Presentation is loading. Please wait.

Presentation is loading. Please wait.

Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley.

Published byNeal Simon Modified over 9 years ago

Similar presentations

Presentation on theme: "Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley."— Presentation transcript:

1 Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley Holliday and Travis Reid Presented by: Jesus F. Morales

2 2 Overview Introduction: the problem Proposed solution The experiment Results Observations Conclusions

3 3 Introduction The problem Distributed Denial of Service (DDoS) attacks Hacker toolkits January 2001 DDoS attack against websites hosting Hotmail, MSN, Expedia and other large services Services inaccessible for 22 hours

4 4 Current state of response Relies on expert, manual labor by network administrators Response includes two main activities: “Input debugging” Find router’s physical interfaces used for the attack (statistics, network traffic probes) Mitigation of network traffic flow Packet filtering or rate limiting at the associated router Contact upstream organizations

5 5 Current state of response: drawbacks Requires immediate availability of highly skilled network administrators Time consuming Downtime & costs It does not scale What about attacks involving hundreds of networks? “Whack a mole” attacks

6 6 Proposed solution Intruder Detection and Isolation Protocol (IDIP) Protocol for reporting intrusion-related events and coordinating attack tracebacks and automated response actions Cooperative Intrusion Traceback and Response Architecture (CITRA) The architecture based on IDIP Authors have adapted CITRA and IDIP for DDoS attacks

7 7 CITRA: components and attack traceback and mitigation

8 8 Attack response Policy mechanisms for each CITRA component along the attack path determine the adequate response Block attacked service port on all requests from attacker’s address or network for a specified amount of time At CITRA-enabled hosts Kill offending process Disable offending user’s account Goal: use the narrowest network response Stop the attack Minimize impact on legitimate users Reports with responses taken is sent to the Discovery Coordinator (DC) Global view and system topology allows, hopefully, for the best community-wide response

9 9 Experiment: Autonomic response to DDoS The problem Sophisticated DDoS toolkits generate traffic that “blends in” with legitimate traffic Cannot be blocked by router packet filters without blocking legitimate traffic Traffic rate limiting may be more useful Experiment goals Prove that CITRA and IDIP can defend against DDoS attacks In particular, against a Stacheldraht v4 attack

10 10 Experiment: Stacheldraht toolkit and test application Stacheldraht toolkit Can generate ICMP, UDP and TCP floods and Smurf attacks Provides one or more master servers that control agents (flood sources) Can target floods at arbitrary machines and ports Test application Audio/video streaming RealNetworks’ RealSystem sever RealPlayer client

11 11 Experiment: topology and scenario

12 12 Experiment: settings Test data 8-minute 11-seconds continuous motion video Encoded at 200.1 Kbps RealPlayet Best quality video setting (10 Mbps bandwidth) Data buffering: 5 seconds (the minimum) Transport protocol: UDP Attack Target is the RealSystem server UDP packets indistinguishable from control packets sent to the server from RealPlayer clients

13 13 Experiment: Stacheldraht flooding and autonomic rate limiting

14 14 Experiment results: Normal run

15 15 Experiment results: Flood run

16 16 Experimental results: Full recovery run

17 17 Experimental results: Degraded recovery run

18 18 Observations Degraded recovery probably due to detector’s slow response speed (366 MHz Pentium II) Independent experiment Results confirmed Full recovery obtained every time Higher performance detector CITRA’s response effective after 2 seconds vs. 10 – 12 seconds. Results are preliminary UDP allows traceback and mitigation request with one IP packet vs. TCP would require a three-way handshake first. May result in a slower propagation upstream

19 19 Conclusions DDoS attacks an increasing threat to the Internet Manual defense is inadequate CITRA prototype for DDoS with rate limiting function seems to be a promising automatic response

Download ppt "Autonomic Response to Distributed Denial of Service Attacks Paper by: Dan Sterne, Kelly Djahandari, Brett Wilson, Bill Babson, Dan Schnackenberg, Harley."

Similar presentations

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,

An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.

Hash-Based IP Traceback Best Student Paper ACM SIGCOMM’01.
Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.

Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.

CS155: Computer and Network Security Programming Project 3 – Spring 2008 Craig Gentry, Naef Imam, Arnab Roy {cgentry, nimam, Thanks.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.

1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.
Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park

Jaehoon (Paul) Jeong, Hyoungshick Kim, and Jung-Soo Park
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.
Lecture 15 Denial of Service Attacks

Lecture 15 Denial of Service Attacks

Similar presentations

Ads by Google