
Denial of Service attacks on transit networks David Harmelin DANTE


Presentation Transcript


  1. Denial of Service attacks on transit networks. David Harmelin, DANTE

  2. DANTE
     • advanced network services for the European research community: TEN-155, GÉANT
     • active in testing and evaluating emerging technologies: http://www.dante.net/tf-ngn
     • DANCERT (dancert@dante.org.uk): http://www.dante.net/security

  3. Connecting 30 NRENs
     • Backbone and access speeds up to 622 Mbps
     • Research interconnections to North America (USA & Canada) and Asia-Pacific
     • Multiple interconnections with the commercial Internet

  4. Definition of a DoS attack
     • DoS attack: an attack on a network or computer, the primary aim of which is to disrupt access to a given service.
     • In this presentation, only DoS attacks involving flooding of networks are considered (networked flood-based DoS attacks).

  5. Example of a networked DoS (http://www.dante.net/pubs/dip/42/42.html)

  6. Why care about DoS attacks?
     • DoS attacks add to the overall costs:
       • when unnoticed
       • one target, many outages
       • elements not targeted may still be victims
       • all users (using the starved resource) suffer.
     • No quick fix in sight! Need for better co-operation between ISPs.

  7. Are you affected by DoS attacks?
     • Everybody running/using IP networks or services is.
     • DoS attacks are rarely reported in the media.
     • Most organisations do not notice when affected.
     • Management may not be notified.

  8. DANTE and DoS attacks
     • 1999: DoS attacks noticed regularly on TEN-155.
     • Beginning of 2000: DoS attacks against major companies in the news.
     • 2000: first tool, based on peer-to-peer matrix analysis. Failed.
     • End of 2000: second tool, based on sampled flow data. DANCERT relies on it to reduce the amount of DoS attacks.

  9. Detecting DoS attacks (1)

  10. Detecting DoS attacks (2)
     • Central server: every X minutes, samples every PoP WS with rate 1/Y flows, during Z seconds.
     • For each router, if more than N flows are received with the same destination IP, raise an alarm.
     • Current values in use:
       • Routers with regular netflow: X=15, Y=100, Z=10, N=10
         • most attacks > 100 pkts/s are detected
       • Routers with sampled netflow (rate: 1/200 packets): X=15, Y=10, Z=60, N=10
         • most attacks > 330 pkts/s are detected

  11. Results
     • Running the tool on 4 core routers since 12/2000.
     • Logging all attacks detected since 03/2001.
     • Trade-off between
       • accuracy (confirmed attacks / alarms raised = 98%)
       • detection effectiveness (> 100 pkt/s).
     • Average of 34 different attacks per day logged, up to 5-6 concurrent (96 polls per day).
     • 90% "C class" attacks - easily traceable.
     • 75% of attacks are 40-byte TCP packets.

  12. Results - "C class" attacks
     • Spoofed source addresses within the /24 of the source. Coded by default in some DoS tools.
     • Appears as if coming from: 192.168.0.1, 192.168.0.2, ..., 192.168.0.254
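The per-router flow counting of slide 10 and the "C class" source pattern of slide 12, as an added worked example (not DANTE's in-house tool). It assumes flow records already reduced to (router, source IP, destination IP) tuples and uses constructed sample flows; detection_floor_pps reproduces the ~100 and ~330 pkt/s figures from the slide's own X, Y, Z, N values.

```python
from collections import defaultdict
from ipaddress import ip_network

N_FLOWS = 10  # slide 10: alarm when more than N sampled flows share a destination


def make_sample_flows():
    """Constructed sample: background traffic to distinct hosts plus one flood.

    The flood uses source addresses spoofed inside a single /24, the pattern
    slide 12 calls a "C class" attack (addresses are documentation ranges)."""
    flows = [("core1", f"10.0.{i}.5", f"172.16.{i}.1") for i in range(40)]
    flows += [("core1", f"192.0.2.{i}", "198.51.100.7") for i in range(1, 30)]
    return flows


def is_c_class(sources):
    """True when every source address falls inside one /24 (slide 12 pattern)."""
    nets = {ip_network(f"{s}/24", strict=False) for s in sources}
    return len(sources) > 1 and len(nets) == 1


def detect(flows, n=N_FLOWS):
    """Count sampled flows per (router, destination); alarm when more than n
    share a destination, and tag alarms whose sources sit in one /24."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for router, src, dst in flows:
        counts[(router, dst)] += 1
        sources[(router, dst)].add(src)
    return [
        {"router": r, "dst": d, "flows": c, "c_class": is_c_class(sources[(r, d)])}
        for (r, d), c in counts.items()
        if c > n
    ]


def detection_floor_pps(y, z, n, pkt_sample=1):
    """Lowest packet rate the parameters can catch: n sampled flows, each
    standing for y flows (and pkt_sample packets per flow record), over z s."""
    return n * y * pkt_sample / z


if __name__ == "__main__":
    for alarm in detect(make_sample_flows()):
        print(alarm)
    print(detection_floor_pps(100, 10, 10))        # regular netflow: 100 pkt/s
    print(detection_floor_pps(10, 60, 10, 200))    # sampled netflow: ~333 pkt/s
```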

  13. Results - Durations
     • Most attacks last less than 15 minutes.
     • Fast inter-domain tracing required to find the source.

  14. Results - Traffic generated
     • Highest: 32 Mbps
     • Highest: 27000 pkts/s
     • Approximate values only. Low accuracy due to sampling.

  15. Known limitations of this method
     • Router capabilities (netflow required)
     • Detecting networked flood-based DoS attacks only...
     • ... but not ALL.
     • Detection helps, but further need for co-operation.

  16. Other approaches exist
     • No detection
     • Human detection
     • Monitoring CPU load and traffic counters
     • IETF working on itrace
     • Passive monitoring
     • Other flow monitoring approaches

  17. Who should help? How?
     • IP network operators:
       • automatic detection and logging of DoS attacks
       • co-operation between CERT teams
       • SLAs
     • End-sites:
       • prevention
       • trace when DoS traffic sources are reported
     • DANTE:
       • http://www.dante.net/security/dos/
       • gives away the in-house software to transit providers.