Beyond the perimeter: the need for early detection of Denial of Service Attacks. John Haggerty, Qi Shi, Madjid Merabti. Presented by Abhijit Pandey.

1 Beyond the perimeter: the need for early detection of Denial of Service Attacks. John Haggerty, Qi Shi, Madjid Merabti. Presented by Abhijit Pandey

2 Outline Introduction. The Perimeter Model and DoS. DoS: A Case Study. Early Detection of DoS Attacks Beyond the Perimeter. Conclusion and Future Work.

3 Introduction DoS attacks prevent a user from performing his/her computing functions. They overwhelm the victim host to the point of unresponsiveness. Current countermeasures: firewalls, intrusion detection systems.

4 New approach for DoS prevention IDSs and firewalls are part of the victim system, so they can only respond to an attack and cannot prevent it from happening. Thus, when attacks are detected, services are shut down. The communication medium beyond the perimeter is used to identify the attack signatures.

5 Two main classifications of attack Resource starvation, e.g. TCP SYN flooding, which uses up the victim's resources with half-open requests so that no new requests are processed. Bandwidth consumption, e.g. ICMP flooding or UDP flooding, which consumes bandwidth.

6 The perimeter model and DoS Firewalls implement access control and audit functions at the interface. They are the conduit that network traffic passes through, both into and out of the network perimeter. The security policies are enforced by means of packet filters using IP addresses, ports, flags, interfaces, etc.

7 The perimeter model and DoS Intrusion detection systems detect violations of the security policies within the trusted domain; they thus identify the host misusing the system without authorization and take action against such attacks.

8 Failure of the perimeter model If the firewall is unable to respond, the attack may degrade or halt the services of the perimeter model. For an IDS, the aim of the attack is not to fill the bandwidth and deny legitimate users but to make the IDS log every suspicious packet. Thus a large number of spurious packets fill up the event log and fill the whole hard disk.

9 DoS: a case study An intrusion detection system was used to analyze events of interest (EOIs). A positive is when the recorded attack equates to an actual EOI, whereas a false positive is when the event is recorded as an attack but is not one. 409 positives and 1084 false positives were recorded. The 409 positives were generated by a worm attempting to infect other servers by sending a crafted HTTP GET request.

11 Result of case study The infected hosts inside the network tried to connect to the Internet, and thus all their traffic was routed to the firewall. The firewall's hard disk was filled with spurious information; external users could not come in, nor could internal users go out. The firewall crashed.

12 Detection of DoS beyond the perimeter Requirements: a mechanism must be devised that detects and responds to the attack prior to its reaching the perimeter. Abnormal vs. normal traffic is not defined; thus effective detection beyond the perimeter, in the communication medium, is difficult.

13 X: total number of packets directed at h. Y: time period over which packets are directed to h. S: packets that match a particular signature.

15 Signatures The signatures used in early detection are different from those of the perimeter model. Attack pattern: a high rate of data transfer over a period of time to consume available bandwidth. A signature to distinguish a TCP SYN flood from a flash crowd, in which some connections do get established; flash-crowd traffic increases gradually and decreases gradually.
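As an added example (not part of the original slides or the paper), the per-window counts X and S over period Y from slide 13 combined with the slide 15 distinction between a SYN flood and a flash crowd, run over two constructed packet traces; the host address, thresholds and trace shapes are assumptions.

```python
from collections import defaultdict

# A packet is (arrival time in seconds, destination host, TCP flags as a string).
# Signature S from the slides: a bare SYN, i.e. a connection attempt never completed.
def is_bare_syn(pkt):
    return pkt[2] == "S"

def window_stats(packets, h, Y, signature=is_bare_syn):
    """Per window of Y seconds return (X, S): X = packets directed at h,
    S = those matching the signature. Idle windows count as (0, 0)."""
    buckets = defaultdict(lambda: [0, 0])
    for pkt in packets:
        if pkt[1] != h:
            continue
        b = buckets[int(pkt[0] // Y)]
        b[0] += 1
        b[1] += signature(pkt)
    n = max(buckets) + 1 if buckets else 0
    return [tuple(buckets[i]) for i in range(n)]

def classify(stats, Y, rate_threshold, sig_fraction=0.8, ramp_ratio=4.0):
    """Label each window. 'attack': rate X/Y is high, the signature dominates
    and the onset is abrupt. 'flash_crowd': rate is high but handshakes
    complete and load grows gradually. Otherwise 'normal'."""
    labels, prev_x = [], 0
    for X, S in stats:
        high = X / Y >= rate_threshold
        dominated = X and S / X >= sig_fraction
        abrupt = X > ramp_ratio * max(prev_x, 1)
        if high and dominated and abrupt:
            labels.append("attack")
        elif high:
            labels.append("flash_crowd")
        else:
            labels.append("normal")
        prev_x = X
    return labels

def syn_flood_trace(h="10.0.0.5"):
    """Constructed: 1 s of normal SYN/ACK pairs, then 200 bare SYNs in 1 s."""
    pkts = [(0.1 * i, h, f) for i, f in enumerate(["S", "A"] * 3)]
    return pkts + [(1.0 + i / 200, h, "S") for i in range(200)]

def flash_crowd_trace(h="10.0.0.5"):
    """Constructed: legitimate load growing 3 -> 10 -> 20 -> 30 completed handshakes/s."""
    pkts = []
    for w, conns in enumerate([3, 10, 20, 30]):
        for i in range(conns):
            pkts += [(w + i / conns, h, "S"), (w + i / conns, h, "A")]
    return pkts
```

With Y = 1 s and a threshold of 20 packets/s, the flood trace yields one normal window followed by an attack window, while the flash crowd is labelled flash_crowd throughout its growth because its SYN fraction stays at one half.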

19 Future work A more quantitative relationship between different DoS attack signatures is required. Attack detection must distinguish positives from false positives to be effective without affecting legitimate users. Central control and administration of the defense mechanism, as well as signature updates and policy management, are required.

20 Conclusion The current defense is the perimeter security model, consisting of firewalls and IDSs located on the target system. The case study showed that when these devices are located on the target system, they are not an effective defense. Detecting DoS beyond the perimeter is effective but needs future work.
