High Performance Research Network Development Lab. / Supercomputing Center
Design of the Detection and Response System against DDoS attacks
Yoonjoo Kwon, [email protected]
High Performance Research Network Dept., Supercomputing Center, KISTI
Design of the Detection and Response System against DDoS attacks
Attack tools have become more sophisticated as time has passed.
As an ISP, we need to respond to DDoS attacks in order to protect network users and network resources.
Attack tools over time
[Chart, source CERT/CC: from 1980 to 2001 the intruder knowledge needed to attack falls from high to low while attack sophistication rises. Tools in chronological order: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI, automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]
DDoS Activities (in KREONET)
[KREONET topology map: Daejeon (SuperSIReN) and Seoul; link speeds 10 Gbps, 10 Gbps and 40 Gbps.]
We have monitored the amount of network traffic in KREONET using FlowScan and FlowScan+. DDoS attacks are detected continuously. Since Jan. 25, 2003 (the day of the SQL Slammer outbreak), various worms that include DDoS features have shown up frequently. So far, the reaction has been done by manual configuration, so we concluded that an automatic DDoS detection and response system is needed.
[FlowScan graphs: UDP flooding, TCP flooding.]
Our System
DDR system: DDoS Detection and Response system
The DDR system uses NetFlow data. Its functions are:
• to detect DDoS attacks
• to trace back DDoS agents
• to control DDoS traffic
Overview of DDR system
[Diagram: DDoS Agents send attack traffic toward the Victim. DDR Agents at the routers analyze NetFlow data and report (Victim IP, Attack Direction, Target Protocol) to the DDR Server (DDIP), which applies Rate Limit on the routers along the attack path.]
Components of DDR system
DDR Agent
• Analyzes NetFlow data
• Checks for DDoS attack
• Sends information of D
DDoS Detection Algorithm of DDR Agent
Two-level tests for DDoS detection:
Level 1 Test: whether the current flow is abnormal or not
Level 2 Test: whether the flow trend is a DDoS attack or not
Level 1 criterion: are the network connections to one destination, or from one source, more than 85% of the current flows?
[Abnormal traffic models: two charts of the number of flows per protocol over time. Final standard of judgement on a DDoS attack: the number of inbound flows versus the number of outbound flows over time.]
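As an added example (not the DDR system's own code), here is how a practitioner might implement the two-level test over NetFlow-style records. Level 1 uses the 85% figure from the slide. The Level 2 criteria are my assumptions modelled on the two charts: the number of flows toward the suspected victim must surge against the previous windows, and inbound flows must far outnumber outbound ones. The record format, the window size, the thresholds and the sample traffic are all constructed for the example.

```python
"""Two-level DDoS test over NetFlow-style records (added example, not KISTI code).

Assumptions not on the slides: the record format, the 10 s window, and the
Level 2 thresholds (growth factor and inbound:outbound asymmetry).
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int        # export time in seconds
    src: str
    dst: str
    proto: str     # "tcp" / "udp" / "icmp"
    inbound: bool  # True if the flow entered the monitored network


def level1_test(flows, share=0.85):
    """Level 1: is one destination or one source responsible for more than
    `share` of the current flows?  Returns (is_abnormal, victim_ip, direction)."""
    if not flows:
        return (False, None, None)
    n = len(flows)
    dst, dst_count = Counter(f.dst for f in flows).most_common(1)[0]
    src, src_count = Counter(f.src for f in flows).most_common(1)[0]
    if dst_count / n > share:
        return (True, dst, "to")
    if src_count / n > share:
        return (True, src, "from")
    return (False, None, None)


def by_window(flows, window):
    """Bucket flows into fixed-size time windows, in time order, keeping empty
    windows so that a quiet baseline is seen as zero rather than skipped."""
    buckets = {}
    for f in flows:
        buckets.setdefault(f.ts // window, []).append(f)
    lo, hi = min(buckets), max(buckets)
    return [buckets.get(k, []) for k in range(lo, hi + 1)]


def level2_test(flows, victim, window=10, history=3, growth=5.0, asymmetry=10.0):
    """Level 2: is the trend of flows involving `victim` consistent with a DDoS?
    Assumed criteria: flows in the latest window are `growth` times the average
    of the previous `history` windows, and inbound flows outnumber outbound
    flows `asymmetry`:1 (a flood from spoofed sources produces no replies)."""
    windows = by_window(flows, window)
    if len(windows) < history + 1:
        return (False, None)
    recent = [[f for f in w if victim in (f.src, f.dst)] for w in windows[-(history + 1):]]
    *past, last = recent
    if not last:
        return (False, None)
    baseline = sum(len(w) for w in past) / history
    inbound = sum(f.inbound for f in last)
    outbound = len(last) - inbound
    proto = Counter(f.proto for f in last).most_common(1)[0][0]
    surged = baseline == 0 or len(last) / baseline >= growth
    one_way = inbound >= asymmetry * max(outbound, 1)
    return (surged and one_way, proto)


def ddr_agent_check(flows, window=10):
    """Run both tests on the latest window and return what the agent would
    report to the DDR server: (victim_ip, attack_direction, target_protocol),
    or None when no attack is judged to be in progress."""
    current = by_window(flows, window)[-1]
    abnormal, victim, direction = level1_test(current)
    if not abnormal:
        return None
    is_ddos, proto = level2_test(flows, victim, window)
    if not is_ddos:
        return None
    return (victim, direction, proto)


def sample_flows():
    """Constructed sample: four windows of balanced web traffic, with a UDP flood
    from many spoofed sources toward 203.230.7.205 (the victim address used in
    the slides' test environment) arriving in the last window."""
    flows = []
    for w in range(4):
        for i in range(20):
            flows.append(Flow(w * 10 + i % 10, f"10.0.{w}.{i}", f"192.0.2.{i}", "tcp", True))
            flows.append(Flow(w * 10 + i % 10, f"192.0.2.{i}", f"10.0.{w}.{i}", "tcp", False))
    for i in range(600):
        flows.append(Flow(30 + i % 10, f"198.51.100.{i % 254 + 1}", "203.230.7.205", "udp", True))
    return flows


if __name__ == "__main__":
    print(ddr_agent_check(sample_flows()))                              # flood window
    print(ddr_agent_check([f for f in sample_flows() if f.ts < 30]))    # quiet windows only
```

The asymmetry check is what separates a flood from a merely busy server: a real client population produces return flows, while a spoofed UDP flood does not. In production the agent would read NetFlow v5 exports, which also carry the input interface index that the traceback stage needs, rather than an in-memory list.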
Traceback : Finding DDoS agents
1. Start at the router which detected the DDoS attack.
2. For that router, identify the interfaces on which the attack flow came in.
3. For each input interface, identify the remote router (this requires knowing the topology).
4. For each remote router, repeat until the DDR Server reaches an edge router.
5. Apply the rate-limit command to the edge routers.
[Traceback illustrated on the KREONET map: Daejeon, Seoul.]
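The traceback walk, as an added example that is not the DDR Server's own code: the topology, the per-router NetFlow-style records and the agent addresses are constructed, and the generated Cisco IOS CAR configuration uses the real `access-list` / `rate-limit input access-group` syntax but an assumed ACL number and assumed rate and burst values.

```python
"""Traceback from the detecting router to the edge routers, then emit the
rate-limit configuration (added example, not KISTI's DDR Server code)."""
from collections import defaultdict, namedtuple

FlowRecord = namedtuple("FlowRecord", "router input_if src dst proto")

# Constructed topology (not KREONET's real one): router -> {input interface:
# router on the far end}.  None marks an interface facing a peer or customer
# network, i.e. the router is an edge router for that interface.
TOPOLOGY = {
    "core-seoul":     {"Gi0/1": "core-daejeon", "Gi0/2": "edge-seoul-1"},
    "core-daejeon":   {"Gi0/1": "edge-daejeon-1", "Gi0/2": "edge-daejeon-2", "Gi0/3": "core-seoul"},
    "edge-seoul-1":   {"Fa1/0": None, "Fa1/1": None, "Gi0/0": "core-seoul"},
    "edge-daejeon-1": {"Fa1/0": None, "Gi0/0": "core-daejeon"},
    "edge-daejeon-2": {"Fa1/0": None, "Gi0/0": "core-daejeon"},
}

VICTIM = "203.230.7.205"  # victim address from the slides' test environment

# Constructed NetFlow-style records reported by each router's DDR agent:
# three agents flood the victim with UDP; one unrelated flow is included
# to show that only flows toward the victim are followed.
FLOWS = [
    FlowRecord("core-seoul", "Gi0/1", "198.51.100.7", VICTIM, "udp"),
    FlowRecord("core-seoul", "Gi0/2", "198.51.100.20", VICTIM, "udp"),
    FlowRecord("core-seoul", "Gi0/2", "198.51.100.21", VICTIM, "udp"),
    FlowRecord("core-daejeon", "Gi0/1", "198.51.100.7", VICTIM, "udp"),
    FlowRecord("core-daejeon", "Gi0/2", "10.9.9.9", "192.0.2.50", "tcp"),
    FlowRecord("edge-daejeon-1", "Fa1/0", "198.51.100.7", VICTIM, "udp"),
    FlowRecord("edge-seoul-1", "Fa1/0", "198.51.100.20", VICTIM, "udp"),
    FlowRecord("edge-seoul-1", "Fa1/1", "198.51.100.21", VICTIM, "udp"),
]


def traceback(detecting_router, victim, flows, topology):
    """Walk upstream from the detecting router along the input interfaces that
    carry flows toward `victim`.  Returns {edge_router: [ingress interfaces]}.
    Source addresses are never consulted, so spoofing does not mislead the walk."""
    found = defaultdict(set)
    visited = set()
    stack = [detecting_router]
    while stack:
        router = stack.pop()
        if router in visited:          # guards against loops in the topology
            continue
        visited.add(router)
        attack_ifaces = {f.input_if for f in flows if f.router == router and f.dst == victim}
        for iface in attack_ifaces:
            upstream = topology[router].get(iface)
            if upstream is None:
                found[router].add(iface)   # attack entered our network here
            else:
                stack.append(upstream)
    return {r: sorted(ifaces) for r, ifaces in found.items()}


def rate_limit_config(router, ifaces, victim, proto, acl=150, bps=64000, burst=8000):
    """Cisco IOS CAR configuration for one edge router.  The ACL number, rate
    and burst sizes are assumed values for the example."""
    lines = [f"access-list {acl} permit {proto} any host {victim}"]
    for iface in ifaces:
        lines.append(f"interface {iface}")
        lines.append(f" rate-limit input access-group {acl} {bps} {burst} {burst} "
                     "conform-action transmit exceed-action drop")
    return lines


if __name__ == "__main__":
    edges = traceback("core-seoul", VICTIM, FLOWS, TOPOLOGY)
    for router, ifaces in sorted(edges.items()):
        print(f"! {router}")
        print("\n".join(rate_limit_config(router, ifaces, VICTIM, "udp")))
```

Rate limiting by ACL at the edge keeps the victim's link usable while still letting some legitimate traffic to the victim through; a complete drop would finish the attacker's job for them. The same traceback result is what lets the operator identify the peer network behind each edge interface and contact them.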
Traceback: After finding DDoS agents
• We know where the traffic came from.
• We can filter the traffic at the ingress if we need to.
• We can identify the peer network and contact them.
Test Environment
Cross traffic: UDP 19.0 Mbps (iperf)
DDoS attack tool: flitz
Number of DDoS agents: 3
RTT/loss test between 'Site P' and 'Site Q'
Router: Cisco 7200 series, IOS 12.3
[Diagram: DDoS Agents, DDR Agents, Victim (203.230.7.205), DDIP / DDR Server, Rate Limit; Site P and Site Q in ISP A and ISP B; RTT/Loss Test between the sites; link speeds 25 Mbps and 1 Gbps.]
Test Results (skping)

Phase                      Loss     RTT
Normal                     0%       1.23 ms
DDoS attack                30.9%    190.15 ms
DDoS attack (2nd sample)   8.73%    189.98 ms
After starting DDR system  0%       4.65 ms
Summary
• DDoS attacks appear continuously.
• We developed the DDR system using NetFlow data.
• We obtained test results in a test environment.
Future Plans
We plan to:
• deploy the DDR system on the STAR TAP international link
• deploy the DDR system on a section of KREONET
• update the detecting engine (DDR Agent) periodically
• These days, worms that include DDoS features have increased
We would like to form a shared infrastructure capable of accurate back-tracing, so that the result of this work contributes to Asia-Pacific Re