Transcript Document
Detection of Denial of Service
attacks using AGURI
Ryo Kaizaki(Keio Univ.)
Kenjiro Cho(sonyCSL)
Osamu Nakamura(Keio Univ.)
Goal of our system
• Detection of flooding attacks
– AGURI
• Traffic profiler for a long term
– Deviation
• Characteristic of traffic for a long term
• Characteristic of traffic in a current
Backgrounds:
Current Internet Infrastructure
• Packet switching network
– Shares every resources
• Bandwidth of the links
• Router’s processing unit
• Can not control ill behavior flows(flooding
attacks)
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Current Internet Behavior
Attacker
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Current Internet Behavior
•Flooding attacks
Attacker
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Current Internet Behavior
•Router C drops packets
Attacker
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Packet drop
Current Internet Behavior
•Monitor network using MRTG
•Detection of increasing traffic
•Can not detect attacker and victims
Attacker
Host A
Server
Router A
Router D
Host B
Router C
Host C
Router B
Packet drop
Solution:
Design of AGURI System
• Tool for monitoring network
– Profiling characteristic of traffic
•
•
•
•
src_ip_addr
dst_ip_addr
src_port_num
dst_port_num
– Archiving profiling data for a long term
Uniqueness Feature of AGURI
• We can see characteristic of traffic for a
long term using AGURI.
•We can see difference
•Characteristic of traffic for a long term
•Characteristic of traffic in current network flow
• We can detect flooding attacks ,calculating difference.
Evaluation of AGURI in
Internet Infrastructure
• Evaluation of Commodity Network Infrastructure
– Storage Period:
• 1 month long traffic (trans pacific link)
– Proved Network:
• WIDE Internet backbone(Japanese Experimental Network
Infrastructure)
• 4 types of time granulation
–
–
–
–
Month and current
Day and current
Hour and current
5 minutes and current
Relation Between AGURI and
Attack Detection
• “Deviation” can detect the beginning of
flooding attacks.
• When flooding attacks continues for a long
term,we need archived data in a longer term.
•
Contributions:
Impact on Network Traffic
Management
Enhance internet as a trusted infrastructure
–
1.
2.
3.
–
For stopping attacks ,we need 3 steps
Detect attacks
Trace attacker
Operation(filtering ..etc)
We achieved 1st step about flooding attacks.
•Results as a high reliability in server / router operation.
•Detection of mal-function in network services
•Higher risk to attacker
•Detection of attacker is much easier
AGURI: Next Step
• More detailed evaluation using AGURI
– Reliability in detection phase
• Detection of true ATTACKERS
• Scalability issues
– Multiple sets of AGURI in IXP will
• Improve detection accuracy
• Collaborative enhancement to via IXP attacks
• Designing:
– Contribution to IP trace back mechanism