Presentation is loading. Please wait.

Presentation is loading. Please wait.

Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.

Published byBernard Privott Modified over 9 years ago

Similar presentations

Presentation on theme: "Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan."— Presentation transcript:

1 Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan

2 ISP Perspective of DDoS Attack Victim Attacker (Incarnation II) My ISP ISP3 ISP2 Hot potato routing

3 Problem Statement How can an ISP find out if: How can an ISP find out if: Its Backbone is carrying “useless” attack traffic? Its Backbone is carrying “useless” attack traffic? Its Backbone is itself under attack? Its Backbone is itself under attack? Focus of this talk: Focus of this talk: Sketch a solution approach Sketch a solution approach Discuss the main challenges Discuss the main challenges

4 Approach Record “normal” traffic at routers; identify anomalies Exchange suspicions among routers to reinforce anomaly detection Traffic Profile Destination: 10.1.203.210 #Flows: … #Bytes: … MB Traffic Profile Destination: 10.1.203.210 #Flows: … #Bytes: … MB

5 Basic Approach 1. Record “normal” traffic at routers 2. Detect “abnormalities” in traffic Challenges a. What is normal and what is abnormal? b. Is it robust? c. How quickly can we identify deviations? d. Can it really be implemented on a backbone router? e. Response strategy?

6 Proposed Solution Maintain Traffic Profiles Each router constructs profiles of traffic Each router constructs profiles of traffic Longer time-windows  normal traffic Longer time-windows  normal traffic Smaller time-windows  current traffic Smaller time-windows  current traffic Become suspicious if current profile violates normal profile Become suspicious if current profile violates normal profile

7 Important Challenges 1. Day-of-week and Time-of-day effects Maintain per-day per-daytime statistics Maintain per-day per-daytime statistics 2. Flash crowds Example of “harmless” but infrequent event Example of “harmless” but infrequent event Attack-volume alone is not a sufficient indicator Attack-volume alone is not a sufficient indicator “Fingerprint” the destination-bound traffic “Fingerprint” the destination-bound traffic Number of sources, source-subnets, flows, distribution of flow lengths, etc. Number of sources, source-subnets, flows, distribution of flow lengths, etc.

8 Traffic Fingerprints Some examples Total traffic to destination Total traffic to destination Source subnet characterization Source subnet characterization Total number of “flows” to a destination Total number of “flows” to a destination How many /24 subnets are observed in the traffic to this destination How many /24 subnets are observed in the traffic to this destination Flow-length distribution Flow-length distribution E.g., are there a lot of small flows? E.g., are there a lot of small flows?

9 Stream Sampling Memory/computation constraints at routers Memory/computation constraints at routers Keep statistics about every destination? Keep statistics about every destination? Only for popular ones  traffic to whom exceeds a fraction  of link capacity Only for popular ones  traffic to whom exceeds a fraction  of link capacity Use sample-and-hold or multistage filters [Estan01] Use sample-and-hold or multistage filters [Estan01] Count unique subnets in a packet stream Count unique subnets in a packet stream Memory =  (size of stream)! Memory =  (size of stream)! Use F 0 computation algorithms [Alon96, Gibbons01] Use F 0 computation algorithms [Alon96, Gibbons01] Do it in much smaller (constant!!) space and time Do it in much smaller (constant!!) space and time

10 Proposed Solution Increasing Robustness Single router has only local view  can make mistakes Single router has only local view  can make mistakes Traffic perturbations due to traffic engineering Traffic perturbations due to traffic engineering False alarms! False alarms! Suppose attacker “mimics” normal traffic at a router Suppose attacker “mimics” normal traffic at a router Attack goes undetected! Attack goes undetected! Mimicking at more than a few routers within an ISP would be hard! Mimicking at more than a few routers within an ISP would be hard! Use router consensus for reinforcing suspicions across routers Use router consensus for reinforcing suspicions across routers

11 Preliminary Results Single Router Detection Accuracy Experimental Setup Abilene-II traffic trace (70 minutes) Abilene-II traffic trace (70 minutes) Samples taken across a window of about 1 minute Samples taken across a window of about 1 minute Synthetic attack traffic (trinoo, TFN, TFN2k, etc.) Synthetic attack traffic (trinoo, TFN, TFN2k, etc.) Attack Detection Accuracy False positive rates ≤ 6%, lower for “ unpopular ” destinations False positive rates ≤ 6%, lower for “ unpopular ” destinations False negative rates decrease rapidly as the “ rate ” of attack traffic increases False negative rates decrease rapidly as the “ rate ” of attack traffic increases

12 Conclusions and Future Work Conclusions Conclusions Fingerprinting traffic allows for detection of subtle attack patterns not apparent from volume alone Fingerprinting traffic allows for detection of subtle attack patterns not apparent from volume alone Distributed detection makes it harder for an attacker to mimic traffic at multiple routers Distributed detection makes it harder for an attacker to mimic traffic at multiple routers Directions for future work Directions for future work Identify various attack scenarios Identify various attack scenarios Optimize computation/space requirements Optimize computation/space requirements Consensus algorithm; convergence and effectiveness Consensus algorithm; convergence and effectiveness Validate over real attack datasets Validate over real attack datasets

13 Backup Slide Overheads Use  = 0.1  memory ~ 3600 bytes per destination Use  = 0.1  memory ~ 3600 bytes per destination Approximate number of popular destinations = 1/  Approximate number of popular destinations = 1/  where  is the fraction of link capacity where  is the fraction of link capacity 360 KB per statistic – if we use  = 1% 360 KB per statistic – if we use  = 1% Can a high-end router have a few MBs of SRAM? Can a high-end router have a few MBs of SRAM? AlgorithmsAMS96GT01 Accuracy 1+ ,  > 1 1 ± ,  > 0 Memory (bytes) 4 36/  2 Byte operations ~4 ~4~6 Counting unique items in a stream (zeroeth moment F 0 )

Download ppt "Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan."

Similar presentations

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Data Streaming Algorithms for Accurate and Efficient Measurement of Traffic and Flow Matrices Qi Zhao*, Abhishek Kumar*, Jia Wang + and Jun (Jim) Xu* *College.

Data Streaming Algorithms for Accurate and Efficient Measurement of Traffic and Flow Matrices Qi Zhao*, Abhishek Kumar*, Jia Wang + and Jun (Jim) Xu* *College.
ABSTRACT We consider the problem of computing information theoretic functions such as entropy on a data stream, using sublinear space. Our first result.

ABSTRACT We consider the problem of computing information theoretic functions such as entropy on a data stream, using sublinear space. Our first result.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
Estimating TCP Latency Approximately with Passive Measurements Sriharsha Gangam, Jaideep Chandrashekar, Ítalo Cunha, Jim Kurose.

Estimating TCP Latency Approximately with Passive Measurements Sriharsha Gangam, Jaideep Chandrashekar, Ítalo Cunha, Jim Kurose.
Efficient Constraint Monitoring Using Adaptive Thresholds Srinivas Kashyap, IBM T. J. Watson Research Center Jeyashankar Ramamirtham, Netcore Solutions.

Efficient Constraint Monitoring Using Adaptive Thresholds Srinivas Kashyap, IBM T. J. Watson Research Center Jeyashankar Ramamirtham, Netcore Solutions.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.

Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.
SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.

SKELETON BASED PERFORMANCE PREDICTION ON SHARED NETWORKS Sukhdeep Sodhi Microsoft Corp Jaspal Subhlok University of Houston.
Packet Caches on Routers: The Implications of Universal Redundant Traffic Elimination Ashok Anand, Archit Gupta, Aditya Akella University of Wisconsin,

Packet Caches on Routers: The Implications of Universal Redundant Traffic Elimination Ashok Anand, Archit Gupta, Aditya Akella University of Wisconsin,
Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.

Polymorphic blending attacks Prahlad Fogla et al USENIX 2006 Presented By Himanshu Pagey.
Packet Caches on Routers: The Implications of Universal Redundant Traffic Elimination Ashok Anand, Archit Gupta, Aditya Akella University of Wisconsin,

Packet Caches on Routers: The Implications of Universal Redundant Traffic Elimination Ashok Anand, Archit Gupta, Aditya Akella University of Wisconsin,
Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1

Edith C. H. Ngai1, Jiangchuan Liu2, and Michael R. Lyu1
Detecting Traffic Differentiation in Backbone ISPs with NetPolice Ying Zhang Zhuoqing Morley Mao Ming Zhang.

Detecting Traffic Differentiation in Backbone ISPs with NetPolice Ying Zhang Zhuoqing Morley Mao Ming Zhang.
Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.

Streaming Algorithms for Robust, Real- Time Detection of DDoS Attacks S. Ganguly, M. Garofalakis, R. Rastogi, K. Sabnani Krishan Sabnani Bell Labs Research.
The Impact of False Sharing on Shared Congestion Management Aditya Akella and Srinivasan Seshan (Computer Science Department, Carnegie Mellon University)

The Impact of False Sharing on Shared Congestion Management Aditya Akella and Srinivasan Seshan (Computer Science Department, Carnegie Mellon University)
An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.

An Effective Placement of Detection Systems for Distributed Attack Detection in Large Scale Networks Telecommunication and Security LAB. Dept. of Industrial.
1 Traffic Engineering for ISP Networks Jennifer Rexford IP Network Management and Performance AT&T Labs - Research; Florham Park, NJ

1 Traffic Engineering for ISP Networks Jennifer Rexford IP Network Management and Performance AT&T Labs - Research; Florham Park, NJ
Communication-Efficient Distributed Monitoring of Thresholded Counts Ram Keralapura, UC-Davis Graham Cormode, Bell Labs Jai Ramamirtham, Bell Labs.

Communication-Efficient Distributed Monitoring of Thresholded Counts Ram Keralapura, UC-Davis Graham Cormode, Bell Labs Jai Ramamirtham, Bell Labs.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Similar presentations

Ads by Google