Presentation is loading. Please wait.

Presentation is loading. Please wait.

Open-Eye Georgios Androulidakis National Technical University of Athens.

Published byCecilia Barrett Modified over 8 years ago

Similar presentations

Presentation on theme: "Open-Eye Georgios Androulidakis National Technical University of Athens."— Presentation transcript:

1 Open-Eye Georgios Androulidakis National Technical University of Athens

2 Denial of Service Attacks  An attack to suspend the availability of a service  DoS: single machine sends an enormous amount of packets against the target machine  Distributed DoS: traffic flows from various sources to exhaust network or computing resources

3 Main Characteristics of DoS  Variable targets: Single hosts or whole domains Computer systems or networks Active network components (e.g. routers)  Variable uses & effects: Hacker wars High profile commercial targets (or just competitors…). Useful in cyber-warfare, terrorism etc.

4 Our Solution: An anomaly detection tool Open-Eye

5 Open-Eye  DDoS Attack Detection Tool  Analyses flows that are exported from Cisco Netflow enabled routers  Compatible with Netflow v9  Works with IPv4 and IPv6 traffic  Uses anomaly detection algorithm based on specific metrics and thresholds  Based on Panoptis (http://panoptis.sourceforge.net)

6 NetFlow What is a flow? Defined by seven keys:  Source IP address  Destination IP address  Source Port  Destination Port  Layer 3 Protocol Type  TOS byte  Input logical interface (ifIndex)

7 NetFlow Sequence Router (from Cisco.com) 1.Create and update flows in NetFlow Cache Inactive timer expired (15 sec is default) Active timer expired (30 min is default) NetFlow cache is full (oldest flows expire) RST or FIN TCP Flag Export Packet Payload (flows) 2.Expiration 3.Aggregation? e.g. Protocol-Port Aggregation Scheme becomes 4.Export Version Yes No Aggregated Flows – export Version 8 or 9 Non-Aggregated Flows – export Version 5 or 9 5.Transport Protocol

8 Network Topology

9 Architecture (1)  Two main modules: - Collector The Collector is responsible for receiving flow data from the Netflow enabled routers, information is analyzed and stored in a local data structure. - Detector The Detector is responsible for calculating the metrics and comparing the results to detection thresholds. It is periodically activated, implements extensive logging of detection events and generates e-mail notifications with security alerts to the administrator.

10 Architecture (2)

11 Data structures (1)  Arrays for number of packets and number of flows for every pair of interfaces  Hash Tables with the Dst IP (key) and the number of packets and flows (values) for each IP for every pair of interfaces

12 Data structures (2)

13 DoS Detection Metrics Metrics for Packets/Flows based on deviation CP ij = Current Packets/Flows from interface i to j AP ij = Average Packets/Flows from interface i to j

14 Topology of our experiments

15 Attack Graphs (1)  Packet increase during the attack (TCP SYN Flood)

16 Attack Graphs (2)  Flow increase during the attack (TCP SYN Flood)

17 Attack Graphs (3)  Packet increase during the attack (TCP SYN Flood)

18 Attack Graphs (4)  Flow increase during the attack (TCP SYN Flood)

19 Attack Graphs (5)  Packet increase during the attack

20 Attack Graphs (6)  Number of flows is normal

21 Web Interface (1)

22 Web Interface (2)

23 Questions & Answers

Download ppt "Open-Eye Georgios Androulidakis National Technical University of Athens."

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.

REFLEX INTRUSION PREVENTION SYSTEM.. OVERVIEW The Reflex Interceptor appliance is an enterprise- level Network Intrusion Prevention System. It is designed.
An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,

An Adaptable Inter-Domain Infrastructure Against DoS Attacks Georgios Koutepas National Technical University of Athens, Greece SSGRR 2003w January 10,
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Supercomputing Center Measurement and Performance Analysis of Supercomputing Traffic by FlowScan+ 2.0 Supercomputing Center of KISTI Kookhan Kim August.

Supercomputing Center Measurement and Performance Analysis of Supercomputing Traffic by FlowScan+ 2.0 Supercomputing Center of KISTI Kookhan Kim August.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Lecture 5: TCP/IP OSI layers 3 (IP) and 4 (TCP/UDP) IPv4 – addresses and routing, “best-effort” service Ethernet, Appletalk, etc wrap IP packets with their.

Lecture 5: TCP/IP OSI layers 3 (IP) and 4 (TCP/UDP) IPv4 – addresses and routing, “best-effort” service Ethernet, Appletalk, etc wrap IP packets with their.
Anomaly Detection Steven M. Bellovin https://www.cs.columbia.edu/~smb Matsuzaki ‘maz’ Yoshinobu 1.

Anomaly Detection Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks Georgios Koutepas, Fotis Stamatelopoulos, Vasilios.

Design and Operational Characteristics of a Distributed Cooperative Infrastructure against DDoS Attacks Georgios Koutepas, Fotis Stamatelopoulos, Vasilios.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.

8-1 Internet security threats Mapping: m before attacking: gather information – find out what services are implemented on network  Use ping to determine.
Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.

Statistical based IDS background introduction. Statistical IDS background Why do we do this project Attack introduction IDS architecture Data description.
Application of NetFPGA in Network Security Hao Chen 2/25/2011.

Application of NetFPGA in Network Security Hao Chen 2/25/2011.
RD-CSY2001-08/09 Distance Vector Routing Protocols.

RD-CSY /09 Distance Vector Routing Protocols.
1 CCNA 2 v3.1 Module 10. 2 Intermediate TCP/IP CCNA 2 Module 10.

1 CCNA 2 v3.1 Module Intermediate TCP/IP CCNA 2 Module 10.

Similar presentations

Ads by Google