
DoS attacks on transit network - David Harmelin ( [email protected] ) FIRST conference - 06/20/2001

Denial of Service attacks on transit networks

David Harmelin DANTE


DANTE

• advanced network services for the European research community: TEN-155, GÉANT

• active in testing and evaluating emerging technologies http://www.dante.net/tf-ngn

• DANCERT ([email protected])http://www.dante.net/security


• Connecting 30 NRENs

• Backbone and access speeds up to 622 Mbps

• Research interconnections to North America (USA & Canada) and Asia-Pacific

• Multiple interconnections with the commercial Internet


Definition of a DoS attack

DoS attack: an attack on a network or computer, the primary aim of which is to disrupt access to a given service.

In this presentation, only DoS attacks involving flooding of networks are considered (networked flood-based DoS attacks).


Example of a networked DoS

( http://www.dante.net/pubs/dip/42/42.html )


DANTE and DoS attacks

• 1999: DoS attacks noticed regularly on TEN-155.

• Beginning 2000: DoS attacks against major companies in the news.

• 2000: first tool based on peer-peer matrix analysis. Failed.

• End 2000: second tool, based on sampled flow data. DANCERT relies on it to reduce the amount of DoS attacks.


Detecting DoS attacks (1)


Detecting DoS attacks (2)

• Central server: every X minutes, samples every PoP WS with rate 1/Y flows, during Z seconds.

• For each router, if more than N flows are received with the same destination IP, raise an alarm.

• Current values in use:

– Routers with regular netflow: X=15, Y=100, Z=10, N=10

» most attacks > 100 pkts/s are detected

– Routers with sampled netflow (rate: 1/200 packets): X=15, Y=10, Z=60, N=10

» most attacks > 330 pkts/s are detected


Logging DoS attacks


“C class” attacks

Spoofed source addresses within the /24 of the source. Coded by default in some DoS tools.

Appears as if coming from: 192.168.0.1, 192.168.0.2, … 192.168.0.254
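An added worked example (not DANTE's in-house tool) covering the alarm rule above and the “C class” pattern: it derives the minimum detectable packet rate from the slide's X/Y/Z/N values, applies the more-than-N-sampled-flows-per-destination rule to constructed flow records, and labels each alarm as /24-spoofed or randomly spoofed. The record format, router names and addresses are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example, not DANTE's tool. A sampled flow record is assumed to be
# (router, src_ip, dst_ip); X (poll interval) plays no role once the flows
# from one Z-second poll have been collected.

def min_detectable_rate(n, y, z, pkt_sampling=1):
    """Lowest attack rate (pkts/s) that yields more than n sampled flows in one
    Z-second poll, assuming every spoofed packet is its own flow (the case for
    40-byte TCP floods with varying sources/ports). Reproduces the slide:
    N=10, Y=100, Z=10 -> 100 pkts/s; N=10, Y=10, Z=60 with 1/200 packet
    sampling -> ~333 pkts/s (the slide rounds to 330)."""
    return n * y * pkt_sampling / z

def raise_alarms(flows, n=10):
    """Per (router, dst), keep the sampled sources when more than n flows share
    the destination; this is the slide's alarm rule."""
    by_target = defaultdict(list)
    for router, src, dst in flows:
        by_target[(router, dst)].append(src)
    return {k: v for k, v in by_target.items() if len(v) > n}

def classify_sources(srcs):
    """'C class' when all sources fall in one /24 (the real source's prefix is
    exposed, so the attack is traceable), else 'random' (only the peer that
    carried the traffic can be identified)."""
    nets = {ip_network(f"{ip_address(s)}/24", strict=False) for s in srcs}
    return "C class" if len(nets) == 1 else "random"

# Constructed sample: pop-A sees a /24-spoofed flood toward one host, pop-B sees
# randomly spoofed sources toward another, plus one benign flow on each.
SAMPLE_FLOWS = (
    [("pop-A", f"192.168.0.{i}", "10.1.1.1") for i in range(1, 13)]
    + [("pop-B", f"{i}.{(i * 7) % 256}.{(i * 13) % 256}.5", "10.2.2.2")
       for i in range(1, 12)]
    + [("pop-A", "172.16.5.9", "10.3.3.3"), ("pop-B", "172.16.5.9", "10.3.3.3")]
)

def detect(flows=SAMPLE_FLOWS, n=10):
    """Apply the alarm rule, then label each alarm with its spoofing pattern."""
    return {k: (len(v), classify_sources(v))
            for k, v in raise_alarms(flows, n).items()}

if __name__ == "__main__":
    print(f"regular netflow threshold: {min_detectable_rate(10, 100, 10):.0f} pkts/s")
    print(f"sampled netflow threshold: {min_detectable_rate(10, 10, 60, 200):.0f} pkts/s")
    for (router, dst), (count, kind) in sorted(detect().items()):
        print(f"{router}: {count} sampled flows to {dst}, {kind} spoofing")
```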


Results

• Running the tool on 4 core routers since 12/2000.

• Logging all attacks detected since 03/2001

• Trade-off between

– accuracy (confirmed attacks / alarms raised = 98%)

– detection effectiveness (> 100 pkt/s).

• Average of 34 different attacks per day logged, up to 5-6 concurrent (96 polls per day).

• 90% “C class” attacks - easily traceable.

• 75% of attacks are 40 bytes TCP packets.


Results - Durations

• < 15 mins: 58%

• 15-30 mins: 19%

• 30-60 mins: 11%

• > 60 mins: 12%

Most attacks last less than 15 minutes. Fast inter-domain tracing required to find the source.


Results - Traffic generated

[Pie charts: share of attacks by packet rate (100-500 pkts/s, 500-1000 pkts/s, > 1000 pkts/s; shares as extracted, in slide order: 25%, 21%, 54%) and by bandwidth (< 0.3 Mbps, 0.3-1 Mbps, > 1 Mbps; shares as extracted, in slide order: 70%, 17%, 13%)]

Approximate values only. Low accuracy due to sampling.

Highest: 27000 pkts/s. Highest: 32 Mbps.


Results - Monthly evolution (1)

[Chart: per month, number of DoS attacks (axis 0-350) and average duration in minutes (axis 0-80)]


Results - Monthly evolution (2)

[Chart: per month, average pkts/s (axis 0-1400) and average Kbps (axis 0-1400)]


Results - All attacks (pkts/s)

Bubble size = duration

[Scatter plot: pkt/s per attack on a logarithmic axis (100 to 100000), dates 2/23 to 5/14]


Results - All attacks (Kbps)

Bubble size = duration

[Scatter plot: Kbps per attack on a logarithmic axis (10 to 100000), dates 2/18 to 5/29]


Results - DoS timings

[Chart: total number of attacks (axis 0-350) by DoS start and DoS end]


From alarms to DANCERT tickets

Alarm received by DANCERT

• DoS attack potentially disruptive?

– no → Do nothing

– yes → DoS attack appears in other recent alarms?

» no → Do nothing

» yes → Identify peers originating the traffic

• Randomly spoofed attack?

– yes → Issue DANCERT ticket to peers

– no → Identify sources within peer → Existing DANCERT ticket with same source?

» yes → Send reminder to peer

» no → Issue DANCERT ticket to peers


Known limitations of this method

• Router capabilities (netflow required)

• Detecting networked flood-based DoS attacks only...

• … but not ALL.

• Detection helps, but further need for co-operation.


Who should help? How?

• IP network operators:

– automatic detection and logging of DoS attacks

– co-operation between CERT teams

– SLAs

• End-sites:

– prevention

– trace when DoS traffic sources are reported

• DANTE:

– http://www.dante.net/security/dos/

– gives away the in-house software to transit providers.

