
Characteristics of Denial of Service attacks on the Internet using AGURI
Ryo Kaizaki
Keio Univ., Japan
[email protected]
Goal: support of network operation against DoS attacks
• There are many DoS (Denial of Service) attacks
  (e.g.) the Slammer worm on 25 Jan. 2003 (CNN, 25 Jan 2003)
• There are many types of attacks
→ AGURI: design & implementation of a traffic profiler
• AGURI
  – single & range targets
  – flexible detection
• Observation on the WIDE (AS2500) backbone
• Report of DoS attacks and their characteristics
Focus: types of DoS attacks
• DoS attacks
  – Logic attacks
    victims: application, operating system
  – Flooding attacks
    victims: resources of an end node (CPU, memory, network I/F)
             resources of a router (CPU & I/F, bandwidth)
Flooding attacks
[Figure: Attacker, Host A, Host B, Host C, Server and Routers A, B, C, D; the attacker's path to the Server crosses Router C]
• The attacker sends massive packets to the Server.
• Router C drops packets.
Network operation against flooding attacks
[Figure: same topology; Router C is dropping packets]
1. Detection: is the network in trouble?
2. Detection of the victims
3. Identification of the attacker's packets
4. Drop the attacker's packets (at the router)
Filter expression against flooding attacks
• Simple flooding attacks
    deny ip hostA port 100 hostB port 200 tcp
  → we can use single expressions.
• Flooding attacks on a company/campus/ISP
    deny ip hostA port 100 10.0.0.0/24 port 200 tcp
  → we can use range expressions.
→ best: drop only the attacker's packets.
  better: drop some packets, including the attacker's.
  worst: do nothing.
Type of attacks
[Table, one per attack type (simple flooding attacks, port scan, attacks on a network, source spoofing): rows = tuples (Source IP address, Destination IP address, Source port number, Destination port number, Protocol), columns = target (single, range, random)]
Types of attacks
• There are many types of attacks
  – no characteristic in the source IP address
  – no characteristic in the destination port number
  – characteristic in the destination IP address as a range
→ monitoring attacks needs various points of view
General methods
• Rule-based matching
  – matching against pre-defined rule sets
    (e.g.) IDS
• Flow-based aggregation (single)
  (e.g.) Cflowd, Netboy
• AS-based aggregation (range)
  – Skitter (arts++)
AGURI's concept
• Break the 5-tuple into its elements
  – enables detection of flooding attacks from the characteristics of one element
• Aggregate each element
  – enables detection of flooding attacks on
    • a single target
    • a range target
Design of AGURI
• Put address information on a binary tree structure
[Figure: 10.0.0.0/29 splits into 10.0.0.0/30 (10.0.0.0, .1, .2, .3) and 10.0.0.4/30 (.4, .5, .6, .7)]
Design of AGURI
• Patricia tree
• LRU
• threshold
AGURI's output
• profiles: src_adr, dst_adr, src_port, dst_port
• each entry: prefix, byte count, (own share / subtree share); a single host carries one share
[src address] 4992392382 (100.00%)
0.0.0.0/0 87902964 (1.76%/100.00%)
  60.0.0.0/6 97928228 (1.96%/3.00%)
    62.52.0.0/16 51875058 (1.04%/1.04%)
  64.0.0.0/8 100831910 (2.02%/3.51%)
    64.0.0.0/9 74610984 (1.49%/1.49%)
  128.0.0.0/2 142349668 (2.85%/13.33%)
    133.0.0.0/8 69142535 (1.38%/1.38%)
    150.65.136.91 54123094 (1.08%)
    :
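The following Python block is an added example written for this page; it is not AGURI's own code. It builds the binary prefix tree from the design slides, folds every subtree whose byte count falls below a threshold share into its parent prefix, and renders the result in the layout of the [src address] profile above (own share / subtree share per prefix, one share per host). Real AGURI bounds the tree as a Patricia tree and reclaims nodes with LRU; the single fixed-threshold fold, the constructed addresses and byte counts, and the target_type() rule that maps a profile onto the slides' single / range / random targets are assumptions made here for illustration.

```python
"""Prefix-tree profiling of byte counts per IPv4 address, in the style of
AGURI's [src address] profile.  Added example, not AGURI's own code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    prefix: int                      # network number as a 32-bit integer
    plen: int                        # prefix length: 0 = root, 32 = one host
    own: int = 0                     # bytes attributed directly to this prefix
    children: Dict[int, "Node"] = field(default_factory=dict)  # next bit -> child

    def subtree(self) -> int:
        return self.own + sum(c.subtree() for c in self.children.values())

    def label(self) -> str:
        net = str(ipaddress.IPv4Address(self.prefix))
        return net if self.plen == 32 else f"{net}/{self.plen}"


class PrefixProfile:
    """Binary prefix tree with threshold aggregation (assumed simplification
    of AGURI's Patricia tree + LRU reclaim)."""

    def __init__(self) -> None:
        self.root = Node(0, 0)
        self.total = 0

    def add(self, addr: str, nbytes: int) -> None:
        """Walk the 32 address bits, creating nodes on the way, and charge
        the bytes to the /32 leaf."""
        a = int(ipaddress.IPv4Address(addr))
        node = self.root
        for depth in range(32):
            bit = (a >> (31 - depth)) & 1
            child = node.children.get(bit)
            if child is None:
                keep = (0xFFFFFFFF << (31 - depth)) & 0xFFFFFFFF  # top depth+1 bits
                child = Node(a & keep, depth + 1)
                node.children[bit] = child
            node = child
        node.own += nbytes
        self.total += nbytes

    def aggregate(self, threshold: float) -> List[Tuple[str, int, int]]:
        """Fold every subtree carrying less than threshold*total bytes into
        its parent (destructive), then return (prefix, own, subtree) rows in
        address order for the root and each prefix still carrying own bytes."""
        limit = threshold * self.total

        def fold(node: Node) -> None:
            for bit in list(node.children):
                child = node.children[bit]
                fold(child)
                if child.subtree() < limit:
                    node.own += child.subtree()
                    del node.children[bit]

        fold(self.root)
        rows: List[Tuple[str, int, int]] = []

        def walk(node: Node) -> None:
            if node.own or node is self.root:
                rows.append((node.label(), node.own, node.subtree()))
            for bit in (0, 1):
                if bit in node.children:
                    walk(node.children[bit])

        walk(self.root)
        return rows

    def report(self, title: str, threshold: float) -> str:
        """Render like the slide: prefixes show own%/subtree%, hosts one %."""
        lines = [f"[{title}] {self.total} (100.00%)"]
        for label, own, sub in self.aggregate(threshold):
            own_pct = 100.0 * own / self.total
            if "/" in label:
                lines.append(f"{label} {own} ({own_pct:.2f}%/{100.0 * sub / self.total:.2f}%)")
            else:
                lines.append(f"{label} {own} ({own_pct:.2f}%)")
        return "\n".join(lines)


def target_type(rows: List[Tuple[str, int, int]], share: float = 0.5) -> str:
    """Assumed rule mapping a profile onto the slides' targets: 'single' if one
    host carries at least `share` of all bytes, 'range' if one aggregated
    prefix does, otherwise 'random' (traffic spread with no dominant entry)."""
    total = rows[0][2]                      # the root row's subtree is everything
    best = max(rows[1:], key=lambda r: r[2], default=None)
    if best is None or best[2] < share * total:
        return "random"
    return "range" if "/" in best[0] else "single"


def demo() -> str:
    """Constructed sample (made-up byte counts): one heavy host, six light
    hosts sharing a /29, one medium host; aggregated at a 5% threshold."""
    profile = PrefixProfile()
    sample = [("198.51.100.7", 8000), ("203.0.113.9", 1400)]
    sample += [(f"10.0.0.{i}", 100) for i in range(1, 7)]
    for addr, nbytes in sample:
        profile.add(addr, nbytes)
    return profile.report("dst address", 0.05)


if __name__ == "__main__":
    print(demo())
```

In the sample the six light hosts disappear as individual entries and surface as one range entry, 10.0.0.0/29, while the heavy host stays a single entry; lowering the threshold exposes more of the /29's structure, raising it folds the /29 into the root, which is the single-versus-range trade-off the design slides describe.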
Measurement on the WIDE backbone
• Data A: 9 months
• Data B: 3 months
• Data C: 15 months
[Figure: measurement points on the WIDE backbone between JPN and US: Data A at Router A / Switch A, Data C at Router C, Data B at Router B / Switch B on the ISP links]
Characteristic of attacks in time series (destination address)
[Plot: traffic per destination address over time; host 1, host 2, host 3]
(result 1) Source spoofing attacks
[Plot: destination address over time; host 1 dominates]
[Plot: source IP address over time; the 128.0.0.0/2 aggregate dominates]
  tuple                     target
  Source IP address         random (aggregated up to 128.0.0.0/2)
  Destination IP address    single (host 1)
  Source port number
  Destination port number
  Protocol
→ drop packets whose destination IP address is the victim
(result 2) Port scan
• IPv4, TCP, dst port
• begin port number, then ++3
(key = IP version : protocol : destination port; port ranges are written port/prefix-bits, e.g. 4:6:0/12 = TCP ports 0-15)
[ip:proto:dstport] 10933438650 (100.00%)
0/0:0:0 50394643 (0.46%/100.00%)
4:6:0/0 123970078 (1.13%/96.16%)
4:6:0/3 136730580 (1.25%/95.03%)
4:6:0/10 110321675 (1.01%/51.22%)
4:6:0/12 180612063 (1.65%/11.77%)
4:6:2 220337940 (2.02%)
4:6:5 220259760 (2.01%)
4:6:8 224630700 (2.05%)
4:6:11 220901820 (2.02%)
:
4:6:104 229349040 (2.10%)
4:6:107 220964460 (2.02%)
4:6:110 221768098 (2.03%)
4:6:119 213498789 (1.95%)
(result 2) Port scan attack
  tuple                     target
  Source IP address
  Destination IP address
  Source port number
  Destination port number   range (begin port, then every third port, near-equal share each)
  Protocol                  single (TCP)
→ drop packets to the destination port range / destination
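An added example, not code from the paper, of detection logic run over the [ip:proto:dstport] profile layout shown in result 2: it parses the single-port rows (skipping the header and the port/prefix-bits range rows) and looks for a run of destination ports with a constant stride whose shares are near-equal, which is the "begin port, ++3" pattern above. The profile text is constructed for the example, and the minimum run length and share tolerance are assumed thresholds, not values from AGURI.

```python
"""Port-sweep detection over an AGURI-style [ip:proto:dstport] profile.
Added example; the profile text and thresholds are constructed here."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed profile in the slide's layout: key = ipversion:protocol:dstport,
# then a byte count and the share in percent.  Range rows (port/prefix-bits)
# carry own%/subtree% and are skipped by the parser.
SAMPLE_PROFILE = """\
[ip:proto:dstport] 1000000 (100.00%)
0/0:0:0 5000 (0.50%/100.00%)
4:6:0/3 12000 (1.20%/95.00%)
4:6:2 60000 (6.00%)
4:6:5 59000 (5.90%)
4:6:8 61000 (6.10%)
4:6:11 60000 (6.00%)
4:6:14 58000 (5.80%)
4:6:17 60000 (6.00%)
4:6:20 60000 (6.00%)
4:6:23 59000 (5.90%)
4:6:26 61000 (6.10%)
4:6:29 60000 (6.00%)
4:6:80 150000 (15.00%)
4:6:443 90000 (9.00%)
4:17:53 30000 (3.00%)
"""

# Matches only single-port rows: "ipver:proto:port count (pct%)".
ROW = re.compile(r"^(\d+):(\d+):(\d+) (\d+) \(([\d.]+)%\)$")


def parse_single_ports(profile: str) -> List[Tuple[int, int, int, float]]:
    """Return (ipver, proto, port, share_pct) for every row naming one port."""
    rows: List[Tuple[int, int, int, float]] = []
    for line in profile.splitlines():
        m = ROW.match(line.strip())
        if m:
            ipver, proto, port, _count, pct = m.groups()
            rows.append((int(ipver), int(proto), int(port), float(pct)))
    return rows


def find_port_sweep(rows: List[Tuple[int, int, int, float]],
                    min_ports: int = 8,
                    tolerance: float = 0.5) -> Optional[Tuple[int, int, int, int]]:
    """Per (ipver, proto), look for a run of ports with a constant stride whose
    shares stay within `tolerance` percentage points of the run's first port.
    min_ports and tolerance are assumed thresholds.
    Returns (proto, begin_port, stride, n_ports) or None."""
    by_proto: Dict[Tuple[int, int], List[Tuple[int, float]]] = {}
    for ipver, proto, port, pct in rows:
        by_proto.setdefault((ipver, proto), []).append((port, pct))
    for (_ipver, proto), entries in by_proto.items():
        entries.sort()
        i = 0
        while i + 1 < len(entries):
            stride = entries[i + 1][0] - entries[i][0]
            base = entries[i][1]
            j = i
            while (j + 1 < len(entries)
                   and entries[j + 1][0] - entries[j][0] == stride
                   and abs(entries[j + 1][1] - base) <= tolerance):
                j += 1
            if j - i + 1 >= min_ports:
                return (proto, entries[i][0], stride, j - i + 1)
            i = j if j > i else i + 1     # resume from the end of the run
    return None


if __name__ == "__main__":
    print("sweep:", find_port_sweep(parse_single_ports(SAMPLE_PROFILE)))
```

On the constructed profile the TCP ports 2, 5, ..., 29 form a run of ten ports with stride 3 and shares within 0.3 points of each other, while the busy but uneven ports 80 and 443 do not, so the detector returns the begin port and stride that the slide's filter ("drop packets to the port range") needs.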
(result 3) Slammer worm
[Plot: source IP address over time; the 128.0.0.0/3 aggregate dominates]
[Plot: destination IP address over time; the 128.0.0.0/1 aggregate dominates]
[Plot: destination port number over time; 4:17:1434 (IPv4, UDP, port 1434) dominates]
  tuple                     target
  Source IP address         random (aggregated up to 128.0.0.0/3)
  Destination IP address    random (aggregated up to 128.0.0.0/1)
  Source port number
  Destination port number   single (1434)
  Protocol                  single (UDP)
→ drop any any eq 1434 udp
Conclusion
• Flooding attacks use up network resources
• AGURI
  – can detect attacks on single targets through range targets
• Measurement on the WIDE backbone
• Detected many types of flooding attacks
  – drop the flooding attack's packets at routers