Network Flow-Based Anomaly Detection of DDoS Attacks


Network Flow-Based Anomaly Detection of DDoS Attacks
Vassilis Chatzigiannakis
National Technical University of Athens, Greece
[email protected]
TNC 2004
Intrusion Detection

- An IDS is a system used for detecting network attacks
  - They detect both successful and unsuccessful attacks
  - They detect attacks from insiders
- IDS categories:
  - Host-based / Network-based
  - Misuse detection / Anomaly detection
  - Distributed Intrusion Detection Systems
Network Flow-based Anomaly Detection of
DDoS Attacks - TNC 2004
Intrusion Detection (2)

Misuse Detection
- Sniffs network packets
- If a known signature is matched, it detects the attack
- Resembles an anti-virus system
- Must be updated night and day
Intrusion Detection (3)

Anomaly Detection
- Checks for great variation from the normal behaviour of an entity
- An entity could be a user, a computer or a network link
- Use of an expert system
- The system has to be trained to become operational
Denial of Service Attacks

- An attack to suspend the availability of a service
- Until recently the "bad guys" tried to enter our systems. Now it's: "If not us, then nobody"
- DoS: single, correctly formed malicious packets against the target machine
- Distributed DoS: traffic flows from various sources to exhaust network or computing resources
Main Characteristics of DoS

- Variable targets:
  - Single hosts or whole domains
  - Computer systems or networks
  - Important: active network components (e.g. routers) are also vulnerable and possible targets!
- Variable uses & effects:
  - Hacker "turf" wars
  - High-profile commercial targets (or just competitors…)
  - Useful in cyber-warfare, terrorism etc.
Distributed DoS

[Diagram: the attacker first (1) takes control of pirated machines ("zombies") in Domain A and Domain B, then (2) commands the attack from them against the target domain.]
NetFlow

What is a flow? Defined by seven keys:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- TOS byte (DSCP)
- Input logical interface (ifIndex)
NetFlow Sequence Router (from Cisco.com)

1. Create and update flows in the NetFlow cache

   SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol TOS Flgs Pkts  SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop    Bytes/Pkt Active Idle
   Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2  1528      1745   4
   Fa1/0  173.100.3.2   Fa0/0  10.0.227.12  6        40  0    2491  15      /26    196   15      /24    15    10.0.23.2  740       41.5   1
   Fa1/0  173.100.20.2  Fa0/0  10.0.227.12  11       80  10   10000 00A1    /24    180   00A1    /24    15    10.0.23.2  1428      1145.5 3
   Fa1/0  173.100.6.2   Fa0/0  10.0.227.12  6        40  0    2210  19      /30    180   19      /24    15    10.0.23.2  1040      24.5   14

2. Expiration
   - Inactive timer expired (15 sec is default)
   - Active timer expired (30 min is default)
   - NetFlow cache is full (oldest flows expire)
   - RST or FIN TCP flag

   Expired flow record:
   SrcIf  SrcIPadd      DstIf  DstIPadd     Protocol TOS Flgs Pkts  SrcPort SrcMsk SrcAS DstPort DstMsk DstAS NextHop    Bytes/Pkt Active Idle
   Fa1/0  173.100.21.2  Fa0/0  10.0.227.12  11       80  10   11000 00A2    /24    5     00A2    /24    15    10.0.23.2  1528      1800   4

3. Aggregation?
   e.g. the Protocol-Port Aggregation Scheme becomes:
   Protocol Pkts  SrcPort DstPort Bytes/Pkt
   11       11000 00A2    00A2    1528

4. Export Version
   - Non-aggregated flows: export Version 5 or 9
   - Aggregated flows: export Version 8 or 9

5. Transport Protocol
   Export packet: payload (flows)
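The cache, expiry and aggregation steps of the sequence above, as an added Python example (not OpenEye's Java or Cisco's code). The packet dict fields, class names and TCP flag constants are this example's own assumptions; the timer defaults are the ones quoted on the slide.

```python
from dataclasses import dataclass

# Added example (not OpenEye or Cisco code): a minimal NetFlow-style cache keyed
# by the seven flow keys of the slide, with the slide's expiry rules and the
# Protocol-Port aggregation scheme. Packet dict layout is this example's own.
INACTIVE_TIMEOUT = 15.0        # seconds, inactive timer default on the slide
ACTIVE_TIMEOUT = 30 * 60.0     # seconds, active timer default on the slide
TCP_FIN, TCP_RST = 0x01, 0x04  # TCP flag bits that end a flow early

@dataclass
class Flow:
    first_seen: float
    last_seen: float
    pkts: int = 0
    bytes: int = 0

class FlowCache:
    def __init__(self):
        self.active = {}    # seven-tuple key -> Flow
        self.expired = []   # (key, Flow) pairs ready for export

    @staticmethod
    def key(pkt):
        # The seven keys: src/dst IP, src/dst port, L3 protocol, TOS, input ifIndex
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"],
                pkt["proto"], pkt["tos"], pkt["ifindex"])

    def update(self, pkt, now):
        k = self.key(pkt)
        f = self.active.setdefault(k, Flow(first_seen=now, last_seen=now))
        f.pkts += 1
        f.bytes += pkt["len"]
        f.last_seen = now
        if pkt["proto"] == 6 and pkt.get("tcp_flags", 0) & (TCP_FIN | TCP_RST):
            self._expire(k)  # RST or FIN closes a TCP flow immediately

    def expire_timers(self, now):
        # Inactive timer: idle too long; active timer: open too long
        for k, f in list(self.active.items()):
            if now - f.last_seen > INACTIVE_TIMEOUT or now - f.first_seen > ACTIVE_TIMEOUT:
                self._expire(k)

    def _expire(self, k):
        self.expired.append((k, self.active.pop(k)))

def aggregate_protocol_port(expired):
    # Protocol-Port aggregation: collapse expired flows to (proto, sport, dport)
    out = {}
    for (_src, _dst, sport, dport, proto, _tos, _ifx), f in expired:
        a = out.setdefault((proto, sport, dport), {"pkts": 0, "bytes": 0})
        a["pkts"] += f.pkts
        a["bytes"] += f.bytes
    return {k: dict(v, bytes_per_pkt=v["bytes"] / v["pkts"]) for k, v in out.items()}
```

Protocol 11 in the slide's table is hexadecimal (0x11 = 17, UDP), which is why the constructed packets below use 17.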
Our Solution: An anomaly detection tool, OpenEye

OpenEye
- DDoS attack detection tool
- Analyses flows that are exported from Cisco NetFlow enabled routers
- Compatible with NetFlow v9
- Works with IPv4 and IPv6 traffic
- Uses an anomaly detection algorithm based on specific metrics and thresholds
- Written in Java
Implementation

Two main modules:
- Collector
  The Collector is responsible for receiving flow data from the NetFlow enabled routers; the information is analyzed and stored in a local data structure.
- Detector
  The Detector is responsible for calculating the metrics and comparing the results to detection thresholds. It is periodically activated, implements extensive logging of detection events and generates e-mail notifications with security alerts to the administrator.
DoS Detection Metrics (1)

Metrics for packets/flows based on deviation:

  $\frac{CP_{ij} - AP_{ij}}{AP_{ij}} > k_1$        $\frac{CP_{ij}}{\sum_j CP_{ij}} > k_2$

CP_ij = Current Packets/Flows from interface i to j
AP_ij = Average Packets/Flows from interface i to j
DoS Detection Metrics (2)

- Number of flows with very small lifetime
- Number of flows with a very small number of packets
- Percentages of TCP/UDP traffic
Data structures

- Tables for number of packets and number of flows for every pair of interfaces
- Hash tables with the Dst IP (key) and the number of packets and flows (values) for each IP for every pair of interfaces
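One Detector pass over the data structures described above, computing the metrics of the two preceding slides, as an added Python example (not OpenEye's Java code). It assumes the deviation metrics read as (CP_ij - AP_ij)/AP_ij > k1 and CP_ij / sum_j CP_ij > k2; the threshold values, the "very small" cut-offs and the flow-record field names are this example's own choices, since the slides give only the metric shapes.

```python
from collections import defaultdict

# Added example (not OpenEye code): one Detector pass over a batch of exported
# flow records, using a per-interface-pair packet table and per-Dst-IP hash
# tables as on the "Data structures" slide. Thresholds and cut-offs are
# illustrative values chosen here, not values from the slides.
K1 = 2.0               # threshold on the deviation (CP_ij - AP_ij) / AP_ij
K2 = 0.6               # threshold on the share CP_ij / sum_j CP_ij
SHORT_LIFETIME = 1.0   # seconds: a "flow with very small lifetime"
FEW_PACKETS = 3        # a "flow with a very small number of packets"
TCP, UDP = 6, 17

def detect(flows, avg_pkts):
    """flows: dicts with in_if, out_if, dst, proto, pkts, duration (constructed
    records); avg_pkts: {(in_if, out_if): AP_ij} learnt during training."""
    cur_pkts = defaultdict(int)   # CP_ij table, one cell per interface pair
    row_total = defaultdict(int)  # sum over j of CP_ij, per input interface i
    per_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # pair -> dst -> [pkts, flows]
    short = tiny = tcp = udp = total = 0
    for f in flows:
        pair = (f["in_if"], f["out_if"])
        cur_pkts[pair] += f["pkts"]
        row_total[f["in_if"]] += f["pkts"]
        per_dst[pair][f["dst"]][0] += f["pkts"]
        per_dst[pair][f["dst"]][1] += 1
        short += int(f["duration"] < SHORT_LIFETIME)
        tiny += int(f["pkts"] < FEW_PACKETS)
        tcp += f["pkts"] if f["proto"] == TCP else 0
        udp += f["pkts"] if f["proto"] == UDP else 0
        total += f["pkts"]
    alerts = []
    for pair, cp in cur_pkts.items():
        ap = avg_pkts.get(pair, 0)
        deviation = (cp - ap) / ap if ap else float("inf")
        share = cp / row_total[pair[0]]
        if deviation > K1 or share > K2:
            # Hash-table lookup: the Dst IP attracting most packets on this pair
            target, (tpk, tfl) = max(per_dst[pair].items(), key=lambda kv: kv[1][0])
            alerts.append({"pair": pair, "deviation": round(deviation, 2),
                           "share": round(share, 2), "target": target,
                           "target_pkts": tpk, "target_flows": tfl})
    summary = {"short_lived_flows": short, "tiny_flows": tiny,
               "tcp_pct": 100.0 * tcp / total if total else 0.0,
               "udp_pct": 100.0 * udp / total if total else 0.0}
    return alerts, summary
```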
Attack Graphs
Future Work

- More experiments
- Detection of worms
- Creation and testing of new metrics
- Usage of OpenEye as a part of a Distributed Intrusion Detection System
Acknowledgements

- Panoptis: http://panoptis.sourceforge.net/
- GrNet: http://www.grnet.gr
- Ntua NOC: http://noc.ntua.gr
- Netmode: http://netmode.ntua.gr
Questions and Answers