DoS attacks on transit network - David Harmelin ( [email protected] ) - FIRST conference - 06/20/2001
Denial of Service attacks on transit networks
David Harmelin, DANTE
DANTE
• advanced network services for the European research community: TEN-155, GÉANT
• active in testing and evaluating emerging technologies http://www.dante.net/tf-ngn
• DANCERT ([email protected]) http://www.dante.net/security
• Connecting 30 NRENs
• Backbone and access speeds up to 622 Mbps
• Research interconnections to North America (USA & Canada) and Asia-Pacific
• Multiple interconnections with the commercial Internet
Definition of a DoS attack
DoS attack: an attack on a network or computer, the primary aim of which is to disrupt access to a given service.
In this presentation, only DoS attacks involving flooding of networks are considered (networked flood-based DoS attacks).
Example of a networked DoS
( http://www.dante.net/pubs/dip/42/42.html )
DANTE and DoS attacks
• 1999: DoS attacks noticed regularly on TEN-155.
• Beginning 2000: DoS attacks against major companies in the news.
• 2000: first tool based on peer-peer matrix analysis. Failed.
• End 2000: second tool, based on sampled flow data. DANCERT relies on it to reduce the amount of DoS attacks.
Detecting DoS attacks (1)
Detecting DoS attacks (2)
• Central server: every X minutes, samples every PoP WS with rate 1/Y flows, during Z seconds.
• For each router, if more than N flows are received with the same destination IP, raise an alarm.
• Current values in use:
  – Routers with regular netflow: X=15, Y=100, Z=10, N=10
    » most attacks > 100 pkts/s are detected
  – Routers with sampled netflow (rate: 1/200 packets): X=15, Y=10, Z=60, N=10
    » most attacks > 330 pkts/s are detected
Logging DoS attacks
“C class” attacks
Spoofed source addresses within the /24 of the source. Coded by default in some DoS tools.
Appears as if coming from: 192.168.0.1, 192.168.0.2, …, 192.168.0.254
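The detection rule on the "Detecting DoS attacks (2)" slide (per router, more than N sampled flows to one destination IP during a Z-second poll) and the "C class" pattern above are both easy to express as code. The following is an added example written for this page, not DANTE's in-house tool: the flow record layout, the function names, the scaling of sampled counts back to an approximate rate, and the sample flows are all assumptions; the sample data is constructed.

```python
# Added example (not DANTE's tool): flow-counting DoS detector as described on the
# "Detecting DoS attacks (2)" slide, plus "C class" source classification.
# Record layout, function names and the sample flows below are assumptions.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    """One sampled NetFlow record as the central server would receive it."""
    router: str
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    bytes: int


def constructed_sample():
    """Constructed input: a 'C class' flood, a randomly spoofed flood, background traffic."""
    flows = []
    # Flood 1 at PoP-A: 12 sampled flows towards 10.0.0.5, sources spoofed inside
    # 192.168.0.0/24, 40-byte TCP packets (3 packets, 120 bytes per record).
    for i in range(1, 13):
        flows.append(Flow("PoP-A", f"192.168.0.{i}", "10.0.0.5", 6, 3, 120))
    # Flood 2 at PoP-B: 11 sampled flows towards 10.0.0.9 from eleven different /24s.
    for i in range(11):
        flows.append(Flow("PoP-B", f"172.{16 + i}.{i}.1", "10.0.0.9", 17, 2, 2000))
    # Background: a few ordinary flows that never share a destination address.
    for i in range(5):
        flows.append(Flow("PoP-A", f"10.1.{i}.1", f"10.2.{i}.1", 6, 50, 40000))
    return flows


def detect(flows, n=10):
    """Per router, group sampled flows by destination IP; more than n flows to one
    destination raises an alarm (the N parameter on the slide)."""
    per_router = defaultdict(lambda: defaultdict(list))
    for f in flows:
        per_router[f.router][f.dst].append(f)
    alarms = []
    for router, by_dst in per_router.items():
        for dst, group in by_dst.items():
            if len(group) > n:
                alarms.append((router, dst, group))
    return alarms


def classify_sources(group):
    """'C class' when every source address of the alarm falls in a single /24,
    as the slide describes; otherwise the sources are spread over several /24s
    (the randomly spoofed case, which is much harder to trace)."""
    nets = {ip_network(f"{f.src}/24", strict=False) for f in group}
    if len(nets) == 1:
        return "C class", str(next(iter(nets)))
    return "multiple /24s", None


def estimate_rate(group, sample_rate=100, window=10):
    """Scale sampled counts back up assuming 1/sample_rate flow sampling over a
    window of `window` seconds (Y and Z on the slide). This scaling is an
    assumption; the slides themselves warn that sampled values are approximate."""
    total_pkts = sum(f.packets for f in group)
    total_bytes = sum(f.bytes for f in group)
    pkts_per_s = total_pkts * sample_rate / window
    kbps = total_bytes * 8 * sample_rate / window / 1000
    avg_pkt_bytes = total_bytes / total_pkts
    return pkts_per_s, kbps, avg_pkt_bytes


def analyse(flows, n=10, sample_rate=100, window=10):
    """Run detection over one poll and return one summary dict per alarm."""
    results = []
    for router, dst, group in detect(flows, n):
        kind, net = classify_sources(group)
        pkts, kbps, avg_size = estimate_rate(group, sample_rate, window)
        results.append({
            "router": router, "dst": dst, "flows": len(group),
            "class": kind, "source_net": net,
            "pkts_per_s": pkts, "kbps": kbps, "avg_pkt_bytes": avg_size,
        })
    return results


if __name__ == "__main__":
    for r in analyse(constructed_sample()):
        print(r)
```

With the regular-netflow parameters from the slide (Y=100, Z=10, N=10) the PoP-A flood is reported as a "C class" attack from 192.168.0.0/24 at roughly 360 pkts/s of 40-byte packets, and the PoP-B flood as spread across several /24s; the background flows never reach N and raise nothing.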
Results
• Running the tool on 4 core routers since 12/2000.
• Logging all attacks detected since 03/2001.
• Trade-off between
  – accuracy (confirmed attacks / alarms raised = 98%)
  – detection effectiveness (> 100 pkt/s).
• Average of 34 different attacks per day logged, up to 5-6 concurrent (96 polls per day).
• 90% “C class” attacks - easily traceable.
• 75% of attacks are 40-byte TCP packets.
Results - Durations
[Pie chart: share of attacks by duration]
  < 15 mins: 58%
  15-30 mins: 19%
  30-60 mins: 11%
  > 60 mins: 12%
Most attacks last less than 15 minutes. Fast inter-domain tracing required to find the source.
Results - Traffic generated
[Pie chart: share of attacks by packet rate; categories 100-500 pkts/s, 500-1000 pkts/s, > 1000 pkts/s; shares shown: 25%, 21%, 54%]
[Pie chart: share of attacks by bandwidth]
  < 0.3 Mbps: 70%
  0.3-1 Mbps: 17%
  > 1 Mbps: 13%
Approximate values only. Low accuracy due to sampling.
Highest: 27000 pkts/s. Highest: 32 Mbps.
Results - Monthly evolution (1)
[Chart: per month, number of DoS attacks (left axis "# of DoS attacks", 0-350) and average duration (right axis "Average duration (minutes)", 0-80). Series: # DoS attacks, Average duration.]
Results - Monthly evolution (2)
[Chart: per month, average packet rate (left axis "Average pkts/s", 0-1400) and average bandwidth (right axis "Average Kbps", 0-1400). Series: Average pkts/s, Average Kbps.]
Results - All attacks (pkts/s)
[Bubble chart: one bubble per attack, pkt/s on a logarithmic axis (100 to 100000) against date (2/23 to 5/14); bubble size = duration.]
Results - All attacks (Kbps)
[Bubble chart: one bubble per attack, Kbps on a logarithmic axis (10 to 100000) against date (2/18 to 5/29); bubble size = duration.]
Results - DoS timings
[Chart: total number of attacks (0-350) by time of DoS start and time of DoS end. Series: DoS start, DoS end.]
From alarms to DANCERT tickets
[Flowchart; node labels as recovered from the slide, connected by yes/no branches:]
• Alarm received by DANCERT
• DoS attack potentially disruptive? (yes/no)
• DoS attack appears in other recent alarms? (yes/no)
• Do nothing
• Identify peers originating the traffic
• Issue DANCERT ticket to peers
• Identify sources within peer
• Randomly spoofed attack? (yes/no)
• Existing DANCERT ticket with same source? (yes/no)
• Send reminder to peer
Known limitations of this method
• Routers capabilities (netflow required)
• Detecting networked flood-based DoS attacks only...
• … but not ALL.
• Detection helps, but further need for co-operation.
Who should help? How?
• IP network operators:
  – automatic detection and logging of DoS attacks
  – co-operation between CERT teams
  – SLAs
• End-sites:
  – prevention
  – trace when DoS traffic sources are reported
• DANTE:
  – http://www.dante.net/security/dos/
  – gives away the in-house software to transit providers.