
The Effects of Filtering Malicious Traffic under DoS Attacks

Chinawat Wongvivitkul

Sudsanguan Ngamsuriyaroj

Department of Computer Science, Faculty of Science

Mahidol University, Thailand

APAN 2007 - August 27, 2007



Agenda

  • Introduction & Motivation

  • Proposed Work

  • Implementation

  • Experiments & Results

  • Conclusions and Future Work




Introduction

  • DoS attacks are well known for generating a huge amount of adverse traffic to a target server, making the server unavailable for service.

  • Open Source IDS Software: Snort and Bro

  • IDS

    • Signature detection: based on predefined rules

    • Anomaly detection: learn first and then classify statistical patterns of incoming traffic




Motivation

  • Most studies use simulation tools, and only a few address server survivability under DoS attacks

  • Questions

    • How to determine in real time whether the incoming traffic is malicious

    • How to build an anomaly detector from simple statistics

    • How much traffic should be filtered out while the server is under attack so that the server survives

  • No existing work filters packets interactively during an attack




Proposed Work

  • We propose a model to measure the effectiveness of filtering malicious traffic on a web server under DoS attacks

[Diagram: Input Traffic -> Detection Analysis (Packet Information) -> Traffic Control (Packet Control, Traffic shaping) -> Normal output traffic or Reduced output traffic; malicious traffic is dropped and suspicious traffic is partly dropped]




Proposed Work

  • The model has two phases

    • Detection Analysis

      • collects statistics of incoming traffic and classifies the traffic status

    • Traffic Control

      • redirects traffic according to its status and filters it if it is malicious




Detection Analysis

  • In_Packet keeps information on individual packets

  • Stat_Info keeps statistics of the packets in In_Packet and classifies the traffic according to its arrival rate

[Diagram: Input Traffic -> Packet Recording records into In_Packet; Packet Analysis reads In_Packet and records into Stat_Info; Stat_Info is read and sent to Traffic Control]




Traffic Control

[Diagram: Packet Control reads Stat_Info for the packets from Detection Analysis; Normal Traffic -> Normal Output Traffic; Suspicious Traffic -> Traffic shaping -> Reduced output traffic, with some packets dropped; Malicious Traffic -> packets dropped]




Traffic Control

  • Normal Traffic

    • sent to the target server with unlimited bandwidth

  • Suspicious Traffic

    • sent to the traffic shaping module so that its bandwidth is reduced before it reaches the target server

  • Malicious Traffic

    • dropped before it has a chance to reach the target server




[Diagram: Attacker and Legitimate USER -> Modified Snort In-line -> Web Server]

Implementation

  • Focus on HTTP traffic only

  • Modify Snort in-line for traffic classification, traffic redirection, and traffic dropping




Modified Snort In-Line

  • Packet capture/decode engine

    • Perform statistical analysis of each traffic stream

  • Detection engine

    • Compute the arrival rate every 30 packets of one traffic stream

    • Classify traffic as normal, suspicious or malicious according to its arrival rate

  • Control engine

    • Add an extra module that redirects traffic to different paths according to its status

  • Output engine

    • Perform traffic shaping by dropping suspicious and malicious traffic




Modified Snort In-Line

  • Packet capture/decode engine

    • add the Input_traffic function to the “detect.c” file of Snort In-line

  • Detection engine

    • add the P_analysis function to the “snort.c” file

  • Control engine

    • add the p_control function to the “snort.c” file

  • Output engine

    • drop a number of suspicious packets according to their arrival rate

      Example rules for dropping suspicious and malicious traffic

  • drop tcp any any -> any 20000 (msg:"D=Http IDS Malicious access tcp deny";)

  • drop tcp any any -> any 40000 (msg:"D=Http IDS Suspicious access tcp deny";)
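The detection and control engines described on these two slides, as an added Python simulation that is not the authors' Snort modification: each stream's arrival rate is recomputed every 30 packets, mapped to normal, suspicious or malicious, and packet control forwards, thins or drops accordingly. The thresholds, the "normal until the first window completes" default and the reading of a filtering rate of 1/n as forwarding one suspicious packet in every n are assumptions, and the traffic is constructed.

```python
from collections import defaultdict
WINDOW = 30            # slides: arrival rate recomputed every 30 packets of one stream
SUSPICIOUS_PPS = 50.0  # assumed thresholds (packets/second); the slides give none
MALICIOUS_PPS = 500.0

def classify(rate_pps):  # detection engine: arrival rate -> traffic status
    if rate_pps >= MALICIOUS_PPS:
        return "malicious"
    return "suspicious" if rate_pps >= SUSPICIOUS_PPS else "normal"

class DetectionAnalysis:  # In_Packet (per-stream timestamps) + Stat_Info (status)
    def __init__(self):
        self.in_packet = defaultdict(list)
        self.status = defaultdict(lambda: "normal")  # assumption: normal until first window

    def record(self, stream, ts):
        buf = self.in_packet[stream]
        buf.append(ts)
        if len(buf) == WINDOW:               # one full window: recompute the rate
            span = buf[-1] - buf[0]
            rate = (WINDOW - 1) / span if span > 0 else float("inf")
            self.status[stream] = classify(rate)
            buf.clear()
        return self.status[stream]

class TrafficControl:
    """Packet control: forward normal, thin suspicious to 1/n, drop malicious."""
    def __init__(self, n):
        self.n, self.seen, self.counts = n, defaultdict(int), defaultdict(int)

    def handle(self, stream, status):
        if status == "suspicious":           # assumption: 1/n forwards one packet in n
            self.seen[stream] += 1
            action = "forward" if self.seen[stream] % self.n == 0 else "drop"
        else:
            action = "forward" if status == "normal" else "drop"
        self.counts[(status, action)] += 1
        return action

def run(packets, filtering_n):
    """Feed (timestamp, stream) pairs through both phases; returns {(status, action): count}."""
    da, tc = DetectionAnalysis(), TrafficControl(filtering_n)
    for ts, stream in sorted(packets):
        tc.handle(stream, da.record(stream, ts))
    return dict(tc.counts)

def constructed_traffic():
    """Constructed sample: a user polling every 3 s, a 100 pps stream and a 1000 pps flood."""
    streams = {"user": (3.0, 60), "mid": (0.01, 600), "flood": (0.001, 6000)}
    return [(i * gap, name) for name, (gap, n) in streams.items() for i in range(n)]
```

With the constructed traffic and a filtering rate of 1/100, the user's stream passes untouched, the 100 pps stream is thinned to 5 forwarded packets, and the flood is dropped from the moment its first 30-packet window completes.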




Traffic Flows in Snort In-Line

[Diagram: Input Traffic -> Iptables (sends input traffic to queuing) -> Snort In-line: Packet capture/decode Engine -> Detection Engine -> Control Engine -> Output Engine -> Output Traffic, with Alerts/Logs written along the way]




System Configuration for Experiments

  • Attacker sends malicious traffic to the web server for 5 minutes

  • No background traffic is generated

  • The user makes a request to the server every 3 seconds until a request times out because the server is down




Experiment 1: Server Timeout without Traffic Control




Experiment 2: Server Timeout with Traffic Control

One attacker; filtering rate fixed at 1/1000




Experiment 3: Server Timeout with Traffic Control

One attacker and varying filtering rates of 1/100, 1/250, 1/500, 1/750, and 1/1000




Experiment 4: Server Timeout with Traffic Control

Three attackers and varying filtering rates of 1/100, 1/250, 1/500, 1/750, and 1/1000




Conclusions

  • We show the effects of filtering malicious traffic on the survivability of a server under DoS attacks

  • We show that simple and fast anomaly detection is possible using the traffic arrival rate

  • Future work: make Snort adaptive so that it can respond to different arrival rates with an adaptive filtering rate






Thank You

Q & A


