Design of the Detection and Response System against DDoS attacks

Yoonjoo Kwon ([email protected])
High Performance Research Network Dept., Supercomputing Center, KISTI

Posted: Mar 27, 2015

Transcript

Table of contents

• Motivations
• DDoS Activities (In KREONET)
• DDR System
• Test Results
• Summary
• Future Plans

Motivations

• DDoS attacks keep appearing continuously.
• A DDoS attack
  – consumes host resources: memory, processor cycles
  – consumes network resources: bandwidth, router resources (a router is a host too!)
• Attack tools have become more sophisticated as time has passed.
• As an ISP, we need to respond to DDoS attacks to protect network users and network resources.

[Figure: Attack tools over time (Source: CERT/CC). Two curves, attack sophistication and intruder knowledge, plotted from high to low against the years 1980, 1985, 1990, 1995 and 2001, with labelled tools and attackers along the timeline: password guessing, password cracking, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, packet spoofing, GUI automated probes/scans, denial of service, www attacks, "stealth"/advanced scanning techniques, burglaries, network mgmt. diagnostics, distributed attack tools, binary encryption.]

DDoS Activities (In KREONET): status

[Figure: KREONET backbone sketch, Daejeon (SuperSIReN) and Seoul, with 10 Gbps and 40 Gbps links.]

• We have monitored the amount of network traffic in KREONET using flowscan and flowscan+.
• DDoS attacks are detected continuously.
• Since Jan. 25, 2003, various worms that include DDoS features have shown up frequently.
• So far, the reaction has been done by manual configuration.
• So we concluded that an automatic DDoS Detection and Response system is needed.

[Figure: flowscan traffic graphs with marked udp flooding and tcp flooding events.]

Our System

• DDR system: DDoS Detection and Response system
• The DDR system uses netflow data
• Its functions are
  – to detect DDoS attacks
  – to trace back DDoS agents
  – to control DDoS traffic

Overview of DDR system

[Figure: DDoS agents send traffic toward the victim; DDR agents on the path report the attack (victim IP, attack direction, target protocol) to the DDR Server (DDIP), which applies rate limits at the routers.]

Components of DDR system

DDR Agent (at a backbone router)
• Netflow Collector with DB: collects the netflow data
• Detection Module (DDoS detector, Reactor): analyzes the netflow data and checks for a DDoS attack
• Communication Module (Inner Command Sender): sends information on the DDoS attack to the DDR Server
• Control Module (Router Command Applier, Inner Command Sender)

DDR Server (DDIP)
• Attack Info. Receiver: receives attack information from the DDR Agents
• Traceback Module (DDoS Agent Tracer, Router Command Applier, Edge Router Netflow Collector)
• Finishing Checkup Module (Edge Router Traffic Checker, Router Command Remover)
• DB

Edge Routers
• send netflows to the DDR Server
• have router commands (ratelimit) applied by the server, and removed again once the attack is over

DDoS Detection Algorithm of DDR Agent

• Two-level tests for DDoS detection
  – Level 1 test: whether the current flow is abnormal or not
  – Level 2 test: whether the flow trend is a DDoS attack or not

[Figure: abnormal traffic models: plots of the number of flows per protocol against time, and of the number of inbound flows against the number of outbound flows over time.]

• Final standard of judgement on a DDoS attack: do the network connections to one destination, or from one source, make up over 85% of the current flows?
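The two-level test above, written out as an added example in Python; this is not the DDR Agent's code. The baseline rule for Level 1 (flow count above mean plus three standard deviations of earlier intervals) is an assumption, the 85% concentration rule for Level 2 is the slide's, and all flow records are constructed.

```python
"""Two-level DDoS check modelled on the DDR Agent slide (added example, not KISTI code).
Level 1: is this interval's per-protocol flow count abnormal against a baseline? (assumed rule)
Level 2: do flows to one destination, or from one source, exceed 85% of current flows?
"""
from collections import Counter
from statistics import mean, pstdev

CONCENTRATION_THRESHOLD = 0.85   # the slide's "over 85% of current flows"
ABNORMAL_SIGMA = 3.0             # assumed: how far above the baseline counts as abnormal


def level1_abnormal(current_count, baseline_counts, sigma=ABNORMAL_SIGMA):
    """Level 1: flag if the count exceeds mean + sigma * stdev of the baseline intervals."""
    if len(baseline_counts) < 2:
        return False                                   # no usable baseline yet
    mu, sd = mean(baseline_counts), pstdev(baseline_counts)
    return current_count > mu + sigma * max(sd, 1.0)   # floor stdev so a flat baseline keeps slack


def level2_concentration(flows):
    """Level 2: (kind, address, share) if one dst or one src holds > 85% of flows, else None.
    flows: list of (src, dst, proto) tuples."""
    if not flows:
        return None
    total = len(flows)
    dst_addr, dst_n = Counter(f[1] for f in flows).most_common(1)[0]
    src_addr, src_n = Counter(f[0] for f in flows).most_common(1)[0]
    if dst_n / total > CONCENTRATION_THRESHOLD:
        return ("dst", dst_addr, dst_n / total)        # many sources converging on one victim
    if src_n / total > CONCENTRATION_THRESHOLD:
        return ("src", src_addr, src_n / total)        # one host spraying many targets
    return None


def detect(flows, baseline_by_proto):
    """Run Level 1 then Level 2 per protocol; returns [(proto, kind, address)] judged as DDoS."""
    by_proto = {}
    for f in flows:
        by_proto.setdefault(f[2], []).append(f)
    hits = []
    for proto, pf in by_proto.items():
        if not level1_abnormal(len(pf), baseline_by_proto.get(proto, [])):
            continue                                   # Level 1 says normal: no Level 2 needed
        hit = level2_concentration(pf)
        if hit:
            hits.append((proto, hit[0], hit[1]))
    return hits


# Constructed sample: ten quiet baseline intervals, then one interval of UDP flooding at one victim.
BASELINE = {"udp": [40, 45, 38, 50, 42, 47, 44, 41, 39, 46],
            "tcp": [200, 210, 190, 205, 198, 202, 207, 195, 201, 199]}
SAMPLE = [("10.0.%d.%d" % (i % 20, i % 250), "203.0.113.5", "udp") for i in range(450)]  # flood
SAMPLE += [("10.1.0.%d" % i, "198.51.100.%d" % i, "udp") for i in range(30)]             # normal UDP
SAMPLE += [("10.2.0.%d" % i, "198.51.100.%d" % i, "tcp") for i in range(200)]            # normal TCP
```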

Traceback: Finding DDoS agents

1. Start at the router which detected the DDoS attack.
2. For that router, identify the interfaces on which the attack flow came in.
3. For each input interface, identify the remote router. (Need to know the topology.)
4. For each remote router, repeat until the DDR Server reaches the edge router.
5. Apply the ratelimit command to the edge routers.

[Figure: the traceback illustrated on the KREONET backbone between Daejeon and Seoul, with the victim marked.]
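The five traceback steps carried out over a small topology, as an added example that is not the DDR Server's code. The topology, the edge-router set and the per-router netflow summaries (each record tagged with its input interface index) are constructed; the server is assumed to already know which remote router sits behind each (router, interface) link.

```python
"""Traceback of DDoS agents to edge routers, following the five steps on the slide.
Added example, not KISTI code; topology and flow records are constructed."""

# Constructed topology: (router, input interface) -> remote router on that link (step 3).
LINKS = {
    ("bb-daejeon", 1): "bb-seoul",
    ("bb-daejeon", 2): "edge-a",
    ("bb-seoul", 1): "edge-b",
    ("bb-seoul", 2): "edge-c",
    ("bb-seoul", 3): "bb-daejeon",   # back-link: the walk must not loop through it
}
EDGE_ROUTERS = {"edge-a", "edge-b", "edge-c"}

# Constructed netflow summary: router -> [(src, dst, proto, input_ifindex)].
FLOWS = {
    "bb-daejeon": [("10.9.0.1", "203.0.113.5", "udp", 1), ("10.9.0.2", "203.0.113.5", "udp", 2),
                   ("10.9.0.3", "203.0.113.5", "udp", 1), ("192.0.2.7", "198.51.100.9", "tcp", 2)],
    "bb-seoul":   [("10.9.0.1", "203.0.113.5", "udp", 2), ("10.9.0.3", "203.0.113.5", "udp", 1)],
    "edge-a": [("10.9.0.2", "203.0.113.5", "udp", 4)],
    "edge-b": [("10.9.0.3", "203.0.113.5", "udp", 4)],
    "edge-c": [("10.9.0.1", "203.0.113.5", "udp", 4)],
}


def attack_input_interfaces(router, victim, proto, flows=FLOWS):
    """Step 2: interfaces of this router on which flows toward the victim (attacked protocol) arrived."""
    return {rec[3] for rec in flows.get(router, []) if rec[1] == victim and rec[2] == proto}


def traceback(start_router, victim, proto, links=LINKS, edges=EDGE_ROUTERS, flows=FLOWS):
    """Steps 1-4: walk upstream from the detecting router until each branch ends at an edge router.
    Returns (edge routers to rate-limit, all routers visited)."""
    to_visit, visited, targets = [start_router], set(), set()
    while to_visit:
        router = to_visit.pop()
        if router in visited:
            continue                                  # topology may contain cycles
        visited.add(router)
        if router in edges:
            targets.add(router)                       # step 4: stop at the edge router
            continue
        for ifindex in attack_input_interfaces(router, victim, proto, flows):
            upstream = links.get((router, ifindex))   # step 3: remote router behind the interface
            if upstream:
                to_visit.append(upstream)
    return targets, visited


def ratelimit_actions(edges, victim, proto):
    """Step 5: one rate-limit action per edge router (router syntax is left to the operator)."""
    return ["%s: rate-limit %s traffic to %s" % (r, proto, victim) for r in sorted(edges)]
```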

Traceback: After finding DDoS agents

• We know where the traffic came from.
• We can filter the traffic at the ingress if we need to.
• We can identify the peer network and contact them.

Test Environment

• Cross traffic: UDP 19.0 Mbps (iperf)
• DDoS attack tool: flitz
• Number of DDoS agents: 3
• RTT/loss test between 'Site P' and 'Site Q'
• Router: Cisco 7200 series, IOS 12.3

[Figure: test topology. DDoS agents in ISP A and ISP B send traffic toward the victim (203.230.7.205) over 25 Mbps and 1 Gbps links; DDR agents report to the DDR Server (DDIP), which applies the rate limit; RTT/loss is measured between Site P and Site Q.]

Test Results (skping)

Phase                                 Loss     RTT
Normal                                0%       1.23 ms
DDoS attack                           30.9%    190.15 ms
DDoS attack, DDR system starting      8.73%    189.98 ms
DDoS attack, DDR system started       0%       4.65 ms

Summary

• DDoS attacks keep appearing continuously.
• We developed the DDR system using netflow data.
• We obtained test results in a test environment.

Future Plans

• We plan to
  – deploy the DDR system to STAR TAP, an international link
  – deploy the DDR system to a section of KREONET
  – update the detecting engine (DDR Agent) periodically
    • These days, worms which include DDoS features have been increasing.
• We would like to form a shared infrastructure capable of accurate back-tracing, so that the results of this work contribute to Asia-Pacific research.