DoS & DDoS Project
Ori Modai, Yaniv Stern
Instructor: Yoram Yihyie
Technion – Computer Networks Lab - DDoS Project
DoS – Denial of Service
Characterized by an explicit attempt by attackers to deny legitimate users the availability of a service.
Sample (diagram).

DDoS – Distributed Denial of Service
Diagram: Attacker → Intermediary → Victim (taken from the grc.com site). The intermediaries, not the attacker, send the traffic, and they can forge (spoof) the source addresses of the packets they emit.
Project Phases
• Background
• Attack Generator
• Detection Platform
• Tests in Lab
• Results Analysis
Brief History
• Early 1990s – first appearance
• 1997–1999 – automated attack tools increase the frequency and volume of attacks
• February 2000 – turning point (the first large-scale DDoS attacks on major commercial sites)

Brief History (cont.)
2000 – today
• Thousands of attacks per week
• Growing complexity
• Estimated loss – 66 M$ per year
• Vandalistic, economically and politically motivated attacks
DDoS attacks have evolved into a major threat to the availability, accessibility and operation of many Internet-based services (commercial and governmental).
Attack Classification
• Software vulnerability – a bug in the target's software is exploited to crash or hang it
• Bandwidth – the target's link is saturated by sheer traffic volume
• Protocol – state kept by a protocol is exhausted, e.g. the half-open connections of the TCP handshake in a SYN flood
DoS & DDoS Project – Attack Generator
Attack Generator
Why attack? Controlled, reproducible attack traffic is needed to test the detection platform in the lab.
Requirements:
• Centralized trigger
• Attack zombies
• Academic research capabilities (logging)
• Synchronization

Attack Generator – based on TFN2K (Tribe Flood Network 2000); modifications made:
• Logging capability
• Synchronization
• New attack mode
• Attack parameter control
• Standardization of attack traffic
DoS & DDoS Project – Detection Platform
Detection System
Why detection? The target has to recognize an attack in progress before any protective action (filtering, IP hopping, shutdown) can be taken.
Requirements:
• Installation on the target server
• Raw data accessibility
• Stateful detection
• Detection algorithm
• Generic structure and scalability
• Minimum resource consumption
Detection system architecture Detection parameters database Collector Threads Analysis Threads Sniffer Collector Kernel info Collector Post Collector ICMP Flood Analyzer TCP SYN Analyzer Sniffer-daemon (raw input probing) Netstat-daemon (kernel probing) UDP Flood Analyzer DRDoS Attack Analyzer Incoming server traffic Technion – Computer Networks Lab - DDoS Project
Collector Threads Sniffer Collector Kernel info Collector Post Collector Sniffer-daemon (raw input probing) Netstat-daemon (kernel probing) Collection Tier • Collect Kernel status and Network Traffic • Perform preliminary data processing • High Performance Technion – Computer Networks Lab - DDoS Project
Counter Histogram Estimator Scalar (Contains Post Collector Estimation) Average, Variance Maximum Average, Variance Maximum Database Tier Providesaccess to raw data and statistic properties such as variance and average (short and long term). Technion – Computer Networks Lab - DDoS Project
Analyzer Tier - General Analysis Threads • All Analyzers run simultaneously • Each analyzer works independently • Each analyzer examines and weights relevant parameters • For each parameter the analyzer checks changes in time ICMP Flood Analyzer TCP SYN Analyzer UDP Flood Analyzer DRDoS Attack Analyzer Technion – Computer Networks Lab - DDoS Project
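As an added example (not the project's code), the following Python sketch models the three tiers above for the TCP SYN analyzer: per-packet records stand in for the collector output, a sliding-window estimator stands in for the parameter database (short- and long-term average and variance), and the analyzer weights three parameters per interval: the SYN rate against its own history, the SYN-to-FIN ratio, and a spoof parameter (share of SYNs from never-seen sources). On an alert it emits the filtering indicators named on the "From detection to protection" slide (spoofed prefixes, ports, protocol). The record format, window sizes, thresholds and the sample trace are assumptions made for illustration; the trace reuses the address prefixes from the lab topology slide but is constructed, not measured.

```python
"""Model of the three-tier detection platform (collectors -> parameter database -> analyzers).
Added example, not the project's code: record format, windows, thresholds and the trace are assumed."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    """Collection tier output: one pre-processed record per packet seen by the sniffer-daemon."""
    t: float      # capture time in seconds
    src: str      # source IPv4 address
    dport: int    # destination port on the monitored server
    flags: str    # TCP flags, e.g. "S" (SYN), "SA" (SYN/ACK), "FA" (FIN/ACK)


class Estimator:
    """Database tier: sliding-window average and deviation of one per-interval counter."""
    def __init__(self, window):
        self.values = deque(maxlen=window)
    def push(self, value):
        self.values.append(value)
    def avg(self):
        return mean(self.values) if self.values else 0.0
    def dev(self):
        return pstdev(self.values) if len(self.values) > 1 else 0.0


def filtering_indicators(syns, unknown_sources, top=3):
    """Indicators for a remote router/firewall rule: busiest /24 prefixes among never-seen sources, ports, protocol."""
    prefixes = Counter(str(ip_network(s + "/24", strict=False)) for s in unknown_sources)
    ports = Counter(p.dport for p in syns)
    return {"spoofed_prefixes": [p for p, _ in prefixes.most_common(top)],
            "ports": [d for d, _ in ports.most_common(top)], "protocol": "tcp"}


class SynAnalyzer:
    """Analyzer tier: one independent thread per attack type. This one weighs the SYN rate against
    its own history (short vs. long term), the SYN-to-FIN ratio, and the spoof parameter."""
    def __init__(self, short=3, long=30, k=4.0, min_syn=20, ratio=5.0, spoof=0.8, warmup=5):
        self.syn_short, self.syn_long, self.fin_long = Estimator(short), Estimator(long), Estimator(long)
        self.known_sources = set()
        self.k, self.min_syn, self.ratio, self.spoof, self.warmup = k, min_syn, ratio, spoof, warmup
        self.intervals = 0

    def examine(self, pkts):
        syns = [p for p in pkts if p.flags == "S"]
        fins = [p for p in pkts if "F" in p.flags]
        unknown = [p.src for p in syns if p.src not in self.known_sources]
        spoof_param = len(unknown) / len(syns) if syns else 0.0
        self.syn_short.push(len(syns))
        self.intervals += 1
        alert = None
        if self.intervals > self.warmup:                       # a baseline is needed first
            baseline = self.syn_long.avg() + self.k * self.syn_long.dev()
            surge = self.syn_short.avg() > max(baseline, self.min_syn)
            one_way = len(syns) > self.ratio * max(self.fin_long.avg(), 1.0)
            if surge and one_way and spoof_param > self.spoof:
                alert = {"syn": len(syns), "baseline": round(baseline, 1),
                         "spoof_parameter": round(spoof_param, 2),
                         "indicators": filtering_indicators(syns, unknown)}
        if alert is None:
            # Update the long-term profile and the source population only from intervals
            # judged benign, so that a flood cannot train itself into the baseline.
            self.syn_long.push(len(syns))
            self.fin_long.push(len(fins))
            self.known_sources.update(p.src for p in syns)
        return alert


def run_detector(trace, interval=1.0):
    """Bucket captured packets per interval and hand each bucket to the analyzer thread."""
    buckets = defaultdict(list)
    for p in trace:
        buckets[int(p.t // interval)].append(p)
    analyzer, alerts = SynAnalyzer(), []
    for i in range(max(buckets) + 1):
        alert = analyzer.examine(buckets.get(i, []))
        if alert:
            alerts.append((i, alert))
    return alerts


def sample_trace():
    """Constructed trace (not lab data): 10 s of normal web traffic from three clients, then
    3 s of a spoofed SYN flood with one SYN per forged address in the lab's attacker prefixes."""
    clients = ["192.5.6.66", "192.5.6.27", "192.5.6.99"]
    pkts = []
    for sec in range(10):
        for i in range(4):
            c = clients[(sec + i) % 3]
            pkts.append(Packet(sec + i * 0.2, c, 80, "S"))
            pkts.append(Packet(sec + i * 0.2 + 0.1, c, 80, "FA"))
    for sec in range(10, 13):
        for i in range(100):
            net = "219.17.101" if i % 2 == 0 else "223.8.152"
            pkts.append(Packet(sec + i / 100, f"{net}.{(sec * 100 + i) % 254 + 1}", 80, "S"))
    return pkts


if __name__ == "__main__":
    print(run_detector(sample_trace()))
```

Running `run_detector(sample_trace())` yields one alert per flood second (intervals 10, 11 and 12), each carrying the two spoofed /24 prefixes and port 80 as filtering indicators; the ten benign seconds alone produce no alert. The analyzer deliberately stops feeding its long-term estimators and its source list while an alert is active, which is the main practical trap in adaptive baselining: a slow-rising flood otherwise becomes "normal".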
Detection Platform – GUI (screenshot)

IP Spoofing – faking the source address of packets
Evaluation – no spoofing: the platform (architecture diagram as above) listens to the network communication of the real sources.
Evaluation – spoofing: the same platform observing spoofed communication.
DoS & DDoS Project – Analysis Samples

Analysis Example – SYN Attack
Lab topology (diagram): Target 192.5.6.31; hosts A 192.5.6.66, B 192.5.6.99, C 192.5.6.27; D 223.8.152.9, E 219.17.101.5; further addresses shown: 219.17.101.144, 223.8.152.52, 219.17.101.111, 223.8.15.55; three hubs (Hub 1, Hub 2, Hub 3).
Data sources:
• Attackers' logs
• Detection platform analyzers
• NetAlly© sampling

SYN – Results (charts; details on the SYN & SYN/FIN analyzers and the spoof parameter in the appendix slides)
DoS & DDoS Project – Conclusions & Final Words

Conclusions & final words
• Efficient working system
• Fast response
• Highly credible
• Innovations:
  • Generic and scalable approach
  • Integrating several detection methods
  • Academic research capabilities
  • Ability to distinguish between different attack types

Conclusions & final words (cont.)
• From detection to protection
The attack-detection platform can be used as a basis for future expansion and academic research in various fields related to network security.

Questions
Appendix – From detection to protection
Attack alert →
• Enabling IP hopping
• Initiated server shutdown
Filtering indicators →
• Spoofed IP address prefixes
• Port numbers
• Protocols
→ Remote router or firewall configuration
Appendix – SYN: SYN & SYN/FIN analyzers (chart)

Appendix – SYN: Spoof parameter (chart)
Appendix – SYN flood
Exploits the TCP three-way handshake: the attacker sends SYN segments, usually with spoofed source addresses, and never completes the handshake with the final ACK. Each answered SYN holds a half-open entry in the server's listen backlog until it times out, so once the backlog is full legitimate SYNs are refused (diagram taken from the grc.com site).
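The following discrete-event model, added here as an example and not part of the original slides, shows the mechanism above in numbers: a listener with a fixed half-open backlog and a SYN/ACK retry timeout, a forged-source flood that never ACKs, and one legitimate client attempting a handshake every second. It also includes a simplified SYN-cookie variant (a standard stateless defence the slides do not cover) to show why keeping no per-SYN state removes the exhaustion. Backlog size, timeout, rates and the cookie construction are assumptions chosen for illustration.

```python
"""Why a SYN flood denies service: every SYN answered with SYN/ACK holds a half-open entry in
the listen backlog until the client's ACK arrives or the entry times out.
Added example, not the project's code; backlog, timeout, rates and the cookie are simplified."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int = 128            # half-open connections the kernel queues per listening socket
    syn_timeout: float = 60.0     # seconds the SYN/ACK is retried before the entry is freed
    syn_cookies: bool = False     # stateless defence: the state is encoded in the server's ISN
    secret: str = "constructed-secret"
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> (isn, expiry)
    established: int = 0
    dropped: int = 0

    def _cookie(self, key, now):
        """Simplified SYN cookie: hash of the peer tuple, a secret and a 60 s counter."""
        msg = f"{self.secret}|{key[0]}:{key[1]}|{int(now // 60)}".encode()
        return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big")

    def _expire(self, now):
        for key in [k for k, (_, exp) in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def recv_syn(self, key, now):
        """Handshake step 1. Returns the ISN sent in the SYN/ACK, or None when the SYN is dropped."""
        self._expire(now)
        isn = self._cookie(key, now)
        if self.syn_cookies:
            return isn                      # nothing stored: a spoofed SYN costs the server no memory
        if len(self.half_open) >= self.backlog:
            self.dropped += 1
            return None                     # backlog full: legitimate clients are refused too
        self.half_open[key] = (isn, now + self.syn_timeout)
        return isn

    def recv_ack(self, key, ack, now):
        """Handshake step 3. True when the ACK completes a connection."""
        self._expire(now)
        if self.syn_cookies:
            # Accept the current or the previous counter value so a handshake crossing a boundary works.
            ok = any(ack == self._cookie(key, now - d) + 1 for d in (0.0, 60.0))
        else:
            entry = self.half_open.pop(key, None)
            ok = entry is not None and ack == entry[0] + 1
        if ok:
            self.established += 1
        return ok


def simulate(syn_cookies=False, flood_rate=10, flood_seconds=30, backlog=128, timeout=60.0):
    """Forged-source SYNs (never ACKed) at flood_rate per second for flood_seconds, while one
    legitimate client attempts a full handshake every second. Returns (accepted, refused)."""
    srv = Listener(backlog=backlog, syn_timeout=timeout, syn_cookies=syn_cookies)
    accepted = refused = 0
    for sec in range(flood_seconds + int(timeout) + 5):
        now = float(sec)
        if sec < flood_seconds:
            for i in range(flood_rate):           # forged sources: no host ever answers the SYN/ACK
                srv.recv_syn((f"10.{sec % 256}.{i}.1", 40000 + i), now)
        key = ("192.5.6.66", 50000 + sec)         # legitimate client, new source port each attempt
        isn = srv.recv_syn(key, now + 0.5)
        if isn is not None and srv.recv_ack(key, isn + 1, now + 0.6):
            accepted += 1
        else:
            refused += 1
    return accepted, refused


if __name__ == "__main__":
    print("stateful backlog (accepted, refused):", simulate())
    print("SYN cookies      (accepted, refused):", simulate(syn_cookies=True))
```

With the default parameters a flood of only 10 SYN/s fills the 128-entry backlog after 12 s and the legitimate client is refused for the next 48 s, until the oldest entries time out; the same flood against the SYN-cookie listener refuses nobody. The ratio that matters is flood rate times timeout against backlog size, which is why shortening the SYN/ACK retry timeout and enlarging the backlog only raise the bar, while a stateless handshake removes it.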