DoS & DDoS Project

  1. DoS & DDoS Project. Ori Modai, Yaniv Stern. Instructor: Yoram Yihyie. Technion – Computer Networks Lab - DDoS Project

  2. DoS – Denial of Service: characterized by an explicit attempt by attackers to deny legitimate users the availability of a service. [Sample]

  3. DDoS – Distributed Denial of Service. Attacker → Intermediary → Victim, with source-address spoofing (diagram taken from the grc.com site).

  4. Project Phases: Background; Attack Generator; Detection Platform; Tests in Lab; Results Analysis.

  5. Brief History. • Early 1990s – first appearance. • 1997–1999 – automatic attack tools increase attack frequency and volume. • February 2000 – turning point.

  6. Brief History (cont.), 2000 – today. • Thousands of attacks per week. • Growing complexity. • Estimated losses – $66M per year. • Vandalistic, economically and politically motivated attacks. DDoS attacks have evolved into a major threat to the availability, accessibility and operation of many Internet-based services (commercial and governmental).

  7. Attack classification: software vulnerability, bandwidth, protocol.

  8. DoS & DDoS Project – Attack Generator

  9. Attack Generator. Why attack? • Centralized trigger. • Attack zombies. • Academic research capabilities (logging). • Synchronization.

  10. Attack Generator – modifications made to TFN2K: • Logging capability. • Synchronization. • New attack mode. • Attack parameter control. • Standardization of attack traffic.

  11. DoS & DDoS Project – Detection Platform

  12. Detection system requirements. Why detection? • Installation on the target server. • Raw data accessibility. • Stateful detection. • Detection algorithm. • Generic structure and scalability. • Minimum resource consumption.

  13. Detection system architecture. Incoming server traffic is probed by a sniffer daemon (raw input probing) and a netstat daemon (kernel probing). Collector threads: Sniffer Collector, Kernel info Collector, Post Collector. Detection parameters database. Analysis threads: ICMP Flood Analyzer, TCP SYN Analyzer, UDP Flood Analyzer, DRDoS Attack Analyzer.

  14. Collection tier. Collector threads: Sniffer Collector (fed by the sniffer daemon, raw input probing), Kernel info Collector (fed by the netstat daemon, kernel probing), Post Collector. • Collect kernel status and network traffic. • Perform preliminary data processing. • High performance.

  15. Database tier. Provides access to raw data and to statistical properties such as variance and average (short and long term). Parameter types: Counter, Histogram, Estimator and Scalar (the Scalar contains the Post Collector estimation), with average, variance and maximum statistics.

  16. Analyzer tier – general. Analysis threads: ICMP Flood Analyzer, TCP SYN Analyzer, UDP Flood Analyzer, DRDoS Attack Analyzer. • All analyzers run simultaneously. • Each analyzer works independently. • Each analyzer examines and weights the relevant parameters. • For each parameter the analyzer checks changes over time.

  17. Detection Platform – GUI (screenshot not reproduced in the transcript).

  18. Evaluation – no spoofing. The detection platform (architecture as on slide 13) listens to the network communication. IP spoofing: faking the source of packets.

  19. Evaluation – spoofing. The detection platform (architecture as on slide 13) receives spoofed communication.

  20. DoS & DDoS Project – Analysis Samples

  21. Analysis Example – SYN Attack. Lab topology: attackers A: 192.5.6.66, B: 192.5.6.99, C: 192.5.6.27; target: 192.5.6.31; Hub 1, Hub 2, Hub 3; D: 223.8.152.9; E: 219.17.101.5; further addresses shown: 219.17.101.144, 223.8.152.52, 219.17.101.111, 223.8.15.55. Data sources: • Attackers' logs. • Detection platform analyzers. • NetAlly© sampling.

  22. SYN – Results (chart not reproduced in the transcript).

  23. DoS & DDoS Project – Conclusions & Final words

  24. Conclusions & final words. • Efficient working system. • Fast response. • Highly credible. • Innovations: generic and scalable approach; integration of several detection methods; academic research capabilities; ability to distinguish between different attack types.

  25. Conclusions & final words (cont.). • From detection to protection. The attack-detection platform can be used as a basis for future expansion and academic research in various fields related to network security.

  26. DoS & DDoS Project – Questions

  27. Innovations. • Generic and scalable approach. • Integration of several detection methods. • Academic research capabilities. • Ability to distinguish between different attack types.

  28. From detection to protection. Attack alert: • Enabling IP hopping. • Initiated server shutdown. Filtering indicators: • Spoofed IP address prefixes. • Port numbers. • Protocols. Remote router or firewall configuration.

  29. SYN – SYN & SYN/FIN analyzers (chart not reproduced in the transcript).

  30. SYN – Spoof parameter (chart not reproduced in the transcript).

  31. SYN flood – exploits the TCP three-way handshake (diagram taken from the grc.com site).
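The following is an added example and not the project's code: it puts slide 31 (a SYN flood filling the listener's half-open queue because spoofed sources never send the final ACK) together with the analyzer tier of slides 15 and 16 (per-parameter short- and long-term average and variance, weighted parameters, and a spoof parameter counting distinct SYN sources). The traffic, the addresses, the backlog size, the timeout and the thresholds are all assumptions constructed for the simulation.

```python
"""Simulated SYN flood against a TCP listener plus a stateful SYN analyzer.

Constructed example, not the Technion project's code: traffic, addresses and
thresholds are made up; only the structure follows the slides.
"""
import random
from collections import deque
from statistics import mean, pstdev

BACKLOG = 128        # assumed half-open (SYN_RECV) capacity of the target
TIMEOUT = 3          # assumed slots a half-open entry survives without the ACK
NORMAL_SLOTS = 60    # slots of legitimate traffic before the flood starts
FLOOD_SLOTS = 10
FLOOD_RATE = 200     # spoofed SYNs per slot


class TargetServer:
    """Half-open queue of the listener: a SYN occupies an entry until the third
    handshake packet (ACK) arrives or the entry times out; a full queue drops SYNs."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}          # src -> slot in which the SYN arrived
        self.max_half_open = 0

    def expire(self, slot):
        for src in [s for s, t in self.half_open.items() if slot - t >= TIMEOUT]:
            del self.half_open[src]

    def syn(self, src, slot):
        """True if a SYN/ACK is sent (entry allocated), False if the SYN is dropped."""
        if len(self.half_open) >= self.backlog:
            return False
        self.half_open[src] = slot
        self.max_half_open = max(self.max_half_open, len(self.half_open))
        return True

    def ack(self, src):
        self.half_open.pop(src, None)   # handshake completed, entry released


class SynAnalyzer:
    """Per-slot parameters: SYN count, incomplete handshakes (the stateful part) and
    distinct SYN sources (spoof parameter). Each is compared with its own long-term
    baseline; the weighted sum of exceeded parameters decides the alert."""

    SHORT, LONG, K = 3, 30, 4.0
    WEIGHTS = {"syn": 1, "incomplete": 2, "spoof": 1}
    ALERT_SCORE = 3

    def __init__(self):
        self.history = deque(maxlen=self.LONG)   # baseline, only updated when calm
        self.pending = {}                        # src -> slot of a SYN without ACK
        self.alerts = []

    def end_of_slot(self, slot, events):
        syn_sources = []
        for src, flags in events:
            if flags == "S":
                self.pending[src] = slot
                syn_sources.append(src)
            elif flags == "A":
                self.pending.pop(src, None)
        for src in [s for s, t in self.pending.items() if slot - t >= TIMEOUT]:
            del self.pending[src]
        params = {"syn": len(syn_sources), "incomplete": len(self.pending),
                  "spoof": len(set(syn_sources))}
        if len(self.history) < self.LONG:        # warm-up: learn the baseline first
            self.history.append(params)
            return False
        recent = list(self.history)[-(self.SHORT - 1):]
        score = 0
        for key, weight in self.WEIGHTS.items():
            long_vals = [h[key] for h in self.history]
            threshold = mean(long_vals) + self.K * pstdev(long_vals) + 1
            if mean([h[key] for h in recent] + [params[key]]) > threshold:
                score += weight
        if score >= self.ALERT_SCORE:
            self.alerts.append((slot, params))
            return True                          # baseline frozen during the attack
        self.history.append(params)
        return False


def simulate(seed=7):
    """Run legitimate traffic, then a spoofed flood; return what the analyzer saw."""
    rng = random.Random(seed)
    server, analyzer = TargetServer(BACKLOG), SynAnalyzer()
    clients = ["192.5.6.%d" % i for i in range(50, 70)]   # made-up legitimate clients
    denied = {"before_flood": 0, "during_flood": 0}
    for slot in range(NORMAL_SLOTS + FLOOD_SLOTS):
        server.expire(slot)
        seen = []                                          # what the sniffer observes
        if slot >= NORMAL_SLOTS:
            for _ in range(FLOOD_RATE):                    # spoofed SYNs, never ACKed
                src = "10.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(3))
                seen.append((src, "S"))
                server.syn(src, slot)
        for src in rng.sample(clients, rng.randint(5, 10)):
            seen.append((src, "S"))
            if server.syn(src, slot):                      # SYN/ACK sent, client ACKs
                seen.append((src, "A"))
                server.ack(src)
                seen.append((src, "F"))
            else:                                          # backlog full: service denied
                denied["during_flood" if slot >= NORMAL_SLOTS else "before_flood"] += 1
        analyzer.end_of_slot(slot, seen)
    return {"first_alert_slot": analyzer.alerts[0][0] if analyzer.alerts else None,
            "alerts": len(analyzer.alerts), "max_half_open": server.max_half_open,
            **denied}


if __name__ == "__main__":
    print(simulate())
```

Two design points carry over from the slides: the analyzer keeps its own handshake state from the sniffer's view (SYN seen, ACK not seen) instead of trusting the kernel, so it still works when the backlog has already overflowed, and the long-term baseline is frozen while an alert is active so that the flood cannot train the detector to accept itself.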
