Characteristics of Denial of Service attacks on Internet using AGURI
Ryo Kaizaki, Keio Univ., Japan
kaizaki@sfc.wide.ad.jp
Goal : support of network operation against DoS attacks
• There are many DoS (Denial of Service) attacks
(ex) Slammer worm on 25 Jan.
• There are many types of attacks
→ AGURI : design & implementation of the traffic profiler
• AGURI
• single & range target
• flexible detection
• Observation on WIDE (AS2500) backbone
• Report of DoS attacks and their characteristics
Flooding attacks
• Attacker sends massive packets
• Router C drops packets.
[Figure: network diagram with Attacker, Host A, Host B, Host C, Server and Routers A to D; Router C is marked "Drop packets"]
Network operation against flooding attacks
1. Detection: is the network in trouble?
2. Detection of victims
3. Identify which packets are the attacker’s
4. Drop attacker’s packets
[Figure: the same network diagram, with Router C marked "Drop packets"]
Filter expression against flooding attacks
• Simple flooding attacks
deny ip hostA port 100 hostB port 200 tcp
→ we can use single expressions.
• Flooding attacks to a company/campus/ISP
deny ip hostA port 100 10.0.0.0/24 port 200 tcp
→ we can use range expressions.
→ best : drop only attacker’s packets.
better : drop some packets including attacker’s.
worst : do nothing
Type of attacks (simple flooding attacks)
Type of attacks (port scan)
Type of attacks (attacks to network)
Type of attacks (source spoofing)
[Table on each of these slides: the 5-tuple fields (Source IP address, Destination IP address, Source port number, Destination port number, Protocol) against target type (random, range, single)]
Types of attacks
• There are many types of attacks
• no characteristics in source IP address
• no characteristics in destination port number
• characteristics of destination IP address in range
→ monitoring attacks requires various points of view
General methods
• Rule based matches
• Rule based matches with pre-defined rule sets (ex) IDS
• Flow based aggregation (single) (ex) Cflowd, Netboy
• AS based aggregation (range)
• Skitter (arts++)
AGURI’s concept
• Break the 5-tuple into its elements
• Enables detection of flooding attacks using the characteristics of one element.
• Aggregate each element
• Enables detection of flooding attacks
• Simple target
• Range target
Design of AGURI
• Put address information on binary tree structure
[Figure: binary tree with root 10.0.0.0/29, children 10.0.0.0/30 and 10.0.0.4/30, and leaves 10.0.0.0, .1, .2, .3, .4, .5, .6, .7]
Design of AGURI
• Patricia tree
• LRU
• threshold
AGURI’s output
• profiles
• src_adr
• dst_adr
• src_port
• dst_port
[src address] 4992392382 (100.00%)
0.0.0.0/0 87902964 (1.76%/100.00%)
60.0.0.0/6 97928228 (1.96%/3.00%)
62.52.0.0/16 51875058 (1.04%/1.04%)
64.0.0.0/8 100831910 (2.02%/3.51%)
64.0.0.0/9 74610984 (1.49%/1.49%)
128.0.0.0/2 142349668 (2.85%/13.33%)
133.0.0.0/8 69142535 (1.38%/1.38%)
150.65.136.91 54123094 (1.08%)
: : :
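The threshold aggregation behind such a profile, as an added example that is not AGURI's own code: it folds small counts into parent prefixes with per-level dictionaries rather than a Patricia tree with LRU. The byte counts, the 15% threshold and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: bytes per source address inside the 10.0.0.0/29 block
# from the "Design of AGURI" slide. Not measured data.
SAMPLE = {
    "10.0.0.0": 50, "10.0.0.1": 8, "10.0.0.2": 4, "10.0.0.3": 4,
    "10.0.0.4": 12, "10.0.0.5": 12, "10.0.0.6": 5, "10.0.0.7": 5,
}

def aggregate(counts, threshold_pct):
    """Fold every node below the threshold into its parent prefix.

    Returns (total, kept); kept maps (network_int, prefix_len) to the bytes
    attributed to that node itself after aggregation.
    """
    total = sum(counts.values())
    limit = total * threshold_pct / 100.0
    level = defaultdict(int)
    for addr, n in counts.items():
        level[int(ipaddress.IPv4Address(addr))] += n
    kept = {}
    for plen in range(32, 0, -1):               # walk from hosts up to /1
        parent_mask = (0xFFFFFFFF << (33 - plen)) & 0xFFFFFFFF
        parents = defaultdict(int)
        for net, n in level.items():
            if n >= limit:
                kept[(net, plen)] = n           # large enough to report
            else:
                parents[net & parent_mask] += n  # merge into the parent
        level = parents
    kept[(0, 0)] = level.get(0, 0)              # root absorbs the remainder
    return total, kept

def report(total, kept):
    """Rows of (prefix, own_bytes, own_pct, subtree_pct) in address order."""
    rows = []
    for (net, plen), own in sorted(kept.items()):
        node = ipaddress.IPv4Network((net, plen))
        subtree = sum(c for (m, l), c in kept.items()
                      if ipaddress.IPv4Network((m, l)).subnet_of(node))
        rows.append((str(node), own, round(100 * own / total, 2),
                     round(100 * subtree / total, 2)))
    return rows

if __name__ == "__main__":
    for prefix, own, own_pct, sub_pct in report(*aggregate(SAMPLE, 15)):
        print(f"{prefix:<16}{own:>6} ({own_pct:.2f}%/{sub_pct:.2f}%)")
```

A single heavy host survives as a /32 entry while scattered low-volume sources surface as one range entry, which is what lets the same profile serve both single and range filter expressions.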
Measurement on WIDE backbone
• Data A : 9 months
• Data B : 3 months
• Data C : 15 months
[Figure: measurement points Data A, Data B and Data C on the links between ISP, Router A, Switch A, Switch B, Router B and Router C, spanning US and JPN]
Characteristic of attacks in time series (destination address)
[Plot labels: host 1, host 2, host 3]
(result 1) Source spoofing attacks (destination address)
[Plot label: host 1]
(result 1) Source spoofing attacks (source IP address)
[Plot label: 128.0.0.0/2]
(result 1) Source spoofing attacks
[Table: the 5-tuple fields (Source IP address, Destination IP address, Source port number, Destination port number, Protocol) against target type (random, range, single)]
→ drop packets whose destination IP address is the victim
(result 2) Port scan
[ip:proto:dstport] 10933438650 (100.00%)
0/0:0:0 50394643 (0.46%/100.00%)
4:6:0/0 123970078 (1.13%/96.16%)
4:6:0/3 136730580 (1.25%/95.03%)
4:6:0/10 110321675 (1.01%/51.22%)
4:6:0/12 180612063 (1.65%/11.77%)
4:6:2 220337940 (2.02%)
4:6:5 220259760 (2.01%)
4:6:8 224630700 (2.05%)
4:6:11 220901820 (2.02%)
: :
4:6:104 229349040 (2.10%)
4:6:107 220964460 (2.02%)
4:6:110 221768098 (2.03%)
4:6:119 213498789 (1.95%)
• IPv4
• TCP
• dst port
• Begin port number 2
• ++3
(result 2) Port scan attack
[Table: the 5-tuple fields (Source IP address, Destination IP address, Source port number, Destination port number, Protocol) against target type (random, range, single)]
→ drop packet port / destination in range
(result 3) Slammer worm (source IP address)
[Plot label: 128.0.0.0/3]
(result 3) Slammer worm (destination IP address)
[Plot label: 128.0.0.0/1]
(result 3) Slammer worm (destination port number)
[Plot label: 4:17:1434]
(result 3) Slammer worm
[Table: the 5-tuple fields (Source IP address, Destination IP address, Source port number, Destination port number, Protocol) against target type (random, range, single)]
→ drop any any eq 1434 udp
Conclusion
• Flooding attacks : use up network resources
• AGURI
• Can detect attacks from single target to range target
• Measurement on WIDE backbone
• Detect many types of flooding attacks
• Drop flooding attack’s packets at routers.