Denial of Service attacks on transit networks David Harmelin DANTE

Presentation Transcript


  1. Denial of Service attacks on transit networks David Harmelin DANTE

  2. DANTE • advanced network services for the European research community: TEN-155, GÉANT • active in testing and evaluating emerging technologies http://www.dante.net/tf-ngn • DANCERT (dancert@dante.org.uk) http://www.dante.net/security

  3. Connecting 30 NRENs • Backbone and access speeds up to 622 Mbps • Research interconnections to North America (USA & Canada) and Asia-Pacific • Multiple interconnections with the commercial Internet

  4. Definition of a DoS attack DoS attack: an attack on a network or computer, the primary aim of which is to disrupt access to a given service. In this presentation, only DoS attacks involving flooding of networks are considered (networked flood-based DoS attacks).

  5. Example of a networked DoS ( http://www.dante.net/pubs/dip/42/42.html )

  6. DANTE and DoS attacks • 1999: DoS attacks noticed regularly on TEN-155. • Beginning 2000: DoS attacks against major companies in the news. • 2000: first tool based on peer-peer matrix analysis. Failed. • End 2000: second tool, based on sampled flow data. DANCERT relies on it to reduce the amount of DoS attacks.

  7. Detecting DoS attacks (1)

  8. Detecting DoS attacks (2) • Central server: every X minutes, samples every PoP WS with rate 1/Y flows, during Z seconds. • For each router, if more than N flows are received with the same destination IP, raise an alarm. • Current values in use: • Routers with regular netflow: X=15, Y=100, Z=10, N=10 • most attacks > 100 pkts/s are detected • Routers with sampled netflow (rate: 1/200 packets): X=15, Y=10, Z=60, N=10 • most attacks > 330 pkts/s are detected

  9. Logging DoS attacks

  10. “C class” attacks Spoofed source addresses within the /24 of the source. Coded by default in some DoS tools. Appears as if coming from: 192.168.0.1, 192.168.0.2, …, 192.168.0.254
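The per-router counting rule of slide 8 and the “C class” signature of slide 10, worked through as an added example (not DANTE's in-house tool): flow records are constructed inline, the 1/Y flow sampling is replaced by a deterministic 1-in-Y pick, and the last function reproduces the detection thresholds the slide quotes (100 pkts/s and about 330 pkts/s) from X, Y, Z and N.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records as (router, src_ip, dst_ip), one record per flow.
# A "C class" flood: spoofed sources walking through 192.168.0.0/24 towards one victim.
FLOWS = [("core1", f"192.168.0.{i}", "10.0.0.5") for i in range(1, 255)]
# Background traffic to many different destinations, which must not raise an alarm.
FLOWS += [("core1", f"172.16.{i % 4}.{i}", f"10.0.1.{i}") for i in range(1, 200)]


def sample_flows(flows, rate_y):
    """Keep one flow in Y (systematic stand-in for the slide's random 1/Y sampling)."""
    return flows[::rate_y]


def classify_sources(srcs):
    """'C class' when every source sits in one /24; otherwise treat it as randomly spoofed."""
    nets = {ipaddress.ip_network(f"{s}/24", strict=False) for s in srcs}
    return "C class" if len(nets) == 1 else "random"


def detect(sampled, n):
    """Per router, alarm on each destination seen in more than N sampled flows."""
    per_dst = defaultdict(list)
    for router, src, dst in sampled:
        per_dst[(router, dst)].append(src)
    return {key: classify_sources(srcs) for key, srcs in per_dst.items() if len(srcs) > n}


def detection_threshold_pps(flow_rate_y, window_z, n, packet_rate=1):
    """Lowest flood rate (pkts/s, one packet per flow) that yields N samples in Z seconds.

    packet_rate is the router's packet-sampling divisor (200 for 1/200 sampled netflow).
    """
    return n * flow_rate_y * packet_rate / window_z


if __name__ == "__main__":
    for (router, dst), kind in detect(sample_flows(FLOWS, 10), 10).items():
        print(f"{router}: flood towards {dst} ({kind})")
    print(detection_threshold_pps(100, 10, 10), detection_threshold_pps(10, 60, 10, 200))
```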

  11. Results • Running the tool on 4 core routers since 12/2000. • Logging all attacks detected since 03/2001 • Trade-off between • accuracy (confirmed attacks/alarms raised=98%) • detection effectiveness (>100 pkt/s). • Average of 34 different attacks per day logged, up to 5-6 concurrent (96 polls per day). • 90% “C class” attacks - easily traceable. • 75% of attacks are 40 bytes TCP packets.

  12. Results - Durations Most attacks last less than 15 minutes. Fast inter-domain tracing required to find the source.

  13. Results - Traffic generated Highest: 32 Mbps; highest: 27000 pkts/s. Approximate values only. Low accuracy due to sampling.

  14. Results - Monthly evolution (1)

  15. Results - Monthly evolution (2)

  16. Results - All attacks (pkts/s) Bubble size = duration

  17. Results - All attacks (Kbps) Bubble size= duration

  18. Results - DoS timings

  19. From alarms to DANCERT tickets (flowchart) Start: alarm received by DANCERT. Decision points: DoS attack potentially disruptive? Randomly spoofed attack? DoS attack appears in other recent alarms? Existing DANCERT ticket with same source? Steps: identify peers originating the traffic; identify sources within peer. Outcomes: do nothing; send reminder to peer; issue DANCERT ticket to peers.

  20. Known limitations of this method • Routers capabilities (netflow required) • Detecting networked flood-based DoS attacks only... • … but not ALL. • Detection helps, but further need for co-operation.

  21. Who should help? How? • IP network operators: • automatic detection and logging of DoS attacks • co-operation between CERT teams • SLAs • End-sites: • prevention • trace when DoS traffic sources are reported • DANTE: • http://www.dante.net/security/dos/ • gives away the in-house software to transit providers.
