1 / 10

DISTRIBUTED tcpdump CAPABILITY FOR LINUX

Research Paper. DISTRIBUTED tcpdump CAPABILITY FOR LINUX. EJAZ AHMED SYED Dr. JIM MARTIN. Internet Research Group. Department Of Computer Science – Clemson University. Project Goals. Design and implement a tool that does distributed tcpdump capability for Linux.

aretha
Télécharger la présentation

DISTRIBUTED tcpdump CAPABILITY FOR LINUX

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Research Paper DISTRIBUTED tcpdump CAPABILITY FOR LINUX EJAZ AHMED SYEDDr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson University.

  2. Project Goals • Design and implement a tool that does distributed tcpdump capability for Linux. • Basic Operation Description: • A client sends a command to a server instructing the server to do particular tcpdump commands. At the server, there needs to be a way for the tcpdump data to be sent back to the client. • Significance: • A generic building block that can be deployed in a highly distributed manner for Distributed Denial Of Service (DDoS) and Intrusion Detection (ID). • Work is closely related to the frame work developed for intrusion detection.

  3. PROBLEM DEFINITION & SCOPE Distributed Denial of Service and Intrusion Detection System (IDS) A “denial-of-service” attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service.Examples include: • attempts to “flood” a network, thereby preventing legitimate network traffic. • attempts to disrupt connections between two machines, thereby preventing access to a service. • attempts to disrupt service to a specific system or person. Note: Other types of attacks may include a denial of service as a component, but the denial of service may be part of a larger attack. ... contd

  4. PROBLEM DEFINITION & SCOPE A network-based intrusion detection system (IDS) might be able to detect an attack instance (either an attack packet or a sequence of attack packets) by automatically extracting and analyzing the attack signatures from a collection of incoming and outgoing data packets. However, because of the Source accountability problem of today’s Internet, an IDS generally cannot tell where the attack packets were originated. Recent attention : Many DDoS (Distributed Denial Of Service) attacks have affected web sites such as Yahoo! E-Bay, CNN among many others, utilizing IP source address spoofing.

  5. Nomenclature – The Plain DDoS Model DDoS Attack Infrastructure : Hackers from their own community and they share resources among themselves. When one Internet host is compromised (a resource for the hackers), the host identity and the key to access this host is announced to all the hackers. Gradually, compromised hosts are organized and connected together as a DDoS attack infrastructure. In this host infrastructure, some hosts play the role of masters, while others are slaves. Attacker:A 15-YEAR-OLD MONTREAL boy with the alleged Internet codename of Mafia boy was the attacker who launched the attacks that briefly immobilized and brought down Internet giants eBay, Amazon.com, Yahoo.com, and ETrade back in February through the plain DDoS attack infrastructure. [ www.itworld.com ]community. Must be a “Gryffindor wizard” !!

  6. The plain DDOS Model [1999-2000] Ref : On Design and Evaluation of “Intention-Driven” ICMP Traceback. UCLA

  7. Tool Functionality • How to detect the distributed attack ?? • Signatures represent the attacks in a generic way. • A signature is a distributed event pattern that represents a distributed attack. • Generate log files required for further processing. • Specify what information is needed. • Identify the attack from specific signature flow. • Trace bandwidth consumed by the following flow description xxx: the data sent back is simple byte count per second. Alert the client when data specific to flow xxx is observed : send back an alert message.Alert the client when you see this particular flow signature.

  8. IMPLEMENTATION ARCHITECTURE • Pseudo Signatures: • Generate specific command – oriented tcpdumplog files for processing.[ CMD : tcpdump_command, param_String, START, STOP, probing_frequency, file *log_file ] • CMD : any tcpdump command . File : log file generated with the resultant tcpdump data. • Generate list of offending flows • [ CMD : ID_Non_tcp_friendly_flows, START, STOP, probing_frequency, file *list_file ] • Identify specific offending flows • [ CMD : search_for_this_flow, reporting_mode, probing_frequency, file *search_stats ] • Search_for_this_flow : based on for example , { address, port, protocol } Reporting_mode : First occurrence of specific flow, Bandwidth > TCP_Friendly.

  9. CARDS Architecture Fig : The CARDS architecture Ref : Design and Implementation of A Decentralized Prototype System for Detecting Distributed Attacks. [Dr. Ning, Dr. Sushil, Dr. Sean, North Carolina State University. ]

  10. Extensions • Provide hooks for some other extended tcpdump commands. • Provide a Interactive Java GUI interface for the Client. • Think !!!! • NOTE : [ Cpsc881 Students - Fall’03 ]May Implement security feature to this application. !??!

More Related