Presentation is loading. Please wait.

Presentation is loading. Please wait.

Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks."— Presentation transcript:

1 Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks

2 Agenda Introduction 1 Distributed Denial of Services 2 Filtering Techniques 3 Evaluation 4 Proposal 5 Conclusion 6 ITEC-810 2

3 1. Introduction Problem: Distributed Denial of Service (DDoS) attack is a serious and challenging threat that is faced on the Internet at the present time. The consequence of this threat is the cut of service availability and the dramatic reduction of performance on the targeted network. The challenge posed by DDoS Attacks is to distinguish the normal and abnormal traffic; because, these attackers generally hide or mask their true identities and sources. ITEC-810 3

4 1. Introduction Aim: The project is going to analyse and evaluate the different generic types of attacks and filtering techniques for counteracting DDoS attacks. As a result of this project, the lack of information about the advantages and disadvantages of different filtering techniques will be reduced. Outcomes: Report on the strengths and weaknesses of the different filtering techniques. Recommendations and suggestions about the use of some filtering techniques to prevent DoS attacks. ITEC-810 4

5 Agenda Distributed Denial of Services 2 Filtering Techniques 3 Evaluation 4 Proposal 5 Conclusion 6 ITEC-810 5

6 2. DDoS Flood Attacks TCP SYN Flood Attack Smurf IP Attack UDP Flood Attack ICMP Flood Attack. Classification of DDoS Logic/SW Attacks Ping of Death Teardrop Land ITEC-810 6

7 Agenda Filtering Techniques 3 Evaluation 4 Proposal 5 Conclusion 6 ITEC-810 7

8 3. Filtering Techniques Filtering Based on Hop-Count Source Address Prefixes Filtering History-Based IP Filtering FilteringTechniquesFilteringTechniques ITEC-810 8

9  Use network information, such as the number of hops, to distinguish spoofed from legitimate packets.  The challenge in hop-count computation is calculate the hop-count only based in the final and initial TTL.  HCF has two possible states, learning and filtering. 3. Filtering Techniques Hop-Count Filtering ITEC-810 9

10 3. Filtering Techniques Source Address Prefix  Provides support at network level for blocking malicious traffic before it reaches and compromises vulnerable hosts.  SAPF is implemented at routers via access control lists (ACLs) that denies access to a source IP address or prefix.  SAPF record two sets of traffic on the victim. One during a non-attack period (baseline) and during an attack. ITEC-810 10

11 3. Filtering Techniques Source Address Prefix  Based on a comparative analysis of the regular traffic and traffic attack, SPAF produces three types of algorithms.  Positive that denies all traffic going to the victim by default and only allows traffic using ACL rules.  Negative that allows all traffic by default but also have ACL rules to block traffic from some sources prefix.  Mixed that gives a list with a mix of accept and deny rules. ITEC-810 11

12 3. Filtering Techniques Historic Based IP  Solution consist in distinguish bad and good packets by comparing the actual traffic with the previous historic traffic.  The two main parts are: a rule that will be able to distinguish legitimate traffic and a mechanism to look on the IP Address Database.  IAP store frequent IP address based on the numbers of days that appeared and the number of packets by IP address.  HIF use a sliding window to remove expired IP addresses (2 weeks). ITEC-810 12

13 Agenda Evaluation 4 Proposal 5 Conclusion 6 ITEC-810 13

14 Weaknesses Attributes Strengths Limitations 4. Evaluation ITEC-810 14

15  Advantages  Learning and filtering state increment the efficiency of the filtering technique.  HFC is able to recognise up to 90% of spoofed IP packets.  Effectiveness are: the method of capturing legitimate Hop-Count values, the limited possible number of TTL values and the stability on the routing behaviour in the Internet.  Use of aggregation to reduce the size of the IP2HC table. 4. Evaluation Hop-Count Filtering ITEC-810 15

16  Disadvantages:  Possibility to add invalid address on IP2HC table using real IP address.  Use of network address translation (NAT) creates invalid entries and hop-count on the IP2HC table.  Limitations:  HFC make the assumption that most of the available DDoS attacking tools are not able to alter the initial TTL value of the packet.  A incorrect definition of threshold may allow DDoS. 4. Evaluation Hop-Count Filtering ITEC-810 16

17  Advantages  Simplicity and scalability of the solution.  Flexibility to apply different strategies to counteract DDoS and ability of assigning weight to different prefix.  Computational requirements to implement ACLs are small 4. Evaluation Source Address Prefix ITEC-810 17

18  Disadvantages:  Aggregation of source prefix address mixes legitimate IP traffic with illegitimate traffic.  Produce significant collateral damage by block traffic from a prefix  Limitations:  The ACLs rules are based on previous traffic attacks; however, the patterns can change.  Accurate information captured at non-attack and on- going attack period. 4. Evaluation Source Address Prefix ITEC-810 18

19 4. Evaluation Historic Based IP  Advantages  HIF is easy to deploy in the network infrastructure without the necessity of specialized equipment.  Criteria to classify normal traffic.  Rules to narrow the range of IP address to protect.  Efficient solution because the filtering technique is only activated after high level of traffic has been detected. ITEC-810 19

20 4. Evaluation Historic Based IP  Disadvantages:  Size of IAD table.  Effectiveness in look up process.  Limitations:  Resources on equipment.  HIF allow DDoS attack with real IP address. ITEC-810 20

21 Administration complexity Scientific analysis Detection effectiveness Scope of involvement Logging capability Transparency level Factors to consider Implementation complexity Scalability Prevention effectiveness Range of applicability Reaction timeliness Effectiveness leaving Normal traffic 4. Evaluation Methodology ITEC-810 21

22 Factor Significance (SS) Assessment (AS) HFC SAPFHIF Implementation complexity. 3 334 Administration complexity. 4 424 Scalability. 4 3.5 4 Detection effectiveness. 5 3.8N/A4 Prevention effectiveness. 5 4N/A4 Scope of involvement 3 3.5 4 Effectiveness at leaving normal traffic alone 43.733 Transparency level for all involved parties 2 2.544 Reaction timeliness 5 N/A Logging capability 3 N/A2.5N/A Range of applicability 2 3.5 4 Scientific analysis 4 4.532.8 4. Evaluation Methodology SS1*AS1 + SS2*AS2 + SS3*AS3…. + SS12*AS12 Result: Hop-Count Filtering : 133.3 Source Address Prefixes Filtering : 88 History-based IP Filtering : 135.2 ITEC-810 22

23 Agenda Proposal 5 Conclusion 6 ITEC-810 23

24 5. Proposal This project proposes a combination of HIF and SAPF to increase the strength of the filter and reduce the false-positive and collateral damage on the victim  Advantages:  The SAPF learning process increase his accuracy with HIF criteria.  Increase of effectiveness of look up process.  Disadvantages:  The combination increase the complexity of solution.  Limitation:  Resources of equipment. ITEC-810 24

25 5. Proposal HIF and SAPF Factor Significance (SS) Proposed technique Implementation complexity. 3 2.5 Administration complexity. 4 3 Scalability. 4 4 Detection effectiveness. 5 N/A Prevention effectiveness. 5 N/A Scope of involvement 3 3.5 Effectiveness at leaving normal traffic alone 4 N/A Transparency level for all involved parties 2 4 Reaction timeliness 5 N/A Logging capability 3 N/A Range of applicability 2 4 Scientific analysis4N/A ITEC-810 25

26 Agenda Conclusion 6 ITEC-810 26

27 6. Conclusions  The project state that History-based IP Filtering is the most effective solutions based on the factors: detection effectiveness, scalability, implementation and administration complexity.  The project identify as critical key point the selection of the threshold between normal and attack traffic on HIF and HCF.  HIF, SAPF and HCF are effective solutions to prevent flooding attacks.  The project state that Source Address Prefix filtering technique is a inefficient solution. ITEC-810 27

28

Download ppt "Student : Wilson Hidalgo Ramirez Supervisor: Udaya Tupakula Filtering Techniques for Counteracting DDoS Attacks."

Similar presentations

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.

NETWORK SECURITY ADD ON NOTES MMD © Oct2012. IMPLEMENTATION Enable Passwords On Cisco Routers Via Enable Password And Enable Secret Access Control Lists.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.

Network-Based Denial of Service Attacks Trends, Descriptions, and How to Protect Your Network Craig A. Huegen Cisco Systems, Inc. NANOG 12 Interprovider.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
Packet Score: Statistics-based Overload Control against Distributed Denial-of- service Attacks: Yoohwan Kim,Wing Cheong Lau,Mooi Choo Chauh, H. Jonathan.

Packet Score: Statistics-based Overload Control against Distributed Denial-of- service Attacks: Yoohwan Kim,Wing Cheong Lau,Mooi Choo Chauh, H. Jonathan.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.

Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
------ An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.

An Overview Zhang Fu Outline What is DDoS ? How it can be done? Different types of DDoS attacks. Reactive VS Proactive Defence.
Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 12 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,

Denial of Service Attacks: Methods, Tools, and Defenses Authors: Milutinovic, Veljko, Savic, Milan, Milic, Bratislav,

Similar presentations

Ads by Google