Institut für Telematik, Universität Karlsruhe (TH), Germany. IWAN 2005 – November 23rd


Presentation Transcript


  1. An Extension to Packet Filtering of Programmable Networks
  Marcus Schöller, Thomas Gamer, Roland Bless, and Martina Zitterbart
  Institut für Telematik, Universität Karlsruhe (TH), Germany
  IWAN 2005 – November 23rd

  2. Motivation
  (Figure: application level view)
  • Building an attack detection system
    • DDoS and worm propagation are major threats
    • Victim cannot take any countermeasures
    • Support from network operator needed
    • Detection as early as possible
  • Objectives
    • Be extensible to adapt to new attacks
    • Be resource saving to fit in high-speed environments
  Build an anomaly based attack detection system based on packet selection

  3. Motivation
  (Figure: network level view)
  • Building an attack detection system
    • DDoS and worm propagation are major threats
    • Victim cannot take any countermeasures
    • Support from network operator needed
    • Detection as early as possible
    • Attacks are constantly changing
  • Objectives
    • Be extensible to adapt to new attacks
    • Be resource saving to fit in high-speed environments
  Build an anomaly based attack detection system based on packet selection

  4. Anomaly based detection system
  (Figure: network level view)
  • Statistical anomaly in an aggregate suggests an attack
    • DDoS: rapid increase of packets at aggregation point
    • Worm propagation: exponential increase of packets

  5. Anomaly based detection system
  • Statistical anomaly in an aggregate suggests an attack
    • Rapid increase of packets
    • Exponential increase of packets
  • Protocol anomalies within such an aggregate
    • Verify the suggestion
    • TCP connection establishment: # TCP-SYN approx. # TCP-SYN-ACK
    • TCP-SYN flooding: (# TCP-SYN > # TCP-SYN-ACK) & TCP-RST
  • Packet selection to find statistical anomalies
    • Attack hints can be detected with less resources
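Slide 5's two-stage check, written out as an added Python example that is not part of the presentation: a rapid-increase test over per-interval packet counts suggests an attack, and the SYN / SYN-ACK / RST balance within the aggregate verifies it. The 20 % tolerance, the factor of 3, the flag constants and the constructed traffic are assumptions.

```python
from collections import Counter

# TCP flag bits as they appear in the TCP header
SYN, RST, ACK = 0x02, 0x04, 0x10

def classify(flags):
    """Map a TCP flags byte to the categories slide 5 counts."""
    if flags & SYN:
        return "syn_ack" if flags & ACK else "syn"
    return "rst" if flags & RST else "other"

def handshake_counts(packets, victim):
    """Count SYN / SYN-ACK / RST in the aggregate of packets to or from `victim`."""
    counts = Counter()
    for src, dst, flags in packets:
        if victim in (src, dst):
            counts[classify(flags)] += 1
    return counts

def syn_flood_hint(packets, victim, tolerance=0.2):
    """Protocol-anomaly rule from slide 5: in a healthy aggregate #SYN is roughly
    #SYN-ACK; #SYN clearly above #SYN-ACK together with RSTs hints at SYN flooding."""
    c = handshake_counts(packets, victim)
    if c["syn"] == 0:
        return False
    imbalance = (c["syn"] - c["syn_ack"]) / c["syn"]
    return imbalance > tolerance and c["rst"] > 0

def rapid_increase(interval_counts, factor=3.0):
    """Statistical anomaly from slides 4/5: the latest interval carries more than
    `factor` times the average packet count of the earlier intervals."""
    *history, latest = interval_counts
    if not history:
        return False
    return latest > factor * sum(history) / len(history)

# Constructed sample aggregate (assumption, not data from the paper): 50 complete
# three-way handshakes to 10.0.0.1
NORMAL = []
for i in range(50):
    client = f"192.0.2.{i + 1}"
    NORMAL += [(client, "10.0.0.1", SYN), ("10.0.0.1", client, SYN | ACK), (client, "10.0.0.1", ACK)]

# Same aggregate plus 500 half-open SYNs that are never completed; the hosts that do
# receive a SYN-ACK they never asked for answer it with RST
FLOOD = list(NORMAL)
for i in range(500):
    src = f"198.51.100.{i % 250 + 1}"
    FLOOD.append((src, "10.0.0.1", SYN))
    if i % 4 == 0:
        FLOOD += [("10.0.0.1", src, SYN | ACK), (src, "10.0.0.1", RST)]
```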

  6. Packet Selection – PSAMP WG
  • Packet filtering
    • Field match filtering
    • Hash based selection
    • Router state filtering
  • Packet sampling
    • Non-uniform probabilistic sampling
    • Systematic time based sampling
    • n-out-of-N sampling
    • Uniform probabilistic sampling
    • Systematic count based sampling
  NodeOS is currently limited to the packet filtering class

  7. NodeOS specification
  (Diagram: NodeOS with inChan → packet filter → outChan; packet sampling and packet processing inside the Execution Environment)
  • IPFIX-conformant filtering at incoming channel (inChan)
  • Packet sampling within EE
    • Unnecessary delay for not selected packets
    • Resource consuming
    • High delay
    • Not applicable for high speed routers
  • Two issues
    • Select suitable packet selection scheme
    • Integrate packet selection in NodeOS

  8. Selecting a suitable packet selector
  • Building an attack detection system
  • Packet filtering is unsuitable
    • Attacker can circumvent detection by packet crafting
  • Non-uniform probabilistic sampling is unsuitable
    • Deep packet inspection necessary
  • Systematic time-based sampling is unsuitable
    • Bad estimation during low bandwidth utilization
  • n-out-of-N sampling is suitable only to a limited extent
    • Generation of unique random numbers necessary
  • Uniform probabilistic sampling is well suited
    • Only random number generator required
  • Systematic count based sampling is very well suited
    • Least resource demanding

  9. Packet sampling experiment
  • Uniform probabilistic sampling
    • Sampling interval: 0.5 s and 5 s
    • Accuracy depends on number of packets per interval
  • Same results for systematic count based sampling
  (Figure: estimation failure of uniform probabilistic sampling)

  10. Extending the NodeOS specification
  (Diagram: NodeOS inChan with packet filtering and packet sampling; packet processing inside the Execution Environment)
  • Packet selection in the incoming channel
    • Process copy of selected packets only
    • Preserve packet order
    • Reduce packet delay
    • Reduce memory usage
  • Systematic count based sampling
    • Lowest resource demands
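An added Python example, not code from the presentation or the FlexiNet project, covering slides 8 to 10: the two selectors slide 8 rates as suitable, the extended inChan of slide 10 that forwards every packet and hands only copies of the selected ones to the EE, and slide 9's observation that the uniform probabilistic estimate of an interval's packet count degrades when the interval carries few packets. The sampling fraction 1/10, the interval sizes and all function names are assumptions.

```python
import random
from copy import copy

def systematic_count_based(packets, n):
    """PSAMP systematic count-based selection: every n-th packet, in stream order.
    Needs nothing but a counter, which is why slide 8 ranks it least resource demanding."""
    return [pkt for i, pkt in enumerate(packets) if i % n == 0]

def uniform_probabilistic(packets, p, rng):
    """PSAMP uniform probabilistic selection: each packet independently with probability p.
    Needs only a random number generator."""
    return [pkt for pkt in packets if rng.random() < p]

def inchan_select(packets, selector):
    """Extended inChan from slide 10: every packet is forwarded unchanged and without
    waiting for the EE; only copies of the selected packets are handed to the EE."""
    forwarded = list(packets)
    for_ee = [copy(pkt) for pkt in selector(packets)]
    return forwarded, for_ee

def estimate_interval_count(selected, fraction):
    """Scale the number of selected packets back up to an estimate of the interval total."""
    return len(selected) / fraction

def mean_relative_error(packets_per_interval, n, trials, seed=1):
    """Average relative error of the uniform probabilistic estimate (sampling fraction 1/n)
    over `trials` intervals that each carry `packets_per_interval` packets."""
    rng = random.Random(seed)
    interval = list(range(packets_per_interval))
    total = 0.0
    for _ in range(trials):
        selected = uniform_probabilistic(interval, 1 / n, rng)
        est = estimate_interval_count(selected, 1 / n)
        total += abs(est - packets_per_interval) / packets_per_interval
    return total / trials

if __name__ == "__main__":
    # Constructed intervals (assumption): a quiet one with 20 packets, a busy one with 20 000
    for n_packets in (20, 20_000):
        err = mean_relative_error(n_packets, n=10, trials=200)
        sel = systematic_count_based(list(range(n_packets)), 10)
        print(f"{n_packets:>6} packets/interval: uniform probabilistic mean rel. error {err:.2f}, "
              f"systematic count-based estimate {estimate_interval_count(sel, 0.1):.0f}")
```

The systematic count-based estimate is always within n packets of the true count, while the uniform probabilistic estimate for the 20-packet interval is off by roughly half on average, which is the estimation failure slide 9 plots.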

  11. Evaluation results
  (Figure: average of overall processing time; x-axis: packet index, 0 to 2000; y-axis: processing time [in 1000 processor tics], 0 to 3000. Values printed on the slide: selected packet 205 617 Tics and 61 795 Tics, not-selected packet 1 076 Tics, 245 858 Tics)

  12. Conclusion
  • Programmable networks well suited
    • Analysis modules are instantiated on-demand
    • Resource saving
  • Packet selection
    • Reduce resource demands
    • Extend NodeOS specification
  • Other applications based on packet selection
    • Traffic measurement
    • Traffic accounting
    • Trajectory sampling

  13. Outlook
  • Eliminate simplification of our model
    • Internet routes are asymmetric
  • Cooperation of detection instances
    • Simultaneous attacks
    • Feedback between detection modules
  • Adaptive packet selection
  • Countermeasures
    • DDoS vs. flash crowds

  14. Thank you! Questions?
  Please visit www.tm.uka.de/projects/flexinet for further information and downloads!
