
Characteristics of Denial of Service attacks on Internet using AGURI



  1. Characteristics of Denial of Service attacks on Internet using AGURI. Ryo Kaizaki, Keio Univ., Japan, kaizaki@sfc.wide.ad.jp

  2. Goal: support of network operation against DoS attacks
  • There are many DoS (Denial of Service) attacks, e.g. the Slammer worm on 25 Jan.
  • There are many types of attacks → AGURI: design and implementation of a traffic profiler
  • AGURI: single and range targets; flexible detection
  • Observation on the WIDE (AS2500) backbone
  • Report of DoS attacks and their characteristics

  3. CNN, 25 Jan 2003

  4. Focus: types of DoS attacks

  5. Flooding attacks (diagram: Attacker, Host A, Host B, Host C, Server, Routers A, B, C, D)

  6. Flooding attacks • The attacker sends massive numbers of packets (same diagram)

  7. Flooding attacks • Router C drops packets (same diagram, Router C marked "Drop packets")

  8. Network operation against flooding attacks • 1. Detection: is the network in trouble? (same diagram)

  9. Network operation against flooding attacks • 2. Detection of victims (same diagram)

  10. Network operation against flooding attacks • 3. Identification of the attacker's packets: which packets are the attacker's? (same diagram)

  11. Network operation against flooding attacks • 4. Drop the attacker's packets (same diagram)

  12. Filter expression against flooding attacks
  • Simple flooding attacks: deny ip hostA port 100 hostB port 200 tcp → we can use single expressions.
  • Flooding attacks on a company/campus/ISP: deny ip hostA port 100 10.0.0.0/24 port 200 tcp → we can use range expressions.
  → best: drop only the attacker's packets; better: drop some packets, including the attacker's; worst: do nothing.

  13. Type of attacks (simple flooding attacks): table marking, for each 5-tuple element (source IP address, destination IP address, source port number, destination port number, protocol), whether the target is random, a range or single

  14. Type of attacks (port scan): same 5-tuple target table (random / range / single)

  15. Type of attacks (attacks to a network): same 5-tuple target table (random / range / single)

  16. Type of attacks (source spoofing): same 5-tuple target table (random / range / single)

  17. Types of attacks
  • There are many types of attacks
  • no characteristics in the source IP address
  • no characteristics in the destination port number
  • characteristics of the destination IP address in a range
  → monitoring attacks requires various points of view

  18. General methods
  • Rule based matches: rule based matches with pre-defined rule sets, e.g. IDS
  • Flow based aggregation (single), e.g. Cflowd, Netboy
  • AS based aggregation (range), e.g. Skitter (arts++)

  19. AGURI's concept
  • Break the 5-tuple into its elements: enables detection of flooding attacks using the characteristics of one element
  • Aggregate each element: enables detection of flooding attacks on a single target and on a range target

  20. Design of AGURI • Put address information on a binary tree structure (diagram: 10.0.0.0/29 splits into 10.0.0.0/30 and 10.0.0.4/30, with leaves 10.0.0.0, .1, .2, .3, .4, .5, .6, .7)

  21. Design of AGURI • Patricia tree • LRU • threshold

  22. AGURI's output • profiles: src_adr, dst_adr, src_port, dst_port
     [src address] 4992392382 (100.00%)
     0.0.0.0/0 87902964 (1.76%/100.00%)
       60.0.0.0/6 97928228 (1.96%/3.00%)
         62.52.0.0/16 51875058 (1.04%/1.04%)
       64.0.0.0/8 100831910 (2.02%/3.51%)
         64.0.0.0/9 74610984 (1.49%/1.49%)
       128.0.0.0/2 142349668 (2.85%/13.33%)
         133.0.0.0/8 69142535 (1.38%/1.38%)
         150.65.136.91 54123094 (1.08%)
       :
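The threshold aggregation behind a profile like the one above, as an added example (my own Python, not AGURI's code): addresses are counted at /32 and every prefix holding less than a threshold share of the total is folded into its parent prefix, one bit at a time, so small sources end up reported as ranges while a large sender stays an exact address. The sample traffic is constructed, the reading of the percentage pair as (own share / subtree share) is my interpretation of the slide, and the LRU and Patricia tree of slide 21 are left out.

```python
import ipaddress

# Constructed sample of (source address, byte count) pairs standing in for
# per-packet counters; the values are made up for illustration.
SAMPLE = [
    ("10.0.0.1", 700), ("10.0.0.2", 40), ("10.0.0.3", 30), ("10.0.0.6", 20),
    ("10.0.0.7", 10), ("192.0.2.9", 150), ("192.0.2.10", 50),
]

def mask(plen):
    """Network mask for a prefix length, as a 32-bit integer."""
    return ((1 << plen) - 1) << (32 - plen) if plen else 0

def aggregate(samples, threshold_pct):
    """Threshold aggregation in the spirit of AGURI: count at /32, then fold
    every prefix holding less than threshold_pct of the total into its
    parent, one bit at a time. Returns {(addr_int, plen): count}."""
    nodes = {}
    for ip, n in samples:
        key = (int(ipaddress.ip_address(ip)), 32)
        nodes[key] = nodes.get(key, 0) + n
    total = sum(nodes.values())
    for plen in range(32, 0, -1):
        for key in [k for k in nodes if k[1] == plen]:
            if nodes[key] * 100 < threshold_pct * total:
                parent = (key[0] & mask(plen - 1), plen - 1)
                nodes[parent] = nodes.get(parent, 0) + nodes.pop(key)
    nodes.setdefault((0, 0), 0)  # the root 0.0.0.0/0 is always reported
    return nodes

def covers(outer, inner):
    """True if prefix `outer` contains prefix `inner` (or equals it)."""
    return outer[1] <= inner[1] and inner[0] & mask(outer[1]) == outer[0]

def profile(nodes):
    """Render lines in the layout of the slide: prefix, count and
    (own share / subtree share), indented by tree depth."""
    total = sum(nodes.values())
    lines = []
    for key in sorted(nodes):  # (address, plen) order is a pre-order walk
        own = nodes[key]
        subtree = sum(n for k, n in nodes.items() if covers(key, k))
        depth = sum(1 for k in nodes if k != key and covers(k, key))
        lines.append("%s%s/%d %d (%.2f%%/%.2f%%)" % (
            "  " * depth, ipaddress.ip_address(key[0]), key[1], own,
            100.0 * own / total, 100.0 * subtree / total))
    return lines
```

With a 10% threshold the seven sample sources collapse to 0.0.0.0/0, 10.0.0.0/29, 10.0.0.1/32 and 192.0.2.9/32, the /29 being the same prefix the deck uses on slide 20.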

  23. Measurement on WIDE backbone • Data A: 9 months • Data B: 3 months • Data C: 15 months (diagram: ISP, Router A, Switch A, Switch B, Router B, Router C, ISP; capture points Data A, Data B, Data C; US and JPN sides)

  24. Characteristic of attacks in time series (destination address) (plot: host 1, host 2, host 3)

  25. (result 1) Source spoofing attacks (destination address) (plot: host 1)

  26. (result 1) Source spoofing attacks (source IP address) (plot: 128.0.0.0/2)

  27. (result 1) Source spoofing attacks: 5-tuple target table (random / range / single) → drop packets whose destination IP address is the victim

  28. (result 2) Port scan
     [ip:proto:dstport] 10933438650 (100.00%)
     0/0:0:0 50394643 (0.46%/100.00%)
       4:6:0/0 123970078 (1.13%/96.16%)
         4:6:0/3 136730580 (1.25%/95.03%)
           4:6:0/10 110321675 (1.01%/51.22%)
             4:6:0/12 180612063 (1.65%/11.77%)
               4:6:2 220337940 (2.02%)
               4:6:5 220259760 (2.01%)
               4:6:8 224630700 (2.05%)
               4:6:11 220901820 (2.02%)
           : :
           4:6:104 229349040 (2.10%)
           4:6:107 220964460 (2.02%)
           4:6:110 221768098 (2.03%)
           4:6:119 213498789 (1.95%)
  • IPv4 • TCP • destination port • begin port number 2 • ++3

  29. (result 2) Port scan attack: 5-tuple target table (random / range / single) → drop packets by port / destination in range
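Detection logic for the port-scan signature of slide 28 (exact ports 2, 5, 8, 11, ... stepping by 3), as an added example (my own Python, not part of AGURI): it parses [ip:proto:dstport] profile lines, keeps the entries that name one exact port, and per protocol looks for the longest run of ports with a constant stride. The profile text is constructed from the slide's values (shortened), and the stride heuristic and its threshold are my own, not something the deck specifies.

```python
import re

# Constructed [ip:proto:dstport] profile, shortened from the values on the
# port-scan slide; not a real AGURI capture.
PROFILE = """\
[ip:proto:dstport] 10933438650 (100.00%)
0/0:0:0 50394643 (0.46%/100.00%)
4:6:0/0 123970078 (1.13%/96.16%)
4:6:0/12 180612063 (1.65%/11.77%)
4:6:2 220337940 (2.02%)
4:6:5 220259760 (2.01%)
4:6:8 224630700 (2.05%)
4:6:11 220901820 (2.02%)
4:6:104 229349040 (2.10%)
4:6:107 220964460 (2.02%)
4:6:110 221768098 (2.03%)
4:6:119 213498789 (1.95%)
"""

# ipver:proto:port[/plen] count (own%[/subtree%]); the root line uses 0/0.
ENTRY = re.compile(r"^\s*(\d+|0/0):(\d+):(\d+)(?:/(\d+))?\s+(\d+)\s+\(([\d.]+)%")

def parse_port_profile(text):
    """Return (proto, port, count) for entries naming one exact port;
    aggregated ranges (port/plen) and the root entry are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m and m.group(1) != "0/0" and m.group(4) is None:
            out.append((int(m.group(2)), int(m.group(3)), int(m.group(5))))
    return out

def find_scan(entries, min_ports=4):
    """Per protocol, sort the exact ports and find the longest run with a
    constant stride; a run of at least min_ports is reported as
    (proto, first_port, stride, run_length), otherwise None."""
    by_proto = {}
    for proto, port, _ in entries:
        by_proto.setdefault(proto, set()).add(port)
    best = None
    for proto, ports in by_proto.items():
        ports = sorted(ports)
        start, run, stride = 0, 1, None
        for i in range(1, len(ports)):
            d = ports[i] - ports[i - 1]
            if d == stride:
                run += 1
            else:
                start, run, stride = i - 1, 2, d
            if run >= min_ports and (best is None or run > best[3]):
                best = (proto, ports[start], stride, run)
    return best
```

On the constructed profile the result is (6, 2, 3, 4): TCP, starting at port 2, stride 3, which matches the "begin port number 2, ++3" reading on the slide.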

  30. (result 3) Slammer worm (source IP address) (plot: 128.0.0.0/3)

  31. (result 3) Slammer worm (destination IP address) (plot: 128.0.0.0/1)

  32. (result 3) Slammer worm (destination port number) (plot: 4:17:1434)

  33. (result 3) Slammer worm: 5-tuple target table (random / range / single) → drop any any eq 1434 udp

  34. Conclusion
  • Flooding attacks use up network resources
  • AGURI can detect attacks from a single target to a range target
  • Measurement on the WIDE backbone detected many types of flooding attacks
  • Drop flooding attack packets at routers
