Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece [email protected] TNC

Network Flow-Based Anomaly Detection of DDoS Attacks

Vassilis Chatzigiannakis

National Technical University of Athens, Greece

[email protected]

TNC 2004TNC 2004

Network Flow-based Anomaly Detection of DDoS Attacks - TNC

2004

Intrusion Detection

An IDS is a system used for detecting network attacks

They detect both successful and unsuccessful attacks

They Detect attacks from insidersIDS Categories:

Host /Network based They use Misuse /Anomaly detection Distributed Intrusion Detection Systems


2004

Intrusion Detection(2)

Misuse Detection Sniffs network packets If known a signature is matched, it detects the

attack Resembles to an anti-virus system Must be updated night and day


2004

Intrusion Detection(3)

Anomaly Detection Checks for great variation from the normal

behaviour of an entity An entity could be a user, a computer or network

link Use of an expert system The system has to be trained to become

operational


2004

Denial of Service AttacksDenial of Service Attacks An attack to suspend the availability of a

service Until recently the "bad guys" tried to enter our

systems. Now it’s: ""If not us, then NobodyIf not us, then Nobody""

DoS: single correctly made malicious packets against the target machine

Distributed DoS: traffic flows from various sources to exhaust network or computing resources


2004

Main Characteristics of DoSMain Characteristics of DoS Variable targets:

Single hosts or whole domains Computer systems or networks ImportantImportant: Active network components (e.g.

routers) also vulnerable and possible targets! Variable uses & effects:

Hacker "turf" wars High profile commercial targets (or just

competitors…). Useful in cyber-warfare, terrorism etc.


2004

1. Taking Control

2. Commandingthe attack

Distributed DoSDistributed DoS

Target

domain

"zombies"

Pirated machines

Domain A

Pirated machines

Domain B

Attacker

X


2004

NetflowNetflow

What is a flow? Defined by seven keys: Source IP address Destination IP address Source Port Destination Port Layer 3 Protocol Type TOS byte (DSCP) Input logical interface (ifIndex)


2004

NetFlow Sequence Router (from Cisco.com)

1. Create and update flows in NetFlow Cache

• Inactive timer expired (15 sec is default)• Active timer expired (30 min is default)•NetFlow cache is full (oldest flows expire)• RST or FIN TCP Flag

ExportPacket

Payload(flows)

2. Expiration

3. Aggregation?

Protocol Pkts SrcPort DstPort Bytes/Pkt

11 11000 00A2 00A2 1528

SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs Pkts SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop Bytes/Pkt Active Idle

Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1800 4

e.g. Protocol-Port Aggregation Scheme becomes

4. Export Version

SrcIf SrcIPadd DstIf DstIPadd Protocol TOS Flgs Pkts SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop Bytes/Pkt Active Idle

Fa1/0 173.100.21.2 Fa0/0 10.0.227.12 11 80 10 11000 00A2 /24 5 00A2 /24 15 10.0.23.2 1528 1745 4

Fa1/0 173.100.3.2 Fa0/0 10.0.227.12 6 40 0 2491 15 /26 196 15 /24 15 10.0.23.2 740 41.5 1

Fa1/0 173.100.20.2 Fa0/0 10.0.227.12 11 80 10 10000 00A1 /24 180 00A1 /24 15 10.0.23.2 1428 1145.5 3

Fa1/0 173.100.6.2 Fa0/0 10.0.227.12 6 40 0 2210 19 /30 180 19 /24 15 10.0.23.2 1040 24.5 14

YesNo

Aggregated Flows – export Version 8 or 9Non-Aggregated Flows – export Version 5 or 9

5. Transport Protocol

Our Solution:Our Solution:An anomaly detection tool An anomaly detection tool

OpenEyeOpenEye


2004

OpenEye

DDoS Attack Detection Tool Analyses flows that are exported from

Cisco Netflow enabled routers Compatible with Netflow v9 Works with IPv4 and IPv6 traffic Uses anomaly detection algorithm based

on specific metrics and thresholds Written in Java language


2004

Implementation

Two main modules:- CollectorThe Collector is responsible for receiving flow data from the Netflow enabled routers, information is analyzed and stored in a local data structure.

- DetectorThe Detector is responsible for calculating the metrics and comparing the results to detection thresholds. It is periodically activated, implements extensive logging of detection events and generates e-mail notifications with security alerts to the administrator.


2004

DoS Detection Metrics (1)

Metrics for Packets/Flows based on deviation

CPij = Current Packets/Flows from interface i to j

APij = Average Packets/Flows from interface i to j

CPij AP ij

AP ij

k1

CP ij

j

CPij

k2


2004

DoS Detection Metrics (2)

Number of flows with very small lifetime

Number of flows with a very small number of packets

Percentages of TCP/UDP traffic


2004

Data structures

Tables for number of packets and number of flows for every pair of interfaces

Hash Tables with the Dst IP (key) and the number of packets and flows (values) for each IP for every pair of interfaces


2004

Attack Graphs


2004

Future WorkFuture Work More experiments Detection of worms Creation and testing of new metrics Usage of OpenEye as a part of a Distributed

Intrusion Detection System


2004

Acknowledgements

Panoptis http://panoptis.sourceforge.net/

GrNet http://www.grnet.gr

Ntua NOC http://noc.ntua.gr

Netmode http://netmode.ntua.gr

Questions and AnswersQuestions and Answers

Documents

Network Flow-Based Anomaly Detection of DDoS Attacks Vassilis Chatzigiannakis National Technical University of Athens, Greece [email protected] TNC