Denial of Service attacks on transit networks
David Harmelin, DANTE
DANTE
• advanced network services for the European research community: TEN-155, GÉANT
• active in testing and evaluating emerging technologies: http://www.dante.net/tf-ngn
• DANCERT (dancert@dante.org.uk): http://www.dante.net/security
• Connecting 30 NRENs
• Backbone and access speeds up to 622 Mbps
• Research interconnections to North America (USA & Canada) and Asia-Pacific
• Multiple interconnections with the commercial Internet
Definition of a DoS attack
DoS attack: an attack on a network or computer whose primary aim is to disrupt access to a given service. In this presentation, only DoS attacks that flood networks are considered (networked flood-based DoS attacks).
Example of a networked DoS: http://www.dante.net/pubs/dip/42/42.html
DANTE and DoS attacks
• 1999: DoS attacks noticed regularly on TEN-155.
• Beginning 2000: DoS attacks against major companies in the news.
• 2000: first tool, based on peer-to-peer matrix analysis. Failed.
• End 2000: second tool, based on sampled flow data. DANCERT relies on it to reduce the number of DoS attacks.
Detecting DoS attacks (2)
• Central server: every X minutes, samples every PoP WS at rate 1/Y flows, during Z seconds.
• For each router, if more than N flows are received with the same destination IP, raise an alarm.
• Current values in use:
  • Routers with regular netflow: X=15, Y=100, Z=10, N=10
    • most attacks > 100 pkts/s are detected
  • Routers with sampled netflow (rate: 1/200 packets): X=15, Y=10, Z=60, N=10
    • most attacks > 330 pkts/s are detected
“C class” attacks
Spoofed source addresses within the /24 of the source. Coded by default in some DoS tools. Appears as if coming from: 192.168.0.1, 192.168.0.2, …, 192.168.0.254
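The detection rule and the “C class” classification described on the two slides above, as an added worked example (not DANTE's in-house tool): a constructed set of sampled flow records is grouped per router and destination, an alarm is raised when more than N flows share a destination, and the sources are tagged “C class” when they all fall in one /24. The helper min_detectable_pps reproduces the 100 pkts/s and 330 pkts/s figures from the X/Y/Z/N values; its formula is an assumption about how those figures were derived.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample of flow records as the central server might collect them:
# (router, src_ip, dst_ip). With spoofed sources, every packet is its own flow.
SAMPLED_FLOWS = (
    [("core1", f"192.168.0.{i}", "10.0.0.5") for i in range(1, 13)]  # "C class" flood
    + [("core2", src, "10.0.0.9") for src in (
        "172.16.3.1", "203.0.113.7", "198.51.100.4", "100.64.1.1", "172.20.5.5",
        "10.9.9.9", "192.0.2.1", "172.16.9.2", "203.0.113.200", "198.51.100.77",
        "100.64.7.7")]                                                 # randomly spoofed flood
    + [("core1", "172.16.0.1", "10.0.0.6"), ("core1", "172.16.0.2", "10.0.0.7")]  # normal
)


def min_detectable_pps(n, flow_sampling, z, pkt_sampling=1):
    """Lowest packet rate the threshold catches (assumed derivation): N sampled flows
    in Z seconds at flow sampling 1/Y, each flow standing for pkt_sampling packets
    when netflow itself is packet-sampled (1/200 on some routers)."""
    return n * flow_sampling * pkt_sampling / z


def classify_sources(srcs):
    """'C class' when every source lies in one /24 (spoofed within the attacker's own
    subnet, so easily traceable); otherwise 'random' (peer must be identified)."""
    nets = {ip_network(f"{s}/24", strict=False) for s in srcs}
    return "C class" if len(nets) == 1 else "random"


def detect(flows, n=10):
    """Per router, count sampled flows per destination IP; alarm if more than N share one."""
    per_router = defaultdict(lambda: defaultdict(list))
    for router, src, dst in flows:
        per_router[router][dst].append(src)
    alarms = []
    for router, dsts in per_router.items():
        for dst, srcs in dsts.items():
            if len(srcs) > n:
                alarms.append({"router": router, "dst": dst, "flows": len(srcs),
                               "kind": classify_sources(srcs)})
    return alarms


if __name__ == "__main__":
    print(min_detectable_pps(10, 100, 10), min_detectable_pps(10, 10, 60, pkt_sampling=200))
    for alarm in detect(SAMPLED_FLOWS):
        print(alarm)
```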
Results
• Running the tool on 4 core routers since 12/2000.
• Logging all attacks detected since 03/2001.
• Trade-off between
  • accuracy (confirmed attacks / alarms raised = 98%)
  • detection effectiveness (> 100 pkts/s).
• Average of 34 different attacks per day logged, up to 5-6 concurrent (96 polls per day).
• 90% “C class” attacks: easily traceable.
• 75% of attacks are 40-byte TCP packets.
Results - Durations
Most attacks last less than 15 minutes. Fast inter-domain tracing is required to find the source.
Results - Traffic generated
• Highest: 32 Mbps
• Highest: 27000 pkts/s
Approximate values only; low accuracy due to sampling.
Results - All attacks (pkts/s) [bubble chart; bubble size = duration]
Results - All attacks (Kbps) [bubble chart; bubble size = duration]
From alarms to DANCERT tickets (decision flow, reconstructed from the flowchart)
• Alarm received by DANCERT.
• DoS attack potentially disruptive? no: do nothing.
• Randomly spoofed attack? yes: identify peers originating the traffic; no: identify sources within the peer.
• DoS attack appears in other recent alarms? / Existing DANCERT ticket with the same source? yes: send reminder to peer; no: issue DANCERT ticket to peers.
Known limitations of this method
• Router capabilities (netflow required)
• Detecting networked flood-based DoS attacks only...
• … but not ALL of them.
• Detection helps, but there is further need for co-operation.
Who should help? How?
• IP network operators:
  • automatic detection and logging of DoS attacks
  • co-operation between CERT teams
  • SLAs
• End-sites:
  • prevention
  • trace when DoS traffic sources are reported
• DANTE:
  • http://www.dante.net/security/dos/
  • gives away the in-house software to transit providers.