detecting flood based dos attacks with snmp rmon
play

Detecting Flood-based DoS Attacks with SNMP/RMON* William - PowerPoint PPT Presentation

Mar 01, 2023 •224 likes •571 views

Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert Cunningham MIT Lincoln Laboratory *This work is sponsored by the U.S. Air Force under Air Force Contract F19628-00-C-0002. Opinions, interpretations,

  1. Detecting Flood-based DoS Attacks with SNMP/RMON* William Streilein, David Fried, Robert Cunningham MIT Lincoln Laboratory *This work is sponsored by the U.S. Air Force under Air Force Contract F19628-00-C-0002. Opinions, interpretations, conclusions and recommendations are those of the author and are not necessarily endorsed by the United State Government. MIT Lincoln Laboratory 1 WWS 10/21/2003

  2. Outline • Motivation and Goals • Background: DoS and RMON • Data collection and analysis – Using RMON to Detect DoS • Test bed – Prototype Results • Summary MIT Lincoln Laboratory 2 WWS 10/21/2003

  3. Motivation and Goals • Motivation: – Denial of Service attacks continue to be a threat to networks and computers connected to the Internet: >4,000 attacks per week (src: CAIDA) – Commercial detection systems may not be best Proprietary, expensive Require network re-design Often use simple statistical models (i.e. threshold comparison) • Goal: – Detect flow-based DoS using SNMP/RMON Utilize existing devices w/no changes to network, non-proprietary solution RMON1 commonly implemented on network devices – Develop improved detection models Compare uni-variate statistical to machine learning approach MIT Lincoln Laboratory 3 WWS 10/21/2003

  4. Denial-of-Service Background • Denial-of-service: “the prevention of authorized access to a system resource or the delaying of system operations and functions” – CERT/CC, 2001 • Logic-based attacks exploit peculiarities or programming vulnerabilities in computer application or system software – Usually targeted at individual machines – Vulnerability in popular software can lead to widespread impact – Examples: IIS DoS, Ping-of-death • Flow-based attacks exhaust resources available for normal use – Network-based attacks which exhaust bandwidth on connected links – Examples: SMURF, Fraggle, Trinoo, Stacheldraht MIT Lincoln Laboratory 4 WWS 10/21/2003

  5. Flow-based DoS In the News • DoS a constant threat for Internet users: – 1996, March: Panix Attack TCP Stack peculiarity: SYN Flood causes service outage – 2000, February: ‘.com’ attacks Ebay, Zdnet, Amazon, etc. shutdown for hours: eCommerce is threatened – 2001, June: www.grc.com Script kiddies flood Gibson Research’s T1s with ICMP, UDP traffic and bring site down – 2002, November: UltraDNS under DoS attack Fills up two T1 pipes during peak – 2003, March: Uecomms AU link under DoS attack – 4,000 DoS attacks per week (CAIDA, 2001) • Denial-of-Service attacks are evolving – DDoS: Distributed sources, zombies – Automation (t0rnkit, ramen) – Amplification techniques in widespread use – Encrypted control channels, IRC (botnets) – New targets: Infrastructure devices (e.g. routers, hubs) MIT Lincoln Laboratory 5 WWS 10/21/2003

  6. State of the Art in DoS Detection • Passive: – Traffic analysis assistance Asta Networks, Arbor Networks – Rate threshold comparison, simple “statistical” approach Many commercial offerings – ‘Backscatter’ algorithm Detect response to spoofed packets w/ random src addrs – Ramp-up signature, spectral analysis of arrival times, x(t) Discriminate between DoS and DDoS • Active: – RMON variables IP-level RMON stats (i.e., above RMON1) were used to detect DoS – Agent detection proactively scans network for (D)DoS agents RID – Trinoo, TFN, stacheldraht Dds, gag, etc. Nessus MIT Lincoln Laboratory 6 WWS 10/21/2003

  7. RMON Management Information Base • Remote Monitoring (RMON) is a standard monitoring specification that allows agents to report network info to managers via SNMP (Simple Network Management Protocol) • RMON 2 monitors network and application layer – Monitor existing SMTP, FTP connections by address and protocol – Filter and capture specific TCP, UDP traffic for later analysis IP • RMON 1 monitors link layer ETHERNET – Count bytes, pkts, errors on segment – Set up proactive alarms to TCP/IP detect problems Stack MIT Lincoln Laboratory 7 WWS 10/21/2003

  8. Approach • Collect SNMP/RMON data from live production network • Analyze data, develop models of normal traffic • Develop detection capability for simulated DoS attack – Superimpose simulated DoS traffic on collected data • Create testbed to replicate traffic and stage DoS attack with real traffic • Develop prototype DoS detection tool and test on testbed traffic MIT Lincoln Laboratory 8 WWS 10/21/2003

  9. Outline • Motivation and Goals • Background: DoS and RMON • Data collection and analysis – Using RMON to Detect DoS • Test bed – Prototype experimental Results • Summary MIT Lincoln Laboratory 9 WWS 10/21/2003

  10. Data Collection • Goal: use existing network infrastructure to detect flow- based DoS attacks – Collect data from CISCO 2900 switch in production network – Gain familiarity with RMON1 statistics – Develop models of day-to-day traffic for purpose of recognizing anomalous behavior – Use data as guideline for prototype construction • RMON 1 Statistics automatically collected from switch – Data sent daily for analysis MIT Lincoln Laboratory 10 WWS 10/21/2003

  11. Network Diagram (Simplified) 100 Mbit/s links T1 1.54Mbit/s • Internal network behind switch, behind firewall • Switch controls traffic to/from Internet • All traffic to/from Internet limited by T1 link MIT Lincoln Laboratory 11 WWS 10/21/2003

  12. Data Analysis • Data represents snapshots of RMON 1 variables – Statistics group samples every 5 minutes from Oct, 2001 - Jan, 2002 – CISCO 2900, 24 100 Mbit/sec ports – Ports under observation: 3 (to Internet), 24 (internal) • Observations – Daily traffic pattern clearly evident data (weekends and holidays excluded) – Packet ratios reflect typical communication with web-based servers – Network utilization on key ports < 1% of 100M capacity • Analysis of 52 days of switch data suggest DoS attacks can be detected as anomalous when compared to models of typical traffic MIT Lincoln Laboratory 12 WWS 10/21/2003

  13. Measured Daily Traffic Pattern and Network Utilization Packet counts seen on Port 3 (Workday Average) T1 Utilization 1.5 Mbit/sec 100 % 1 Mbit/sec 50% 0 Mbit/sec 0 Workday Begins Workday Ends • Weekends and holidays excluded from analysis MIT Lincoln Laboratory 13 WWS 10/21/2003

  14. Measured Daily Traffic Pattern: Packet Size Ratios Port 3 – To the Internet Large packets represent data packets Small packets: connection setup • Connection setup accounts for 20% of traffic • Data packets from server account for 60% of traffic • Together they account for 80% of traffic MIT Lincoln Laboratory 14 WWS 10/21/2003

  15. Detecting DoS with RMON Variables • Octet count – Indicates network utilization – Intuition: Deviation from model of network utilization implies DoS • Packet size ratios – Small packets represent client data requests – Large packets represent server replies – Intuition: Deviation from expected ratio of large/small pkts to total is indicative of something amiss (e.g. DoS) • Error variables – Alignment error – Collisions – Fragments – Undersized packets (runts) – Intuition: Increase in error counts indicates communication problem, hence, DoS – NOTE: no traffic errors were seen by RMON in collected data MIT Lincoln Laboratory 15 WWS 10/21/2003

  16. Two Detection Models • Simple Statistical Model – Commonly used by commercial systems Univariate Gaussian assumption described by µ , σ – – Input feature: network utilization as % of available bandwidth – 288 separate models (every 5 minute period during day) Anomalous traffic is greater than 3 σ ’s from µ – • Machine learning model – Mutilayer perceptron : 8 input, 5 hidden, 2 output (normal, anomalous) – Enhanced feature vector Packet bin ratios: (e.g, # of 64 byte packets / total packets, etc.) Utilization, as % of available bandwidth Time, as fraction of full day MIT Lincoln Laboratory 16 WWS 10/21/2003

  17. Experiment #1: Detect Superimposed DoS-like Traffic 100 Mbit/s links T1 1.54Mbit/s • Impose DoS-like traffic utilization on data from Port 3 – Attack Plan: Flood Internet T1 link, degrade Internet service Add-in ½ T1 bandwidth (750kbits/sec), vary packet sizes – Detection Plan: detect anomalous behavior when RMON variable counts (utilization, pkt count, etc.) exceed expected values MIT Lincoln Laboratory 17 WWS 10/21/2003

  18. Statistical vs. Machine Learning Port 3 – To the Internet P d = 93.1 %, P fa = 6.9 % Equal Error Line P d = 98.6 %, P fa = 1.4% • Assume DoS of 50% of T1 bandwidth added randomly to each bin • MLP achieves better detection with lower false alarm rate (4 FA/day) MIT Lincoln Laboratory 18 WWS 10/21/2003

  19. Survey of Dos, DDoS Pkt Sizes DoS Pkt Size Mechanism Smurf 84 ICMP Echo Storm Fraggle 84 UDP Echo Storm Neptune 60+ TCP SYN Flood Bzs 1460 Stream zeros in packets DDoS Trinoo 1000 UDP Packet Flooding TFN 1000+ UDP Packet Flooding Stacheldraht 1000+ ICMP/UDP/TCP Flooding TFN2K 1000+ ICMP/UDP/TCP Flooding Mstream 60+ TCP Packet Flodding • D/DoS pkts appear to be either large (> 1000) or small (< 100) • Caveat: Can be changed by attacker • - Simulated for detection MIT Lincoln Laboratory 19 WWS 10/21/2003

Recommend

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral

Simple Network Management Pwnd Information Data Leakage Attacks Against SNMP Introduction Deral Heiland Matthew Kienow deral_heiland@rapid7.com mkienow@inokii.com dh@layereddefense.com @HacksForProfit @Percent_X Why ? Add value ?

940 views • 66 slides
Building Asynchronous SNMP Agents Presented by Ilya Etingof &lt;etingof@gmail.com&gt; Why SNMP

Building Asynchronous SNMP Agents Presented by Ilya Etingof &lt;etingof@gmail.com&gt; Why SNMP

Building Asynchronous SNMP Agents Presented by Ilya Etingof &lt;etingof@gmail.com&gt; Why SNMP SNMP is old, complicated and has many competitors SNMP is still ubiquitous in monitoring SNMP is well-understood by many We have

275 views • 3 slides
Detecting Sybil Attacks using Proofs of Work and Location for Vehicular AdHoc Networks (VANETS)

Detecting Sybil Attacks using Proofs of Work and Location for Vehicular AdHoc Networks (VANETS)

Master Defense Detecting Sybil Attacks using Proofs of Work and Location for Vehicular AdHoc Networks (VANETS) Presented by: Niclas Bewermeier Electrical and Computer December 14, 2018 Engineering Detecting Sybil Attacks using Proofs of

510 views • 49 slides
Detecting Power Attacks on Reconfigurable Hardware Adrien Le Masle Wayne Luk Department of

Detecting Power Attacks on Reconfigurable Hardware Adrien Le Masle Wayne Luk Department of

Detecting Power Attacks on Reconfigurable Hardware Adrien Le Masle Wayne Luk Department of Computing Imperial College London, UK 22 nd International Conference on Field Programmable Logic and Applications A. Le Masle and W. Luk Detecting

285 views • 24 slides
Machine Translation (M2M) Machine Translation (M2M) SNMP MIB to CIM MOF SNMP MIB to CIM MOF

Machine Translation (M2M) Machine Translation (M2M) SNMP MIB to CIM MOF SNMP MIB to CIM MOF

Machine Translation (M2M) Machine Translation (M2M) SNMP MIB to CIM MOF SNMP MIB to CIM MOF WIMS Working Group CIM Project 19 February 2007 PWG Maui Ira McDonald (High North) M2M Background Background M2M DMTF/PWG

437 views • 7 slides
Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic

Specification-based intrusion detection Effectively detecting intrusions using business logic specification J. Lima, N. Escravana 1 Abstract In the recent years, the advent large-scale, highly targeted cyber-attacks raised the concern on the

375 views • 35 slides
SNMP MIBs to manage G.698.2 parameters

SNMP MIBs to manage G.698.2 parameters

SNMP MIBs to manage G.698.2 parameters draft-galikunze-ccamp-g-698-2-snmp-mib-02.txt Gabriele Galimberti Cisco Systems Ruediger Kunze Deutsche Telekom Lam, Hing-Kam Alcatel-Lucent Dharini Hiremagalur Juniper

361 views • 8 slides
ICANN 50 Detecting Distributed DNS Attacks Utilizing Levenshtein String Distances

ICANN 50 Detecting Distributed DNS Attacks Utilizing Levenshtein String Distances

ICANN 50 Detecting Distributed DNS Attacks Utilizing Levenshtein String Distances Nils Clausen, M.Sc. University Lecturer n.clausen@ium.edu.na Detecting Distributed DNS Attacks Utilizing Levenshtein String

328 views • 14 slides
Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer &amp;

Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer &amp;

WCIS: A Prototype for Detecting Zero-Day Attacks in Web Server Requests Dr. Melissa Danforth Dept. of Computer &amp; Electrical Engineering &amp; Computer Science California State University, Bakersfield Presentation Outline Web

217 views • 20 slides
Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 ,

Are these Ads Safe: Detecting Hidden Attacks through Mobile App-Web Interfaces Vaibhav Rastogi 1 , Rui Shao 2 , Yan Chen 3 , Xiang Pan 3 , Shihong Zou 4 , and Ryan Riley 5 1 University of Wisconsin and Pennsylvania State University 2 Zhejiang

490 views • 27 slides
DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs

A robust SNMP based Infrastructure for Intrusion Detection and Response in tactical MANETs Sascha Lettgen University of Bonn, Germany Inst. of Computer Science IV Marko Jahnke, Jens Tlle, Uwe Weddige, Michael Bussmann FGAN/FKIE, Wachtberg,

641 views • 15 slides
Abusing Wi-Fi Beacons and Detecting &amp; Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting &amp; Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and

Abusing Wi-Fi Beacons and Detecting &amp; Preventing Attacks Mathy Vanhoef, Prasant Adhikari, and Christina Ppper. With special thanks to various IEEE members. Black Hat Webcast, 17 September 2020. Background: beacons Wi-Fi networks use

799 views • 42 slides
Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe,

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe,

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ April 14, 2011 Announcements Talk of possible interest next Monday:

492 views • 23 slides
Detecting distributed attacks using distributed processing frameworks RP2 #59 Sudesh Jethoe

Detecting distributed attacks using distributed processing frameworks RP2 #59 Sudesh Jethoe

Detecting distributed attacks using distributed processing frameworks RP2 #59 Sudesh Jethoe Overview Introduction Problem Description Research Questions Method Results Conclusion Introduction

549 views • 38 slides
A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk

A Machine Learning Approach for Detecting Distributed Denial of Service Attacks Tanaphon Roempluk Master's degree studying Majoring in Information technology Faculty of informatics, Mahasarakham University The 4th International Conference on

207 views • 17 slides
SurFi: Detecting Surveillance Camera Looping Attacks with Wi-Fi Channel State Information Nitya

SurFi: Detecting Surveillance Camera Looping Attacks with Wi-Fi Channel State Information Nitya

SurFi: Detecting Surveillance Camera Looping Attacks with Wi-Fi Channel State Information Nitya Lakshmanan * , Inkyu Bang + , Min Suk Kang * , Jun Han * , Jong Taek Lee # * National University of Singapore, + Agency for Defense Development, #

578 views • 36 slides
Detecting Attacks, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs:

Detecting Attacks, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs:

Detecting Attacks, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ April 7, 2010 The Problem

580 views • 28 slides
Towards Detecting Stealthy Attacks in Power Grid using Deep Learning Mohammad Ashrafuzzaman,

Towards Detecting Stealthy Attacks in Power Grid using Deep Learning Mohammad Ashrafuzzaman,

Towards Detecting Stealthy Attacks in Power Grid using Deep Learning Mohammad Ashrafuzzaman, Yacine Chakhchoukh and Frederick T. Sheldon Departments of Computer Science and Electrical &amp; Computer Engineering, University of Idaho, Moscow

425 views • 20 slides
Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke

Detecting Distributed Denial of Service Attacks: A Neural Network Approach Gulay Oke (g.oke@imperial.ac.uk) Intelligent Systems and Networks Group Dept. of Electrical and Electronic Engineering Imperial College London Multi-Service

681 views • 21 slides
Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V.

Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V.

Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks Matthew V. Mahoney Philip K. Chan Intrusion Detection Systems. Is data x hostile? Signature - models known hostile behavior: P( x |attack) Good: low

237 views • 22 slides
Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin

Detecting Attacks, Part 2 CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ April 11, 2013 Goals For Today General

658 views • 29 slides
Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural

Protean General Purpose Guard (PGPG): Detecting and Mitigating Cache-based Microarchitectural Attacks Using Protean Code Jeremy Erickson Akshitha Sriraman Sai Gouravajhala jericks@umich.edu akshitha@umich.edu sairohit@umich.edu EECS 583:

331 views • 12 slides

More recommend