DoS & DDoS Project

Ori Modai

Yaniv Stern

Instructor: Yoram Yihyie

Technion – Computer Networks Lab - DDoS Project

DoS – Denial of Service

Characterized by an explicit attempt by attackers to deny legitimate users the availability of a service.

Sample


DDoS – Distributed Denial of Service

[Diagram: Attacker → Intermediary → Victim, with the source-address spoofing step marked. (Taken from grc.com site)]

Project Phases
  • Background
  • Attack Generator
  • Detection Platform
  • Tests in Lab
  • Results Analysis

Brief History
  • Early ’90s – First appearance
  • ’97–’99 – Automatic attack tools increase attack frequency and volume
  • Feb ’00 – Turning point

Brief History (cont.)

2000 – Today

  • Thousands of attacks per week
  • Growing complexity
  • Estimated loss – $66M (per year)
  • Vandalistic, economically and politically motivated attacks

DDoS attacks have evolved into a major threat to the availability, accessibility and operation of many Internet-based services (commercial and governmental).

Attack classification
  • Software vulnerability
  • Bandwidth
  • Protocol


DoS & DDoS Projects

Attack Generator


Attack Generator
  • Centralized Trigger
  • Attack Zombies
  • Academic research capabilities (Logging)
  • Synchronization

Why Attack?


TFN2K Attack Generator – modifications made:
  • Logging capability
  • Synchronization
  • New attack mode
  • Attack parameter control
  • Standardization of attack traffic


DoS & DDoS Projects

Detection Platform


Detection System Requirements
  • Installation on target server
  • Raw data accessibility
  • Stateful detection
  • Detection algorithm
  • Generic structure & scalability
  • Minimum resource consumption

Why Detection?

Detection system architecture

[Diagram: Incoming server traffic enters through the Sniffer-daemon (raw input probing) and the Netstat-daemon (kernel probing); the Collector threads (Sniffer Collector, Kernel-info Collector, Post Collector) feed the Detection parameters database; the Analysis threads (ICMP Flood Analyzer, TCP SYN Analyzer, UDP Flood Analyzer, DRDoS Attack Analyzer) read from it.]

Collection Tier

[Diagram: Sniffer-daemon (raw input probing) and Netstat-daemon (kernel probing) feeding the Collector threads: Sniffer Collector, Kernel-info Collector, Post Collector.]

  • Collect Kernel status and Network Traffic
  • Perform preliminary data processing
  • High Performance

Database Tier

[Diagram: detection-parameter record types – Counter, Histogram, Estimator, Scalar (contains the Post Collector estimation) – with Average, Variance and Maximum statistics kept for them.]

Provides access to raw data and statistical properties such as variance and average (short and long term).

Analyzer Tier - General

[Diagram: Analysis threads – ICMP Flood Analyzer, TCP SYN Analyzer, UDP Flood Analyzer, DRDoS Attack Analyzer.]

  • All Analyzers run simultaneously
  • Each analyzer works independently
  • Each analyzer examines and weights relevant parameters
  • For each parameter the analyzer checks changes in time
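As an added illustration of the analyzer-tier rules above (each analyzer weights its parameters and checks their change over time against the short- and long-term statistics the database tier keeps), here is example detection logic for a TCP SYN analyzer that also covers the SYN versus SYN/FIN comparison named in the backup slides. This is not the project's code: the per-interval SYN and FIN counters, the window lengths, the weights and the alert threshold are all assumptions made for the example.

```python
from collections import deque
from statistics import mean, pvariance


class StatTrack:
    """Database-tier style record: a short-term window of the newest samples
    and a long-term window of the samples just before it (the baseline)."""
    def __init__(self, short_len=3, long_len=9):
        self.short_len, self.long_len = short_len, long_len
        self.short, self.long = deque(), deque()

    def add(self, x):
        self.short.append(x)
        if len(self.short) > self.short_len:  # oldest short sample ages into the baseline
            self.long.append(self.short.popleft())
            if len(self.long) > self.long_len:
                self.long.popleft()

    def deviation(self):
        """Short-term mean above the baseline mean, in baseline std devs (0.0 during warm-up)."""
        if len(self.long) < self.long_len:
            return 0.0
        base = mean(self.long)
        # floor the std at 5% of the baseline so a very steady baseline cannot inflate tiny jitter
        std = max(pvariance(self.long) ** 0.5, 0.05 * base, 1e-9)
        return (mean(self.short) - base) / std


class SynFloodAnalyzer:
    """Weights two parameters per interval: SYN count and SYN/FIN ratio (half-open connections)."""
    def __init__(self, weights=(0.6, 0.4), threshold=0.7):
        self.rate, self.ratio = StatTrack(), StatTrack()
        self.w_rate, self.w_ratio = weights
        self.threshold = threshold

    def update(self, syn_count, fin_count):
        """Consume one interval's counters; return (score in [0, 1], alert flag)."""
        self.rate.add(syn_count)
        self.ratio.add(syn_count / max(fin_count, 1))
        # clamp each deviation to [0, 6] sigma and scale it onto [0, 1] before weighting
        r = min(max(self.rate.deviation(), 0.0), 6.0) / 6.0
        q = min(max(self.ratio.deviation(), 0.0), 6.0) / 6.0
        score = self.w_rate * r + self.w_ratio * q
        return round(score, 3), score >= self.threshold


def run(intervals):
    """Feed (syn, fin) counters for consecutive intervals; return (score, alert) per interval."""
    analyzer = SynFloodAnalyzer()
    return [analyzer.update(s, f) for s, f in intervals]


BASELINE = [(18, 18), (20, 20), (22, 22)] * 4  # constructed: 12 quiet intervals, every SYN matched by a FIN
```

A flood interval such as `(600, 20)` appended to `BASELINE` scores 1.0 and alerts, while a legitimate burst `(40, 40)` that completes its handshakes stays well below the threshold because only the rate parameter moves.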

Detection Platform - GUI


IP Spoofing

Faking source of packets

Evaluation – No spoofing

[Diagram: the detection system architecture shown above, annotated "Listen to network comm." for the unspoofed evaluation.]

IP Spoofing

Evaluation – spoofing

[Diagram: the detection system architecture shown above, annotated "spoofed comm." for the spoofed evaluation.]


DoS & DDoS Projects

Analysis Samples


Analysis Example - SYN Attack

[Diagram: lab test topology – hosts A: 192.5.6.66, B: 192.5.6.99, C: 192.5.6.27, D: 223.8.152.9, E: 219.17.101.5; Target: 192.5.6.31; connected through Hub 1, Hub 2 and Hub 3; further addresses shown: 219.17.101.144, 219.17.101.111, 223.8.152.52, 223.8.15.55.]

Data Sources:

  • Attackers’ logs
  • Detection platform analyzers
  • NetAlly© sampling

SYN – Results



DoS & DDoS Projects

Conclusions & Final words


Conclusions & final words
  • Efficient working system
    • Fast response
    • Highly credible
  • Innovations
    • Generic & Scalable approach
    • Integrating several detection methods
    • Academic research capabilities
    • Ability to distinguish between different attack types

[Diagram: the detection system architecture shown above.]

Conclusions & final words (cont.)
  • From detection to protection

The attack-detection platform can be used as a basis for future expansion and academic research in various fields related to network security.


DoS & DDoS Projects

Questions


Innovations
  • Generic & Scalable approach
  • Integrating several detection methods
  • Academic research capabilities
  • Ability to distinguish between different attack types


From detection to protection

Attack Alert

  • Enabling IP hopping
  • Initiated server shutdown

Filtering Indicators

  • Spoofed IP address prefixes
  • Port numbers
  • Protocols

Remote router or firewall configuration


SYN – SYN & SYN/FIN analyzers


SYN – Spoof parameter


SYN flood

Exploits the TCP three-way handshake

(Taken from grc.com site)