150 likes | 155 Vues
Explore the design, implementation, and test results of a Detection and Response System against DDoS attacks in KREONET by Yoonjoo Kwon from KISTI. Learn about motivations, DDoS activities, system components, test environment, results, and future plans.
E N D
Design of the Detection and Response System against DDoS attacks Yoonjoo Kwon yulli@kisti.re.kr High Performance Research Network Dept. Supercomputing Center KISTI
Table of contents • Motivations • DDoS Activities (In KREONET) • DDR System • Test Results • Summary • Future Plans
Motivations • DDoS attacks are being appeared continuously • DDoS attack • Consumes host resources • Memory • Processor cycles • Consumes network resources • Bandwidth • Router resources (it’s a host too!) • Attack tools are more sophisticatedas time passed. • In terms of ISP, we need to respond to DDoS attack for protecting network users and network resources
Attack tools over time binary encryption Tools “stealth” / advanced scanning techniques High denial of service packet spoofing distributed attack tools sniffers Intruder Knowledge www attacks automated probes/scans GUI back doors network mgmt. diagnostics disabling audits hijacking sessions burglaries Attack Sophistication exploiting known vulnerabilities password cracking Attackers password guessing Low 2001 1980 1985 1990 1995 Source: CERT/CC
udp flooding tcp flooding DDoS Activities (In KREONET) Seoul • status • We have monitored amount of network traffic in KREONET using flowscan and flowscan+. • DDoS attacks are detected continuously. • After Jan. 25, 2003, various worms which include DDoS features has shown up frequently • So far, the reaction was done by manual configurations. • So we thought the automatic DDoS Detection and Response system should be needed. 10Gbps Daejeon SuperSIReN 10 Gbps 40Gbps
DDR Agent Victim Our System • DDR system : DDoS Detection and Response system • DDR system uses netflow data • Functions are • to detect DDoS attacks • to traceback DDoS agents • to control DDoS traffic • Overview of DDR system Attack Direction Victim IP Target Protocol DDR Server DDIP Rate Limit Rate Limit DDoS Agent DDoS Agent
Components of DDR system Edge Routers Sending Netflows Applying router commands (ratelimit) • DDR Agent • Analyze netflow data • Checks DDoS attack • Sends information of DDoS attack to DDR Server Removing router commands(ratelimit) DDR Server DB Router command Remover Router Command Applier Edge Router Traffic Checker DDoS Agent Tracer Edge Router Netflow Collector Attack Info. Receiver Traceback Module Finishing Checkup Module DDIP DDR Agent Control Module Communication Module Inner Command Sender Inner Command Sender Router Command Applier backbone Router Reactor DB DDoS detector Netflow Collector Detection Module
# of flow per protocol # of flow per protocol time time DDoS Detection Algorithm of DDR Agent • Two level tests for DDoS Detection • Level 1 Test : whether current flow is abnormal or not • Level 2 Test : whether the flow trend is DDoS Attack or not abnormal traffic models # of inbound flow time # of outbound flow final standard of judge on DDoS attack Whether are network connections to a destination or from a source over 85% of current flows or not?
Traceback : Finding DDoS agents • Start at the router which detected DDoS attack • For the router identify the interfaces on which the attack flow came in. • For each input interface, identify the remote router. (Need to know the topology) • For each remote router, repeat until DDR Server meets the edge router. • Apply ratelimit command to edge-routers
V Seoul Daejeon
Traceback : After finding DDoS agents • We know where the traffic came from • We can filter the traffic at the ingress if we need. • We can identify the peer network and contact them
Test Environment • Cross Traffic : UDP 19.0Mbps(iperf) • DDoS Attack Tool : flitz • Number of DDoS agents : 3 • RTT/Loss Test between ‘Site P’ and ‘Site Q’ • Router : Cisco 7200 series, IOS 12.3 ISP B ISP A DDR Server DDIP DDR Agent Rate Limit RTT/Loss Test 25Mbps 1Gbps Victim(203.230.7.205) DDoS Agent DDoS Agent Site P Site Q
Normal DDoS Attack Loss DDOS Attack Starting DDR System Loss Loss Test Results(skping) Loss: 0% RTT : 1.23ms Loss: 8.73% RTT : 189.98ms Loss: 30.9% RTT : 190.15ms Loss: 0% RTT : 4.65ms
Summary • DDoS attacks are appeared continuously • We developed DDR system using netflow data • We got some test results in test environment
Future Plans • We plan to • deploy DDR system to STAR TAP , international link. • deploy DDR system to a section of KREONET • update detecting engine (DDR Agent) periodically • These days, worms which include DDoS features have been increased • We would like • to form a shared infrastructure capable of accurate backtracing • that our result of this topic contribute to Asia-Pacific Research