Lehrstuhl für Netzarchitekturen und Netzdienste, Institut für Informatik, Technische Universität München
Visualization of Amplification Attacks in Amplifier Networks
Interim presentation (Zwischenvortrag)
Michael Köpferl, 08.06.2015
Agenda
• Motivation
• Research questions
• Approach
• Challenges
• Schedule and final steps
Visualization of Amplification Attacks in Amplifier Networks – Michael Köpferl – 08.06.2015 2
Addressed problem and its motivation
Amplification attack (diagram): requests with a spoofed source IP (the victim's IP) are sent to a server with an amplifying service, and the larger responses go to the victim.
Impact on the amplifier network and on the victim
Amplifier network:
• Blocked by the victim's network
• Traffic => costs
• Legal problems
Victim:
• Denial of service
Research questions (1/5)
How to effectively visualize amplification attacks such that a network operator can easily detect them?
• Time series graph
• Visualize the delta between average and current traffic
• Send notification by e-mail
Research questions (2/5)
How to recognize which internal and external systems and networks are affected?
• Group detected attacks
• Top-X list
• Network map
Research questions (3/5)
How to react accordingly by shutting down or limiting access to systems or services?
• Evaluate the visualization / react to the warning … and …
• Block / rate-limit access
• Shut down specific systems
• Fix bugs
Research questions (4/5)
How can an attack be investigated later in detail to learn from it?
• Prelude IDS as data storage
• Visualization and raw data
• Evaluate grouped data
• Evaluate IP header and packet content
• Specific timeframes
• Search history
Research questions (5/5)
Does the visualization help to identify false positives or false negatives?
Idea for false negatives:
• Lower amplification factors
• Lower minimum traffic
Idea for false positives:
• Delta visualization
• Evaluate the visualization manually
• Apply additional knowledge
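The detection ideas from research questions 1 and 5 (amplification factor and minimum-traffic thresholds, the delta between current and average traffic, and the notification text) are shown below in an added example. This is not code from the thesis or from Suricata/Prelude: the thresholds, the window size, the `Interval`/`Alert` types and the sample traffic are assumptions constructed for illustration. It also shows how lowering `min_factor` (the "false negatives" knob on the slide) turns a legitimate large download into an additional alert.

```python
"""Amplification-attack scoring over constructed traffic samples.

Added example, not code from the thesis: it implements the ideas on the
slides (amplification factor, minimum traffic, delta between current and
average traffic, notification text). Thresholds, window size and the
sample data are assumptions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Interval:
    """Traffic between one amplifier (server) and one client in one time slot."""
    slot: int          # time-slot index, e.g. one-minute bins
    server: str        # internal system running the amplifying service
    client: str        # external address, i.e. the (possibly spoofed) source
    bytes_in: int      # request bytes received from the client
    bytes_out: int     # response bytes sent to the client


@dataclass(frozen=True)
class Alert:
    server: str
    client: str
    factor: float      # bytes_out / bytes_in
    delta: float       # bytes_out minus the server's moving average


def amplification_factor(iv: Interval) -> float:
    """Response bytes per request byte; inf when responses have no requests."""
    if iv.bytes_in == 0:
        return float("inf") if iv.bytes_out else 0.0
    return iv.bytes_out / iv.bytes_in


class DeltaMonitor:
    """Per-server moving average of bytes_out, as used for the delta graph."""

    def __init__(self, window: int = 5):
        self.window = window
        self.history: dict[str, deque] = {}

    def observe(self, server: str, bytes_out: int) -> tuple[float, float]:
        """Return (delta, baseline) and then add the sample to the window."""
        hist = self.history.setdefault(server, deque(maxlen=self.window))
        baseline = sum(hist) / len(hist) if hist else 0.0
        hist.append(bytes_out)
        return bytes_out - baseline, baseline


def detect(intervals, min_factor=10.0, min_bytes_out=100_000, window=5):
    """Return alerts for intervals exceeding both thresholds, in slot order.

    Lowering min_factor or min_bytes_out is the "false negatives" knob from
    the slides; raising them trades false negatives for fewer false positives.
    """
    monitor = DeltaMonitor(window)
    alerts = []
    for iv in sorted(intervals, key=lambda i: i.slot):   # stable sort keeps input order per slot
        delta, _ = monitor.observe(iv.server, iv.bytes_out)
        factor = amplification_factor(iv)
        if iv.bytes_out >= min_bytes_out and factor >= min_factor:
            alerts.append(Alert(iv.server, iv.client, factor, delta))
    return alerts


def notification_text(alerts) -> str:
    """Body of the operator notification (sending it via SMTP is not shown)."""
    lines = ["%d suspected amplification attack(s):" % len(alerts)]
    for a in alerts:
        lines.append("  %s -> %s factor=%.1f delta=%+.0f B"
                     % (a.server, a.client, a.factor, a.delta))
    return "\n".join(lines)


# Constructed sample: three quiet minutes of dns1, then an attack slot in
# which two amplifiers answer a spoofed victim address (203.0.113.9).
SAMPLES = [
    Interval(0, "dns1", "198.51.100.7", 6_000, 30_000),
    Interval(1, "dns1", "198.51.100.7", 6_000, 31_000),
    Interval(2, "dns1", "198.51.100.7", 6_500, 32_000),
    Interval(3, "dns1", "203.0.113.9", 20_000, 1_200_000),   # factor 60: attack
    Interval(3, "ntp1", "203.0.113.9", 2_000, 400_000),      # factor 200: attack
    Interval(3, "web1", "198.51.100.7", 50_000, 400_000),    # factor 8: legitimate download
]

if __name__ == "__main__":
    print(notification_text(detect(SAMPLES)))
```

With the default thresholds only the two slot-3 flows towards 203.0.113.9 are reported; the dns1 alert carries a delta of about 1.17 MB against its 31 kB baseline, which is the spike the delta graph would show. Calling `detect(SAMPLES, min_factor=5.0)` additionally reports the web1 download, the false positive the manual evaluation on the slide is meant to catch.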
Approach (Software)
Prewikka
• Web interface to access the Prelude DB
• => amplification graphs
Prelude (SIEM)
• Stores data in a MySQL DB
• => store additional data
• => support anonymization
• Alerts the network operator
Suricata (IDS)
• Detects amplification attacks
• Alerts Prelude via the IDMEF interface
• Logs additional data to a file
• Detection rule
Approach (Development Setup)
Test / development setup (diagram)
Approach (Visualization)
• D3.js (Data-Driven Documents)
• Data export from the Prelude DB into CSV
• Useful SELECTs and aggregation necessary
• DB connector script to be used by D3.js: SQL -> CSV
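The SQL -> CSV connector and the aggregations behind the Top-X list (research question 2) are shown below in an added example. It is not the thesis's connector script and does not use Prelude's real schema: the `amplification_alert` table, its rows and the timestamps are constructed for illustration, and an in-memory SQLite database stands in for the Prelude MySQL DB (the queries use only features common to both, apart from the integer division noted in the comment).

```python
"""SQL -> CSV connector for D3.js over an in-memory SQLite stand-in.

Added example, not the thesis's connector script. The table below is a
constructed, simplified alert table; Prelude's real MySQL schema is
different and not reproduced here. Sample rows are constructed.
"""
import csv
import io
import sqlite3

SCHEMA = """
CREATE TABLE amplification_alert (
    id        INTEGER PRIMARY KEY,
    ts        INTEGER NOT NULL,  -- alert time as unix timestamp
    server    TEXT    NOT NULL,  -- internal amplifier
    victim    TEXT    NOT NULL,  -- spoofed source address = victim
    proto     TEXT    NOT NULL,  -- amplifying service, e.g. dns, ntp
    bytes_out INTEGER NOT NULL,  -- response bytes sent towards the victim
    factor    REAL    NOT NULL   -- amplification factor of the flow
);
"""

BASE = 1_433_750_400  # constructed timestamp, aligned to a full minute
ROWS = [
    (BASE + 0,   "dns1",  "203.0.113.9",  "dns",  1_200_000, 60.0),
    (BASE + 30,  "ntp1",  "203.0.113.9",  "ntp",    400_000, 200.0),
    (BASE + 70,  "dns1",  "203.0.113.9",  "dns",    900_000, 55.0),
    (BASE + 100, "dns2",  "192.0.2.44",   "dns",    300_000, 40.0),
    (BASE + 130, "ntp1",  "192.0.2.44",   "ntp",    150_000, 120.0),
    (BASE + 150, "ssdp1", "198.51.100.5", "ssdp",    50_000, 30.0),
]

# Aggregation for the Top-X list: which external addresses were hit hardest.
TOP_VICTIMS_SQL = """
SELECT victim,
       COUNT(*)       AS alerts,
       SUM(bytes_out) AS total_bytes,
       MAX(factor)    AS max_factor
FROM amplification_alert
WHERE ts BETWEEN ? AND ?
GROUP BY victim
ORDER BY total_bytes DESC
LIMIT ?
"""

# Aggregation for the time-series graph: bytes per time bucket.
# ts / ? is integer division because both operands are integers (SQLite);
# MySQL would need DIV or FLOOR() here.
SERIES_SQL = """
SELECT (ts / ?) * ? AS bucket, SUM(bytes_out) AS total_bytes
FROM amplification_alert
GROUP BY 1
ORDER BY 1
"""


def open_db() -> sqlite3.Connection:
    """Create the stand-in database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO amplification_alert (ts, server, victim, proto, bytes_out, factor) "
        "VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def top_victims(conn, start, end, limit):
    """Top-X victims in [start, end] as (victim, alerts, total_bytes, max_factor)."""
    return conn.execute(TOP_VICTIMS_SQL, (start, end, limit)).fetchall()


def traffic_series(conn, bucket_seconds):
    """(bucket_start, total_bytes) rows for the time-series graph."""
    return conn.execute(SERIES_SQL, (bucket_seconds, bucket_seconds)).fetchall()


def query_to_csv(conn, sql, params=()):
    """Run a SELECT and return CSV text with a header row, as d3.csv() expects."""
    cur = conn.execute(sql, params)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([col[0] for col in cur.description])  # column aliases become CSV headers
    writer.writerows(cur.fetchall())
    return buf.getvalue()


if __name__ == "__main__":
    db = open_db()
    print(query_to_csv(db, TOP_VICTIMS_SQL, (BASE, BASE + 300, 10)))
    print(query_to_csv(db, SERIES_SQL, (60, 60)))
```

The header row is taken from the SQL aliases, so the D3.js side can address fields as `d.victim` or `d.total_bytes` without a separate mapping; the connector script itself should only ever run read-only SELECTs against the Prelude DB.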
Visualization demo (screenshots)
Challenges
Additional challenges that appeared during the work:
• Stability of Suricata while logging to Prelude
• Hardware problem with the iLab room => VM setup
• Storing of domain names: concept developed, will be added to the Prelude DB
• Anonymization question: concept developed, will be implemented as a cron job that is called regularly and anonymizes old data
Schedule (chart)
Lehrstuhl für Netzarchitekturen und Netzdienste, Institut für Informatik, Technische Universität München
FIN
Visualization of Amplification Attacks in Amplifier Networks - Interim presentation (Zwischenvortrag) - Questions?
Michael Köpferl - 08.06.2015