project overview - Clemson University


Research Paper
DISTRIBUTED tcpdump CAPABILITY FOR LINUX
EJAZ AHMED SYED
Dr. JIM MARTIN
Internet Research Group. Department Of Computer Science – Clemson University.
Project Goals
Design and implement a tool that provides distributed tcpdump
capability for Linux.
Basic Operation Description:
A client sends a command to a server instructing the server to
do particular tcpdump commands. At the server, there needs to
be a way for the tcpdump data to be sent back to the client.
Significance:
• A generic building block that can be deployed in a highly
distributed manner for Distributed Denial Of Service (DDoS)
and Intrusion Detection (ID).
• Work is closely related to the framework developed for
intrusion detection.
PROBLEM DEFINITION & SCOPE
Distributed Denial of Service and Intrusion Detection System (IDS)
A “denial-of-service” attack is characterized by an explicit attempt by
attackers to prevent legitimate users of a service from using that service.
Examples include:
• attempts to “flood” a network, thereby preventing legitimate network
traffic.
• attempts to disrupt connections between two machines, thereby
preventing access to a service.
• attempts to disrupt service to a specific system or person.
Note: Other types of attacks may include a denial of service as a component,
but the denial of service may be part of a larger attack.
... contd
PROBLEM DEFINITION & SCOPE
A network-based intrusion detection system (IDS) might be able to
detect an attack instance (either an attack packet or a sequence of
attack packets) by automatically extracting and analyzing the
attack signatures from a collection of incoming and outgoing data
packets. However, because of the source accountability problem of
today’s Internet, an IDS generally cannot tell where the attack
packets originated.
Recent attention: Many DDoS (Distributed Denial Of Service)
attacks have affected web sites such as Yahoo!, eBay and CNN, among
many others, utilizing IP source address spoofing.
Nomenclature – The Plain DDoS Model
DDoS Attack Infrastructure: Hackers form their own community and
share resources among themselves. When one Internet host is compromised
(a resource for the hackers), the host identity and the key to access this host
are announced to all the hackers. Gradually, compromised hosts are organized
and connected together as a DDoS attack infrastructure. In this host
infrastructure, some hosts play the role of masters, while others are slaves.
Attacker: A 15-year-old Montreal boy with the alleged Internet
codename of Mafiaboy was the attacker who launched the attacks that
briefly immobilized and brought down Internet giants eBay, Amazon.com,
Yahoo.com, and ETrade back in February through the plain DDoS attack
infrastructure. [ www.itworld.com ]
Must be a “Gryffindor wizard” !!
The plain DDOS Model [1999-2000]
Ref : On Design and Evaluation of “Intention-Driven” ICMP Traceback. UCLA
Tool Functionality
How to detect the distributed attack?
Signatures represent the attacks in a generic way.
A signature is a distributed event pattern that represents a distributed attack.
• Generate log files required for further processing.
• Specify what information is needed.
• Identify the attack from a specific signature flow.
Trace bandwidth consumed by the following flow description xxx: the data
sent back is a simple byte count per second.
Alert the client when data specific to flow xxx is observed: send back an
alert message.
Alert the client when you see this particular flow signature.
IMPLEMENTATION ARCHITECTURE
Pseudo Signatures:
• Generate specific command-oriented tcpdump log files for processing.
[ CMD : tcpdump_command, param_String, START, STOP, probing_frequency, file *log_file ]
CMD: any tcpdump command.
File: log file generated with the resultant tcpdump data.
• Generate a list of offending flows.
[ CMD : ID_Non_tcp_friendly_flows, START, STOP, probing_frequency, file *list_file ]
• Identify specific offending flows.
[ CMD : search_for_this_flow, reporting_mode, probing_frequency, file *search_stats ]
Search_for_this_flow: based on, for example, { address, port, protocol }.
Reporting_mode: first occurrence of the specific flow, or Bandwidth > TCP_Friendly.
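The two slides above (Tool Functionality and the pseudo signatures) describe a small command protocol but show no code. The following is an added example, not code from the Clemson project: a validating parser for the `[ CMD : ... ]` messages, and a server-side handler that answers `search_for_this_flow` and `ID_Non_tcp_friendly_flows` over constructed tcpdump-style log lines by counting bytes per second per destination flow. The line format (as produced by `tcpdump -tt -n`), the parameter names, the `address:port/proto` flow syntax, the `TCP_FRIENDLY_BPS` threshold and the sample log are all assumptions made for this example.

```python
"""Added example, not the project's own code: parse the pseudo-signature
commands from the slide and answer two of them over constructed log lines.
Line format, field names, flow syntax and the threshold are assumptions."""
import re
from collections import defaultdict

# Parameter lists for the three command forms on the slide (names assumed).
COMMAND_FORMS = {
    "tcpdump_command": ["param_string", "start", "stop", "probing_frequency", "log_file"],
    "ID_Non_tcp_friendly_flows": ["start", "stop", "probing_frequency", "list_file"],
    "search_for_this_flow": ["flow", "reporting_mode", "probing_frequency", "search_stats"],
}
# Assumed bytes-per-second threshold standing in for "TCP_Friendly" on the slide.
TCP_FRIENDLY_BPS = 1000

def parse_command(message):
    """Parse '[ CMD : name, p1, p2, ... ]' into a dict. Unknown command names
    and wrong parameter counts are rejected before anything reaches tcpdump."""
    m = re.fullmatch(r"\s*\[\s*CMD\s*:\s*([^,\]]+?)\s*(?:,(.*))?\]\s*", message)
    if not m:
        raise ValueError("malformed command: %r" % message)
    name = m.group(1)
    fields = COMMAND_FORMS.get(name)
    if fields is None:
        raise ValueError("unknown command: %s" % name)
    args = [a.strip() for a in m.group(2).split(",")] if m.group(2) else []
    if len(args) != len(fields):
        raise ValueError("%s expects %d parameters, got %d" % (name, len(fields), len(args)))
    return dict(cmd=name, **dict(zip(fields, args)))

# Constructed sample in `tcpdump -tt -n` style; not a real capture.
SAMPLE_LOG = """\
1070000000.100000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [S], length 0
1070000000.300000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [P.], length 600
1070000000.400000 IP 10.0.0.7.5000 > 192.0.2.10.53: UDP, length 40
1070000000.900000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [P.], length 600
1070000001.200000 IP 10.0.0.7.5000 > 192.0.2.10.53: UDP, length 40
1070000001.500000 IP 10.0.0.5.40000 > 192.0.2.10.80: Flags [P.], length 300
"""
LINE_RE = re.compile(r"^(\d+)\.\d+ IP (\S+)\.(\d+) > (\S+)\.(\d+): (UDP|Flags).*length (\d+)$")

def parse_line(line):
    """Return (second, src, sport, dst, dport, proto, length) or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, src, sport, dst, dport, kind, length = m.groups()
    return int(sec), src, int(sport), dst, int(dport), "udp" if kind == "UDP" else "tcp", int(length)

def matches_flow(pkt, flow):
    """flow is 'address:port/proto' (assumed syntax) naming the destination."""
    addr_port, proto = flow.split("/")
    addr, port = addr_port.rsplit(":", 1)
    return pkt[3] == addr and pkt[4] == int(port) and pkt[5] == proto

def bytes_per_second(log_text, flow):
    """Byte count per whole second for packets matching the flow description."""
    counts = defaultdict(int)
    for pkt in map(parse_line, log_text.splitlines()):
        if pkt and matches_flow(pkt, flow):
            counts[pkt[0]] += pkt[6]
    return dict(counts)

def search_for_this_flow(log_text, flow, reporting_mode):
    """Answer search_for_this_flow: alert on first occurrence, or list the
    seconds in which the flow exceeded TCP_FRIENDLY_BPS."""
    if reporting_mode == "first_occurrence":
        for pkt in map(parse_line, log_text.splitlines()):
            if pkt and matches_flow(pkt, flow):
                return {"alert": "flow observed", "at": pkt[0]}
        return None
    if reporting_mode == "bandwidth":
        per_sec = bytes_per_second(log_text, flow)
        return {"alert": "not TCP friendly",
                "seconds": sorted(s for s, b in per_sec.items() if b > TCP_FRIENDLY_BPS)}
    raise ValueError("unknown reporting mode: %s" % reporting_mode)

def id_non_tcp_friendly_flows(log_text):
    """Answer ID_Non_tcp_friendly_flows: destination flows that exceed the
    threshold in any single second."""
    counts = defaultdict(int)
    for pkt in map(parse_line, log_text.splitlines()):
        if pkt:
            counts[(pkt[3], pkt[4], pkt[5], pkt[0])] += pkt[6]
    return sorted({"%s:%d/%s" % k[:3] for k, b in counts.items() if b > TCP_FRIENDLY_BPS})

if __name__ == "__main__":
    cmd = parse_command("[ CMD : search_for_this_flow, 192.0.2.10:80/tcp, bandwidth, 1, /tmp/search_stats ]")
    print(search_for_this_flow(SAMPLE_LOG, cmd["flow"], cmd["reporting_mode"]))
    print(id_non_tcp_friendly_flows(SAMPLE_LOG))
```

On the sample log the TCP flow to port 80 carries 1200 bytes in its first second and 300 in the next, so only the first second is reported for the `bandwidth` mode, while the 40-byte-per-second UDP flow is never flagged. `parse_command` is where the "security feature" mentioned on the last slide naturally belongs: the server should only accept command names it knows, and the `param_String` of `tcpdump_command` still needs its own whitelist before being passed to tcpdump.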
CARDS Architecture
Fig : The CARDS architecture
Ref : Design and Implementation of A Decentralized Prototype System for Detecting
Distributed Attacks. [Dr. Ning, Dr. Sushil, Dr. Sean, North Carolina State University. ]
Extensions
• Provide hooks for some other extended tcpdump commands.
• Provide an interactive Java GUI interface for the client.
• Think !!!!
NOTE: [ CPSC 881 students, Fall ’03 ]
may implement a security feature for this application. !??!