
Design of the Detection and Response System against DDoS attacks

Explore the design, implementation, and test results of a Detection and Response System against DDoS attacks in KREONET by Yoonjoo Kwon from KISTI. Learn about motivations, DDoS activities, system components, test environment, results, and future plans.



Presentation Transcript


  1. Design of the Detection and Response System against DDoS attacks
  Yoonjoo Kwon (yulli@kisti.re.kr)
  High Performance Research Network Dept., Supercomputing Center, KISTI

  2. Table of contents
  • Motivations
  • DDoS Activities (In KREONET)
  • DDR System
  • Test Results
  • Summary
  • Future Plans

  3. Motivations
  • DDoS attacks keep appearing continuously
  • A DDoS attack
    • Consumes host resources
      • Memory
      • Processor cycles
    • Consumes network resources
      • Bandwidth
      • Router resources (a router is a host too!)
  • Attack tools have become more sophisticated as time has passed.
  • As an ISP, we need to respond to DDoS attacks to protect network users and network resources

  4. Attack tools over time
  [Figure: CERT/CC chart of attack sophistication (low to high) against intruder knowledge over 1980–2001. Tools placed along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, burglaries, hijacking sessions, back doors, network mgmt. diagnostics, sniffers, packet spoofing, GUI, automated probes/scans, www attacks, denial of service, "stealth"/advanced scanning techniques, distributed attack tools, binary encryption. Source: CERT/CC]

  5. DDoS Activities (In KREONET)
  • Status
    • We have monitored the amount of network traffic in KREONET using flowscan and flowscan+.
    • DDoS attacks are detected continuously.
    • After Jan. 25, 2003, various worms which include DDoS features have shown up frequently.
    • So far, the reaction has been done by manual configuration.
    • So we thought an automatic DDoS Detection and Response system was needed.
  [Figure: KREONET backbone map with Seoul, Daejeon and SuperSIReN nodes and links labelled 10Gbps, 10 Gbps and 40Gbps, alongside udp flooding and tcp flooding traffic graphs]

  6. Our System
  • DDR system : DDoS Detection and Response system
  • DDR system uses netflow data
  • Functions are
    • to detect DDoS attacks
    • to traceback DDoS agents
    • to control DDoS traffic
  • Overview of DDR system
  [Figure: DDR Agents report Attack Direction, Victim IP and Target Protocol to the DDR Server (with DDIP); the DDR Server applies Rate Limit toward the DDoS Agents, protecting the Victim]

  7. Components of DDR system
  • DDR Agent
    • Analyzes netflow data
    • Checks for DDoS attacks
    • Sends information about the DDoS attack to the DDR Server
  [Figure: component diagram. Edge Routers and the backbone Router send Netflows; the DDR Server applies router commands (ratelimit) to the edge routers and later removes them. Labelled blocks: Netflow Collector, Detection Module, DDoS detector, Communication Module, Control Module, Reactor, DB (DDR Agent side); Attack Info. Receiver, Traceback Module, Edge Router Traffic Checker, DDoS Agent Tracer, Edge Router Netflow Collector, Finishing Checkup Module, Router Command Applier, Router Command Remover, Inner Command Sender, DB, DDIP (DDR Server side)]

  8. DDoS Detection Algorithm of DDR Agent
  • Two-level test for DDoS Detection
    • Level 1 Test : whether the current flow is abnormal or not
    • Level 2 Test : whether the flow trend is a DDoS attack or not
  • Final standard of judgement on a DDoS attack: are network connections to a single destination, or from a single source, more than 85% of the current flows?
  [Figure: plots of # of flows per protocol vs time (abnormal traffic models), and of # of inbound flows and # of outbound flows vs time]
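To make the two-level test concrete, here is an added example (not the DDR Agent's own code) that runs it over constructed NetFlow-style records. The 85% concentration threshold is the slide's; the Level 1 rule (flow count above mean + 3 sigma of the previous intervals) and the sample addresses and baseline are assumptions, since the slide gives no numbers. It also shows the case the two-level design handles: a busy but diffuse interval passes Level 1 yet is not declared an attack at Level 2.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# From the slide: a DDoS attack is declared when connections to one destination
# or from one source exceed 85% of the current flows.
CONCENTRATION_THRESHOLD = 0.85
# Assumption (the slide gives no figure): a flow count above mean + 3 sigma of the
# recent history counts as "abnormal" for the Level 1 test.
LEVEL1_SIGMA = 3.0


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record: one flow = one (src, dst, proto) observation."""
    src: str
    dst: str
    proto: str


def level1_abnormal(current_count: int, history: List[int]) -> bool:
    """Level 1 test: is the number of flows in this interval abnormal?

    Compares the current count with the mean and population std-dev of the
    previous intervals (constructed baseline; the slide speaks of traffic models).
    """
    if len(history) < 2:
        return False  # not enough baseline to judge
    mu, sigma = mean(history), pstdev(history)
    return current_count > mu + LEVEL1_SIGMA * sigma


def level2_concentration(flows: List[Flow]) -> Optional[Dict[str, object]]:
    """Level 2 test: do more than 85% of flows share one destination or one source?

    A shared destination is an inbound flood toward that victim; a shared
    source is an outbound flood (a DDoS agent inside the network).
    Returns the report the DDR Agent would send: direction, IP, protocol, share.
    """
    if not flows:
        return None
    total = len(flows)
    for direction, key in (("inbound", lambda f: f.dst), ("outbound", lambda f: f.src)):
        addr, count = Counter(key(f) for f in flows).most_common(1)[0]
        if count / total > CONCENTRATION_THRESHOLD:
            proto = Counter(f.proto for f in flows if key(f) == addr).most_common(1)[0][0]
            return {"direction": direction, "ip": addr, "proto": proto,
                    "share": round(count / total, 3)}
    return None


def detect(flows: List[Flow], history: List[int]) -> Optional[Dict[str, object]]:
    """Run both levels; only a flow set that passes Level 1 is examined by Level 2."""
    if not level1_abnormal(len(flows), history):
        return None
    return level2_concentration(flows)


def make_flows(n_background: int, attack: Optional[Tuple[str, str, int]] = None) -> List[Flow]:
    """Constructed sample input: spread-out background TCP flows plus an optional
    flood (victim_ip, proto, n) from three constructed agent addresses."""
    flows = [Flow(f"198.51.100.{i % 200 + 1}", f"192.0.2.{i % 50 + 1}", "tcp")
             for i in range(n_background)]
    if attack is not None:
        victim, proto, n = attack
        flows += [Flow(f"203.0.113.{i % 3 + 1}", victim, proto) for i in range(n)]
    return flows


# Constructed baseline: flows per interval seen in the six previous intervals.
HISTORY = [100, 110, 95, 105, 100, 90]

if __name__ == "__main__":
    print(detect(make_flows(110), HISTORY))                              # normal interval
    print(detect(make_flows(300), HISTORY))                              # busy but diffuse
    print(detect(make_flows(60, ("192.0.2.100", "udp", 400)), HISTORY))  # UDP flood
```

The report returned for the flood carries exactly the three fields the overview slide shows the agent sending to the DDR Server (attack direction, victim IP, target protocol), plus the measured share so an operator can see how far above the threshold it was.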

  9. Traceback : Finding DDoS agents
  • Start at the router which detected the DDoS attack
  • For that router, identify the interfaces on which the attack flow came in.
  • For each input interface, identify the remote router. (Need to know the topology)
  • For each remote router, repeat until the DDR Server meets an edge router.
  • Apply the ratelimit command to the edge routers
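The traceback above is a breadth-first walk upstream over the topology. The following added example (not the DDR Server's code) implements those steps over a constructed topology and constructed per-router observations of which input interfaces carried the attack flow; in a real deployment the interface data would come from each router's NetFlow records and the topology from the ISP's own inventory. It returns the (edge router, ingress interface) pairs where the rate limit would be applied and separately lists any router for which no observation was available, so an incomplete trace is visible rather than silently shortened. The router-specific rate-limit command itself is not shown.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

# Constructed topology: router -> {input interface: remote router}.
# An interface absent from the map has no known remote router
# (a customer- or peer-facing port).
TOPOLOGY: Dict[str, Dict[str, str]] = {
    "core-daejeon": {"Gi0/1": "agg-1", "Gi0/2": "agg-2", "Gi0/3": "core-seoul"},
    "core-seoul":   {"Gi0/1": "agg-3", "Gi0/3": "core-daejeon"},
    "agg-1":        {"Gi0/1": "edge-a", "Gi0/2": "edge-b", "Gi0/9": "core-daejeon"},
    "agg-2":        {"Gi0/1": "edge-c", "Gi0/9": "core-daejeon"},
    "agg-3":        {"Gi0/1": "edge-d", "Gi0/9": "core-seoul"},
    "edge-a":       {"Gi0/9": "agg-1"},
    "edge-b":       {"Gi0/9": "agg-1"},
    "edge-c":       {"Gi0/9": "agg-2"},
    "edge-d":       {"Gi0/9": "agg-3"},
}
EDGE_ROUTERS: Set[str] = {"edge-a", "edge-b", "edge-c", "edge-d"}

# Constructed observations: for each router, the input interfaces on which
# flows toward the victim arrived (what NetFlow's input-interface field gives).
ATTACK_INPUTS: Dict[str, List[str]] = {
    "core-daejeon": ["Gi0/1", "Gi0/3"],
    "core-seoul":   ["Gi0/1"],
    "agg-1":        ["Gi0/1", "Gi0/2"],
    "agg-3":        ["Gi0/1"],
    "edge-a":       ["Gi0/1"],
    "edge-b":       ["Gi0/2"],
    "edge-d":       ["Gi0/1"],
}


def traceback(start: str,
              topology: Dict[str, Dict[str, str]],
              edge_routers: Set[str],
              attack_inputs: Dict[str, List[str]]) -> Tuple[Dict[str, List[str]], List[str]]:
    """Walk upstream from the detecting router toward the attack sources.

    Returns (edge_ingress, unresolved): edge_ingress maps each edge router
    reached to the interfaces the attack entered on (where the rate limit is
    applied); unresolved lists routers with no attack-flow observation and
    router/interface pairs whose remote end is unknown in the topology.
    """
    edge_ingress: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    seen = {start}            # guards against loops in a meshed backbone
    queue = deque([start])
    while queue:
        router = queue.popleft()
        inputs = attack_inputs.get(router)
        if inputs is None:
            unresolved.append(router)
            continue
        if router in edge_routers:
            # Reached the edge: these ingress ports are where to rate-limit.
            edge_ingress[router] = sorted(inputs)
            continue
        for iface in inputs:
            remote = topology.get(router, {}).get(iface)
            if remote is None:
                unresolved.append(f"{router}/{iface}")
            elif remote not in seen:
                seen.add(remote)
                queue.append(remote)
    return edge_ingress, unresolved


if __name__ == "__main__":
    edges, gaps = traceback("core-daejeon", TOPOLOGY, EDGE_ROUTERS, ATTACK_INPUTS)
    for router, ifaces in sorted(edges.items()):
        print(f"rate-limit at {router} on {', '.join(ifaces)}")
    print("unresolved:", gaps)
```

Because the walk keeps a visited set, the Seoul-Daejeon backbone link can appear in both routers' topology entries without the trace cycling; and because missing observations are reported instead of ignored, an operator knows when a rate limit was placed short of the true edge.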

  10. [Figure: network map showing Seoul, Daejeon and the victim (V); the slide carries no other text]

  11. Traceback : After finding DDoS agents
  • We know where the traffic came from
  • We can filter the traffic at the ingress if we need to.
  • We can identify the peer network and contact them

  12. Test Environment
  • Cross Traffic : UDP 19.0Mbps (iperf)
  • DDoS Attack Tool : flitz
  • Number of DDoS agents : 3
  • RTT/Loss Test between 'Site P' and 'Site Q'
  • Router : Cisco 7200 series, IOS 12.3
  [Figure: testbed spanning ISP A and ISP B with the DDR Server (DDIP) and DDR Agent, Rate Limit, links labelled 25Mbps and 1Gbps, the Victim (203.230.7.205), DDoS Agents, and the RTT/Loss Test between Site P and Site Q]

  13. Test Results (skping)
  Phase                 Loss     RTT
  Normal                0%       1.23ms
  DDoS Attack           8.73%    189.98ms
  DDoS Attack           30.9%    190.15ms
  Starting DDR System   0%       4.65ms

  14. Summary
  • DDoS attacks keep appearing continuously
  • We developed the DDR system using netflow data
  • We obtained test results in a test environment

  15. Future Plans
  • We plan to
    • deploy the DDR system to STAR TAP, the international link
    • deploy the DDR system to a section of KREONET
    • update the detection engine (DDR Agent) periodically
  • These days, worms which include DDoS features have increased
  • We would like
    • to form a shared infrastructure capable of accurate backtracing
    • our results on this topic to contribute to Asia-Pacific research
