Characteristics of Denial of Service attacks on Internet using AGURI

Characteristics of Denial of Service attacks on Internet

using AGURI

Ryo Kaizaki

Keio Univ. ,Japan

[email protected]

Goal : support of network operation against DoS attacks

• There are many DoS(Denial of Service) attacks(ex)slammer worm in 25 Jan.

• There are many types of attacks　→ AGURI : design & implementation of the traffic profiler

• AGURI– single & range target– flexible detection

• Observation on WIDE(AS2500) backbone• Report of DoS attacks and their characteristics

CNN ,25 Jan 2003

Focus : types of DoS attacks

　 DoS

attacks

Logic attacks

Application

Operating System

Flooding attacks

Resources of an end node

- CPU , memory, network I/F

Resources of router

- CPU & I/F, bandwidwh

　　 type 　　　　 victims

Flooding attacks

Router A

Router B

Router C

Router D

Server Host A

Host C

Host B

Attacker

Flooding attacks

Router A

Router B

Router C

Router D

Server Host A

Host C

Host B

Attacker

•Attacker sends massive packets

Flooding attacks

Router A

Router B

Router C

Router D

Server Host A

Host C

Host B

Attacker

Drop packets

•Router C drops packets.

Network operation against flooding attacks

Router A

Router B

Router C

Router D

Server Host A

Host C

Host B

Attacker

Drop packets

1.Detection

Is network in trouble?


Router A

Router B

Router C

Router D

Server Host A

Host C

Host B

Attacker

Drop packets

2. Detection of victims


Router A

Router B

Router C

Router D

Server Host A

Host C

Host B

Attacker

Drop packets

3. Attacker’s packets

are the packets!


Router A

Router B

Router C

Router D

Server Host A

Host C

Host B

Attacker

4. Drop attacker’s packets

Drop packets

drops packets

Filter expression against flooding attacks

• Simple flooding attacks deny ip hostA port 100 hostB port 200 tcp

→we can use single expressions.

• Flooding attacks to a company/campus/ISPdeny ip hostA port 100 10.0.0.0/24 port 200 tcp

　 → we can use range expressions.

→ best : drop only attacker’s packets.

better : drop some packets including attacker’s.

worst : do nothing

Type of attacks（ simple flooding attacks ）

tuplestarget

single range

Source IP address

Destination IP address

Source port number

Destination port number

Protocol

random

Type of attacks（ port scan ）

tuplestarget

single range

Source IP address


Source port number


Protocol

random

Type of attacks（ attacks to network ）

tuplestarget

single range

Source IP address


Source port number


Protocol

random

Type of attacks（ source spoofing ）

tuplestarget

single range

Source IP address


Source port number


Protocol

random

Types of attacks

• There are many types of attacks– no characteristics in source IP address– no characteristics in destination port number– characteristics of destination IP address in range

→ 　 for monitoring attacks,

needs on various point of views

General methods

• Rule based matches– Rule based matches with pre-defined rule sets

(ex) IDS

• Flow based aggregation (single)

(ex) Cflowd , Netboy

• AS based aggregation (range)– Skitter(arts++)

AGURI’s concept

• Break 5-tuples to each element– Enable to detect flooding attacks using

characteristics of a element.

• Aggregation each element– Enable to detect flooding attacks

• Simple target

• Range target

Design of AGURI

• Put address information on binary tree structure

10.0.0.0/29

10.0.0.0 .1 .2 .3 .4 .5 .6 .7

10.0.0.0/30 10.0.0.4/30

Design of AGURI

• Patricia tree

• LRU

• threshold

AGURI’s output

[src address] 4992392382 　　 (100.00%)

0.0.0.0/0 87902964 　 (1.76%/100.00%)

60.0.0.0/6 97928228 　 (1.96%/3.00%)

62.52.0.0/16 　　　　 51875058 　 (1.04%/1.04%)

64.0.0.0/8 100831910 　　 (2.02%/3.51%)

64.0.0.0/9 　　　　　　　 74610984 　 (1.49%/1.49%)

128.0.0.0/2 142349668 　　 (2.85%/13.33%)

133.0.0.0/8 　　　　　 69142535 　　 (1.38%/1.38%)

150.65.136.91 54123094 　 (1.08%)

　　　　　　　　　　　　：　　　　　　　　　　　　： :

•profiles

•src_adr•dst_adr•src_port•dst_port

Measurement on WIDE backbone

• Data A 　： 9months

• Data B 　： 3months

• Data C : 15months

JPNUS

Switch B Router BRouter A ISP

Router C ISP

Data A

Data C

Data B

Switch A

Characteristic of attacks in time series

host 1

host 2 host 2host 3

(destination address)

（ result １）Source spoofing attacks

host 1

(destination address)

（ result １）Source spoofing attacks

128.0.0.0/2

(source IP address)

（ result 1 ）Source spoofing attacsk

→ 　 drop packet which destination ip address is victim

tuplestarget

single range

Source IP address


Source port number


Protocol

random

（ result 2 ）port scan

[ip:proto:dstport] 10933438650 (100.00%)

0/0:0:0 50394643 (0.46%/100.00%)

4:6:0/0 123970078 (1.13%/96.16%)

4:6:0/3 136730580 (1.25%/95.03%)

4:6:0/10 110321675 (1.01%/51.22%)

4:6:0/12 180612063 (1.65%/11.77%)

4:6:2 220337940 (2.02%)

4:6:5 220259760 (2.01%)

4:6:8 224630700 (2.05%)

4:6:11 220901820 (2.02%)

:

:

4:6:104 229349040 (2.10%)

4:6:107 220964460 (2.02%)

4:6:110 221768098 (2.03%)

4:6:119 213498789 (1.95%)

•IPv4•TCP•dst prot

•Begin port number 2•++3

（ result 2 ）port scan attack

→ 　 drop packet port / destination in range

tuplestarget

single range

Source IP address


Source port number


Protocol

random

（ result3 ）　 Slammer worm

128.0.0.0/3

(source IP address)

（ result 3 ）Slammer worm

128.0.0.0/1

(destination IP address)

（ result 3 ）Slammer worm

4:17:1434

(Destination port number)

(result 3)Slammer worm

→ 　 drop any any eq 1434 udp

tuplestarget

single range

Source IP address


Source port number


Protocol

random

conclusion

• Flooding attacks : use up network resources

• AGURI– Can detect attacks from single target to range target

• Measurement on WIDE backbone

• Detect many types of flooding attacks– Drop flooding attack’s packets at routers.

Documents

Characteristics of Denial of Service attacks on Internet using AGURI