DoS & DDoS Project

Ori Modai

Yaniv Stern

Instructor: Yoram Yihyie

Technion – Computer Networks Lab - DDoS Project


DoS – Denial of Service

Characterized by an explicit attempt by attackers to deny legitimate users the availability of a service.



DDoS – Distributed Denial of Service

(Diagram taken from grc.com: Attacker → Intermediary → Victim. The intermediaries send the flood with spoofed source addresses, so the victim cannot tell who the attacker is.)


Project Phases

  • Background

  • Attack Generator

  • Detection Platform

  • Tests in Lab

  • Results Analysis


Brief History

  • Early 90s – first appearance

  • 1997–1999 – automated attack tools increase attack frequency and volume

  • Feb 2000 – turning point


Brief History (cont.)

2000 – today

  • Thousands of attacks per week

  • Growing complexity

  • Estimated losses – $66M per year

  • Vandalistic, economically and politically motivated attacks

DDoS attacks have evolved into a major threat to the availability, accessibility and operation of many Internet-based services (commercial and governmental).


Attack classification

  • Software vulnerability

  • Bandwidth

  • Protocol


DoS & DDoS Project: Attack Generator


Attack Generator

  • Centralized Trigger

  • Attack Zombies

  • Academic research capabilities (Logging)

  • Synchronization

Why attack?


TFN2K Attack Generator – modifications made:

  • Logging capability

  • Synchronization

  • New attack mode

  • Attack parameter control

  • Standardization of attack traffic


DoS & DDoS Project: Detection Platform


Detection system Requirements

  • Installation on the target server

  • Raw data accessibility

  • Stateful detection

  • Detection algorithm

  • Generic structure & scalability

  • Minimal resource consumption

Why detection?


Detection system architecture

Incoming server traffic is probed by two daemons and flows through three tiers:

  • Collection tier – collector threads: a sniffer collector fed by the sniffer-daemon (raw input probing), a kernel-info collector fed by the netstat-daemon (kernel probing), and a post collector whose estimates are stored alongside the raw parameters

  • Database tier – the detection parameters database

  • Analyzer tier – analysis threads: ICMP flood analyzer, TCP SYN analyzer, UDP flood analyzer, DRDoS attack analyzer


Collection Tier

Collector threads: sniffer collector (sniffer-daemon, raw input probing), kernel-info collector (netstat-daemon, kernel probing), post collector.

  • Collect kernel status and network traffic

  • Perform preliminary data processing

  • High performance


Database Tier

Parameter types: Counter, Histogram, Estimator, Scalar (contains the post-collector estimation). For each parameter the database keeps average, variance and maximum.

Provides access to raw data and statistical properties such as variance and average (short and long term).


Analyzer Tier – General

Analysis threads: ICMP flood analyzer, TCP SYN analyzer, UDP flood analyzer, DRDoS attack analyzer.

  • All analyzers run simultaneously

  • Each analyzer works independently

  • Each analyzer examines and weights the parameters relevant to its attack type

  • For each parameter the analyzer checks how the value changes over time
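The Database Tier and Analyzer Tier slides describe the mechanism in outline only: per-parameter short- and long-term average, variance and maximum, and analyzers that weight their parameters and watch for change over time. The following is an added example of that mechanism for the TCP SYN analyzer, written for this page; it is not the project's code. The packet records, the smoothing weights, the per-parameter weights and sigma floors, the alert threshold and the reading of the "spoof parameter" as the share of SYN sources that never follow up with an ACK are all assumptions; the sample traffic is constructed, using address ranges that appear on the SYN-attack slide.

```python
from collections import namedtuple
from math import sqrt

# Constructed packet record from the sniffer collector: source address and the
# set of TCP flag names in the packet (incoming direction only, as in the slides).
Pkt = namedtuple("Pkt", "src flags")


class Estimator:
    """Database-tier style parameter: short- and long-term exponentially
    weighted average and variance of a sample series, plus the maximum.
    Smoothing weights and the sigma floor are assumptions, not slide values."""

    def __init__(self, short_alpha=0.5, long_alpha=0.05, min_sigma=1.0):
        self.short_alpha, self.long_alpha, self.min_sigma = short_alpha, long_alpha, min_sigma
        self.short_avg = self.long_avg = None
        self.short_var = self.long_var = 0.0
        self.maximum = 0.0

    def _ewma(self, which, alpha, x):
        avg, var = getattr(self, which + "_avg"), getattr(self, which + "_var")
        if avg is None:
            avg, var = x, 0.0
        else:
            delta = x - avg
            avg += alpha * delta
            var = (1 - alpha) * (var + alpha * delta * delta)
        setattr(self, which + "_avg", avg)
        setattr(self, which + "_var", var)

    def observe(self, x):
        """Fold x into the short-term estimate, measure how far the new short-term
        average sits from the long-term baseline (in long-term standard deviations),
        then let x join the baseline.  Judging before the baseline update stops one
        attack window from inflating the variance it is compared against."""
        self._ewma("short", self.short_alpha, x)
        if self.long_avg is None:
            z = 0.0
        else:
            sigma = max(sqrt(self.long_var), self.min_sigma)
            z = (self.short_avg - self.long_avg) / sigma
        self._ewma("long", self.long_alpha, x)
        self.maximum = max(self.maximum, x)
        return z


class SynFloodAnalyzer:
    """Analyzer-tier style TCP SYN analyzer.  Per window it derives three
    parameters and sums their weighted deviations:
      syn_rate - SYNs per window
      syn_fin  - SYNs per client FIN; a flood leaves half-open connections that
                 never close, so the ratio climbs
      spoof    - share of SYN sources that never send a follow-up ACK; a spoofed
                 source never receives the SYN/ACK, so it cannot answer it
    PARAMS holds (weight, sigma floor) per parameter; both are assumptions."""

    PARAMS = {"syn_rate": (0.5, 1.0), "syn_fin": (0.3, 0.5), "spoof": (0.2, 0.05)}

    def __init__(self, threshold=3.0):
        self.threshold = threshold
        self.estimators = {n: Estimator(min_sigma=s) for n, (_, s) in self.PARAMS.items()}

    @staticmethod
    def window_parameters(packets):
        syns, fins, syn_sources, ack_sources = 0, 0, set(), set()
        for p in packets:
            if "SYN" in p.flags and "ACK" not in p.flags:
                syns += 1
                syn_sources.add(p.src)
            elif "ACK" in p.flags:
                ack_sources.add(p.src)
            if "FIN" in p.flags:
                fins += 1
        unanswered = len(syn_sources - ack_sources)
        return {"syn_rate": syns,
                "syn_fin": syns / max(fins, 1),
                "spoof": unanswered / len(syn_sources) if syn_sources else 0.0}

    def analyze(self, packets):
        """Feed one window of packets; return (score, alert, parameters)."""
        values = self.window_parameters(packets)
        score = sum(self.PARAMS[n][0] * self.estimators[n].observe(v) for n, v in values.items())
        return score, score >= self.threshold, values


def normal_window(n_clients, base=10):
    """Constructed quiet traffic: each client completes the handshake (SYN, ACK)
    and later closes (FIN/ACK).  Addresses are picked arbitrarily in 192.5.6.0/24."""
    pkts = []
    for i in range(n_clients):
        src = f"192.5.6.{base + i}"
        pkts += [Pkt(src, {"SYN"}), Pkt(src, {"ACK"}), Pkt(src, {"FIN", "ACK"})]
    return pkts


def flood_window(n_syns):
    """Constructed SYN flood: bare SYNs from rotating spoofed sources in 219.17.101.0/24."""
    return [Pkt(f"219.17.101.{i % 250 + 1}", {"SYN"}) for i in range(n_syns)]


def run_demo():
    """Ten quiet windows build the baseline; the eleventh adds a flood on top of
    normal traffic.  Returns the per-window (score, alert, values) list."""
    analyzer = SynFloodAnalyzer()
    history = [analyzer.analyze(normal_window(8 + w % 5)) for w in range(10)]
    history.append(analyzer.analyze(flood_window(500) + normal_window(8)))
    return history


if __name__ == "__main__":
    for score, alert, values in run_demo():
        print(f"score={score:8.2f} alert={alert!s:5} {values}")
```

Only the flood window trips the threshold: its SYN count, SYN-to-FIN ratio and unanswered-source share all jump far above the long-term baseline, while the quiet windows vary within a few sigma. The sigma floor matters in practice: a parameter that has been constant (variance zero) would otherwise turn any change at all into an infinite deviation.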


Detection Platform – GUI


IP Spoofing

Faking the source address of packets.

Evaluation – no spoofing: the detection platform (the same collector threads, parameters database and analyzers as above) listens to unspoofed network communication.

Evaluation – spoofing: the same platform is run against spoofed communication.


DoS & DDoS Project: Analysis Samples


Analysis Example – SYN Attack

Lab topology: attackers A (192.5.6.66), B (192.5.6.99), C (192.5.6.27), D (223.8.152.9) and E (219.17.101.5), target 192.5.6.31, connected through Hub 1, Hub 2 and Hub 3. Further addresses shown on the diagram: 219.17.101.144, 219.17.101.111, 223.8.152.52, 223.8.15.55.

Data Sources:

  • Attackers' logs

  • Detection platform analyzers

  • NetAlly sampling


SYN – Results


DoS & DDoS Project: Conclusions & Final Words


Conclusions & final words

  • Efficient working system

    • Fast response

    • Highly credible

  • Innovations

    • Generic & scalable approach

    • Integrating several detection methods

    • Academic research capabilities

    • Ability to distinguish between different attack types


Conclusions & final words (cont.)

  • From detection to protection

The attack-detection platform can serve as a basis for future expansion and academic research in various fields related to network security.


DoS & DDoS Project: Questions


Innovations

  • Generic & Scalable approach

  • Integrating several detection methods

  • Academic research capabilities

  • Ability to distinguish between different attack types



From detection to protection

Attack alert:

  • Enabling IP hopping

  • Initiated server shutdown

Filtering indicators:

  • Spoofed IP address prefixes

  • Port numbers

  • Protocols

Remote router or firewall configuration
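The slide lists the filtering indicators an alert should carry (spoofed address prefixes, port numbers, protocols) and the target of that output (a remote router or firewall) without showing the step in between. The following is an added example of that step, written for this page and not part of the project: it collapses the spoofed sources reported by an analyzer into the smallest covering prefixes and renders the indicators as iptables rules for a Linux filtering host. The iptables syntax is real; the indicator layout, the /24 aggregation limit, the rate limits and the sample input are assumptions. The sample spoofed addresses are the extra addresses drawn on the SYN-attack slide, treated here as spoofed sources (an assumption).

```python
import ipaddress

# Constructed filtering indicators, as an analyzer might hand them to the
# protection step.  The spoofed addresses are taken from the SYN-attack slide's
# diagram (treated as spoofed sources, an assumption); ports and protocols are
# illustrative.
SAMPLE_INDICATORS = {
    "spoofed": ["219.17.101.144", "219.17.101.111", "223.8.152.52", "223.8.15.55"],
    "ports": [("tcp", 80)],        # service under SYN flood: rate-limit new connections
    "protocols": ["icmp", "udp"],  # flood protocols: rate-limit, then drop the excess
}


def aggregate_prefixes(addresses, max_prefixlen=24):
    """Collapse observed spoofed sources into covering networks.  Each address is
    widened to max_prefixlen (assumption: a /24 is the coarsest block worth
    filtering on), then adjacent blocks are merged into their supernet."""
    nets = {ipaddress.ip_network(f"{a}/{max_prefixlen}", strict=False) for a in addresses}
    return sorted(ipaddress.collapse_addresses(nets))


def filter_rules(indicators, chain="INPUT", syn_limit="100/s", flood_limit="10/s"):
    """Render the indicators as iptables rules.  Spoofed prefixes are inserted at
    the top of the chain and dropped; the attacked port keeps accepting new
    connections only up to syn_limit; flood protocols are rate-limited and the
    excess dropped.  The limit values are assumptions."""
    rules = []
    for net in aggregate_prefixes(indicators.get("spoofed", [])):
        rules.append(f"iptables -I {chain} -s {net} -j DROP")
    for proto, port in indicators.get("ports", []):
        match = f"-p {proto} --dport {port}" + (" --syn" if proto == "tcp" else "")
        rules.append(f"iptables -A {chain} {match} -m limit --limit {syn_limit} -j ACCEPT")
        rules.append(f"iptables -A {chain} {match} -j DROP")
    for proto in indicators.get("protocols", []):
        rules.append(f"iptables -A {chain} -p {proto} -m limit --limit {flood_limit} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p {proto} -j DROP")
    return rules


if __name__ == "__main__":
    print("\n".join(filter_rules(SAMPLE_INDICATORS)))
```

Two caveats a practitioner would want before pushing such rules to a router or firewall: a prefix filter blocks every legitimate client inside that prefix, and the spoofed addresses belong to someone else, so the filter punishes the wrong network; and an attacker who spoofs sources uniformly across the whole address space produces no usable prefixes at all, which is why the rate-limit rules, not the prefix drops, are the part that generalises. The shutdown and IP-hopping actions listed under "Attack alert" are outside this example.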


SYN – SYN & SYN/FIN analyzers


SYN – Spoof parameter


SYN flood

Exploits the TCP three-way handshake.

(Diagram taken from grc.com)