Network Flow-Based Anomaly Detection of DDoS Attacks
Vassilis Chatzigiannakis
National Technical University of Athens, Greece
[email protected]
TNC 2004
Intrusion Detection
An IDS is a system for detecting network attacks
It detects both successful and unsuccessful attacks
It also detects attacks from insiders
IDS categories:
Host-based / Network-based
Misuse detection / Anomaly detection
Distributed Intrusion Detection Systems
Network Flow-based Anomaly Detection of
DDoS Attacks - TNC 2004
Intrusion Detection (2)
Misuse Detection
Sniffs network packets
If a known signature is matched, the attack is detected
Resembles an anti-virus system
The signature database must be updated night and day
Intrusion Detection (3)
Anomaly Detection
Checks for large deviations from the normal behaviour of an entity
An entity could be a user, a computer or a network link
Uses an expert system
The system has to be trained on normal traffic before it becomes operational
Denial of Service Attacks
An attack that suspends the availability of a service
Until recently the "bad guys" tried to break into our systems. Now it's: "If not us, then nobody"
DoS: single, well-crafted malicious packets sent against the target machine
Distributed DoS: traffic flows from many sources that exhaust network or computing resources
Main Characteristics of DoS
Variable targets:
Single hosts or whole domains
Computer systems or networks
Important: active network components (e.g. routers) are also vulnerable and possible targets!
Variable uses and effects:
Hacker "turf" wars
High-profile commercial targets (or just competitors...)
Useful in cyber-warfare, terrorism etc.
Distributed DoS
[Figure: the attacker (1) takes control of pirated machines ("zombies") in Domain A and Domain B, then (2) commands the attack; the zombies' traffic converges on the target domain]
NetFlow
What is a flow? Defined by seven keys:
Source IP address
Destination IP address
Source Port
Destination Port
Layer 3 Protocol Type
TOS byte (DSCP)
Input logical interface (ifIndex)
NetFlow Sequence Router (from Cisco.com)

1. Create and update flows in the NetFlow cache

SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1745    4
Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6         40   0     2491   15       /26     196    15       /24     15     10.0.23.2  740        41.5    1
Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11        80   10    10000  00A1     /24     180    00A1     /24     15     10.0.23.2  1428       1145.5  3
Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6         40   0     2210   19       /30     180    19       /24     15     10.0.23.2  1040       24.5    14

(Protocol and port values are in hex: protocol 11 is UDP, 6 is TCP; port 00A2 is 162. Active and Idle are in seconds.)

2. Expiration: a flow is removed from the cache and handed to the exporter when
   - the inactive timer expires (15 sec is default)
   - the active timer expires (30 min is default)
   - the NetFlow cache is full (oldest flows expire)
   - a TCP RST or FIN flag is seen

   Expired flow (active timer reached 30 min):
   SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol  TOS  Flgs  Pkts   SrcPort  SrcMsk  SrcAS  DstPort  DstMsk  DstAS  NextHop    Bytes/Pkt  Active  Idle
   Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11        80   10    11000  00A2     /24     5      00A2     /24     15     10.0.23.2  1528       1800    4

3. Aggregation? e.g. with the Protocol-Port aggregation scheme the record becomes:
   Protocol  Pkts   SrcPort  DstPort  Bytes/Pkt
   11        11000  00A2     00A2     1528

4. Export version: non-aggregated flows are exported with version 5 or 9; aggregated flows with version 8 or 9

5. Transport protocol: the export packet carries the flows as its payload
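The seven-key flow definition and the four expiration rules from the two slides above, as an added example in Python (not Cisco or OpenEye code). Packets are grouped into flows by the seven-key tuple, the timer defaults are the slide's (15 s inactive, 30 min active), and the sample packets in run_demo are constructed to loosely match the first rows of the cache table. Field names, the Packet/Flow classes and the "reason" strings are this example's own assumptions:

```python
"""Toy NetFlow-style cache: packets are grouped into flows by the seven-key tuple
from the slide and expired by the four rules listed under "Expiration".
Added example, not Cisco or OpenEye code; timer defaults are the slide's
(15 s inactive, 30 min active) and the sample packets are constructed."""
from dataclasses import dataclass

INACTIVE_TIMEOUT = 15.0       # seconds (slide default)
ACTIVE_TIMEOUT = 30 * 60.0    # seconds (slide default)
TCP, UDP = 6, 17
TCP_FIN, TCP_RST = 0x01, 0x04


@dataclass
class Packet:
    ts: float
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int       # layer-3 protocol type
    tos: int         # TOS byte
    in_if: int       # input logical interface (ifIndex)
    length: int      # bytes on the wire
    tcp_flags: int = 0


@dataclass
class Flow:
    key: tuple
    first: float
    last: float
    pkts: int = 0
    octets: int = 0
    flags: int = 0   # OR of the TCP flags seen, like the Flgs column

    def active(self):
        return self.last - self.first

    def idle(self, now):
        return now - self.last


class NetFlowCache:
    def __init__(self, max_flows=1000):
        self.cache = {}        # seven-key tuple -> Flow
        self.max_flows = max_flows
        self.exported = []     # (Flow, reason) records handed to the exporter

    @staticmethod
    def key_of(p):
        """The seven NetFlow keys from the slide."""
        return (p.src_ip, p.dst_ip, p.src_port, p.dst_port, p.proto, p.tos, p.in_if)

    def _export(self, key, reason):
        self.exported.append((self.cache.pop(key), reason))

    def expire(self, now):
        """Timer-driven expiration, run before each packet is cached."""
        for key in list(self.cache):
            f = self.cache[key]
            if f.idle(now) >= INACTIVE_TIMEOUT:
                self._export(key, "inactive timer")
            elif f.active() >= ACTIVE_TIMEOUT:
                self._export(key, "active timer")

    def observe(self, p):
        self.expire(p.ts)
        key = self.key_of(p)
        f = self.cache.get(key)
        if f is None:
            if len(self.cache) >= self.max_flows:   # cache full: oldest flow goes first
                oldest = min(self.cache, key=lambda k: self.cache[k].last)
                self._export(oldest, "cache full")
            f = self.cache[key] = Flow(key=key, first=p.ts, last=p.ts)
        f.last, f.pkts, f.octets = p.ts, f.pkts + 1, f.octets + p.length
        f.flags |= p.tcp_flags
        if p.proto == TCP and p.tcp_flags & (TCP_FIN | TCP_RST):
            self._export(key, "FIN/RST")
        elif f.active() >= ACTIVE_TIMEOUT:
            self._export(key, "active timer")

    def flush(self, now):
        """Export whatever is left (e.g. at shutdown)."""
        for key in list(self.cache):
            self._export(key, "flush")


def run_demo():
    """Constructed packets: a UDP flow that goes quiet, a TCP flow closed by FIN,
    and a UDP flow still open when we flush.  Returns (src_ip, reason) -> (pkts, bytes)."""
    cache = NetFlowCache()
    packets = [
        Packet(0.0, "173.100.21.2", "10.0.227.12", 0xA2, 0xA2, UDP, 0x80, 1, 1528),
        Packet(1.0, "173.100.21.2", "10.0.227.12", 0xA2, 0xA2, UDP, 0x80, 1, 1528),
        Packet(2.0, "173.100.3.2", "10.0.227.12", 15, 15, TCP, 0x40, 1, 740, 0x18),
        Packet(3.0, "173.100.3.2", "10.0.227.12", 15, 15, TCP, 0x40, 1, 740, 0x11),
        Packet(30.0, "173.100.20.2", "10.0.227.12", 0xA1, 0xA1, UDP, 0x80, 1, 1428),
    ]
    for p in packets:
        cache.observe(p)
    cache.flush(31.0)
    return {(f.key[0], reason): (f.pkts, f.octets) for f, reason in cache.exported}


if __name__ == "__main__":
    for (src, reason), counts in run_demo().items():
        print(f"{src:14} {reason:15} pkts={counts[0]} bytes={counts[1]}")
```

The point to notice for detection: a flood of spoofed sources never hits the inactive timer on the same key, so each spoofed packet becomes its own one-packet flow and the export stream fills with tiny, short-lived records, which is exactly what the OpenEye metrics later on look for.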
Our Solution: an anomaly detection tool, OpenEye
OpenEye: DDoS Attack Detection Tool
Analyses flows exported from Cisco NetFlow-enabled routers
Compatible with NetFlow v9
Works with IPv4 and IPv6 traffic
Uses an anomaly detection algorithm based on specific metrics and thresholds
Written in Java
Implementation
Two main modules:
- Collector
The Collector receives flow data from the NetFlow-enabled routers; the information is analysed and stored in a local data structure.
- Detector
The Detector calculates the metrics and compares the results against the detection thresholds. It is activated periodically, keeps extensive logs of detection events and sends e-mail security alerts to the administrator.
DoS Detection Metrics (1)
Metrics for packets/flows based on deviation from the average:

$\frac{CP_{ij} - AP_{ij}}{AP_{ij}} > k_1$

$\frac{CP_{ij}}{\sum_j CP_{ij}} > k_2$

$CP_{ij}$ = current packets/flows from interface i to j
$AP_{ij}$ = average packets/flows from interface i to j
$k_1$, $k_2$ = detection thresholds
DoS Detection Metrics (2)
Number of flows with a very small lifetime
Number of flows with a very small number of packets
Percentages of TCP/UDP traffic
Data structures
Tables with the number of packets and the number of flows for every pair of interfaces
Hash tables, one per pair of interfaces, keyed by destination IP, holding the number of packets and flows for that IP
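The two metrics slides and the data-structures slide, carried through together as an added example in Python (not OpenEye code). It builds the per-interface-pair packet and flow tables and the per-destination hash tables, evaluates the $k_1$ deviation and $k_2$ concentration metrics on both packet and flow counts, counts the very short and very small flows, computes the TCP/UDP percentages, and uses the hash table of a flagged interface pair to name the likely victim. The threshold values, the baseline averages $AP_{ij}$ and the flow records are all constructed; the slides name $k_1$ and $k_2$ but give no numbers:

```python
"""Flow-based DDoS detector in the style of the OpenEye metrics: packet and flow
deviation per interface pair, short-lived and tiny flows, TCP/UDP mix, and the
per-destination hash tables used to point at the victim.  Added example, not
OpenEye code; thresholds, baseline averages and flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass

TCP, UDP = 6, 17


@dataclass(frozen=True)
class FlowRecord:
    in_if: int       # input ifIndex i
    out_if: int      # output ifIndex j
    src_ip: str
    dst_ip: str
    proto: int
    pkts: int
    duration: float  # seconds the flow was active


# Thresholds are assumed values: the slides name k1 and k2 but give no numbers.
K1 = 2.0              # metric 1: (CP_ij - AP_ij) / AP_ij > K1
K2 = 0.8              # metric 2: CP_ij / sum_j CP_ij > K2
SHORT_LIFETIME = 1.0  # seconds; shorter flows count as "very small lifetime"
TINY_FLOW_PKTS = 2    # flows with at most this many packets count as "very small"
SHORT_FLOW_LIMIT = TINY_FLOW_LIMIT = 50   # alert when more than this many per period

# Constructed baseline: the AP_ij values a trained system would have learned.
AVG_PKTS = {(1, 2): 5000, (3, 2): 4000, (1, 4): 500, (3, 4): 2000}
AVG_FLOWS = {(1, 2): 50, (3, 2): 10, (1, 4): 5, (3, 4): 5}


def per_pair_tables(flows):
    """Data structures slide: per (i, j) packet and flow counters, plus per (i, j)
    a hash table dst_ip -> [packets, flows]."""
    pkts, nflows = defaultdict(int), defaultdict(int)
    by_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        pair = (f.in_if, f.out_if)
        pkts[pair] += f.pkts
        nflows[pair] += 1
        by_dst[pair][f.dst_ip][0] += f.pkts
        by_dst[pair][f.dst_ip][1] += 1
    return pkts, nflows, by_dst


def deviation_alerts(current, average, k1=K1, k2=K2):
    """Metric 1: relative deviation from the average for each interface pair.
    Metric 2: share of interface i's total that is heading to interface j."""
    totals = defaultdict(int)
    for (i, _), cp in current.items():
        totals[i] += cp
    alerts = []
    for (i, j), cp in current.items():
        ap = average.get((i, j), 0)
        if ap and (cp - ap) / ap > k1:
            alerts.append(("deviation", i, j, round((cp - ap) / ap, 2)))
        if totals[i] and cp / totals[i] > k2:
            alerts.append(("concentration", i, j, round(cp / totals[i], 2)))
    return alerts


def flow_shape_metrics(flows):
    """Metrics (2) slide: very short / very small flows and the TCP/UDP mix."""
    total = len(flows) or 1
    return {
        "short_lived": sum(1 for f in flows if f.duration < SHORT_LIFETIME),
        "tiny": sum(1 for f in flows if f.pkts <= TINY_FLOW_PKTS),
        "tcp_pct": round(100 * sum(1 for f in flows if f.proto == TCP) / total, 1),
        "udp_pct": round(100 * sum(1 for f in flows if f.proto == UDP) / total, 1),
    }


def top_target(by_dst, pair):
    """Destination on this interface pair with the most flows: the likely victim."""
    table = by_dst[pair]
    return max(table, key=lambda ip: table[ip][1])


def analyze(flows, avg_pkts=AVG_PKTS, avg_flows=AVG_FLOWS):
    pkts, nflows, by_dst = per_pair_tables(flows)
    alerts = [("packets",) + a for a in deviation_alerts(pkts, avg_pkts)]
    alerts += [("flows",) + a for a in deviation_alerts(nflows, avg_flows)]
    shape = flow_shape_metrics(flows)
    if shape["short_lived"] > SHORT_FLOW_LIMIT:
        alerts.append(("short_lived", shape["short_lived"]))
    if shape["tiny"] > TINY_FLOW_LIMIT:
        alerts.append(("tiny", shape["tiny"]))
    flagged = {(a[2], a[3]) for a in alerts if a[0] in ("packets", "flows")}
    suspects = {pair: top_target(by_dst, pair) for pair in flagged}
    return {"alerts": alerts, "shape": shape, "suspects": suspects}


def build_sample():
    """Constructed records: a SYN-flood style burst of 200 single-packet TCP flows
    from spoofed sources entering on interface 1 for 10.0.227.12 behind interface 2,
    on top of a little ordinary traffic on the other interface pairs."""
    flows = [FlowRecord(1, 2, f"198.51.100.{n % 250}", "10.0.227.12", TCP, 1, 0.0)
             for n in range(200)]
    flows += [FlowRecord(1, 2, f"203.0.113.{n}", f"10.0.1.{n}", TCP, 100, 20.0)
              for n in range(1, 6)]
    flows += [FlowRecord(3, 2, "192.0.2.7", "10.0.2.2", UDP, 1000, 60.0)] * 3
    flows += [FlowRecord(1, 4, "203.0.113.9", "10.0.4.4", UDP, 200, 30.0)] * 2
    flows += [FlowRecord(3, 4, "192.0.2.8", "10.0.4.5", UDP, 1000, 60.0)] * 2
    return flows


if __name__ == "__main__":
    result = analyze(build_sample())
    for a in result["alerts"]:
        print("ALERT", a)
    print("suspected targets:", result["suspects"], result["shape"])
```

On the constructed sample the packet-count metrics stay quiet (700 packets on the 1->2 pair against a baseline of 5000), while the flow-count metrics fire on the same pair and the short-lived and tiny-flow counters both exceed their limits; this is why the slide evaluates the deviation metrics on flows as well as packets, since a spoofed-source flood is a flow-count anomaly before it is a byte-count one. The concentration metric on its own is noisy on an interface that only ever talks to one neighbour, so in practice it is read together with the deviation metric rather than alone.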
Attack Graphs
[Figure: detection graphs from the experiments; not reproduced in the transcript]
Future Work
More experiments
Detection of worms
Creation and testing of new metrics
Use of OpenEye as part of a Distributed Intrusion Detection System
Acknowledgements
Panoptis - http://panoptis.sourceforge.net/
GrNet - http://www.grnet.gr
Ntua NOC - http://noc.ntua.gr
Netmode - http://netmode.ntua.gr
Questions and Answers