Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 11
Detecting Distributed DenialDetecting Distributed Denial--ofof--Service Attacks Service Attacks by analyzing TCP SYN packets statisticallyby analyzing TCP SYN packets statistically
Yuichi Yuichi OhsitaOhsitaOsaka UniversityOsaka University
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 22
ContentsContents
What is What is DDoSDDoSHow to analyze packetHow to analyze packetTraffic modelingTraffic modelingMethod to detect SYN Flood attacksMethod to detect SYN Flood attacksEvaluationEvaluationSummarySummary
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 33
What is What is DDoSDDoS??
An attacker hacks remote hosts and An attacker hacks remote hosts and installs attack tools installs attack tools The hosts attack the same serverThe hosts attack the same server
attacker
Hacked hosts
server
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 44
What is What is DDoSDDoS??
The number of attacks is increasingThe number of attacks is increasingThe number of attack nodes is very large The number of attack nodes is very large and attack nodes are highly distributed and attack nodes are highly distributed The most are SYN Flood AttacksThe most are SYN Flood Attacks
Because SYN flood can put servers into Because SYN flood can put servers into denialdenial--ofof--service state easilyservice state easilyMore than 90% of More than 90% of DoSDoS Attacks Attacks [1][1]
[1] D. Moore, G.M. Voelker, and S. Savage, “Inferring internet Denial-of-Service activity,” Proceedings of the 2001 USENIX Security Symposium, pp.9–22, August 2001.
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 55
What is SYN Flood?What is SYN Flood?
Server
Client PC
SYN
SYN/ACK
ACK
Normal 3Normal 3--way handshakeway handshakeThe in-progress connection requests are held in the backlog-queue
The queue length is limited
backlog-queue
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 66
What is SYN Flood?What is SYN Flood?
Server
Attacker
SYN packet with spoofed source address
SYN/ACK
Mechanism of SYN FloodMechanism of SYN Flood
No ACK packets are replied.The connection requests remainin the backlog-queue till timeout
backlog-queueMany SYN with spoofed source address
The backlog queue is filled by malicious requests. Legitimate new connection requests are rejected.
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 77
Detection of SYN Flood Detection of SYN Flood
ProblemProblemThe server cannot distinguish whether the receiving The server cannot distinguish whether the receiving SYN packet is legitimate or maliciousSYN packet is legitimate or malicious
Existing methodsExisting methodsDetection by the mismatch of biDetection by the mismatch of bi--directional packetsdirectional packetsDetection by the mismatch between SYN and FIN Detection by the mismatch between SYN and FIN
Remaining IssuesRemaining IssuesExisting methods require long time to detect attacksExisting methods require long time to detect attacksExisting methods may mistake highExisting methods may mistake high--rate normal traffic rate normal traffic as attacksas attacks
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 88
The goal of our study The goal of our study
ObjectiveObjectiveDetecting attacks more accurately and faster Detecting attacks more accurately and faster
By using the statistical difference between normal and By using the statistical difference between normal and malicious trafficmalicious traffic
What we have doneWhat we have doneMonitoring packetsMonitoring packetsClassification packetsClassification packetsAnalyzing packets and modeling normal trafficAnalyzing packets and modeling normal trafficMaking new mechanism to detect attacks using the Making new mechanism to detect attacks using the modelmodel
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 99
How to monitor the trafficHow to monitor the traffic
We monitored packets at the gateway of We monitored packets at the gateway of Osaka UniversityOsaka UniversityWe analyzed the monitored packets.We analyzed the monitored packets.
Osaka Univ.Campus network The Internet
1000Base-SX
OpticalSplitter
RXRX
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1010
The captured trafficThe captured traffic
5days traffic from March 20, 2003 17:555days traffic from March 20, 2003 17:55The number of TCP packets :1.9 billionThe number of TCP packets :1.9 billionThe number of SYN packets : 21 millionThe number of SYN packets : 21 million
Arrival rate of TCP packets (packets/sec)
50000 100000 150000 200000 250000 300000 Time (sec)
5000
0
10000Outgoing packets
Incoming packets
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1111
Classification of flowsClassification of flowsWe classified monitored packets into flowWe classified monitored packets into flow
Flow : a series of packets which have the same (Flow : a series of packets which have the same (srcsrcIP, IP, srcsrc port, port, destdest IP, IP, destdest port) fieldport) field
We classified the flows into groupsWe classified the flows into groupsNormal traffic (Normal traffic (85.185.1% of monitored traffic)% of monitored traffic)
The flows which complete 3The flows which complete 3--way handshake way handshake Incomplete traffic (Incomplete traffic (14.914.9% of monitored)% of monitored)
The flows which do not complete 3The flows which do not complete 3--way handshake way handshake
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1212
Arrival rates of SYN packetsArrival rates of SYN packetsPoints where arrival rate rises sharply are due to incomplete Points where arrival rate rises sharply are due to incomplete traffictrafficArrival rate of the normal traffic changes over timeArrival rate of the normal traffic changes over time
Arrival rates(packet/sec)
time(sec)20000 40000 60000 800000
80
40
120
180
0 0 20000 40000 60000 80000
All traffic
Time-dependent variation(5/20)
Normal traffic
Time-dependent variation(5/20)
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1313
Arrival rates of SYN packetsArrival rates of SYN packets
Arrival rate(packet/sec)
time(sec20000 40000 60000 800000
80
40
120
180
0 0 20000 40000 60000 80000
Points where arrival rate rises sharply are due to incomplete Points where arrival rate rises sharply are due to incomplete traffictrafficArrival rate of the normal traffic changes over timeArrival rate of the normal traffic changes over time
All traffic
Time-dependent variation(5/20,2004)
incomplete traffic
Time-dependent variation(5/20,2004)
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1414
Model of SYN arrival rate Model of SYN arrival rate
Arrival rate of normal traffic changes Arrival rate of normal traffic changes moderately moderately We fit the arrival rate to a normal distributionWe fit the arrival rate to a normal distribution
The normal distribution with the mean and the The normal distribution with the mean and the variance isvariance is
The arrival rate are positive value, and we only The arrival rate are positive value, and we only use the nonnegative part of the use the nonnegative part of the F(xF(x) )
dyyxFx
]2
)(exp[21)( 2
2
σς
πσ−−
= ∫∞−
)0(1)0()()(
FFxFxG
−−
=
ςσ
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1515
Distributions of SYN arrival ratesDistributions of SYN arrival rates
May 203 am
May 209 am
0
0.2
0.4
0.6
0.8
1.0
0 2 4 6 8 10
May 207 pm
The arrival rates of normal traffic can be modeled by normal distribution
Cumulative distribution
SYN arrival rate(packets/sec)
SYN Arrival rates of Normal traffic
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1616
Distributions of SYN arrival ratesDistributions of SYN arrival rates
Normal distributionMonitored traffic
0
0.2
0.4
0.6
0.8
1.0Cumulative distribution
0 10 20 30 40 50 60 SYN arrival rate(packets/sec)
Because of many high-rate SYN packets caused by attack traffic, the distribution of SYN rates is far from a normal distribution
SYN arrival rates when attack starts
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1717
How to detect attacksHow to detect attacks
Attacks can be identified by observing the Attacks can be identified by observing the difference between SYN arrival rates and a difference between SYN arrival rates and a normal distributionnormal distribution
By calculating the average By calculating the average of squared differenceof squared difference
SYN arrival rate(packets/sec)
normalsample
0
0.2
0.4
0.6
0.8
1.0Cumulative distribution
0 10 20 30 40 50
difference
nnirG
D
n
ii∑
=
−= 0
2))((
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1818
Average of squared differenceAverage of squared differenceThe averages of squared difference for the normal traffic The averages of squared difference for the normal traffic are small regardless of time.are small regardless of time.The averages of squared difference for all traffic rise The averages of squared difference for all traffic rise rapidly at several points.rapidly at several points.
All traffic
Average of squared difference
0
200
400
600
800Normal traffic
0 20000 40000 60000 800000 20000 40000 60000 80000
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 1919
How to evaluate our methodHow to evaluate our method
We wrote a program for our detecting methodWe wrote a program for our detecting methodTwo sample data for the traceTwo sample data for the trace--driven simulationdriven simulation
Monitored trafficMonitored trafficTo confirm our method can detect monitored attacksTo confirm our method can detect monitored attacks
Traffic injected attack trafficTraffic injected attack trafficTo know how small attacks can be detectedTo know how small attacks can be detected
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 2020
Definition of attacksDefinition of attacks
Attacks which must be detectedAttacks which must be detectedAttacks which can put servers into denialAttacks which can put servers into denial--service stateservice statePoints where more than 1024 SYN packets are sent Points where more than 1024 SYN packets are sent within 180 second within 180 second There are 10 attacks in our monitored trafficThere are 10 attacks in our monitored traffic
definition thesatisfying attacks ofnumber detectcannot that attacks ofnumber attacks detectingnot ofy Probabilit =
attacks as detected points ofnumber attacks as detectedy erroneousl points ofnumber detection erronous ofy Probabilit =
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 2121
Simulation of monitored trafficSimulation of monitored trafficSmaller threshold, more erroneous detectionSmaller threshold, more erroneous detectionMost attacks can be detected without erroneous Most attacks can be detected without erroneous detectiondetection
Not detect
Erroneously detect
Probability
00.1
0.2
0.3
0.4
0.5
0.6
0.7
100 200 3000 threshold
There are only two erroneous Detection caused by a single client sending 20 SYNs/sec
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 2222
We injected lowWe injected low--rate attack into the traced trafficrate attack into the traced trafficAttacks whose rates are more than 14 Attacks whose rates are more than 14 SYNsSYNs/sec /sec can be detected without erroneous detectioncan be detected without erroneous detection
Detectable attack rateDetectable attack rate
Threshold need to detect
Probability of erroneous detectionThreshold need to detect
probability
0
0.1
0.2
0.3
20
0
40
60
80
100
10 12 14 16 18 Attack rate(SYNs/sec)
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 2323
Averages of squared difference increase gradually Averages of squared difference increase gradually after the beginning of attacks after the beginning of attacks Our proposed method can detect faster.Our proposed method can detect faster.
One of reasons is because our method adopts a One of reasons is because our method adopts a parametric approach.parametric approach.
Time to detect attacksTime to detect attacks
threshold=70
20
0
40
60
80
100
0 20 40 60
Average of squared difference
18 SYNs/sec
16 SYNs/sec
Time from the beginning of attack(sec)
12 SYNs/sec
Time needed to detect attacks 10
100
1000
10000
12 16 20 24
Our method
Existing method
Attack rate(SYNs/sec)28
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 2424
Summary and future workSummary and future work
SummarySummaryWe monitored and analyzed packets at the gateway We monitored and analyzed packets at the gateway of Osaka Universityof Osaka UniversityWe fit the arrival rate of SYN packets to a normal We fit the arrival rate of SYN packets to a normal distribution distribution We can detect attacks by the difference between We can detect attacks by the difference between arrival rates of SYN packets and a normal distributionarrival rates of SYN packets and a normal distribution
Future workFuture workSetting the parametersSetting the parametersModeling other types of trafficModeling other types of traffic
Nov 30, 2004Nov 30, 2004 Globecom 2004Globecom 2004 2525
Thank youThank you