D-WARD: DDoS Network Attack Recognition and Defense

Presentation Transcript

D-WARD: DDoS Network Attack Recognition and Defense PhD Qualifying Exam Jelena Mirković PhD Advisor: Peter Reiher 01/23/2002

Design and execute DDoS protection framework situated at source organize independently recognizes and quits assaulting streams does not influence genuine streams 2/39

Overview Problem Statement Related Work Desirable Characteristics D-WARD Thesis Goals Conclusion 3/39

What is a DoS Attack? 4/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

What is a DDoS Attack? 5/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

DDoS Defense Problem Large number of unwitting members No basic qualities of DDoS streams No managerial area collaboration Automated apparatuses Hidden personality of members Persistent security gaps on the Internet 6/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

DDoS Prevention Compromise aversion security patches infection location programs interruption discovery frameworks (IDS) High organization can't be implemented 7/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

DDoS Defense INTERMEDIATE NETWORK VICTIM NETWORK SOURCE NETWORK 8/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Victim Network Intrusion Detection Systems On-off control approach Router checking instruments (CISCO) + Victim can effectively recognize the assault - Victim is powerless if: attack comprises of real bundles or attack is of huge volume 9/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Intermediate Network WATCHERS Traceback Pushback Spoofing counteractive action + Routers can viably oblige/follow the assault - Possible execution debasement - Interdomain legislative issues of disengagement - Attack recognition is hard - Communication must be secured 10/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Source Network MULTOPS + Source switches can adequately compel/follow the assault + Internet assets are safeguarded - Attack identification is hard - Many arrangement focuses required for high viability 11/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Desirable Characteristics High security Reliable assault identification Independent location and reaction Low execution cost Incremental advantage with incremental sending Handle repeating assaults Traceback Cooperation REQUIRED OPTIONAL 12/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

D-WARD DDoS guard framework in Source Network Source Router distinguishes assault and reacts Monitors the two-way activity Suspect streams are rate-restricted Further perceptions prompt to reduction or increment of rate-utmost 13/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

OBSERVATION COMPONENT CLASSIFICATION TRAFFIC STATISTICS SOURCE ROUTER INTERNET STATISTICS CACHE MODEL CACHE NORMAL TRANSIENT ATTACK RATE LIMIT RULES SOURCE NETWORK THROTTLING COMPONENT System Architecture 14/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Statistics Gathering Statistics find troubles Only IP header information is utilized Statistics ordered per peer IP address Statistics reserve size is restricted and the store is cleansed occasionally: Records for typical streams erased Records for transient and assault streams reset 15/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Traffic Models TCP requires corresponding converse stream Non-TCP movement requires NO turn around stream Non-TCP servers more often than not send consistent measure of parcels/Bytes every second to a given associate 16/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Traffic Models Model of ordinary TCP movement: low proportion of number of sent/number of got bundles Model of typical non-TCP movement: mean and standard deviation of number of sent parcels/Bytes for certain goal Non-TCP models made in preparing stage 17/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Flow Classification Comparison with models of ordinary movement agreeable - inside cutoff points of the model assault - outside of model breaking points Well carried on or not ordinary - very much acted agreeable streams transient - non all around acted agreeable streams 18/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Throttling Component ATTACK: Exponential decline TRANSIENT: Slow recuperation, straight increment NORMAL: Fast recuperation, exponential increment 19/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Experiment 1 CLIENT ATTACKER ROUTER VICTIM ATTACKER 20/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

assault begins assault stops 21/39

assault begins assault stops 22/39

Experiment 2 CLIENT ATTACKER ROUTER VICTIM ATTACKER 23/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

authentic activity begins assault begins assault stops 24/39

Legitimate movement begins assault stops assault begins FTP begins 25/39

Experiment 3 CLIENT ATTACKER ROUTER VICTIM ATTACKER 26/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Legitimate movement begins FTP begins assault stops assault begins 27/39

assault begins assault stops 28/39

Experiment 4 CLIENT ATTACKER ROUTER VICTIM ATTACKER 29/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

assault begins assault stops 30/39

assault begins assault stops 31/39

Summary of Results D-WARD effectively identifies and prevents assaults Legitimate customers from different spaces advantage extraordinarily System is amicable to non-TCP activity Legitimate TCP associations from source system are backed off There is no reasonableness certification to ordinary streams 32/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Attack Detection Choice of checked parameters: unwavering quality versus execution isolating real from assault streams Creation and upgrade of models Cooperation with other Source Routers Cooperation with the casualty Recurring assaults 33/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Attack Response Effectiveness versus decency of reaction forcefulness ought to rely on upon dependability of characterization outline of criticism instrument Traceback of the assault Interaction of various DDoS resistance frameworks 34/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Security Attackers take after advancements in security Attackers could endeavor to maintain a strategic distance from identification: beating assaults producing reverse bundles bit by bit go through casualty's assets mistrain models Attackers could endeavor to abuse the framework: drop honest to goodness parcels Attackers may DDoS Source Router 35/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Partial Deployment Effectiveness relies on upon level of organization Does not ensure conveying system so inspiration is low Legal elements could help Additional impetus: insignificant changes to existing switches ease great execution 36/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Deployment on Core Routers Large scope with less arrangement focuses Router execution must not be corrupted Rate restrain has affect on expansive segment of streams  couple of false positives an absolute necessity 37/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Timeline Year1 Year2 Jan Apr Jul Oct Jan Apr Jul Oct 7 10 1 9 12 3 5 8 2 11 4 6 38/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

Conclusions DDoS assaults are a genuine risk A plan of viable location and reaction technique is an unquestionable requirement D-WARD effectively distinguishes and imperatives the assaults yet has undesired effect on true blue streams Further research expected to refine the framework and devise organization procedure 39/39 Problem Statement  Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion