DDoS Detection and Response System
NetWRAP : Running on KREONET
Yoonjoo Kwon
[email protected]
High Performance Research Network Dept.
Supercomputing Center
KISTI
High Performance Research Network Dept. / Supercomputing Center
Table of contents
 Background
 Motivation
 Contribution and Results
 Summary and Future Plans
Background
DDoS attacks continue to appear
 February 2000
• Yahoo, Amazon
 January 2003
• Korea
Background
 Attack tools over time
[Chart: attack sophistication (low to high) plotted against intruder knowledge, 1980 to 2001. Tools progress from password guessing and password cracking, through exploiting known vulnerabilities, disabling audits, back doors, session hijacking, burglaries, sniffers, packet spoofing, network management diagnostics, GUI tools, automated probes/scans, www attacks, denial of service and distributed attack tools, to “stealth”/advanced scanning techniques and binary encryption.]
Source: CERT/CC
Background
 The DDoS attack
[Diagram: control messages from the attacker reach the DDoS agents; the attack flow converges on the target alongside traffic from legitimate users.]
 Consumes host resources (memory and processor cycles)
 Consumes network resources (bandwidth and router resources)
Motivation
 DDoS attacks have been detected frequently
 Manual reaction is too slow
 An automatic DDoS detection and response system is needed
[Map: KREONET backbone (SuperSIReN) with Seoul and Daejeon connected by 10 Gbps and 40 Gbps links; observed attacks marked as UDP flooding, TCP flooding and an ICMP worm.]
Our Detection System
 netflow data (version 5)
 detection approaches
 Signature-based
• Misuse
• TCP traffic
• Ex) It would be very unusual for a host to receive 10,000 connection attempts per second
– If the number of TCP SYN flows > 10000 and all flows go to one destination, then alert
 Anomaly-based
• What is typical?
• Non-TCP traffic
• Mean and standard deviation of the number of flows
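The two detection approaches on this slide, worked as an added example (not NetWRAP's own code): a signature rule that counts TCP SYN flows per destination against the 10,000 threshold, generalized to alert on any destination rather than only when every flow shares one, and an anomaly rule that compares the current interval's non-TCP flow count with the mean and standard deviation of earlier intervals. The flow records, the baseline counts, and the k = 3 cut-off are constructed assumptions; the victim address is the one from the test slide.

```python
import statistics
from collections import Counter

TCP, UDP, ICMP = 6, 17, 1   # IP protocol numbers as carried in the NetFlow v5 'prot' field
SYN, ACK = 0x02, 0x10       # TCP flag bits as carried in the NetFlow v5 'tcp_flags' field

def flow(src, dst, proto, flags=0):
    """Minimal stand-in for the NetFlow v5 fields the two rules need (constructed, not real export data)."""
    return {"src": src, "dst": dst, "proto": proto, "flags": flags}

# Constructed sample interval: 12,000 SYN-only flows from many sources to one victim, plus ordinary traffic.
VICTIM = "203.230.7.205"
ATTACK_FLOWS = [flow(f"10.0.{i // 256}.{i % 256}", VICTIM, TCP, SYN) for i in range(12000)]
NORMAL_FLOWS = ([flow("192.0.2.10", "198.51.100.5", TCP, SYN | ACK)] * 50
                + [flow("192.0.2.11", "198.51.100.6", UDP)] * 40
                + [flow("192.0.2.12", "198.51.100.7", ICMP)] * 10)

def syn_flood_alert(flows, threshold=10000):
    """Signature rule: count flows that carry SYN without ACK per destination and return
    every destination that received more than `threshold` of them in this interval."""
    syn_per_dst = Counter(f["dst"] for f in flows
                          if f["proto"] == TCP and (f["flags"] & (SYN | ACK)) == SYN)
    return sorted(dst for dst, n in syn_per_dst.items() if n > threshold)

def non_tcp_flow_count(flows):
    """Input to the anomaly rule: number of non-TCP (UDP, ICMP, ...) flows in an interval."""
    return sum(1 for f in flows if f["proto"] != TCP)

def anomaly_alert(history, current, k=3.0):
    """Anomaly rule: 'typical' is the mean of past per-interval counts; alert when the current
    count lies more than k population standard deviations above it."""
    if len(history) < 2:
        return False                      # no baseline yet: nothing to call unusual
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    return current > mean + k * stdev

if __name__ == "__main__":
    print("SYN flood toward:", syn_flood_alert(ATTACK_FLOWS + NORMAL_FLOWS))   # ['203.230.7.205']
    baseline = [100, 110, 95, 105, 100, 90, 105]   # constructed non-TCP flow counts of earlier intervals
    print("non-TCP anomaly:", anomaly_alert(baseline, 400))                  # True
```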
Our Response System
The response system traces back to the routers nearest the DDoS agents within the domain
 The response system holds the network topology
 All routers have to export netflow data
 The response system applies a rate-limit command to the nearest routers
Our Response System
DDIP
Response
system
x
An
Administrative
domain
Detection
system
x
x x
Overview of NetWRAP
 NetWRAP : NetWork Resource Abuse Preventive
 The NetWRAP system uses netflow data
 Its functions are
 to detect DDoS attacks
 to trace back DDoS agents
 to control DDoS traffic
[Diagram: the NetWRAP Server passes the attack direction, victim IP, target protocol and rate limit to the NetWRAP Agents; the agents apply the rate limit near the DDoS agents, upstream of the victim.]
Test Results
Router : Cisco 7200 series, IOS 12.3
Number of DDoS agents : 3
DDoS Attack Tool : flitz
Cross Traffic : UDP 19.0 Mbps (iperf)
RTT/Loss Test between ‘Site P’ and ‘Site Q’
[Diagram: test topology. Labels: ISP A, ISP B, NetWRAP Server, NetWRAP Agent, Rate Limit, RTT/Loss Test, Victim (203.230.7.205), 25 Mbps link, 1 Gbps link, DDoS Agent at Site P, DDoS Agent at Site Q.]
Test Results (skping)
Normal vs. DDoS attack:
 Normal: Loss 0%, RTT 1.23 ms
 DDoS attack: Loss 8.73%, RTT 189.98 ms
DDoS attack vs. starting NetWRAP:
 DDoS attack: Loss 30.9%, RTT 190.15 ms
 Starting NetWRAP: Loss 0%, RTT 4.65 ms
Results
Applying NetWRAP to the STAR TAP link
• Defending against the Nachi Worm
[Graph: traffic on STAR TAP, with the section where NetWRAP was applied and the section where it was not applied marked.]
• Defending against TCP SYN Flooding
[Graph: TCP SYN traffic on STAR TAP, with the section where NetWRAP was applied marked.]
Summary
 DDoS attacks continue to appear
 We developed the NetWRAP system using netflow data
 We obtained successful test results
 We deployed the NetWRAP system on STAR TAP, an international link
Future Plans
 We plan to
 update the detection engine (NetWRAP Agent) by June 2004
• Packet count
Welcome to join us
 We would like
 to form a shared infrastructure capable of defending the network against DDoS attacks
• we are going to update our system until June
• after June, we want to cooperate with other ISPs
• if any NOC members are interested in our system, contact me
– [email protected]