Network Flow-Based Anomaly Detection of DDoS Attacks
Vassilis Chatzigiannakis
National Technical University of Athens, Greece
TNC 2004
Network Flow-based Anomaly Detection of DDoS Attacks - TNC 2004
Intrusion Detection
An IDS is a system used for detecting network attacks
- They detect both successful and unsuccessful attacks
- They detect attacks from insiders
IDS categories:
- Host / Network based
- They use misuse / anomaly detection
- Distributed Intrusion Detection Systems
Intrusion Detection (2)
Misuse Detection
- Sniffs network packets
- If a known signature is matched, it detects the attack
- Resembles an anti-virus system
- Must be updated night and day
Intrusion Detection (3)
Anomaly Detection
- Checks for great variation from the normal behaviour of an entity
- An entity could be a user, a computer or a network link
- Use of an expert system
- The system has to be trained to become operational
Denial of Service Attacks
- An attack to suspend the availability of a service
- Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then Nobody"
- DoS: single, correctly formed malicious packets against the target machine
- Distributed DoS: traffic flows from various sources to exhaust network or computing resources
Main Characteristics of DoS
Variable targets:
- Single hosts or whole domains
- Computer systems or networks
- Important: Active network components (e.g. routers) are also vulnerable and possible targets!
Variable uses & effects:
- Hacker "turf" wars
- High profile commercial targets (or just competitors...)
- Useful in cyber-warfare, terrorism etc.
Distributed DoS
(Diagram) Attacker X -> 1. Taking control of the "zombies" (pirated machines in Domain A and Domain B) -> 2. Commanding the attack against the target domain
Netflow
What is a flow? Defined by seven keys:
- Source IP address
- Destination IP address
- Source Port
- Destination Port
- Layer 3 Protocol Type
- TOS byte (DSCP)
- Input logical interface (ifIndex)
NetFlow Sequence Router (from Cisco.com)

1. Create and update flows in NetFlow Cache
SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs Pkts SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop Bytes/Pkt Active Idle
Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1745 4
Fa1/0 173.100.3.2 Fa0/0 10.0.227.12 6 40 0 2491 15 /26 196 15 /24 15 10.0.23.2 740 41.5 1
Fa1/0 173.100.20.2 Fa0/0 10.0.227.12 11 80 10 10000 00A1 /24 180 00A1 /24 15 10.0.23.2 1428 1145.5 3
Fa1/0 173.100.6.2 Fa0/0 10.0.227.12 6 40 0 2210 19 /30 180 19 /24 15 10.0.23.2 1040 24.5 14

2. Expiration (a flow leaves the cache when one of these holds)
- Inactive timer expired (15 sec is default)
- Active timer expired (30 min is default)
- NetFlow cache is full (oldest flows expire)
- RST or FIN TCP flag
The expired flow record:
SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs Pkts SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop Bytes/Pkt Active Idle
Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1800 4

3. Aggregation?
- Yes: e.g. with the Protocol-Port Aggregation Scheme the record becomes
Protocol Pkts SrcPort DstPort Bytes/Pkt
11 11000 00A2 00A2 1528
- No: the non-aggregated flow record is exported as it is

4. Export Version
- Aggregated Flows: export Version 8 or 9
- Non-Aggregated Flows: export Version 5 or 9

5. Transport Protocol
Export Packet: Payload (flows)
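The cache lifecycle on the Cisco slide, as an added example that is not part of the presentation or of any Cisco code: packets are keyed by the seven NetFlow keys, entries expire on the four rules listed under step 2, and expired records are either exported as they are or summarised with the protocol-port aggregation scheme of step 3. The timer values are the defaults quoted on the slide; the cache size of 3, the packet stream and the IP addresses are constructed so that each expiry rule fires at least once.

```python
"""Added example (not from the slides or from Cisco): a small model of the
NetFlow cache lifecycle. Timer values are the Cisco defaults quoted on the
slide; CACHE_SIZE and every packet below are constructed for the demo."""
from collections import defaultdict
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15       # seconds (slide: 15 sec default)
ACTIVE_TIMEOUT = 30 * 60    # seconds (slide: 30 min default)
CACHE_SIZE = 3              # assumed, tiny so that "cache full" can be shown
TCP, UDP = 6, 17
FIN, RST = 0x01, 0x04       # TCP flag bits that end a flow early
FIELDS = ("src", "dst", "sport", "dport", "proto", "tos", "ifindex", "len", "flags")


@dataclass
class FlowRecord:
    key: tuple          # the seven NetFlow keys from the slide
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0


class NetFlowCache:
    def __init__(self):
        self.cache = {}      # key -> FlowRecord (insertion ordered)
        self.exported = []   # (expiry reason, FlowRecord), in export order

    def _expire(self, key, reason):
        self.exported.append((reason, self.cache.pop(key)))

    def update(self, pkt, now):
        """Step 1: create or update the flow entry matching this packet."""
        key = tuple(pkt[f] for f in FIELDS[:7])
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= CACHE_SIZE:
                # Step 2, rule 3: cache full, the least recently updated flow is exported
                oldest = min(self.cache, key=lambda k: self.cache[k].last_seen)
                self._expire(oldest, "cache full")
            rec = self.cache[key] = FlowRecord(key, now, now)
        rec.last_seen = now
        rec.packets += 1
        rec.bytes += pkt["len"]
        rec.tcp_flags |= pkt["flags"]
        # Step 2, rule 4: a TCP RST or FIN ends the flow immediately
        if pkt["proto"] == TCP and pkt["flags"] & (FIN | RST):
            self._expire(key, "RST/FIN")

    def expire_timers(self, now):
        """Step 2, rules 1 and 2: inactive and active timers."""
        for key, rec in list(self.cache.items()):
            if now - rec.last_seen >= INACTIVE_TIMEOUT:
                self._expire(key, "inactive timer")
            elif now - rec.first_seen >= ACTIVE_TIMEOUT:
                self._expire(key, "active timer")


def aggregate_protocol_port(records):
    """Step 3 (Yes): protocol-port aggregation, {(proto, sport, dport): (pkts, bytes)}."""
    agg = defaultdict(lambda: [0, 0])
    for rec in records:
        _src, _dst, sport, dport, proto, _tos, _ifindex = rec.key
        agg[(proto, sport, dport)][0] += rec.packets
        agg[(proto, sport, dport)][1] += rec.bytes
    return {k: tuple(v) for k, v in agg.items()}


def run_demo():
    """Replay constructed packets; returns (expiry reasons, aggregated export)."""
    cache = NetFlowCache()
    # (time, src, dst, sport, dport, proto, tos, ifindex, len, flags), all constructed
    events = [
        (0, "10.0.0.1", "10.0.1.1", 162, 162, UDP, 0, 1, 100, 0),       # flow A
        (0, "10.0.0.2", "10.0.1.1", 40000, 80, TCP, 0, 1, 60, 0x02),    # flow B, SYN
        (1, "10.0.0.1", "10.0.1.1", 162, 162, UDP, 0, 1, 100, 0),
        (1, "10.0.0.2", "10.0.1.1", 40000, 80, TCP, 0, 1, 60, FIN),     # flow B ends
        (2, "10.0.0.1", "10.0.1.1", 162, 162, UDP, 0, 1, 100, 0),
        (3, "10.0.0.3", "10.0.1.1", 162, 162, UDP, 0, 1, 200, 0),       # flow C
        (4, "10.0.0.4", "10.0.1.1", 53, 53, UDP, 0, 1, 80, 0),          # flow D
        (5, "10.0.0.5", "10.0.1.1", 5000, 5000, UDP, 0, 1, 50, 0),      # flow E, cache now full
    ]
    # flow E keeps talking every 10 s, so only the 30 min active timer can end it
    events += [(t, "10.0.0.5", "10.0.1.1", 5000, 5000, UDP, 0, 1, 50, 0)
               for t in range(15, 1806, 10)]
    for ev in events:
        cache.expire_timers(ev[0])
        cache.update(dict(zip(FIELDS, ev[1:])), ev[0])
    cache.expire_timers(events[-1][0] + INACTIVE_TIMEOUT)   # drain what is left
    reasons = [reason for reason, _ in cache.exported]
    aggregated = aggregate_protocol_port([rec for _, rec in cache.exported])
    return reasons, aggregated


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Running the demo exports six records: flow B on its FIN, flow A when the cache fills, flows C and D on the inactive timer, flow E on the active timer after 30 minutes and again (as a fresh entry) on the inactive timer. The aggregation step folds A and C, which share protocol and ports, into a single protocol-port record, which is exactly the loss of per-host detail that makes a detector prefer non-aggregated v5/v9 exports when it wants to name the target host.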
Our Solution: An anomaly detection tool
OpenEye
OpenEye
- DDoS Attack Detection Tool
- Analyses flows that are exported from Cisco Netflow enabled routers
- Compatible with Netflow v9
- Works with IPv4 and IPv6 traffic
- Uses an anomaly detection algorithm based on specific metrics and thresholds
- Written in the Java language
Implementation
Two main modules:
- Collector: The Collector is responsible for receiving flow data from the Netflow enabled routers; the information is analyzed and stored in a local data structure.
- Detector: The Detector is responsible for calculating the metrics and comparing the results to detection thresholds. It is periodically activated, implements extensive logging of detection events and generates e-mail notifications with security alerts to the administrator.
DoS Detection Metrics (1)
Metrics for Packets/Flows based on deviation
CP_ij = Current Packets/Flows from interface i to j
AP_ij = Average Packets/Flows from interface i to j
Deviation of the current value from the average, compared to threshold k1:
$\frac{CP_{ij} - AP_{ij}}{AP_{ij}} > k_1$
Share of the traffic entering interface i that leaves through interface j, compared to threshold k2:
$\frac{CP_{ij}}{\sum_{j} CP_{ij}} > k_2$
DoS Detection Metrics (2)
- Number of flows with very small lifetime
- Number of flows with a very small number of packets
- Percentages of TCP/UDP traffic
Data structures
- Tables for number of packets and number of flows for every pair of interfaces
- Hash Tables with the Dst IP (key) and the number of packets and flows (values) for each IP for every pair of interfaces
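The Collector tables, the deviation and share metrics of "DoS Detection Metrics (1)", the flow-shape metrics of "DoS Detection Metrics (2)" and the per-destination hash tables of this slide, as one added example. This is not OpenEye's code (OpenEye is written in Java; this is Python): the thresholds k1 and k2, the "very small" cut-offs, the baseline averages AP_ij and the flow records are all assumed or constructed values. The example shows how the per-destination hash table turns a raw interface-pair alert into the name of the host absorbing the surge.

```python
"""Added example, not OpenEye's own code: the Collector tables and the Detector
metrics from the slides, run over constructed NetFlow-style records. K1, K2,
the cut-offs, BASELINE and sample_flows() are assumed values for the demo."""
from collections import defaultdict

TCP, UDP = 6, 17
K1 = 2.0                  # assumed: alert when CP_ij exceeds AP_ij by more than 200%
K2 = 0.8                  # assumed: alert when one output interface takes >80% of an input's packets
SHORT_LIFETIME_MS = 100   # assumed cut-off for "very small lifetime"
FEW_PACKETS = 2           # assumed cut-off for "very small number of packets"

# Assumed learned baseline AP_ij: (input interface, output interface) -> average packets per period
BASELINE = {(1, 2): 1000, (1, 3): 1000, (2, 1): 500, (2, 3): 300}


def build_tables(flows):
    """Collector side: per interface-pair counters and per-destination hash tables."""
    packets = defaultdict(int)    # (i, j) -> packets, i.e. CP_ij
    nflows = defaultdict(int)     # (i, j) -> flows
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # (i, j) -> dst IP -> [pkts, flows]
    for f in flows:
        pair = (f["in_if"], f["out_if"])
        packets[pair] += f["pkts"]
        nflows[pair] += 1
        per_dst[pair][f["dst"]][0] += f["pkts"]
        per_dst[pair][f["dst"]][1] += 1
    return packets, nflows, per_dst


def deviation_metric(current, average, k1=K1):
    """(CP_ij - AP_ij) / AP_ij > k1, for the pairs that have a baseline."""
    alerts = []
    for pair, cp in current.items():
        ap = average.get(pair)
        if ap:
            dev = (cp - ap) / ap
            if dev > k1:
                alerts.append((pair, round(dev, 2)))
    return alerts


def share_metric(current, k2=K2):
    """CP_ij / sum_j CP_ij > k2: one output interface dominating an input interface."""
    totals = defaultdict(int)
    for (i, _j), cp in current.items():
        totals[i] += cp
    return [((i, j), round(cp / totals[i], 2))
            for (i, j), cp in current.items() if cp / totals[i] > k2]


def flow_shape_metrics(flows):
    """Metrics (2): short-lived flows, tiny flows and the TCP/UDP split of the packets."""
    total = sum(f["pkts"] for f in flows)
    tcp = sum(f["pkts"] for f in flows if f["proto"] == TCP)
    udp = sum(f["pkts"] for f in flows if f["proto"] == UDP)
    return {
        "short_lived_flows": sum(1 for f in flows if f["duration_ms"] < SHORT_LIFETIME_MS),
        "tiny_flows": sum(1 for f in flows if f["pkts"] < FEW_PACKETS),
        "tcp_pct": round(100 * tcp / total, 1),
        "udp_pct": round(100 * udp / total, 1),
    }


def run_detector(flows, average=BASELINE, k1=K1, k2=K2):
    """Detector side: one periodic run; returns (log events, flow-shape metrics)."""
    packets, _nflows, per_dst = build_tables(flows)
    events = []
    for pair, dev in deviation_metric(packets, average, k1):
        # the per-destination hash table names the host that absorbed the surge
        dst, (pkts, nf) = max(per_dst[pair].items(), key=lambda kv: kv[1][0])
        events.append(f"deviation {dev:+.2f} on interfaces {pair}; top destination {dst} "
                      f"({pkts} pkts in {nf} flows)")
    for (i, j), share in share_metric(packets, k2):
        events.append(f"interface {i} sends {share:.0%} of its packets to interface {j}")
    return events, flow_shape_metrics(flows)


def sample_flows():
    """Constructed records: normal traffic plus a UDP flood of single-packet flows at 10.0.2.7."""
    def rec(in_if, out_if, dst, proto, pkts, duration_ms):
        return {"in_if": in_if, "out_if": out_if, "dst": dst, "proto": proto,
                "pkts": pkts, "duration_ms": duration_ms}
    flows = [rec(1, 2, "10.0.2.5", TCP, 900, 60000), rec(1, 3, "10.0.3.9", TCP, 400, 30000),
             rec(1, 3, "10.0.3.9", TCP, 600, 30000), rec(2, 1, "10.0.1.4", TCP, 500, 20000),
             rec(2, 3, "10.0.3.2", UDP, 300, 20000)]
    flows += [rec(1, 2, "10.0.2.7", UDP, 1, 0) for _ in range(3500)]
    return flows


if __name__ == "__main__":
    events, shape = run_detector(sample_flows())
    print("\n".join(events))
    print(shape)
```

On the constructed batch both threshold metrics fire for the interface pair (1, 2) and the flow-shape metrics show 3500 short-lived, single-packet flows and a UDP share above 60%. The share metric deliberately normalises by the total leaving interface i, so an input interface that legitimately feeds a single output interface would always exceed k2; a deployment needs a baseline per pair or a minimum packet count before that metric is trusted.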
Attack Graphs
Future Work
- More experiments
- Detection of worms
- Creation and testing of new metrics
- Usage of OpenEye as a part of a Distributed Intrusion Detection System
Acknowledgements
Panoptis http://panoptis.sourceforge.net/
GrNet http://www.grnet.gr
Ntua NOC http://noc.ntua.gr
Netmode http://netmode.ntua.gr
Questions and Answers