
Institut für Telematik, Universität Karlsruhe (TH), Germany. IWAN 2005, 23 November. An Extension to Packet Filtering of Programmable Networks. Marcus Schöller, Thomas Gamer, Roland Bless, and Martina Zitterbart

Slides 2 and 3: Motivation (application-level view, then network-level view)
 Building an attack detection system
   DDoS and worm propagation are major threats
   The victim cannot take any countermeasures on its own; support from the network operator is needed
   Detection as early as possible
   Attacks are constantly changing
 Objectives
   Be extensible, to adapt to new attacks
   Be resource saving, to fit in high-speed environments
Goal: build an anomaly-based attack detection system based on packet selection

Slides 4 and 5: Anomaly-based detection system (network-level view)
 A statistical anomaly in an aggregate suggests an attack
   DDoS: rapid increase of packets at the aggregation point
   Worm propagation: exponential increase of packets
 Protocol anomalies within such an aggregate verify the suggestion
   Normal TCP connection establishment: # TCP-SYN approx. # TCP-SYN-ACK
   TCP SYN flooding: (# TCP-SYN > # TCP-SYN-ACK) & TCP-RST
 Packet selection is used to find the statistical anomalies: attack hints can be detected with fewer resources
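The two-stage check of slides 4 and 5 (a statistical jump in the aggregate as the hint, the SYN/SYN-ACK/RST protocol anomaly as the verification), written out as an added example. This is not the authors' NodeOS code: the packet trace is constructed, and the thresholds (a factor of 3 over the recent baseline, SYNs at least twice the SYN-ACKs, at least 100 SYNs, any RST) are assumptions chosen for the illustration.

```python
"""Two-stage anomaly check from the slides, as an added example (not the
authors' NodeOS implementation). Thresholds and the trace are assumed."""
from collections import Counter


def constructed_trace():
    """Constructed trace of (interval, protocol, tcp_flags) records.
    Intervals 0-4 carry balanced handshakes (SYN ~ SYN-ACK) plus some UDP;
    interval 5 is a SYN flood: many SYNs, few SYN-ACKs, RSTs from the victim."""
    pkts = []
    for t in range(5):
        for _ in range(100):
            pkts.append((t, "tcp", "S"))
            pkts.append((t, "tcp", "SA"))
        for _ in range(50):
            pkts.append((t, "udp", None))
    pkts += [(5, "tcp", "S")] * 3000
    pkts += [(5, "tcp", "SA")] * 80
    pkts += [(5, "tcp", "R")] * 400
    return pkts


def per_interval_counts(pkts):
    """Aggregate per interval: total packets and TCP SYN / SYN-ACK / RST counts."""
    counts = {}
    for t, proto, flags in pkts:
        c = counts.setdefault(t, Counter())
        c["total"] += 1
        if proto == "tcp":
            c[{"S": "syn", "SA": "synack", "R": "rst"}.get(flags, "other")] += 1
    return counts


def statistical_anomaly(counts, t, history=3, factor=3.0):
    """Hint (slide 4): the packet count of interval t exceeds `factor` times the
    mean of the preceding `history` intervals. `factor` is an assumed threshold."""
    prev = [counts[i]["total"] for i in range(t - history, t) if i in counts]
    if not prev:
        return False
    return counts[t]["total"] > factor * (sum(prev) / len(prev))


def syn_flood_anomaly(c, ratio=2.0, min_syn=100):
    """Verification (slide 5): #SYN clearly exceeds #SYN-ACK and RSTs are present.
    `ratio` and `min_syn` are assumed thresholds."""
    return c["syn"] >= min_syn and c["syn"] > ratio * c["synack"] and c["rst"] > 0


def detect(pkts):
    """Intervals in which the statistical hint is confirmed by the protocol anomaly."""
    counts = per_interval_counts(pkts)
    return [t for t in sorted(counts)
            if statistical_anomaly(counts, t) and syn_flood_anomaly(counts[t])]


if __name__ == "__main__":
    print("alarms in intervals:", detect(constructed_trace()))  # [5]
```

Counting SYN-ACKs against SYNs only works where the detector sees both directions of the aggregate; slide 13 lists asymmetric Internet routes as a simplification of the model that still has to be removed, which is exactly this assumption.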

Slide 6: Packet selection (taxonomy of the PSAMP WG)
 Packet filtering (NodeOS is currently limited to this class)
   Field match filtering
   Hash based selection
   Router state filtering
 Packet sampling
   Non-uniform probabilistic sampling
   Systematic time based sampling
   n-out-of-N sampling
   Uniform probabilistic sampling
   Systematic count based sampling

Slide 7: NodeOS specification
 IPFIX-conformant filtering at the incoming channel (inChan)
 Packet sampling only within the execution environment (EE), which causes
   unnecessary delay for not-selected packets
   high resource consumption
   high delay
   and is therefore not applicable to high-speed routers
 Two issues
   Select a suitable packet selection scheme
   Integrate packet selection into the NodeOS
[Figure: inChan -> NodeOS packet filter -> Execution Environment (packet sampling, packet processing) -> outChan]

Slide 8: Selecting a suitable packet selector for an attack detection system
 Packet filtering is unsuitable: an attacker can circumvent detection by packet crafting
 Non-uniform probabilistic sampling is unsuitable: deep packet inspection is necessary
 Systematic time-based sampling is unsuitable: bad estimation during low bandwidth utilization
 n-out-of-N sampling is suitable only to a limited extent: generation of unique random numbers is necessary
 Uniform probabilistic sampling is well suited: only a random number generator is required
 Systematic count-based sampling is very well suited: least resource demanding

Slide 9: Packet sampling experiment
 Uniform probabilistic sampling
 Sampling intervals: 0.5 s and 5 s
 Accuracy depends on the number of packets per interval
 Same results for systematic count based sampling

Estimation failure of uniform probabilistic sampling (decimal commas of the slide converted to points; the two rows per protocol differ by a factor of ten in packet count, matching the 0.5 s and 5 s intervals):

Protocol | Packet average per sampling interval | Selection probability 20% | 30% | 40%
ICMP     |     87.9   | 21.81% | 16.47% | 13.5%
ICMP     |    890.82  |  6.84% |  5.04% |  4.39%
UDP      |   1041.95  |  6.15% |  4.77% |  3.8%
UDP      |  10451.29  |  2.15% |  1.52% |  1.27%
TCP      |   9343.11  |  2.11% |  1.54% |  1.27%
TCP      |  93423.88  |  0.69% |  0.49% |  0.42%
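The three sampling schemes slide 8 rates as usable (systematic count-based, uniform probabilistic, n-out-of-N), together with the estimation experiment of slide 9 on constructed traffic, as an added example. It is not the authors' implementation and reproduces only the qualitative result of the table: the relative error of the scaled-up per-protocol count shrinks with more packets per interval and with a higher selection probability. The traffic mix (equal ICMP, UDP and TCP shares), the RNG seed and the number of intervals are assumptions.

```python
"""Packet selection schemes from the PSAMP taxonomy and the slide 9 estimation
experiment, as added example code (not the authors' NodeOS implementation).
Traffic mixes are constructed, not measured."""
import random
from collections import Counter


def systematic_count_based(pkts, k):
    """Select every k-th packet; needs only a counter (selection probability 1/k)."""
    return [p for i, p in enumerate(pkts) if i % k == 0]


def uniform_probabilistic(pkts, p, rng):
    """Select each packet independently with probability p; needs only an RNG."""
    return [x for x in pkts if rng.random() < p]


def n_out_of_n(pkts, n, N, rng=None):
    """Select n distinct positions in every block of N packets; needs n unique
    random numbers per block, the cost slide 8 holds against this scheme."""
    if rng is None:
        rng = random.Random(0)  # assumed seed, for a reproducible example
    out = []
    for start in range(0, len(pkts), N):
        block = pkts[start:start + N]
        positions = sorted(rng.sample(range(len(block)), min(n, len(block))))
        out.extend(block[i] for i in positions)
    return out


def estimate_counts(selected, p):
    """Scale the sampled per-protocol counts back by the selection probability."""
    return {proto: cnt / p for proto, cnt in Counter(selected).items()}


def constructed_interval(rng, n_per_proto):
    """One sampling interval: n_per_proto packets each of ICMP, UDP and TCP, shuffled."""
    pkts = ["icmp", "udp", "tcp"] * n_per_proto
    rng.shuffle(pkts)
    return pkts


def mean_estimation_error(n_per_proto, p, intervals, scheme="uniform", seed=1):
    """Mean absolute relative error of the estimated ICMP count over many
    intervals, for scheme "uniform" (probabilistic, probability p) or "count"
    (systematic, every k-th packet with k = round(1/p))."""
    rng = random.Random(seed)
    errors = []
    for _ in range(intervals):
        pkts = constructed_interval(rng, n_per_proto)
        if scheme == "count":
            k = round(1 / p)
            est = estimate_counts(systematic_count_based(pkts, k), 1 / k).get("icmp", 0.0)
        else:
            est = estimate_counts(uniform_probabilistic(pkts, p, rng), p).get("icmp", 0.0)
        errors.append(abs(est - n_per_proto) / n_per_proto)
    return sum(errors) / len(errors)


if __name__ == "__main__":
    for n in (88, 880):
        for p in (0.2, 0.3, 0.4):
            print(f"{n:5d} ICMP packets/interval, p={p:.1f}: "
                  f"uniform {mean_estimation_error(n, p, 200):.4f}  "
                  f"count {mean_estimation_error(n, p, 200, 'count'):.4f}")
```

The error follows roughly sqrt((1 - p) / (n p)) for n packets of the protocol per interval, which is why the slide's 5 s rows are about a factor of three (sqrt(10)) better than the 0.5 s rows. On a shuffled trace the count-based selector behaves like the probabilistic one, as the slide states; on traffic with a periodic structure aligned to k it would not, which is the usual caveat for systematic sampling.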

Slide 10: Extending the NodeOS specification
 Packet selection in the incoming channel
   Process a copy of the selected packets only
   Preserve packet order
   Reduce packet delay
   Reduce memory usage
 Systematic count based sampling: lowest resource demands
[Figure: inChan -> NodeOS (packet filtering, packet sampling) -> Execution Environment (packet processing)]

Slide 11: Evaluation results
[Figure: processing time per packet; x axis: packet index (0 to 2000); y axis: processing time in 1000 processor tics (0 to 3000). Labels on the plot, in extraction order: 61 795 tics; 245 858 tics; average of overall processing time; selected packet: 205 617 tics; not-selected packet: 1 076 tics.]

Slide 12: Conclusion
 Programmable networks are well suited
   Analysis modules are instantiated on demand
   Resource saving
 Packet selection
   Reduces resource demands
   Extends the NodeOS specification
 Other applications based on packet selection
   Traffic measurement
   Traffic accounting
   Trajectory sampling

Slide 13: Outlook
 Eliminate the simplifications of our model
   Internet routes are asymmetric: cooperation of detection instances
   Simultaneous attacks: feedback between detection modules
 Adaptive packet selection
 Countermeasures
 DDoS vs. flash crowds

Slide 14: Thank you! Questions? Please visit www.tm.uka.de/projects/flexinet for further information and downloads.

