D-WARD: DDoS Network Attack Recognition and Defense - PowerPoint PPT Presentation

Presentation Transcript
D-WARD: DDoS Network Attack Recognition and Defense

PhD Qualifying Exam

Jelena Mirković

PhD Advisor: Peter Reiher

01/23/2002

Design and implement DDoS defense system
  • located at source network
  • autonomously detects and stops attacking flows
  • does not affect legitimate flows

2/39

Overview
  • Problem Statement
  • Related Work
  • Desirable Characteristics
  • D-WARD
  • Thesis Goals
  • Conclusion

3/39

What is a DoS Attack?

4/39

Problem Statement Related Work  Desirable Characteristics  D-WARD  Thesis Goals  Conclusion

What is a DDoS Attack?

5/39

DDoS Defense Problem

  • Large number of unwitting participants
  • No common characteristics of DDoS streams
  • No administrative domain cooperation
  • Automated tools
  • Hidden identity of participants
  • Persistent security holes on the Internet

6/39

DDoS Prevention

  • Compromise prevention
    • security patches
    • virus detection programs
    • intrusion detection systems (IDS)

High deployment cannot be enforced

7/39

DDoS Defense

[Diagram of defense deployment points, labelled SOURCE NETWORK, INTERMEDIATE NETWORK and VICTIM NETWORK]

8/39

Victim Network

  • Intrusion Detection Systems
  • On-off control approach
  • Router monitoring tools (CISCO)

+ Victim can successfully detect the attack

- Victim is helpless if the attack consists of legitimate packets or the attack is of large volume

9/39

Intermediate Network

  • WATCHERS
  • Traceback
  • Pushback
  • Spoofing prevention

+ Routers can effectively constrain/trace the attack

- Possible performance degradation

- Interdomain politics of isolation

- Attack detection is hard

- Communication has to be secured

10/39

Source Network

  • MULTOPS

+ Source routers can effectively constrain/trace the attack

+ Internet resources are preserved

- Attack detection is hard

- Many deployment points needed for high efficacy

11/39

Desirable Characteristics

  • High security
  • Reliable attack detection
  • Independent detection and response
  • Low performance cost
  • Incremental benefit with incremental deployment
  • Handle recurring attacks
  • Traceback
  • Cooperation

[The slide marks each characteristic as REQUIRED or OPTIONAL; the split is not recoverable from the transcript]

12/39

D-WARD

  • DDoS defense system in Source Network
  • Source Router detects attack and responds
  • Monitors the two-way traffic
  • Suspect flows are rate-limited
  • Further observations lead to decrease or increase of rate-limit

13/39

System Architecture

[Architecture diagram: the SOURCE ROUTER sits between the SOURCE NETWORK and the INTERNET. An OBSERVATION COMPONENT gathers TRAFFIC STATISTICS into a STATISTICS CACHE, compares them against a MODEL CACHE, and performs CLASSIFICATION into NORMAL, TRANSIENT or ATTACK; a THROTTLING COMPONENT applies RATE LIMIT RULES]

14/39

Statistics Gathering

  • Statistics help discover difficulties
  • Only IP header data is used
  • Statistics classified per peer IP address
  • Statistics cache size is limited and the cache is purged periodically:
    • Records for normal flows deleted
    • Records for transient and attack flows reset

15/39

Traffic Models

  • TCP requires proportional reverse flow
  • Non-TCP traffic requires NO reverse flow
  • Non-TCP servers usually send constant amount of packets/Bytes per second to a given peer

16/39

Traffic Models

  • Model of normal TCP traffic:
    • low ratio of sent packets to received packets
  • Model of normal non-TCP traffic:
    • mean and standard deviation of the number of sent packets/Bytes for a given destination
  • Non-TCP models created in training phase

17/39

Flow Classification

  • Comparison with models of normal traffic
    • compliant - within limits of the model
    • attack - outside of model limits
  • Well behaved or not
    • normal - well-behaved compliant flows
    • transient - non well-behaved compliant flows

18/39

Throttling Component

  • ATTACK: Exponential decrease
  • TRANSIENT: Slow recovery, linear increase
  • NORMAL: Fast recovery, exponential increase

19/39
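The slides on statistics gathering, traffic models, flow classification and throttling describe one pipeline: per-peer counters from IP headers, a model check (sent/received ratio for TCP, mean and standard deviation of volume for non-TCP), a NORMAL / TRANSIENT / ATTACK label, and a rate limit that decreases exponentially on ATTACK, recovers linearly on TRANSIENT and exponentially on NORMAL. The Python below is an added illustration of that pipeline, not D-WARD's own code; the thresholds, rate-limit constants, the "well-behaved after three compliant intervals" rule, the treatment of unmodelled non-TCP peers and the packet trace are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed constants, constructed for this example (not taken from the slides).
TCP_MAX_RATIO = 3.0            # sent/received packet ratio above this breaks the TCP model
NONTCP_SIGMAS = 3.0            # non-TCP bytes above mean + k*stddev break the model
WELL_BEHAVED_INTERVALS = 3     # compliant intervals needed before a flow counts as NORMAL
MIN_RATE = 1_000.0             # floor of the rate limit (bytes/s)
MAX_RATE = 1_000_000.0         # "no limit" ceiling (bytes/s)
DECREASE_FACTOR = 0.5          # ATTACK: exponential decrease
LINEAR_STEP = 50_000.0         # TRANSIENT: slow linear recovery
INCREASE_FACTOR = 2.0          # NORMAL: fast exponential recovery


@dataclass
class FlowRecord:
    """Statistics cache entry, keyed by peer IP; only IP-header-derived counts."""
    peer: str
    proto: str                      # "tcp" or a non-TCP protocol such as "udp"
    sent_pkts: int = 0
    recv_pkts: int = 0
    sent_bytes: int = 0
    state: str = "transient"        # normal | transient | attack
    compliant_streak: int = 0
    rate_limit: float = MAX_RATE


def train_nontcp_model(byte_samples):
    """Training phase: mean and std dev of bytes sent per interval to one peer."""
    return mean(byte_samples), pstdev(byte_samples)


def is_compliant(rec, nontcp_models):
    """Compare one interval against the model of normal traffic (compliant vs attack)."""
    if rec.proto == "tcp":
        # TCP requires a proportional reverse flow: bound the sent/received ratio.
        return rec.sent_pkts / max(rec.recv_pkts, 1) <= TCP_MAX_RATIO
    # Non-TCP traffic needs no reverse flow; compare the volume with the trained model.
    model = nontcp_models.get(rec.peer)
    if model is None:
        return True                 # assumption: unmodelled peers are treated as compliant
    mu, sigma = model
    return rec.sent_bytes <= mu + NONTCP_SIGMAS * sigma


def classify(rec, nontcp_models):
    """ATTACK outside model limits; compliant flows are NORMAL only once well behaved."""
    if not is_compliant(rec, nontcp_models):
        rec.compliant_streak = 0
        rec.state = "attack"
    else:
        rec.compliant_streak += 1
        well_behaved = rec.compliant_streak >= WELL_BEHAVED_INTERVALS
        rec.state = "normal" if well_behaved else "transient"
    return rec.state


def throttle(rec):
    """Rate-limit rules: exponential decrease, linear recovery, exponential recovery."""
    if rec.state == "attack":
        rec.rate_limit = max(MIN_RATE, rec.rate_limit * DECREASE_FACTOR)
    elif rec.state == "transient":
        rec.rate_limit = min(MAX_RATE, rec.rate_limit + LINEAR_STEP)
    else:
        rec.rate_limit = min(MAX_RATE, rec.rate_limit * INCREASE_FACTOR)
    return rec.rate_limit


def end_of_interval(rec, nontcp_models):
    """Classify, adjust the limit, then clear the counters for the next observation."""
    state = classify(rec, nontcp_models)
    limit = throttle(rec)
    rec.sent_pkts = rec.recv_pkts = rec.sent_bytes = 0
    return state, limit


def purge_cache(cache):
    """Periodic purge: normal-flow records are deleted, transient/attack ones are reset."""
    for peer in list(cache):
        rec = cache[peer]
        if rec.state == "normal":
            del cache[peer]
        else:
            rec.sent_pkts = rec.recv_pkts = rec.sent_bytes = 0   # state and limit persist
    return cache


def simulate(intervals, proto="tcp", nontcp_models=None, peer="203.0.113.7"):
    """Feed constructed per-interval (sent_pkts, recv_pkts, sent_bytes) counts through one flow."""
    rec = FlowRecord(peer=peer, proto=proto)
    history = []
    for sent, recv, nbytes in intervals:
        rec.sent_pkts, rec.recv_pkts, rec.sent_bytes = sent, recv, nbytes
        history.append(end_of_interval(rec, nontcp_models or {}))
    return history


if __name__ == "__main__":
    # Constructed TCP trace: normal exchange, a one-sided flood, then recovery.
    trace = [(100, 50, 0)] * 3 + [(1000, 10, 0)] + [(1000, 0, 0)] * 2 + [(100, 50, 0)] * 5
    for i, (state, limit) in enumerate(simulate(trace), 1):
        print(f"interval {i:2d}: {state:9s} rate limit {limit:>10.0f} B/s")
```

Running the trace shows the asymmetry the slides call out: three attack intervals halve the limit from 1,000,000 to 125,000 B/s, while the flow then needs several compliant intervals of slow linear recovery before it is trusted enough for the fast exponential recovery to kick in. That is also where the "legitimate TCP connections from the source network are slowed down" result comes from, since a legitimate flow that shares a peer with an attacker inherits the same record and the same limit.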

Experiment 1

[Experiment topology diagram: nodes CLIENT, ATTACKER, ROUTER, VICTIM, ATTACKER]

20/39

[Result plot with markers: attack starts, attack stops]

21/39

[Result plot with markers: attack starts, attack stops]

22/39

Experiment 2

[Experiment topology diagram: nodes CLIENT, ATTACKER, ROUTER, VICTIM, ATTACKER]

23/39

[Result plot with markers: legitimate traffic starts, attack starts, attack stops]

24/39

[Result plot with markers: legitimate traffic starts, FTP starts, attack starts, attack stops]

25/39

Experiment 3

[Experiment topology diagram: nodes CLIENT, ATTACKER, ROUTER, VICTIM, ATTACKER]

26/39

[Result plot with markers: legitimate traffic starts, FTP starts, attack starts, attack stops]

27/39

[Result plot with markers: attack starts, attack stops]

28/39

Experiment 4

[Experiment topology diagram: nodes CLIENT, ATTACKER, ROUTER, VICTIM, ATTACKER]

29/39

[Result plot with markers: attack starts, attack stops]

30/39

[Result plot with markers: attack starts, attack stops]

31/39

Summary of Results

  • D-WARD successfully detects and stops attacks
  • Legitimate clients from other domains benefit greatly
  • System is friendly to non-TCP traffic
  • Legitimate TCP connections from source network are slowed down
  • There is no fairness guarantee to normal flows

32/39

Attack Detection

  • Choice of monitored parameters:
    • reliability vs performance
    • separating legitimate from attack flows
  • Creation and update of models
  • Cooperation with other Source Routers
  • Cooperation with the victim
  • Recurring attacks

33/39

Attack Response

  • Effectiveness vs fairness of response
    • aggressiveness should depend on reliability of classification
    • design of feedback mechanism
  • Traceback of the attack
  • Interaction of multiple DDoS defense systems

34/39

Security

  • Attackers follow developments in security
  • Attackers could attempt to avoid detection:
    • pulsing attacks
    • generating reverse packets
    • gradually use up victim’s resources
    • mistrain models
  • Attackers could attempt to misuse the system:
    • drop legitimate packets
  • Attackers might DDoS Source Router

35/39

Partial Deployment

  • Effectiveness depends on degree of deployment
  • Does not protect deploying network so motivation is low
  • Legal factors could help
  • Additional incentive:
    • minimal changes to existing routers
    • low cost
    • good performance

36/39

Deployment on Core Routers

  • Large coverage with less deployment points
  • Router performance must not be degraded
  • Rate limit has impact on a large portion of flows, so few false positives are a must

37/39

Timeline

[Timeline chart spanning Year 1 and Year 2 (Jan, Apr, Jul, Oct), with twelve numbered tasks (1 to 12) placed along it; task names are not recoverable from the transcript]

38/39

Conclusions

  • DDoS attacks are a serious threat
  • Designing an effective detection and response strategy is a must
  • D-WARD successfully detects and constrains the attacks but has undesired impact on legitimate flows
  • Further research needed to refine the system and devise a deployment strategy

39/39
