems or networks
  - Active network components (e.g. routers)
- Variable uses & effects:
  - Hacker wars
  - High-profile commercial targets (or just competitors...)
  - Useful in cyber-warfare, terrorism etc.

4 Our Solution: an anomaly detection tool, Open-Eye

5 Open-Eye
- DDoS attack detection tool
- Analyses flows exported from Cisco NetFlow enabled routers
- Compatible with NetFlow v9
- Works with IPv4 and IPv6 traffic
- Uses an anomaly detection algorithm based on specific metrics and thresholds
- Based on Panoptis (http://panoptis.sourceforge.net)

6 NetFlow
What is a flow? A flow is defined by seven keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte
- Input logical interface (ifIndex)

7 NetFlow Sequence (router side, from Cisco.com)
1. Create and update flows in the NetFlow cache
2. Expiration, triggered by one of:
   - Inactive timer expired (15 sec is default)
   - Active timer expired (30 min is default)
   - NetFlow cache is full (oldest flows expire)
   - RST or FIN TCP flag
3. Aggregation? (e.g. Protocol-Port Aggregation Scheme)
   - Yes: aggregated flows, export Version 8 or 9
   - No: non-aggregated flows, export Version 5 or 9
4. Export Version
5. Transport Protocol: the export packet's payload carries the expired flows

8 Network Topology

9 Architecture (1)
Two main modules:
- Collector: receives flow data from the NetFlow enabled routers; the information is analyzed and stored in a local data structure.
- Detector: calculates the metrics and compares the results to detection thresholds. It is periodically activated, implements extensive logging of detection events and generates e-mail notifications with security alerts to the administrator.

10 Architecture (2)

11 Data structures (1)
- Arrays holding the number of packets and the number of flows for every pair of interfaces
- Hash tables keyed by destination IP, holding the number of packets and flows (values) for each IP, for every pair of interfaces

12 Data structures (2)

13 DoS Detection Metrics
Metrics for packets/flows are based on deviation, where:
- CP_ij = current packets/flows from interface i to j
- AP_ij = average packets/flows from interface i to j
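As an added example (not code from Open-Eye or from the Panoptis project it builds on), the following Python sketch plays through the collector data structures of slide 11 and the detector comparison of slide 13 on constructed flow records. The relative deviation (CP_ij - AP_ij) / AP_ij, the thresholds, and the choice of the busiest destination from the per-IP hash table are assumptions, since the slides only say the metric is deviation based.

```python
from collections import defaultdict

# Constructed sample flow records, not Open-Eye data:
# (input ifIndex, output ifIndex, destination IP, packets in the flow)
BASELINE_INTERVALS = [
    [(1, 2, "203.0.113.10", 40), (1, 2, "203.0.113.11", 60), (2, 1, "198.51.100.5", 50)],
    [(1, 2, "203.0.113.10", 50), (1, 2, "203.0.113.12", 50), (2, 1, "198.51.100.5", 50)],
]
# Current interval: 20 single-packet flows toward one host, the shape a SYN flood takes in NetFlow
CURRENT_INTERVAL = [(1, 2, "203.0.113.10", 1)] * 20 + [
    (1, 2, "203.0.113.11", 60), (2, 1, "198.51.100.5", 55)]

def collect(flows):
    """Collector: packet/flow counters per (in, out) interface pair plus the
    per-destination hash table (key: dst IP) for each pair, as on slide 11."""
    pairs = defaultdict(lambda: [0, 0])                       # [packets, flows]
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for in_if, out_if, dst, pkts in flows:
        for counter in (pairs[(in_if, out_if)], per_dst[(in_if, out_if)][dst]):
            counter[0] += pkts
            counter[1] += 1
    return pairs, per_dst

def average_pairs(intervals):
    """AP_ij: mean packets and flows per interface pair over past intervals."""
    totals = defaultdict(lambda: [0, 0])
    for flows in intervals:
        for key, (pkts, nflows) in collect(flows)[0].items():
            totals[key][0] += pkts
            totals[key][1] += nflows
    n = len(intervals)
    return {key: (pkts / n, nflows / n) for key, (pkts, nflows) in totals.items()}

def deviation(current, average):
    """Assumed metric: relative deviation (CP - AP) / AP. With no baseline at
    all, any traffic counts as maximal deviation."""
    if average == 0:
        return float("inf") if current > 0 else 0.0
    return (current - average) / average

def detect(current_flows, baseline_intervals, packet_threshold=1.0, flow_threshold=1.0):
    """Detector: compare CP_ij with AP_ij for every pair and return one alert per
    pair whose packet or flow deviation crosses its threshold, naming the busiest dst."""
    current, per_dst = collect(current_flows)
    average = average_pairs(baseline_intervals)
    alerts = []
    for key, (cur_pkts, cur_flows) in current.items():
        avg_pkts, avg_flows = average.get(key, (0, 0))
        dev_pkts, dev_flows = deviation(cur_pkts, avg_pkts), deviation(cur_flows, avg_flows)
        if dev_pkts > packet_threshold or dev_flows > flow_threshold:
            idx = 1 if dev_flows > flow_threshold else 0   # rank dsts by the counter that fired
            top_dst = max(per_dst[key], key=lambda d: per_dst[key][d][idx])
            alerts.append((key, round(dev_pkts, 3), round(dev_flows, 3), top_dst))
    return alerts
```

On the constructed data only the 1->2 direction alerts: packets are slightly below average, but the flow count is 9.5 times the baseline and the per-IP table points at 203.0.113.10, which matches the "flow increase, packets normal" signature of a SYN flood shown on the attack graphs.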

14 Topology of our experiments

15 Attack Graphs (1)
- Packet increase during the attack (TCP SYN Flood)

16 Attack Graphs (2)
- Flow increase during the attack (TCP SYN Flood)

17 Attack Graphs (3)
- Packet increase during the attack (TCP SYN Flood)

18 Attack Graphs (4)
- Flow increase during the attack (TCP SYN Flood)

19 Attack Graphs (5)
- Packet increase during the attack

20 Attack Graphs (6)
- Number of flows is normal

21 Web Interface (1)

22 Web Interface (2)

23 Questions & Answers

