Presentation is loading. Please wait.

Presentation is loading. Please wait.

High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon

Published byTobias Pierce Modified over 8 years ago

Similar presentations

Presentation on theme: "High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon"— Presentation transcript:

1 High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon yulli@kisti.re.kr High Performance Research Network Dept. Supercomputing Center KISTI

2 High Performance Research Network Dept. / Supercomputing Center 2 Table of contents  Backgrounds  Motivations  Contribution and Results  Summaries and Future Plans

3 High Performance Research Network Dept. / Supercomputing Center 3 Backgrounds  DDoS attacks are being appeared continuously  February, 2000 Yahoo, Amazon  January, 2003 Korea

4 High Performance Research Network Dept. / Supercomputing Center 4 High Low 1980198519901995 2001 password guessing password cracking exploiting known vulnerabilities disabling audits back doors hijacking sessions sniffers packet spoofing GUI automated probes/scans denial of service www attacks Tools Attackers Intruder Knowledge Attack Sophistication “stealth” / advanced scanning techniques burglaries network mgmt. diagnostics distributed attack tools binary encryption Source: CERT/CC Backgrounds  Attack tools over time

5 High Performance Research Network Dept. / Supercomputing Center 5 Backgrounds Control Message Attack Flow target  The DDoS attack  Consumes host resources ( Memory & Processor Cycles )  Consumes network resources ( Bandwidth & Router resources ) legitimate user

6 High Performance Research Network Dept. / Supercomputing Center 6 10Gbps 40Gbps Daejeon SuperSIReN Seoul Motivation  DDoS attacks have been detected frequently  Manual reaction is too slow  Automatic DDoS detection and response system should be needed udp flooding tcp flooding ICMP Worm

7 High Performance Research Network Dept. / Supercomputing Center 7 Our Detection System  netflow data (version 5)  detection approaches  Signature-based Misuse TCP traffic Ex) It would be very unusual for a host to receive 10,000 connection attempts per second –If TCP Sync flow > 10000 and all flows go to a destination then alert  Anomaly-based What is typical? Non-TCP traffic Mean and standard deviation of numbers of flow

8 High Performance Research Network Dept. / Supercomputing Center 8 Our Response System  Response system traces back the nearest routers from DDoS agent in domain  Response system have a network topology  All routers have to export the netflow data  Response system applies ratelimit command to the nearest routers

9 High Performance Research Network Dept. / Supercomputing Center 9 Our Response System Detection system Response system x x x x x x x x An Administrative domain DDIP

10 High Performance Research Network Dept. / Supercomputing Center 10 Overview of NetWRAP  NetWRAP : NetWork Resource Abuse Preventive  NetWRAP system uses netflow data  Functions are  to detect DDoS attacks  to traceback DDoS agents  to control DDoS traffic Victim DDIP NetWRAP Server Rate Limit Victim IP Attack Direction Target Protocol NetWRAP Agent DDoS Agent DDoS Agent

11 High Performance Research Network Dept. / Supercomputing Center 11 Test Results   Router : Cisco 7200 series, IOS 12.3   Number of DDoS agents : 3   DDoS Attack Tool : flitz   Cross Traffic : UDP 19.0Mbps(iperf)   RTT/Loss Test between ‘Site P’ and ‘Site Q’ DDoS Agent DDoS Agent NetWRAP Agent Victim(203.230.7.205) DDIP NetWRAP Server Rate Limit Site P Site Q ISP A ISP B RTT/Loss Test 25Mbps 1Gbps

12 High Performance Research Network Dept. / Supercomputing Center 12 Normal Loss DDoS Attack DDOS Attack Loss Starting NetWRAP Test Results(skping) Loss: 0% RTT : 1.23ms Loss: 30.9% RTT : 190.15ms Loss: 8.73% RTT : 189.98ms Loss: 0% RTT : 4.65ms

13 High Performance Research Network Dept. / Supercomputing Center 13 Section of applying NetWRAP to STAR TAP Non-Applying Defending against TCP Sync Flooding Section of applying NetWRAP to STAR TAP TCP Sync Defending against Nachi Worm Results  Applying NetWRAP to STAR TAP link

14 High Performance Research Network Dept. / Supercomputing Center 14 Summaries  DDoS attacks are appeared continuously  We developed NetWRAP system using netflow data  We got successful test results  We deployed NetWRAP system to STAR TAP, international link

15 High Performance Research Network Dept. / Supercomputing Center 15 Future Plans  We plan to  update detecting engine (NetWRAP Agent) until June, 2004 Packet count

16 High Performance Research Network Dept. / Supercomputing Center 16 Welcome to join us  We would like  to form a shared infrastructure capable of defending network against DDoS attack we are going to update our system until June after June, we want to cooperate with other ISPs if anyone in NOC members are interested in our system, contact me –yulli@kisti.re.kr

Download ppt "High Performance Research Network Dept. / Supercomputing Center 1 DDoS Detection and Response System NetWRAP : Running on KREONET Yoonjoo Kwon"

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.

High Performance Research Network. Development Lab. / Supercomputing Center 1 Design of the Detection and Response System against DDoS attacks Yoonjoo.
DETECTING A CYBER-ATTACK SOURCE IN REAL TIME R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2) 1) Ternopil Academy of National.

DETECTING A CYBER-ATTACK SOURCE IN REAL TIME R. Romanyak 1), A. Sachenko 1), S. Voznyak 1), G. Connolly 2), G. Markowsky 2) 1) Ternopil Academy of National.
An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,

An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,
DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/7 2003.

DDoS A look back from 2003 Dave Dittrich The Information School / Computing & Communications University of Washington I2 DDoS Workshop - August 6/
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
DDoS: Distributed Denial of Service Cs5090: Advanced Computer Networks, fall 2004 Department of Computer Science Michigan Tech University Rock K. C. Chang.

DDoS: Distributed Denial of Service Cs5090: Advanced Computer Networks, fall 2004 Department of Computer Science Michigan Tech University Rock K. C. Chang.
Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.

Distributed Denial of Service Attacks: Characterization and Defense Will Lefevers CS522 UCCS.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
1 Telstra in Confidence Managing Security for our Mobile Technology.

1 Telstra in Confidence Managing Security for our Mobile Technology.
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.

Defending Against Flooding Based DoS Attacks : A tutorial - Rocky K.C. Chang, The Hong Kong Polytechnic University Presented by – Ashish Samant.
100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

Similar presentations

Ads by Google