a lerting
play

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS - PowerPoint PPT Presentation

Feb 08, 2023 •588 likes •767 views

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

  1. DD O S D ETECTION AND A LERTING Daniel Romão Niels van Dijkhuizen

  2. BACKGROUND  DDoS attacks are commonly seen in the SURFnet network  Mostly flooding attacks  Customers are heavily affected and complain  These attacks are cheap and easily performed

  3. BOOTERS / DDOSSERS / STRESSERS

  4. CURRENT SOLUTION  What does SURFnet currently use?  Fixed threshold alerting  IP fragmentation alerting  BGP off-ramping and traffic washing Can we make it better?

  5. RESEARCH QUESTIONS “Can we derive DDoS mitigation rules from the available production data in near real- time in order to alert and mitigate?”  What kind of DDoS attacks can we detect?  Can we detect them in near real-time?  Can we extract enough information for mitigation?

  6. WHAT WE PROPOSED

  7. APPROACH 1. Collect one week NetFlow data  One on hundred sampling 2. Filter interesting application protocols  53/udp (DNS), 123/udp (NTP), 80/tcp (HTTP), … 3. Categorize traffic by behavior 4. Create baselines  Application protocols Rest of the traffic (icmp, tcp, udp) 

  8. MODEL

  9. FINDING NEW ANOMALIES

  10. ANALYSIS  Correlations:  Bytes per packet  Source – Destination ratios (symmetry)  Categories identified:  Regular traffic without noise (e.g. HTTP/TCP)  Regular traffic with noise (e.g. DNS/UDP)  Non-regular traffic (e.g. NTP/UDP)

  11. EXAMPLE OF BEHAVIORS

  12. Smoothing: (friedman) REGULAR WITH NOISE IQR rule for outliers: Smoothing + offset:

  13. ANALYSIS (CONT.)  For the other categories our statistical analysis was not as effective  Traffic without noise -> baseline but hand-picked offset  Non-regular traffic -> threshold

  14. OUR PROTOTYPE  NfSen plugin written in Perl and HTML/PHP  Run every five minutes  Run-time: 10 seconds  Baselines and configuration stored in a SQLite database  Adaptive baseline  Weighting value  E-mail alerting

  15. CONCLUSION  What kind of DDoS attacks can we detect?  We can detect anomalies based on high volume. However...  Verified for profiled application protocols and rest.  Due to constraints , we didn’t dive into low -rate anomalies.  Can we detect them in near real-time?  Yes, within a 5 minutes interval (or even faster)  Can we extract enough information for mitigation?  No, but we expect that to be possible with further development of the plugin

  16. FUTURE WORK  Automate analysis  Gather more information to detect the type of the anomaly  Make the model distributed  Integration with a mitigation system

  17. Cool, right? THANK YOU!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

STIDS 2010 Brian Ulicny, Chris Matheus a Mieczyslaw M. (Mitch) Kokar a,b a VIStology, Inc. a,b

STIDS 2010 Brian Ulicny, Chris Matheus a Mieczyslaw M. (Mitch) Kokar a,b a VIStology, Inc. a,b

A S EMANTIC W IKI A LERTING E NVIRONMENT I NCORPORATING C REDIBILITY AND R ELIABILITY E VALUATION STIDS 2010 Brian Ulicny, Chris Matheus a Mieczyslaw M. (Mitch) Kokar a,b a VIStology, Inc. a,b Northeastern University W HAT A RE W E T RYING TO D O ?

999 views • 31 slides
Sustainable aviation biofuels in the Norwegian Transport Plan Ms. Tove Fllo, Director General

Sustainable aviation biofuels in the Norwegian Transport Plan Ms. Tove Fllo, Director General

Norwegian Ministry of Transport and Communications Sustainable aviation biofuels in the Norwegian Transport Plan Ms. Tove Fllo, Director General Nordic leadership in aviation emission reductions Copenhagen 10 October 2017 Norwegian

258 views • 8 slides
Citizens Millage Advisory Committee April 25, 2019 AGENDA Program Budget Status General

Citizens Millage Advisory Committee April 25, 2019 AGENDA Program Budget Status General

Citizens Millage Advisory Committee April 25, 2019 AGENDA Program Budget Status General Items Project Updates Career Tech Center Update Northside High School Update Southside High School Update Ramsey Jr High Update

493 views • 36 slides
NTP Radioisotopes SOC Ltd A subsidiary of Necsa SOC Ltd Pelindaba, South Africa Status of NTPs

NTP Radioisotopes SOC Ltd A subsidiary of Necsa SOC Ltd Pelindaba, South Africa Status of NTPs

NTP Radioisotopes SOC Ltd A subsidiary of Necsa SOC Ltd Pelindaba, South Africa Status of NTPs Conversion Programme www.ntp.co.za 2017 Mo 99 Topical Meeting on Molybdenum 99 Production Technology Development 10 13 September 2017;

192 views • 17 slides
Diane Evans, NTP President American Land Title Association Enter Congress Sweeping overhaul

Diane Evans, NTP President American Land Title Association Enter Congress Sweeping overhaul

NEW PARADIGM TO CLOSINGS Title Industry Prepares Diane Evans, NTP President American Land Title Association Enter Congress Sweeping overhaul of the United States financial regulatory system, a transformation on a scale not seen since the

667 views • 38 slides
Solar Project Development and PURPA May 2016 1 Utility Scale Solar Development Missouri

Solar Project Development and PURPA May 2016 1 Utility Scale Solar Development Missouri

Solar Project Development and PURPA May 2016 1 Utility Scale Solar Development Missouri has begun to see development and construction of utility-scale solar projects What is the Public Service Commissions role in shaping the

603 views • 21 slides
Missile Defense Radar through Real-Time Electromagnetic (EM) Simulation Injection

Missile Defense Radar through Real-Time Electromagnetic (EM) Simulation Injection

Missile Defense Radar through Real-Time Electromagnetic (EM) Simulation Injection Ted.Selig@FishEye.net GTC 2016 Source MDA.mil Fylingdales Phased Array Radar Source: www.mda.mil Phased Array Radar Antenna Face Source: www.loc.gov Behind of

360 views • 21 slides
San Pedro Waterfront Berths 74-84 Promenade and Town Square June 19, 2019 Agenda A. Overview

San Pedro Waterfront Berths 74-84 Promenade and Town Square June 19, 2019 Agenda A. Overview

San Pedro Waterfront Berths 74-84 Promenade and Town Square June 19, 2019 Agenda A. Overview B. Project Scope Demolition Promenade Town Square C. San Pedro Public Market D. Phasing E. Pedestrian Access/Parking F.

368 views • 20 slides
oje c t Pro je c t & CE QA No tific a tio n He a ring Pr e se ntation T opic s Pro je

oje c t Pro je c t & CE QA No tific a tio n He a ring Pr e se ntation T opic s Pro je

T ahoe Vista Re c r e ation Ar e a Ac c e ssor y Par king Pr oje c t Pro je c t & CE QA No tific a tio n He a ring Pr e se ntation T opic s Pro je c t Ove rvie w o Pha se I (c o mple te d) o Sc o pe o f Pro je c t o Pro po se

722 views • 13 slides
Change Order 0018 9-Month Delay Claim Resolution Proposed Action Authorizes the Chief

Change Order 0018 9-Month Delay Claim Resolution Proposed Action Authorizes the Chief

Change Order 0018 9-Month Delay Claim Resolution Proposed Action Authorizes the Chief Executive Officer to execute Change Order 00018 with Ansaldo Honolulu Joint Venture for the settlement of the Core Systems Contractors nine (9) month

300 views • 16 slides
Rookery South ERF Community Liaison Panel 29 th April 2019 AGENDA 1. Apologies for

Rookery South ERF Community Liaison Panel 29 th April 2019 AGENDA 1. Apologies for

Rookery South ERF Community Liaison Panel 29 th April 2019 AGENDA 1. Apologies for absence/resignations etc. 2. Facilitator's opening remarks and notes from previous meeting 14 Jan 2019 3. Brief update on JR appeal - VERBAL (Tom Koltis) 4.

182 views • 14 slides
Project Project Scope Building Radio system for vehicles (non revenue and revenue) which

Project Project Scope Building Radio system for vehicles (non revenue and revenue) which

Radio System Replacement Project Project Scope Building Radio system for vehicles (non revenue and revenue) which including radio base stations, network system In addition, the new radio system will add state of the art digital

488 views • 6 slides
Item 4. ESER G.O. Bond Program Update and ESER 2014 De-Appropriation from Emergency Firefighting

Item 4. ESER G.O. Bond Program Update and ESER 2014 De-Appropriation from Emergency Firefighting

Item 4. ESER G.O. Bond Program Update and ESER 2014 De-Appropriation from Emergency Firefighting Water Supply (EFWS) to Police Facilities (PF) and Neighborhood Fire Stations (NFS) 1 Earthquake Safety and Emergency Response Bond Program 2010

485 views • 19 slides
Pier 31 Shed Window & Wall Repair Project Contract No. 2806 November 6, 2018 1 AGENDA 1.

Pier 31 Shed Window & Wall Repair Project Contract No. 2806 November 6, 2018 1 AGENDA 1.

Pier 31 Shed Window & Wall Repair Project Contract No. 2806 November 6, 2018 1 AGENDA 1. Welcome, Introductions, & General Information Andre Antonio 2. Project Overview Wendy Proctor 3. CMD Finbarr Jewell 4. OLSE Anna

391 views • 28 slides
MassDOT Complete Streets Funding Program Presented by Albert Ng, PTP , ENV-SP March 2016

MassDOT Complete Streets Funding Program Presented by Albert Ng, PTP , ENV-SP March 2016

MassDOT Complete Streets Funding Program Presented by Albert Ng, PTP , ENV-SP March 2016 Complete Streets Defined A Complete Street (CS) is one that provides safe and accessible options for all travel modeswalking, biking, transit

421 views • 27 slides
Introduction to Parallel Programming January 14, 2015 www.cac.cornell.edu What is Parallel

Introduction to Parallel Programming January 14, 2015 www.cac.cornell.edu What is Parallel

Introduction to Parallel Programming January 14, 2015 www.cac.cornell.edu What is Parallel Programming? Theoretically a very simple concept Use more than one processor to complete a task Operationally much more difficult to

578 views • 25 slides
Public Hearings on Proposed Changes in Bear Hunting Rules March/April 2016 In 2012, the Wildlife

Public Hearings on Proposed Changes in Bear Hunting Rules March/April 2016 In 2012, the Wildlife

Public Hearings on Proposed Changes in Bear Hunting Rules March/April 2016 In 2012, the Wildlife Resources Commission adopted a statewide management plan for black bears for 2012-2022. GOAL: Use science -based decision making and

716 views • 35 slides
Sesame Outl Outlook 2019 2019 Senegal | | G Gambia | | G Guine-Bissau | | C

Sesame Outl Outlook 2019 2019 Senegal | | G Gambia | | G Guine-Bissau | | C

Sesame Outl Outlook 2019 2019 Senegal | | G Gambia | | G Guine-Bissau | | C Conakry Amrith Kurien - CEO ComAfrique Limited 19 th August 2019 Map of 4 Countries Senegal Gambia Guinea Bissau & Guinea Conakry 2 Sesame P

289 views • 4 slides
1Q18 Quarterly Results SET Opportunity Day 21 May 2018 1Q18 Quarterly Results | SET

1Q18 Quarterly Results SET Opportunity Day 21 May 2018 1Q18 Quarterly Results | SET

1Q18 Quarterly Results SET Opportunity Day 21 May 2018 1Q18 Quarterly Results | SET Opportunity Day | 21 May 2018 Disclaimer The information (the Information) contained in this presentation is strictly confidential and is provided by

502 views • 26 slides
NZ International Golf Strategy Why? Untapped economic impact for NZ! (International golf

NZ International Golf Strategy Why? Untapped economic impact for NZ! (International golf

NZ International Golf Strategy Why? Untapped economic impact for NZ! (International golf tourism is a $32 billion market and NZ currently captures less than 0.3% of this) NZ - a distinctive golf destination waiting to be discovered

288 views • 24 slides
3Q19 Quarterly Results SET Opportunity Day 3 Dec 2019 3Q19 Quarterly Results | SET Digital

3Q19 Quarterly Results SET Opportunity Day 3 Dec 2019 3Q19 Quarterly Results | SET Digital

3Q19 Quarterly Results SET Opportunity Day 3 Dec 2019 3Q19 Quarterly Results | SET Digital Roadshow| 18 Nov 2019 Disclaimer The information (the Information) contained in this presentation is strictly confidential and is provided by

329 views • 31 slides
IMPACT OF THE MONTREAL PROTOCOL REGULATIONS ON PREPLANT SOIL USE AND TRENDS IN ADOPTION OF

IMPACT OF THE MONTREAL PROTOCOL REGULATIONS ON PREPLANT SOIL USE AND TRENDS IN ADOPTION OF

IMPACT OF THE MONTREAL PROTOCOL REGULATIONS ON PREPLANT SOIL USE AND TRENDS IN ADOPTION OF ALTERNATIVES I.J. Porter A , M. Pizano B and M. Besri C , Technology and Economic Assessment Panel (TEAP), Montreal Protocol, and A Department of Primary

180 views • 3 slides
Alternators MAY 2012 A. Removal Procedures Mark the wire as BAT 1. Disconnect negative

Alternators MAY 2012 A. Removal Procedures Mark the wire as BAT 1. Disconnect negative

General Removal & Installation Procedures for Most Heavy Duty Alternators MAY 2012 A. Removal Procedures Mark the wire as BAT 1. Disconnect negative battery cable. Note: there may be more than one negative battery cable if there

331 views • 5 slides
Corporate Presentation December 2019 Cautionary Statements Forward-Looking Statements : The data

Corporate Presentation December 2019 Cautionary Statements Forward-Looking Statements : The data

Corporate Presentation December 2019 Cautionary Statements Forward-Looking Statements : The data and/or statements contained in this presentation that are not historical facts are forward-looking statements, as that term is defined in Section 21E

457 views • 42 slides

More recommend