1 / 20

Sonia Fahmy Ness Shroff Students : Roman Chertov Rupak Sanjel

Sonia Fahmy Ness Shroff Students : Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University October 25 th , 2004. Experiments with DDoS and Routing. Objectives.

Download Presentation

Sonia Fahmy Ness Shroff Students : Roman Chertov Rupak Sanjel

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University October 25th, 2004 Experiments with DDoS and Routing

  2. Objectives • Design, integrate, and deploy a methodology and tools for performing realistic and reproducible DDoS experiments: • Tools to configure traffic and attacks • Tools for automation of experiments, measurements, and visualization of results • Integration of multiple third-party software components • Understand the testing requirements of different types of third party detection and defense mechanisms • Gain insight into the phenomenology of attacks including their first-order and their second-order effects, and impact on defenses

  3. Accomplishments • Designed and implemented experimental tools: • Scriptable event system to control and synchronize events at multiple nodes • Automated measurement tools, log processing tools, and plotting tools • Automated configuration of interactive and replayed background traffic, routing, attack parameters, and measurements • Generated requirements for DETER to easily support the testing of third party products (e.g., ManHunt, Sentivist)

  4. Accomplishments (cont’d) • Analytical characterization,simulations, and experiments for low-rate TCP-targeted DDoS attacks • Preliminary analysis of BGP behavior during DDoS, and BGP impact on DDoS

  5. TCP-Targeted Attacks • Varied: Attack burst length l and sleep period T-l • A. Kuzmanovic and E. W. Knightly. Low-rate targeted denial of service attacks. SIGCOMM 2003. • M. Guirguis et al. Exploiting the transients of adaptation for RoQ attacks on Internet resources. ICNP 2004. • H. Sun et al. Defending against low-rate TCP attacks: Dynamic detection and protection. ICNP 2004. • Objective: • Understand attack effectiveness (damage versus effort) in terms of application-level, transport-level, and network-level metrics at multiple nodes l l Rate T-l R Time

  6. Topology

  7. Throughput

  8. Web Clients/Server

  9. Attack Parameters vs. RTT 0.38 Mbps without an attack 0.75 Mbps without an attack Client with 63 ms RTT to the server

  10. Short RTT 1.00 Mbps without an attack 1.40 Mbps without an attack Client with 12.6 ms RTT to the server

  11. ttcp Experiments Attack 100-1000 Unacked data during 5MB file transfer (31.97 sec = 160.16 KB/sec)

  12. Emulation vs. Simulation • Effects of attack sleep period on the average congestion window of a single TCP (SACK) from TTCP tool • The attack flow is multiplexed with the data flow

  13. Routing • Need to understand magnitude of potential problems, causes, and defenses

  14. Scenario • At 222 sec, nodes 8, 11, and 14 attack node 9 (zebra router running BGP) for 400 seconds. • No activity for 200 seconds. Allow all nodes to stabilize. • Nodes 8, 11, and 14 attack node 9 for 400 seconds again. Node 36 attacks node 10 (neighbor of node 9) for 400 seconds.

  15. # BGP update messages

  16. Keep-alives at node 9

  17. Lessons Learned • Insights into sensitivity to emulation environment • Some effects we observe may not be observed on actual routers and vice versa (architecture and buffer sizes) • Emulab and DETER results significantly differ for the same test scenario (CPU speed) • Priority for routing packets in Cisco routers • Limit on the degree of router nodes, delays, bandwidths • Difficulties in testing third party products • Products (hardware or software) connect to hubs, switches, or routers • Layer 2/layer 3 emulation and automatic discovery/allocation can simplify DETER use for testing third party mechanisms • Due to licenses, we need to control machine selection in DETER • Windows XP is required to test some products, e.g., Sentivist administration interface • Difficult to evaluate performance when mechanism is a black box e.g., cannot mark attack traffic and must solely rely on knowledge of attack

  18. Plans • Continue development of experiment automation and instrumentation/plotting tools and documentation • Design increasingly high fidelity experimental suites • Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts

  19. Plans (cont’d) • Investigate routing problems/attacks, and compare with DETER testbed results • Continue to collaborate with routing team and McAfee team to identify experimental scenarios and build tools for routing experiments

More Related