Topologie - PowerPoint PPT Presentation

About This Presentation

Title:

Topologie

Description:

Marcus Sch ller, Thomas Gamer, Roland Bless, and Martina Zitterbart ... Building an attack detection system. DDoS and worm propagation are major threats ... – PowerPoint PPT presentation

Number of Views:48

Avg rating:3.0/5.0

Slides: 15

Provided by: thomastf

Category:

more less

Transcript and Presenter's Notes

Title: Topologie

1
An Extension to Packet Filtering of Programmable
Networks
Marcus Schöller, Thomas Gamer, Roland Bless, and
Martina Zitterbart
Institut für TelematikUniversität Karlsruhe
(TH)Germany IWAN 2005 November 23th
2
Motivation

Building an attack detection system
DDoS and worm propagation are major threats
Victim can not take any countermeasures
Support from network operator needed
Detection as early as possible
Objectives
Be extensible to adept to new attacks
Be resource saving to fit in high-speed
environments

Application level view
Build an anomaly based attack detection system
based on packet selection
3
Motivation

Building an attack detection system
DDoS and worm propagation are major threats
Victim can not take any countermeasures
Support from network operator needed
Detection as early as possible
Attack are constantly changing
Objectives
Be extensible to adept to new attacks
Be resource saving to fit in high-speed
environments

Build an anomaly based attack detection system
based on packet selection
4
Anomaly based detection system

Statistical anomaly in an aggregate suggests an
attack
DDoS Rapid increase of packets at aggregation
point
Worm propagation Exponential increase of packets

5
Anomaly based detection system

Statistical anomaly in an aggregate suggests an
attack
Rapid increase of packets
Exponential increase of packets
Protocol anomalies within such an aggregate
Verify the suggestion
TCP connection establishment
TCP-SYN approx. TCP-SYN-ACK
TCP-SYN-Flooding
( TCP-SYN gt TCP-SYN-ACK) TCP-RST
Packet selection to find statistical anomalies
Attack hints can be detected with less resources

6
Packet Selection PSAMP WG

Packet filtering
Field match filtering
Hash based selection
Router state filtering
Packet sampling
Non-uniform probabilistic sampling
Systematic time based sampling
n-out-of-N sampling
Uniform probabilistic sampling
Systematic count based sampling

NodeOS is currently limited to this class
7
NodeOS specification

IPfix conform filtering at incoming channel
(InChan)
Packet sampling within EE
Unnecessary delay for not selected packets
Resource consuming
High delay
Not applicable for high speed routers
Two issues
Select suitable packet selection scheme
Integrate packet selection in NodeOS

8
Selecting a suitable packet selector

Building an attack detection system
Packet filtering is unsuitable
Attacker can circumvent detection by packet
crafting
Non-uniform probabilistic sampling is unsuitable
Deep packet inspection necessary
Systematic time-based sampling is unsuitable
Bad estimation during low bandwidth utilization
n-out-of-N sampling is suitable to only a limited
extend
Generation of unique random numbers necessary
Uniform probabilistic sampling is well suitable
Only random number generator required
Systematic count based sampling is very well
suited
Least resource demanding

9
Packet sampling experiment

Uniform probabilistic sampling
Sampling interval 0,5s and 5s
Accuracy depends on number of packets per
interval
Same results for systematic count based sampling
Estimation failure of uniform probabilistic
sampling

10
Extending the NodeOS specification

Packet selection in the incoming channel
Process copy of selected packets only
Preserve packet order
Reduce packet delay
Reduce memory usage
Systematic count based sampling
Lowest resource demands

11
Evaluation results
Average of overall processing time
3000
245 858 Tics
2500
2000
1500
Processing time in 1000 processor tics
1000
500
0
500
1000
1500
2000
0
Packet Index
12
Conclusion