
The Effects of Filtering Malicious Traffic under DoS Attacks

The Effects of Filtering Malicious Traffic under DoS Attacks. Chinawat Wongvivitkul, Sudsanguan Ngamsuriyaroj. Department of Computer Science, Faculty of Science, Mahidol University, Thailand. Agenda: Introduction & Motivation, Proposed Work, Implementation, Experiments & Results.





Presentation Transcript


  1. The Effects of Filtering Malicious Traffic under DoS Attacks. Chinawat Wongvivitkul, Sudsanguan Ngamsuriyaroj. Department of Computer Science, Faculty of Science, Mahidol University, Thailand. APAN 2007 - August 27, 2007

  2. Agenda
  • Introduction & Motivation
  • Proposed Work
  • Implementation
  • Experiments & Results
  • Conclusions and Future Work

  3. Introduction
  • DoS attacks are well known for generating huge amounts of adverse traffic to a target server, making the server unavailable for service.
  • Open source IDS software: Snort and Bro
  • IDS approaches:
    • Signature detection: based on predefined rules
    • Anomaly detection: learn first, then classify statistical patterns of incoming traffic

  4. Motivation
  • Most studies used simulation tools, and only a few address server survivability under DoS attacks
  • Questions:
    • How to determine in real time whether incoming traffic is malicious
    • How to create an anomaly detector using simple statistics
    • How much traffic should be filtered out while the server is under attack so that the server survives
  • No existing work does packet filtering interactively during the attack

  5. Proposed Work
  • We propose a model to measure the effectiveness of filtering malicious traffic on a web server under DoS attacks
  • [Diagram: Input Traffic → Detection Analysis (packet information) → Traffic Control (packet control, traffic shaping) → normal output traffic, reduced output traffic, dropped suspicious traffic, dropped malicious traffic]

  6. Proposed Work
  • Two phases:
    • Detection Analysis: collects statistics of incoming traffic and classifies the status of the traffic
    • Traffic Control: redirects traffic according to its status, and filters the traffic if it is malicious

  7. Detection Analysis
  • In_Packet keeps information on individual packets
  • Stat_Info keeps statistics of the packets in In_Packet and classifies the traffic according to its arrival rate
  • [Diagram: Input Traffic → Packet Recording (records into In_Packet) → Packet Analysis (reads In_Packet, records Stat_Info) → sent to Traffic Control]

  8. Traffic Control
  • [Diagram: packets from Detection Analysis are read from Stat_Info and classified as Normal, Suspicious or Malicious traffic; Packet Control passes normal traffic through as normal output traffic; Traffic Shaping drops packets from suspicious traffic to produce reduced output traffic; malicious traffic is dropped]

  9. Traffic Control
  • Normal traffic: sent to the target server with unlimited bandwidth
  • Suspicious traffic: sent to the traffic shaping module so that its bandwidth is reduced before it reaches the target server
  • Malicious traffic: dropped before it has a chance to attack the target server

  10. Implementation
  • Focus on HTTP traffic only
  • Modify Snort in-line for traffic classification, traffic redirection, and traffic dropping
  • [Diagram: Attacker and Legitimate User → Modified Snort In-line → Web Server]

  11. Modified Snort In-Line
  • Packet capture/decode engine: performs statistical analysis of each traffic stream
  • Detection engine: computes the arrival rate at every 30 packets of a traffic stream and classifies the stream as normal, suspicious, or malicious according to its arrival rate
  • Control engine: an extra module redirects traffic to different paths according to its status
  • Output engine: performs traffic shaping by dropping suspicious and malicious traffic

  12. Modified Snort In-Line
  • Packet capture/decode engine: add the Input_traffic function to the "detect.c" file of Snort In-line
  • Detection engine: add the P_analysis function to the "snort.c" file
  • Control engine: add the p_control function to the "snort.c" file
  • Output engine: drop a number of suspicious packets according to the stream's arrival rate
  • Example rules for dropping suspicious and malicious traffic:
    drop tcp any any -> any 20000 (msg:"D=Http IDS Malicious access tcp deny";)
    drop tcp any any -> any 40000 (msg:"D=Http IDS Suspicious access tcp deny";)
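The Detection Analysis and Traffic Control phases of slides 6 to 12, written out as an added Python model; this is not code from the paper or from the modified Snort In-line. The 30-packet window is taken from slide 11; the packets-per-second thresholds, the use of a stream name as the key, and the reading of a 1/N filtering rate as "forward one suspicious packet in every N" are assumptions.

```python
from collections import defaultdict

WINDOW = 30  # slide 11: arrival rate is recomputed every 30 packets of a stream
NORMAL, SUSPICIOUS, MALICIOUS = "normal", "suspicious", "malicious"

class DetectionAnalysis:
    """Stat_Info: per-stream timestamps (In_Packet) plus each stream's current status."""
    def __init__(self, suspicious_pps=50.0, malicious_pps=500.0):
        self.sus, self.mal = suspicious_pps, malicious_pps  # ASSUMED cut-offs, none in the deck
        self.in_packet = defaultdict(list)
        self.status = defaultdict(lambda: NORMAL)

    def record(self, stream, ts):
        # Store one packet; every WINDOW packets reclassify the stream by its arrival rate
        buf = self.in_packet[stream]
        buf.append(ts)
        if len(buf) == WINDOW:
            rate = WINDOW / max(buf[-1] - buf[0], 1e-9)  # packets per second over the window
            self.status[stream] = (MALICIOUS if rate >= self.mal
                                   else SUSPICIOUS if rate >= self.sus else NORMAL)
            buf.clear()
        return self.status[stream]

class TrafficControl:
    """Normal: forward. Suspicious: pass 1 packet in pass_every (ASSUMED reading of 1/N). Malicious: drop."""
    def __init__(self, pass_every=1000):
        self.pass_every = pass_every
        self.seen = defaultdict(int)  # suspicious packets seen per stream
        self.counts = {"forwarded": 0, "shaped": 0, "dropped": 0}

    def handle(self, stream, status):
        if status == MALICIOUS:
            self.counts["dropped"] += 1
            return False
        if status == SUSPICIOUS:
            self.seen[stream] += 1
            if self.seen[stream] % self.pass_every:
                self.counts["shaped"] += 1
                return False
        self.counts["forwarded"] += 1
        return True

def run(packets, pass_every=1000):
    # Feed (stream, timestamp) pairs in time order; return counters and final statuses
    det, ctl = DetectionAnalysis(), TrafficControl(pass_every)
    for stream, ts in sorted(packets, key=lambda p: p[1]):
        ctl.handle(stream, det.record(stream, ts))
    return ctl.counts, dict(det.status)

def sample_traffic():
    """Constructed input: a user polling every 3 s (slide 14), a 100 pps burst, a 1000 pps flood."""
    return ([("user", 3.0 * i) for i in range(100)] + [("burst", 0.01 * i) for i in range(1000)]
            + [("flood", 0.001 * i) for i in range(1000)])
```

The first 29 packets of every stream pass unclassified, which is the cost of a window-based detector: a status only exists once a full window has been observed.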

  13. Traffic Flows in Snort In-Line
  • [Diagram: Input Traffic → iptables (sends input traffic to the queue) → Snort In-line: packet capture/decode engine → detection engine → control engine → output engine → Output Traffic; the output engine also writes alerts/logs]

  14. System Configuration for Experiments
  • The attacker sends malicious traffic to the web server for 5 minutes
  • No background traffic is generated
  • The user makes a request to the server every 3 seconds until a timeout occurs because the server is down

  15. Experiment 1: Server Timeout without Traffic Control

  16. Experiment 2: Server Timeout with Traffic Control
  • One attacker; filtering rate fixed at 1/1000

  17. Experiment 3: Server Timeout with Traffic Control
  • One attacker; varying filtering rates of 1/100, 1/250, 1/500, 1/750, and 1/1000

  18. Experiment 4: Server Timeout with Traffic Control
  • Three attackers; varying filtering rates of 1/100, 1/250, 1/500, 1/750, and 1/1000

  19. Conclusions
  • We show the effects of filtering malicious traffic on the survivability of a server under DoS attacks
  • We show that simple and fast anomaly detection is possible using the traffic arrival rate
  • Future work: make Snort adaptive so that it responds to different arrival rates with an adaptive filtering rate



  22. Thank You. Q & A
