evaluation of amplification attacks in large scale
play

Evaluation of Amplification attacks in large-scale networks to - PowerPoint PPT Presentation

Aug 01, 2023 •27 likes •517 views

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation of Amplification attacks in large-scale networks to improve detection performance Michael Kpferl Interdisciplinary Project Final

  1. Chair of Network Architectures and Services Department of Informatics Technical University of Munich Evaluation of Amplification attacks in large-scale networks to improve detection performance Michael Köpferl Interdisciplinary Project Final Talk Advisors: Oliver Gasser, Stefan Metzger January 10, 2018 Chair of Network Architectures and Services Department of Informatics Technical University of Munich

  2. Outline • Motivation • Requirements and Constraints • Architecture and Implementation • Evaluation • Conclusion M. Köpferl — Amplification Attacks 2

  3. Motivation What is an Amplification attack? Figure 1: Devices and data flows during an Amplification attack M. Köpferl — Amplification Attacks 3

  4. Motivation What are the benefits of detecting Amplification attacks? • Ingress Filtering (BCP38) not implemented everywhere • Detect (and suppress) Amplification at amplifier • Detection also possible at the victim, but connection could be saturated • Suppress early in the path at Amplifier M. Köpferl — Amplification Attacks 4

  5. Motivation Goals of this project • Extensible analysis and measurement framework for Amplification attack detection in large-scale networks • Improve insight into Amplification attacks by • conducting active measurements to victims to verify detected attacks, • discovering data to correlate events: Internet addressing information • Organizational information • • Geographical location M. Köpferl — Amplification Attacks 5

  6. Introduction Research Questions • Analyze support for Amplification attack detection in currently deployed LRZ systems: • Do the currently deployed systems allow for reliable attack detection? • Can we retrieve detailed results for evaluation and detection improvement? • How can we analyze amplification attacks in a privacy-preserving way? • Analysis detection metrics: • Which detection features improve detection performance? • Do we find clusters of similar attacks in our measurement results? M. Köpferl — Amplification Attacks 6

  7. Introduction Amplification attack detection algorithm State of research before this project • Amplification attack detection algorithm (Böttger et al.[1, 2]) • Pairflow definition • Limited set of queries resulting into limited set of answers • Checking packet content similarities • Other classification ideas dropped, as not suitable for detection But: could be usable for additional insight and evaluation of true-positive attacks • Implementation of real-time detection in Suricata (IDP Khakimullin[3]) • Correlation and visualization of measurement data (BA Köpferl[4]) M. Köpferl — Amplification Attacks 7

  8. Requirements and Constraints MWN ("Munich Scientific Network") • Heterogeneous network • Different types of systems Network services • Hardware and operating systems • Embedded / specialized systems • Installation of agent software not feasible ⇒ • Individual system administration responsibilities Central enforcement difficult ⇒ • Central Internet connection for the whole network • Managed by LRZ for the MWN in our case • Monitored for security events • Monitoring tools used include QRadar and Suricata M. Köpferl — Amplification Attacks 8

  9. Requirements and Constraints Analysis of Amplification attack detection support in QRadar • Overview • Closed source, developed by IBM • Log and packet collector modules • SIEM system (including IDS/IPS modules) • Evaluation for our use case × No support for pairflow structure (Superflows do not allow our type of aggregation) × No integrated packet similarity calculation ◦ Bad performance of data export disallows post-processing approaches � Alarm generation and correlation would be possible × Conduction of active scans not possible ◦ Connected to LRZ databases, brings own mapping databases M. Köpferl — Amplification Attacks 9

  10. Requirements and Constraints Analysis of Amplification attack detection support in QRadar • Overview • Closed source, developed by IBM • Log and packet collector modules • SIEM system (including IDS/IPS modules) • Evaluation for our use case × No support for pairflow structure (Superflows do not allow our type of aggregation) × No integrated packet similarity calculation ◦ Bad performance of data export disallows post-processing approaches � Alarm generation and correlation would be possible × Conduction of active scans not possible ◦ Connected to LRZ databases, brings own mapping databases ⇒ Cannot implement Amplification attack detection M. Köpferl — Amplification Attacks 9

  11. Requirements and Constraints Analysis of correlation and alarm generation support in Suricata • Overview • Open source, extensible by modules • Existing Amplification attack detection module and pairflow definition • IDS/IPS functionality, reporting to SIEM system possible • Evaluation for our use case � Pairflow structure and detection algorithm implemented already � System performance was sufficient in past evaluations × No automatic alarm generation or correlation supported × No active scans or correlation lookups through connected databases M. Köpferl — Amplification Attacks 10

  12. Requirements and Constraints Analysis of correlation and alarm generation support in Suricata • Overview • Open source, extensible by modules • Existing Amplification attack detection module and pairflow definition • IDS/IPS functionality, reporting to SIEM system possible • Evaluation for our use case � Pairflow structure and detection algorithm implemented already � System performance was sufficient in past evaluations × No automatic alarm generation or correlation supported × No active scans or correlation lookups through connected databases ⇒ Implementation of missing features possible M. Köpferl — Amplification Attacks 10

  13. Architecture and Implementation Position of the Suricata host in the MWN Figure 2: Position of the Suricata host in the MWN M. Köpferl — Amplification Attacks 11

  14. Architecture and Implementation Additional requirements for our project Figure 3: Additional requirements for our project M. Köpferl — Amplification Attacks 12

  15. Architecture and Implementation LRZ constraints Figure 4: LRZ constraints M. Köpferl — Amplification Attacks 13

  16. Architecture and Implementation System components and possible data exchange paths Figure 5: System components and possible data exchange paths M. Köpferl — Amplification Attacks 14

  17. Architecture and Implementation Proposed system design and scan process (1) Figure 6: Proposed system design and scan process (1) M. Köpferl — Amplification Attacks 15

  18. Architecture and Implementation Proposed system design and scan process (2) Figure 7: Proposed system design and scan process (2) M. Köpferl — Amplification Attacks 16

  19. Architecture and Implementation Proposed system design and scan process (3) Figure 8: Proposed system design and scan process (3) M. Köpferl — Amplification Attacks 17

  20. Architecture and Implementation Proposed system design and scan process (4) Figure 9: Proposed system design and scan process (4) M. Köpferl — Amplification Attacks 18

  21. Architecture and Implementation Proposed system design and scan process (5) Figure 10: Proposed system design and scan process (5) M. Köpferl — Amplification Attacks 19

  22. Architecture and Implementation Manual Evaluation Figure 11: Manual Evaluation M. Köpferl — Amplification Attacks 20

  23. Architecture and Implementation Implemented components and functionality based on Suricata • Active measurements implemented • Measure RTT to evaluate impact (network congestion) of Amplification attack • Determine hop count to victim to validate TTL of incoming packets • Database lookups implemented allowing for correlation evaluation • Autonomous System number (Organization) • Domain Name: reverse DNS entry • Geographical location: country, region, city and GPS coordinates • Migrated Amplification detection code to version Suricata 3.2.3 for single threaded operation to overcome log rotation issues • Data privacy / anonymization issues solved • Map host part of IP address to anonymous identifiers • Keep anonymous identifiers in a mapping table for future reference M. Köpferl — Amplification Attacks 21

  24. Architecture and Implementation Comparison of QRadar and Suricata-based implementation -based implementation × � Detection of Amplification attacks � Automatic alarm generation ◦ × � Active measurements to verify results � � Possibility of extended event correlation × Summary ◦ M. Köpferl — Amplification Attacks 22

  25. Evaluation of detection performance Evaluation dataset • Two consecutive measurement runs, 8 hours in total • Suricata crashed after some time, but we couldn’t analyze • Very high packet drop rate in Suricata (96%) • Only a single worker thread instead of 26 M. Köpferl — Amplification Attacks 23

  26. Evaluation of detection performance Evaluation dataset • Two consecutive measurement runs, 8 hours in total • Suricata crashed after some time, but we couldn’t analyze • Very high packet drop rate in Suricata (96%) • Only a single worker thread instead of 26 • Affected Services/Hosts • 1 protocol (NTP , port 123 UDP) • 1 internal server • 15 alerts (malicious events) • 12 external client IP addresses M. Köpferl — Amplification Attacks 23

Recommend

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk

CoDef: Collaborative Defense against Large-Scale Link-Flooding Attacks Soo Bum Lee * , Min Suk Kang , Virgil D. Gligor CyLab, Carnegie Mellon University * Qualcomm Dec. 12, 2013 Large Scale Link-Flooding Attacks Massive DDoS attacks against

487 views • 27 slides
Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31.

Lehrstuhl fr Systemsicherheit Amplification DDoS Attacks Marc Khrer SPRING 9 Bochum, 31. Juli 2014 Outline Background UDP-based Amplification TCP-based Amplification Comparison UDP- / TCP-based Amplification 2 AMPLIFICATION

731 views • 27 slides
Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By:

Combating DNS amplification attacks using Cookies Supervisor: Roland van Rijswijk SURFnet By: Sean Rijs Agenda I am going to do my presentation DNS amplification attacks 2 1 Stub resolver Recursive server Authoritative server

1.42k views • 21 slides
E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale

E Evolution of NTCIR: l Infrastructure of Large-Scale Infrastructure of Large Scale Information Access Technologies Evaluation and Testing Evaluation and Testing Noriko Kando Noriko Kando National Institute of Informatics, Japan

632 views • 61 slides
Large scale graph processing systems: survey and an experimental evaluation Cluster Computing

Large scale graph processing systems: survey and an experimental evaluation Cluster Computing

Large scale graph processing systems: survey and an experimental evaluation Cluster Computing 2015 Omar Batarfi , Radwa El Shawi, Ayman G. Fayoumi , Reza Nouri, Seyed-Mehdi-Reza Beheshti, Ahmed Barnawi, Sherif Sakr Graph scale Scale:

363 views • 10 slides
Visualization of Amplification Attacks in Amplifier Networks Zwischenvortrag Michael Kpferl

Visualization of Amplification Attacks in Amplifier Networks Zwischenvortrag Michael Kpferl

Lehrstuhl fr Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen Visualization of Amplification Attacks in Amplifier Networks Zwischenvortrag Michael Kpferl 08.06.2015 Agenda Motivation

296 views • 16 slides
Large Scale Simulation of Tor: Stream Mix Networks Low latency Networks Network Correlation

Large Scale Simulation of Tor: Stream Mix Networks Low latency Networks Network Correlation

Large Scale Simulation of Tor: Stream Correlation Attacks Gavin O Gorman Anonymous Networks Large Scale Simulation of Tor: Stream Mix Networks Low latency Networks Network Correlation Attacks Simulation Results Attacks Gavin O

328 views • 20 slides
How Good are Humans at Solving d r CAPTCHAs? A Large Scale Evaluation o f n a Elie

How Good are Humans at Solving d r CAPTCHAs? A Large Scale Evaluation o f n a Elie

b a L y t i r u c e S r e t u p m o C How Good are Humans at Solving d r CAPTCHAs? A Large Scale Evaluation o f n a Elie Bursztein, Steven Bethard, Celine Fabry, John t S Mitchell, Dan Jurafsky, http://ly.tl/p11 E.

1.2k views • 105 slides
FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large

FINANCING LARGE SCALE SOLAR Large Scale Solar Conference - Sydney Gloria Chan Director, Large Scale Solar Lead April 2017 CONTENTS 1. Introduction to CEFC 2. Investment trends 3. The future of large scale solar 4. Pathway to sustainable

664 views • 21 slides
Large Scale Attacks on the Internet Lessons learned from the LOBSTER project Evangelos Markatos

Large Scale Attacks on the Internet Lessons learned from the LOBSTER project Evangelos Markatos

The LOBSTER project An IST Project http://www.ist-lobster.org/ Large Scale Attacks on the Internet Lessons learned from the LOBSTER project Evangelos Markatos Institute of Computer Science (ICS) Foundation for Research and Technology

335 views • 22 slides
1000 days of UDP amplification DDoS attacks Daniel R. Thomas , Richard Clayton, Alastair R.

1000 days of UDP amplification DDoS attacks Daniel R. Thomas , Richard Clayton, Alastair R.

1000 days of UDP amplification DDoS attacks Daniel R. Thomas , Richard Clayton, Alastair R. Beresford Firstname.Lastname@cl.cam.ac.uk Daniel: 5017 A1EC 0B29 08E3 CF64 7CCD 5514 35D5 D749 33D9 Richard: 899A 94CE BFCE CCE2 5744 5ACE 3BBC CF52

434 views • 18 slides
Empirical evaluation of NMT and PBSMT quality for large-scale translation production. Dimitar

Empirical evaluation of NMT and PBSMT quality for large-scale translation production. Dimitar

Empirical evaluation of NMT and PBSMT quality for large-scale translation production. Dimitar Shterionov, Pat Nagle, Laura Casanellas, Riccardo Superbo, Tony O'Dowd EAMT 2017, 29, May, 2017, Prague, the Czech Republic MT-centric translation

886 views • 23 slides
First Large Scale Platelet Function Evaluation in a Major Clinical Trial: The TRILOGY ACS

First Large Scale Platelet Function Evaluation in a Major Clinical Trial: The TRILOGY ACS

First Large Scale Platelet Function Evaluation in a Major Clinical Trial: The TRILOGY ACS Platelet Function Substudy Gurbel PA, Erlinge D, Ohman EM, Jakubowski JA, Goodman SG, Huber K, Chan MY, A E li D Oh EM J k b ki JA G A G d SG H b

511 views • 20 slides
Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008

Large-Scale Survey Interviewing Following Large Scale Survey Interviewing Following the 2008 WenChuan Earthquake Zhang Huafeng and Jon Pedersen International Blaise Users Conference (IBUC) Baltimore, USA , 1 Introduction Two household

711 views • 22 slides
INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO

INCORPORATING LARGE-SCALE CITIZEN INCORPORATING LARGE-SCALE CITIZEN DELIBERATION INTO ENVIRONMENTAL CONFLICT RESOLUTION America Speaks presentation to the 2008 ECR Conference Table Introductions Please form groups of 4-5 and give: Your name

848 views • 41 slides
Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L.

Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L.

Experimental Performability Evaluation of Middleware for Large-Scale Distributed Systems L. Soares J. Pereira losoares@di.uminho.pt jop@di.uminho.pt Distributed Systems Group Informatics Department University of Minho PORTUGAL L. Soares

461 views • 17 slides
Evaluation of a Failure Prediction Model for Large Scale Cloud Applications Mohammad S. Jassas

Evaluation of a Failure Prediction Model for Large Scale Cloud Applications Mohammad S. Jassas

Evaluation of a Failure Prediction Model for Large Scale Cloud Applications Mohammad S. Jassas and Qusay H. Mahmoud Presentation at Canadian AI 2020 Introduction Cloud services Complexity for cloud architectures. Cloud applications

227 views • 12 slides
Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is

Large-scale production of graphene: Introduction Large-scale production of graphene: what is graphene? Graphene is a truly 2D system made of Carbon atoms arranged in an honeycomb hexagonal lattice Zero-gap semiconductor with a low-energy linear

268 views • 6 slides
Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut

Large-scale Evaluation of Distributed Attack Detection Thomas Gamer, Christoph P. Mayer Institut fr Telematik, Universitt Karlsruhe (TH), Germany Why Attack Detection still is important Distributed Denial-of-Service problem persists Attack

366 views • 19 slides
Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA

Ethics in Techniques for large-scale data Graham J.L. Kemp TECHNIQUES FOR LARGE-SCALE DATA Masters level course: Chalmers MPALG and MPSOF programmes (DAT345) GU Applied Data Science programme (DIT871) Learning outcomes include:

305 views • 18 slides
ParaStack : Efficient Hang Detection for MPI Programs at Large Scale Hongbo Li Zizhong Chen

ParaStack : Efficient Hang Detection for MPI Programs at Large Scale Hongbo Li Zizhong Chen

ParaStack : Efficient Hang Detection for MPI Programs at Large Scale Hongbo Li Zizhong Chen & Rajiv Gupta Question Solution Evaluation 2 Question Solution Evaluation Program Hang Resource Wastage Current Solution 3 Execution in

841 views • 33 slides
SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang

SPIFFY: Inducing Cost-Detectability Tradeoffs for Persistent Link-Flooding Attacks Min Suk Kang Virgil D. Gligor Vyas Sekar ECE Department and CyLab, Carnegie Mellon University Feb 22, 2016 Large-scale link-flooding attacks Massive DDoS

511 views • 20 slides
An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of

An Email Contact Protocol Experiment in a Large-Scale Survey of U.S. in a Large Scale Survey of U.S. Government Employees DC-AAPOR Summer Conference Preview/Review Bureau of Labor Statistics Conference Center Washington DC Washington, DC

1.17k views • 25 slides
Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E.

Efficient Large-Scale Graph Processing on Hybrid CPU and GPU Systems A. Gharaibeh, E. Santos-Neto, L. Costa, M. Ripeanu. IEEE TPC, 2014 Sami (sa894) - R244: Large-scale data processing and optimization Efficient Large-Scale Graph Processing on

381 views • 25 slides

More recommend