Beyond the perimeter: the need
for early detection of Denial of
Service Attacks
John Haggerty, Qi Shi, Madjid Merabti
Presented by
Abhijit Pandey
Outline

Introduction

The Perimeter Model and DoS

DoS: A Case Study

Early Detection of DoS Attacks Beyond the
Perimeter

Conclusion and Future Work
Introduction

DoS attacks prevent users from carrying out
their computing tasks.

They overwhelm the victim host to the point
of unresponsiveness.

Current countermeasures
Firewalls, Intrusion Detection Systems
New approach for DoS prevention

IDS and firewalls are part of the victim system, so
they can only respond to an attack and cannot
prevent it from happening. Thus when an attack is
detected, services are shut down.

The communication medium beyond the
perimeter is used to identify the attack
signatures instead.
Two main classifications of attack

Resource starvation
Ex: TCP SYN flooding uses up the victim's
resources with half-open connections, so no new
requests are processed.

Bandwidth consumption
Ex: ICMP flooding or UDP flooding, which
consume the available bandwidth.
The Perimeter Model and DoS

Firewalls
They implement access control and audit
functions at the network interface. They are the
conduit that network traffic passes through, both
into and out of the network perimeter.
Security policies are enforced by means of
packet filters using IP addresses, ports,
flags, interfaces, etc.
The Perimeter Model and DoS
Intrusion Detection Systems
They detect violations of the security policy
within the trusted domain, thus identifying
hosts that misuse the system without
authorization, and take action against such
attacks.
Failure of the Perimeter Model

If the firewall is unable to respond, the attack
may degrade or halt the services behind the
perimeter.

Against an IDS, the aim of the attack is not to fill
the bandwidth and deny legitimate users, but to
make the IDS log every suspicious packet. A flood
of spurious packets then fills the event log and
exhausts the hard disk.
DoS: A Case Study

An Intrusion Detection System was used to analyze
events of interest (EOI).

A positive is when a recorded attack corresponds to
an actual EOI, whereas a false positive is when an
event is recorded as an attack but is not one.
409 positives and 1084 false positives were
recorded.

The 409 positives were generated by a worm
attempting to infect other servers by sending a
crafted HTTP GET request.
Result of the case study

The infected hosts inside the network tried to
connect to the Internet, so all of their traffic was
routed through the firewall.

The firewall's hard disk filled up with spurious
log information; external users could not get in
and internal users could not get out.

The firewall crashed.
Detection of DoS beyond the perimeter

Requirements
A mechanism is needed that detects and
responds to the attack before it reaches
the perimeter.
Abnormal vs. normal traffic is not well defined,
so effective detection beyond the perimeter,
in the communication medium, is difficult.
Quantities used to describe traffic aimed at a host h:
X: total number of packets directed at h.
Y: time period over which packets are directed at h.
S: packets that match a particular signature.
Signatures

The signatures used in early detection differ from
those of the perimeter model.

Attack pattern: a high rate of data transfer over a
period of time, consuming the available bandwidth.

A signature is needed to distinguish a TCP SYN flood
from a flash crowd, in which some connections do get
established. Flash-crowd traffic also increases and
decreases gradually, rather than jumping.
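The following is an added example, not code from the Haggerty, Shi and Merabti paper or from these slides. It applies the three quantities defined above (X packets to host h, over a window Y, of which S match a signature) to a constructed packet trace and separates a TCP SYN flood from a flash crowd using the two cues the slide gives: whether SYN senders go on to complete the handshake, and whether the rate ramps gradually or jumps. The thresholds, the host address and the synthetic traces are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    t: float     # arrival time in seconds
    src: str
    dst: str
    flags: str   # "S" = SYN, "A" = ACK (client's third handshake step), "P" = data


H = "192.0.2.10"   # assumed victim host h (RFC 5737 documentation address)


def window_stats(pkts, h, y):
    """For host h and window length Y, return [(window_start, X, S), ...]
    where X = all packets to h in the window and S = packets matching the
    signature, here a TCP SYN."""
    buckets = defaultdict(lambda: [0, 0])
    for p in pkts:
        if p.dst != h:
            continue
        w = int(p.t // y) * y
        buckets[w][0] += 1
        if p.flags == "S":
            buckets[w][1] += 1
    return [(w, x, s) for w, (x, s) in sorted(buckets.items())]


def completion_ratio(pkts, h):
    """Share of SYN senders to h that later ACK to h, i.e. finish the
    handshake. A spoofed half-open flood leaves this near zero."""
    syn_src = {p.src for p in pkts if p.dst == h and p.flags == "S"}
    ack_src = {p.src for p in pkts if p.dst == h and p.flags == "A"}
    if not syn_src:
        return 1.0
    return len(syn_src & ack_src) / len(syn_src)


def classify(pkts, h, y=1.0, rate_threshold=50.0, ramp_factor=4.0, min_completion=0.5):
    """Assumed signature (illustrative thresholds, not from the paper):
    a SYN flood shows a SYN rate S/Y above rate_threshold that jumps by at
    least ramp_factor between adjacent windows, with few completed
    handshakes; a flash crowd may reach the same rate but ramps gradually
    and its connections complete."""
    stats = window_stats(pkts, h, y)
    if not stats:
        return "no traffic"
    peak_syn_rate = max(s / y for _, _, s in stats)
    if peak_syn_rate < rate_threshold:
        return "normal"
    jumps = [b[2] / max(a[2], 1) for a, b in zip(stats, stats[1:])]
    sudden = any(j >= ramp_factor for j in jumps)
    completed = completion_ratio(pkts, h)
    if completed < min_completion and sudden:
        return "syn flood"
    if completed >= min_completion:
        return "flash crowd"
    return "suspicious"


def synthetic_flood():
    """Constructed trace: window 0 holds one ordinary connection; window 1
    holds 80 SYNs from 80 distinct spoofed sources, none of which ACKs."""
    pkts = [Pkt(0.1, "198.51.100.1", H, "S"),
            Pkt(0.2, "198.51.100.1", H, "A"),
            Pkt(0.3, "198.51.100.1", H, "P")]
    for i in range(80):
        pkts.append(Pkt(1.0 + i / 100, f"203.0.113.{i}", H, "S"))
    return pkts


def synthetic_flash_crowd():
    """Constructed trace: 10, 20, 40, 80 new clients per second, doubling
    each window, every one completing its handshake."""
    pkts = []
    n = 0
    for w, count in enumerate((10, 20, 40, 80)):
        for i in range(count):
            src = f"198.51.100.{n % 254 + 1}"
            n += 1
            t = w + i / count
            pkts.append(Pkt(t, src, H, "S"))
            pkts.append(Pkt(t + 0.005, src, H, "A"))
    return pkts


if __name__ == "__main__":
    for name, trace in (("flood", synthetic_flood()), ("flash crowd", synthetic_flash_crowd())):
        print(name, window_stats(trace, H, 1.0), "->", classify(trace, H))
```

Both traces reach the same peak of 80 SYN/s, so a rate threshold alone cannot tell them apart; the flood is only separated by its abrupt jump (1 to 80 SYNs between windows) and by 80 of its 81 SYN senders never acknowledging. In the communication medium the observer sees only packets in transit, so a real deployment would have to infer handshake completion from the client's third-step ACKs, as done here, rather than from the victim's connection table.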
Future Work

A more quantitative relationship between different
DoS attack signatures is required.

Attack detection must separate positives from false
positives to be effective without affecting
legitimate users.

Central control and administration of the defense
mechanism, as well as signature updates and policy
management, are required.
Conclusion

Current defense: the perimeter security model,
consisting of firewalls and IDS located on the
target system.

The case study showed that when the defense devices
are located on the target system, they are not an
effective defense.

Detecting DoS beyond the perimeter is effective but
needs further work.