Transcript Document
Detection of Denial of Service attacks using AGURI
Ryo Kaizaki (Keio Univ.), Kenjiro Cho (Sony CSL), Osamu Nakamura (Keio Univ.)

Goal of our system
• Detection of flooding attacks
  – AGURI
    • Traffic profiler for the long term
  – Deviation
    • Characteristics of traffic over the long term
    • Characteristics of the current traffic

Backgrounds: Current Internet Infrastructure
• Packet switching network
  – Shares all resources
    • Bandwidth of the links
    • Routers' processing units
  – Cannot control ill-behaved flows (flooding attacks)

Current Internet Behavior
[Figure: Host A, Host B and Host C reach the Server through Router A, Router B, Router C and Router D; an attacker is then added and floods the Server, and Router C drops packets]
• Flooding attacks
• Router C drops packets
• Monitoring the network with MRTG
• Detects increasing traffic
• Cannot identify the attacker and the victims

Solution: Design of AGURI System
• Tool for monitoring the network
  – Profiles the characteristics of traffic by
    • src_ip_addr
    • dst_ip_addr
    • src_port_num
    • dst_port_num
  – Archives profiling data for the long term

Uniqueness Feature of AGURI
• We can see the characteristics of traffic over the long term using AGURI.
• We can see the difference between
  – the characteristics of traffic over the long term, and
  – the characteristics of the current network flow.
• We can detect flooding attacks by calculating that difference.
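The profile-and-deviation scheme sketched on the design slides above, as an added worked example: this is illustrative code written for this page, not the AGURI tool or the authors' code. It assumes flows arrive as (src, dst, bytes) tuples, that a profile is a table of IPv4 address prefixes in which any entry below a share threshold is folded into its parent prefix, and that "deviation" is the growth of a prefix's share of traffic between the archived profile and the current one; the threshold values, the `aggregate`, `share_within` and `deviation` functions and all flow records are constructed for the example. Profiling by destination makes the victim stand out; profiling by source shows the flood collapsing into a couple of attacker prefixes even though every individual source is tiny.

```python
"""Aggregation-based traffic profiling with a long-term vs. current
deviation check.

Illustrative example added to this page; not AGURI itself and not the
authors' code.  Assumptions: flows are (src, dst, bytes) tuples,
profiles are keyed by IPv4 prefix, entries below a share threshold are
folded into their parent prefix, and "deviation" is the growth of a
prefix's share between the archived and the current profile.  All
flow records below are constructed.
"""
import ipaddress
from collections import defaultdict

SRC, DST = 0, 1   # index of the address field to profile on

# Constructed long-term ("archived") traffic: one busy server, a few clients.
BASELINE_FLOWS = [
    ("203.0.113.50", "192.0.2.10", 300),
    ("203.0.113.51", "198.51.100.1", 40),
    ("203.0.113.52", "198.51.100.2", 40),
    ("203.0.113.53", "198.51.100.3", 40),
    ("203.0.113.54", "198.51.100.4", 40),
    ("198.51.100.20", "203.0.113.7", 260),
    ("198.51.100.21", "203.0.113.9", 280),
]

# Constructed current traffic: the same background plus a flood toward
# 192.0.2.10 from 64 sources in 10.0.0.0/26, 25 bytes each.
CURRENT_FLOWS = [
    ("203.0.113.50", "192.0.2.10", 100),
    ("203.0.113.51", "198.51.100.1", 40),
    ("203.0.113.52", "198.51.100.2", 40),
    ("203.0.113.53", "198.51.100.3", 40),
    ("203.0.113.54", "198.51.100.4", 40),
    ("198.51.100.20", "203.0.113.7", 60),
    ("198.51.100.21", "203.0.113.9", 80),
] + [(f"10.0.0.{i}", "192.0.2.10", 25) for i in range(64)]


def aggregate(flows, field, threshold=0.25):
    """Profile byte volume by address prefix.

    Every address starts as a /32 entry.  Sweeping from long to short
    prefixes, an entry whose share of total bytes is below `threshold`
    is folded into its parent prefix; an entry that survives keeps its
    bytes, so a parent's count excludes children that were kept.  The
    result is a small table of heavy hitters plus coarse remainders.
    """
    total = sum(f[2] for f in flows)
    if total == 0:
        return {}
    volume = defaultdict(int)
    for flow in flows:
        volume[ipaddress.ip_network(flow[field])] += flow[2]   # IPv4 /32
    for plen in range(32, 0, -1):
        for net in [n for n in volume if n.prefixlen == plen]:
            if volume[net] / total < threshold:
                volume[net.supernet()] += volume.pop(net)
    return {str(n): b for n, b in volume.items()}


def share_within(profile, prefix):
    """Fraction of a profile's bytes attributable to `prefix`.

    Entries inside the prefix count fully.  A coarser entry that
    contains the prefix also counts fully, because its bytes cannot be
    apportioned; this overestimates the baseline share and therefore
    errs toward fewer alerts.
    """
    net = ipaddress.ip_network(prefix)
    total = sum(profile.values())
    if total == 0:
        return 0.0
    inside = 0
    for p, b in profile.items():
        pn = ipaddress.ip_network(p)
        if pn.subnet_of(net) or net.subnet_of(pn):
            inside += b
    return inside / total


def deviation(baseline, current, delta=0.2):
    """Entries of `current` whose share grew by more than `delta` over
    their share in `baseline`, as (prefix, old_share, new_share)
    tuples, largest growth first."""
    cur_total = sum(current.values())
    alerts = []
    for prefix, b in current.items():
        new = b / cur_total
        old = share_within(baseline, prefix)
        if new - old > delta:
            alerts.append((prefix, round(old, 3), round(new, 3)))
    return sorted(alerts, key=lambda a: a[2] - a[1], reverse=True)


if __name__ == "__main__":
    for field, name in ((DST, "destination"), (SRC, "source")):
        base = aggregate(BASELINE_FLOWS, field)
        cur = aggregate(CURRENT_FLOWS, field)
        print(f"{name} profile (current): {cur}")
        for prefix, old, new in deviation(base, cur):
            print(f"  deviation: {prefix} share {old:.2f} -> {new:.2f}")
```

In the slides' setting the baseline would be one of the archived profiles (month, day, hour or 5 minutes) rather than something re-aggregated from raw flows as here. Note the caveat a practitioner should keep in mind: a share-based deviation flags any prefix whose traffic share jumps, so a legitimate flash crowd toward a server looks the same as a flood at this stage; telling the two apart is the "detection of true attackers" work the deck lists as a next step.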
Evaluation of AGURI in Internet Infrastructure
• Evaluation on a commodity network infrastructure
  – Archived period: 1 month of traffic (trans-Pacific link)
  – Monitored network: WIDE Internet backbone (Japanese experimental network infrastructure)
  – 4 time granularities, each compared against the current profile:
    • Month and current
    • Day and current
    • Hour and current
    • 5 minutes and current

Relation Between AGURI and Attack Detection
• "Deviation" can detect the beginning of flooding attacks.
• When a flooding attack continues for a long time, we need archived data over a longer term.

Contributions: Impact on Network Traffic Management
• Enhance the Internet as a trusted infrastructure
  – Stopping attacks takes 3 steps:
    1. Detect attacks
    2. Trace the attacker
    3. Operation (filtering, etc.)
  – We achieved the 1st step for flooding attacks.
• Results: higher reliability in server/router operation
  – Detection of malfunctions in network services
  – Higher risk to the attacker
    • Detection of the attacker is much easier

AGURI: Next Step
• More detailed evaluation using AGURI
  – Reliability in the detection phase
    • Detection of true ATTACKERS
  – Scalability issues
    • Multiple sets of AGURI at an IXP will
      – improve detection accuracy
      – enable collaborative enhancement against attacks via the IXP
• Designing:
  – Contribution to IP traceback mechanisms