Characteristics of Denial of Service attacks on Internet using AGURI
Ryo Kaizaki
Keio Univ., Japan
Jan 02, 2016
Goal: support of network operation against DoS attacks
• There are many DoS (Denial of Service) attacks, e.g. the Slammer worm on 25 Jan.
• There are many types of attacks → AGURI: design & implementation of the traffic profiler
• AGURI
  – single & range target
  – flexible detection
• Observation on the WIDE (AS2500) backbone
• Report of DoS attacks and their characteristics
CNN, 25 Jan 2003
Focus: types of DoS attacks
type              victims
Logic attacks     Application; Operating System
Flooding attacks  Resources of an end node: CPU, memory, network I/F
                  Resources of a router: CPU & I/F, bandwidth
Flooding attacks
[Figure: Attacker, Router A, Router B, Router C, Router D, Server Host A, Host B, Host C]
• Attacker sends massive packets.
• Router C drops packets.
Network operation against flooding attacks
[Figure: same topology (Attacker, Routers A–D, Server Host A, Hosts B and C); Router C drops packets]
1. Detection: is the network in trouble?
2. Detection of victims
3. Attacker's packets: these are the packets!
4. Drop attacker's packets
Filter expression against flooding attacks
• Simple flooding attacks: deny ip hostA port 100 hostB port 200 tcp
  → we can use single expressions.
• Flooding attacks to a company/campus/ISP: deny ip hostA port 100 10.0.0.0/24 port 200 tcp
  → we can use range expressions.
→ best: drop only attacker's packets.
  better: drop some packets including attacker's.
  worst: do nothing.
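The two expression forms above differ only in whether the destination is a single host or a prefix. The following Python is an added illustration, not part of the slides or of AGURI: it parses filter expressions in the slide's own shape (`deny ip <src> port <n> <dst> port <n> <proto>`), applies them first-match-wins to constructed packets, and shows how the range form catches the attacker's packets to every host in the /24 while the single form only catches those to one host. The `any` wildcard, the `permit` action and all addresses are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

@dataclass(frozen=True)
class Rule:
    action: str
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    sport: Optional[int]
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    proto: Optional[str]

def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    # A bare host address becomes a /32; "any" (our extension) matches everything.
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)

def _port(tok: str) -> Optional[int]:
    return None if tok == "any" else int(tok)

def parse_rule(text: str) -> Rule:
    """Parse '<action> ip <src> port <n> <dst> port <n> <proto>' (slide syntax)."""
    t = text.split()
    if len(t) != 9 or t[1] != "ip" or t[3] != "port" or t[6] != "port":
        raise ValueError(f"unrecognised filter expression: {text!r}")
    if t[0] not in ("deny", "permit"):
        raise ValueError(f"unknown action {t[0]!r}")
    return Rule(t[0], _net(t[2]), _port(t[4]), _net(t[5]), _port(t[7]),
                None if t[8] == "any" else t[8])

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.sport is None or rule.sport == pkt.sport)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.proto is None or rule.proto == pkt.proto))

def apply_rules(rules: List[Rule], packets: List[Packet],
                default: str = "permit") -> List[Tuple[Packet, str]]:
    """First matching rule decides; unmatched packets get the default action."""
    out = []
    for pkt in packets:
        action = default
        for r in rules:
            if matches(r, pkt):
                action = r.action
                break
        out.append((pkt, action))
    return out

def dropped(rules: List[Rule], packets: List[Packet]) -> List[Packet]:
    return [p for p, a in apply_rules(rules, packets) if a == "deny"]

# Constructed traffic: attacker 192.0.2.10 floods hosts in 198.51.100.0/24.
TRAFFIC = [
    Packet("192.0.2.10", 100, "198.51.100.7", 200, "tcp"),   # attack flow to host .7
    Packet("192.0.2.10", 100, "198.51.100.7", 200, "tcp"),
    Packet("192.0.2.10", 100, "198.51.100.9", 200, "tcp"),   # same attacker, host .9
    Packet("203.0.113.5", 4000, "198.51.100.9", 200, "tcp"), # unrelated client
    Packet("192.0.2.10", 100, "198.51.100.7", 200, "udp"),   # protocol differs
]
SINGLE_RULE = "deny ip 192.0.2.10 port 100 198.51.100.7 port 200 tcp"
RANGE_RULE = "deny ip 192.0.2.10 port 100 198.51.100.0/24 port 200 tcp"

if __name__ == "__main__":
    for text in (SINGLE_RULE, RANGE_RULE):
        print(text, "->", len(dropped([parse_rule(text)], TRAFFIC)), "packets dropped")
```

The single expression drops two of the five packets (both to host .7); the range expression also drops the attacker's packet to host .9, while the unrelated client and the UDP packet pass under both.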
Type of attacks (simple flooding attacks)
[Table: 5-tuple elements (source IP address, destination IP address, source port number, destination port number, protocol) against target kind (single / range / random)]
Type of attacks (port scan)
[Table: same 5-tuple elements against target kind (single / range / random)]
Type of attacks (attacks to network)
[Table: same 5-tuple elements against target kind (single / range / random)]
Type of attacks (source spoofing)
[Table: same 5-tuple elements against target kind (single / range / random)]
Types of attacks
• There are many types of attacks
  – no characteristics in the source IP address
  – no characteristics in the destination port number
  – characteristics of the destination IP address only as a range
→ monitoring attacks requires various points of view
General methods
• Rule-based matches
  – rule-based matches with pre-defined rule sets
  (ex) IDS
• Flow-based aggregation (single)
  (ex) Cflowd, Netboy
• AS-based aggregation (range)
  – Skitter (arts++)
AGURI's concept
• Break the 5-tuple into its elements
  – enables detection of flooding attacks using the characteristics of one element
• Aggregate each element
  – enables detection of flooding attacks on
    • a single target
    • a range target
Design of AGURI
• Put address information on a binary tree structure
[Figure: binary tree]
                  10.0.0.0/29
            /                    \
      10.0.0.0/30            10.0.0.4/30
     /   |   |   \          /   |   |   \
   .0   .1  .2   .3       .4   .5  .6   .7
Design of AGURI
• Patricia tree
• LRU
• threshold
AGURI’s output
[src address] 4992392382 (100.00%)
0.0.0.0/0 87902964 (1.76%/100.00%)
60.0.0.0/6 97928228 (1.96%/3.00%)
62.52.0.0/16 51875058 (1.04%/1.04%)
64.0.0.0/8 100831910 (2.02%/3.51%)
64.0.0.0/9 74610984 (1.49%/1.49%)
128.0.0.0/2 142349668 (2.85%/13.33%)
133.0.0.0/8 69142535 (1.38%/1.38%)
150.65.136.91 54123094 (1.08%)
: : :
• profiles: src_adr, dst_adr, src_port, dst_port
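The output above lists each surviving tree node as `prefix count (own% / subtree%)`: small counters are folded into their parent until the prefix carries at least a threshold share of all traffic. The following Python is an added example, not AGURI's code: it re-implements that roll-up in a simplified form (a plain bottom-up pass over prefix lengths on a batch of per-address counts, rather than AGURI's Patricia tree with LRU replacement on a live stream) and prints a profile in the same shape as the slide. The sample counts are constructed, and the 10% threshold is an assumption.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: packets counted per source address.
SAMPLE_COUNTS: Dict[str, int] = {"192.0.2.7": 550}                 # one heavy single source
SAMPLE_COUNTS.update({f"10.1.{x}.1": 15 for x in range(8)})         # 8 small sources in 10.1.0.0/21
SAMPLE_COUNTS.update({f"172.16.5.{k}": 35 for k in range(8)})       # 8 sources spanning two /30s
SAMPLE_COUNTS.update({"198.51.100.5": 25, "203.0.113.9": 25})       # background noise

def _mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF

def aggregate(addr_counts: Dict[str, int], threshold: float
              ) -> Tuple[List[Tuple[ipaddress.IPv4Network, int, int]], int]:
    """Roll /32 counters up the prefix tree until each kept entry holds at least
    `threshold` (a fraction) of the total. Returns ([(network, own, subtree)], total)
    in pre-order, i.e. the order AGURI prints its tree."""
    total = sum(addr_counts.values())
    min_count = threshold * total
    level: Dict[int, Counter] = {32: Counter()}
    for ip, n in addr_counts.items():
        level[32][int(ipaddress.ip_address(ip))] += n
    kept: Dict[Tuple[int, int], int] = {}
    for plen in range(32, 0, -1):
        level.setdefault(plen - 1, Counter())
        for prefix, n in level[plen].items():
            if n >= min_count:
                kept[(prefix, plen)] = n            # big enough: becomes an entry
            else:
                level[plen - 1][prefix & _mask(plen - 1)] += n   # fold into parent
    kept[(0, 0)] = level[0].get(0, 0)              # root collects whatever never qualified
    nets = {k: ipaddress.ip_network(k) for k in kept}
    rows = []
    for k, own in kept.items():
        sub = sum(v for j, v in kept.items() if nets[j].subnet_of(nets[k]))
        rows.append((nets[k], own, sub))
    rows.sort(key=lambda r: (int(r[0].network_address), r[0].prefixlen))
    return rows, total

def format_profile(rows, total: int, label: str = "src address") -> List[str]:
    """Render rows like the slide: single hosts show own%, prefixes own%/subtree%."""
    lines = [f"[{label}] {total} (100.00%)"]
    for net, own, sub in rows:
        if net.prefixlen == 32:
            lines.append(f"{net.network_address} {own} ({100 * own / total:.2f}%)")
        else:
            lines.append(f"{net} {own} ({100 * own / total:.2f}%/{100 * sub / total:.2f}%)")
    return lines

if __name__ == "__main__":
    rows, total = aggregate(SAMPLE_COUNTS, 0.10)
    print("\n".join(format_profile(rows, total)))
```

With the sample data the eight 10.1.x.1 sources, each far below the threshold, surface as one 10.1.0.0/21 entry, the 172.16.5.x sources stop aggregating as soon as a /30 qualifies, the two isolated noise sources end up in the root's own count, and 192.0.2.7 stays a single-host entry. That is the single-versus-range view the slides rely on.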
Measurement on WIDE backbone
• Data A: 9 months
• Data B: 3 months
• Data C: 15 months
[Figure: WIDE backbone topology (JP-US link, Switch A, Switch B, Router A, Router B, Router C, ISP links) with the capture points for Data A, Data B and Data C]
Characteristic of attacks in time series
(result 1) Source spoofing attacks
[Figure: time series of the destination address profile, showing host 1, host 2 and host 3]
[Figure: time series of the destination address profile, showing host 1]
[Figure: time series of the source IP address profile, showing 128.0.0.0/2]
→ drop packets whose destination IP address is the victim
[Table: 5-tuple elements (source IP address, destination IP address, source port number, destination port number, protocol) against target kind (single / range / random)]
(result 2) Port scan
[ip:proto:dstport] 10933438650 (100.00%)
0/0:0:0 50394643 (0.46%/100.00%)
4:6:0/0 123970078 (1.13%/96.16%)
4:6:0/3 136730580 (1.25%/95.03%)
4:6:0/10 110321675 (1.01%/51.22%)
4:6:0/12 180612063 (1.65%/11.77%)
4:6:2 220337940 (2.02%)
4:6:5 220259760 (2.01%)
4:6:8 224630700 (2.05%)
4:6:11 220901820 (2.02%)
:
:
4:6:104 229349040 (2.10%)
4:6:107 220964460 (2.02%)
4:6:110 221768098 (2.03%)
4:6:119 213498789 (1.95%)
• IPv4, TCP, dst port
• Begins at port number 2, increments by 3
(result 2) Port scan attack
→ drop packets by port / destination in range
[Table: 5-tuple elements (source IP address, destination IP address, source port number, destination port number, protocol) against target kind (single / range / random)]
(result 3) Slammer worm
[Figure: source IP address profile, showing 128.0.0.0/3]
[Figure: destination IP address profile, showing 128.0.0.0/1]
[Figure: destination port number profile, showing 4:17:1434]
→ drop any any eq 1434 udp
[Table: 5-tuple elements (source IP address, destination IP address, source port number, destination port number, protocol) against target kind (single / range / random)]
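Results 1 to 3 are read off the profiles by eye: a range entry carrying a large share on its own (spoofed sources spread over 128.0.0.0/2), a run of exact destination ports with near-equal shares stepping by 3 (the port scan), and one exact port dominating (4:17:1434 for Slammer). The following Python is an added example, not AGURI's code: it parses profile blocks in the output format the slides show and applies those three readings as checks. The profile text, the percentage thresholds and the `tol`/`min_ports` parameters are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One profile line: "<key> <count> (<own>%[/<cumulative>%])"
LINE = re.compile(r"^(\S+)\s+(\d+)\s+\((\d+\.\d+)%(?:/(\d+\.\d+)%)?\)$")
HEADER = re.compile(r"^\[(.+)\]\s+(\d+)\s+\(100\.00%\)$")

@dataclass(frozen=True)
class Entry:
    key: str                  # e.g. "4:6:2", "4:6:0/6", "128.0.0.0/2", "198.51.100.7"
    count: int
    own_pct: float            # this entry's own share
    cum_pct: Optional[float]  # subtree share; None marks a single (leaf) entry

def parse_profile(text: str) -> Tuple[str, int, List[Entry]]:
    """Return (label, total, entries) for one AGURI-style profile block."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    h = HEADER.match(lines[0])
    if not h:
        raise ValueError(f"missing profile header: {lines[0]!r}")
    entries = []
    for l in lines[1:]:
        m = LINE.match(l)
        if not m:
            raise ValueError(f"unparsable profile line: {l!r}")
        key, count, own, cum = m.groups()
        entries.append(Entry(key, int(count), float(own), float(cum) if cum else None))
    return h.group(1), int(h.group(2)), entries

def heavy_singles(entries: List[Entry], min_pct: float) -> List[str]:
    """Single targets (one host or one port) carrying at least min_pct of traffic."""
    return [e.key for e in entries if e.cum_pct is None and e.own_pct >= min_pct]

def heavy_ranges(entries: List[Entry], min_own_pct: float) -> List[str]:
    """Range entries whose *own* share is large: traffic spread over many members
    that individually never reach the aggregation threshold (result 1's spoofing view)."""
    return [e.key for e in entries if e.cum_pct is not None and e.own_pct >= min_own_pct]

def port_sweep(entries: List[Entry], min_ports: int = 4, tol: float = 0.5) -> Optional[dict]:
    """For a dstport profile: the largest group of exact ports whose shares lie within
    `tol` percentage points of each other; report them and their step if it is constant."""
    singles = sorted(((int(e.key.rsplit(":", 1)[1]), e.own_pct)
                      for e in entries if e.cum_pct is None), key=lambda x: x[1])
    best, j = [], 0
    for i in range(len(singles)):
        while singles[i][1] - singles[j][1] > tol:
            j += 1
        if i - j + 1 > len(best):
            best = singles[j:i + 1]
    if len(best) < min_ports:
        return None
    ports = sorted(p for p, _ in best)
    steps = {b - a for a, b in zip(ports, ports[1:])}
    return {"ports": ports, "step": steps.pop() if len(steps) == 1 else None}

# Constructed profiles in the slides' output format (not real measurements).
PORT_PROFILE = """
[ip:proto:dstport] 1000 (100.00%)
0/0:0:0 10 (1.00%/100.00%)
4:6:0/0 40 (4.00%/69.00%)
4:6:0/6 100 (10.00%/65.00%)
4:6:2 30 (3.00%)
4:6:5 31 (3.10%)
4:6:8 29 (2.90%)
4:6:11 30 (3.00%)
4:6:14 30 (3.00%)
4:6:22 200 (20.00%)
4:6:80 200 (20.00%)
4:17:1434 300 (30.00%)
"""
SRC_PROFILE = """
[src address] 1000 (100.00%)
0.0.0.0/0 30 (3.00%/100.00%)
128.0.0.0/2 450 (45.00%/45.00%)
198.51.100.7 520 (52.00%)
"""

if __name__ == "__main__":
    _, _, ports = parse_profile(PORT_PROFILE)
    print("heavy single ports:", heavy_singles(ports, 25))
    print("port sweep:", port_sweep(ports))
    _, _, srcs = parse_profile(SRC_PROFILE)
    print("heavy source ranges:", heavy_ranges(srcs, 20))
```

On the constructed port profile the sweep check isolates ports 2, 5, 8, 11 and 14 (step 3) even though ports 22 and 80 carry far more traffic, and the single-target check surfaces 4:17:1434; on the source profile the range check surfaces 128.0.0.0/2, whose own share is large while no single member appears. Those are exactly the entries an operator would turn into the filter expressions shown in the results.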
Conclusion
• Flooding attacks: use up network resources
• AGURI
  – can detect attacks from single target to range target
• Measurement on WIDE backbone
• Detect many types of flooding attacks
  – drop flooding attack's packets at routers