ddos flooding attack detection throug h a step by step
play

DDoS flooding attack detection throug h a step-by-step investigation - PowerPoint PPT Presentation

Aug 08, 2023 •39 likes •209 views

DDoS flooding attack detection throug h a step-by-step investigation

  1. DDoS flooding attack detection throug h a step-by-step investigation 0101001111110010011011010101010100101101110011111001010011101101011111010110111110011101111111100010001001110010000111100011100011101110111011110110100111010010101010011111010100010111001111001111100101001110110101111101011011111001110111 Jaehyun Jun Realtime Image Processing & Telecommunication Lab 16 December 2011

  2. Contents 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • Introduction • Existing DDoS attack detection method – DDoS attack methods – DDoS attack detection method • DDoS flooding attack detection through a step-by-step investi gation • Experiment • Conclusion 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 2 2

  3. Introduction (1/2) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • People have been provided many convenient, because general ized computer network infra building and increasing the numb er of internet users could make easy access to computer data • The crime occurs economical damage by flooding traffic to net work or illegal access to computer system which could stop th e right service • Still the DDoS attack has been tried and the damage is contin uously raised – Target for and attack has been diversified for example, game business site, stock site, internet portal site, (Yahoo, Amazon, etc) 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 3 3

  4. Introduction (2/2) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • Distributed Denial of Service (DDoS) – The structure of DDoS attack – Role of DDoS attack nodes NAME ROLE Attacker is leading all attack operate instrume nt by remote control and delivers command di Attacker rectly Master is receiving the command from attack er and orders attack zombies managed by it Master They are controlled by master. Attack progra m operates the command came from each ma Zombie ster, and finally performs their attack to the vi ctim As final victim, simultaneously they are attack Victim ed from several hosts 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 4 4

  5. Existing DDoS attack detection method (1/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • DDoS attack methods – SYN Flooding attack, UDP Flooding attack, ICMP Flooding attack 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 5 5

  6. Existing DDoS attack detection method (2/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • DDoS attack methods – SYN Flooding attack, UDP Flooding attack, ICMP Flooding attack 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 6 6

  7. Existing DDoS attack detection method (3/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • DDoS attack methods – SYN Flooding attack, UDP Flooding attack, ICMP Flooding attack 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 7 7

  8. Existing DDoS attack detection method (4/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • DDoS attack detection method 5-tuple srcIP, dstIP, srcPrt, dstPrt Packet flows clusters Threshold using feature value distribution (cluster key, entropy) Classification Dominant state Behavior classes Dominant state analysis Structural modeling 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 8 8

  9. DDoS flooding attack detection through a step-by-step i nvestigation (1/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 DDoS attack First danger Second danger Third danger N Total volume detection < volume threshold T 1 Y N Dest_IP entropy < Dest_IP entropy threshold T 2 Y Src_port entropy N < Src_port entropy threshold T 3 Y N Packets / sec < Packets / sec threshold T 4 Y Normal state DDoS state 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 9 9

  10. DDoS flooding attack detection through a step-by-step i nvestigation (2/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • Volume threshold(T 1 ) method judging DDoS attack detection Traffic Compare Volume threshold (T 1 ) 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 10 10

  11. DDoS flooding attack detection through a step-by-step i nvestigation (3/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • The comparison between entropy of destination IP address (T 2 ) and entropy of source port number (T 3 ) for detecting DDoS attack First danger YES Compare NO dest_IP entropy threshold (T 2 ) Second danger YES Nomarl State Compare NO Src_port entropy threshold on dest_IP (T 3 ) Third danger 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 11 11

  12. DDoS flooding attack detection through a step-by-step i nvestigation (4/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • The comparison packet creation rate per second (T4) for dete ction DDoS attack Compare Src_port entropy threshold on dest_IP (T 3 ) Third danger Nomarl NO Compare State Packets / sec threshold (T 4 ) YES DDoS attack state 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 12 12

  13. The result of experiment (1/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • Experiment environment – by using OPNET simulation – Component : node_1~12(zombie node), node_13~16(normal node), ro uter_1~5, server – Utilized traffic : DDoS attack traffic, Normal traffic 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 13 13

  14. The result of experiment (2/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • Experiment result and analysis Creation rate each node packet Traffic amount flow in router_5 when DDoS attack 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 14 14

  15. The result of experiment (3/4) 010100111111001001101101010101010010110111001111100101001110110101111101011011111001110111111110001000100111001000011110001110001110111011101111011010011101001010101001111101010001011100111100111110010100111011010111110101101111100111011111111000 • Experiment result and analysis The entropy of source port number of traffic The entropy of traffic destination IP address judged the second danger flowed in router_5 when DDoS attack happ ens 16/12/11 Realtime Image Pr Processing ng & Te Telecommuni unication n Lab. 15 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense

Network Security CIA +Availability By Jinjian Ma Topics DOS/DDoS Detection &amp; Defense Prevention DOS/DDoS Types Vulnerability attack Flooding attack DoS vs DDoS DoS: Attack is launched from single host Less

614 views • 26 slides
Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by

Using RtI for SLD eligibility: Using RtI for SLD eligibility: Step by step procedures Step by step procedures Webster Groves School District 2009 Response to Intervention (RtI) is a comprehensive early detection and prevention strategy

688 views • 23 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A

a i a j a i , a j a j , a i min { a i , a j } max { a i , a j } P j P j P i P i P i P j Step 1 Step 2 Step 3 Figure 9.1 A parallel compare-exchange operation. Processes P i and P j send their elements to each other. Process P i keeps min { a i ,

372 views • 22 slides
Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all

Step 1 Step 2 Step 3 Step 4 Step 5 Preparation of a sketch Submission of birth map of all customary information forms to Preparation and adoption of Convening and submission Submission of Application Ste land owned by ILG obtain

1.23k views • 4 slides
o o o o Step 1:

o o o o Step 1:

o o o o Step 1: Bachelor of Laws (Western Sydney School of Law) Step 2: Professional Legal Training (College of Law et ors) Step 3: Admission to the Supreme

366 views • 14 slides
Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD.,

Outbreak Investigation Outbreak Investigation Step by Step Step by Step Darin Areechokchai MD., DTM&amp;H., MCTM. Surveillance and Investigation Section Bureau of Epidemiology, Department of Disease Control Ministry of Public Health, Thailand

1.27k views • 83 slides
Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3:

Step by step guide Step 1: Purchasing an RSBlog! membership Step 2: Downloading RSBlog! Step 3: Installing RSBlog! 3.1 Installing the component 3.2 Installing a new language file Step 4: Import plugins (optional) 4.1 Import Joomla! articles

889 views • 67 slides
Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3:

Quick guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3: Installing RSEvents! Step 4: Configure RSEvents! Step 5: Add user permissions Step 6: Create event categories Step 7: Create event locations Step 8:

627 views • 35 slides
FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

FROM XML TO RDF STEP BY STEP: APPROACHES FOR LEVERAGING

Co-funded by the Horizon 2020 Framework Programme of the European Union Grant Agreement Number 644771 FROM XML TO RDF STEP BY STEP: APPROACHES

613 views • 26 slides
FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH

FIRST DAY OF SCHOOL STEP BY STEP DIRECTION TO GETTING LOGGED ONTO YOUR FIRST DAY OF 7TH OR 8TH GRADE AUGUST 10,2020 IS A MINIMUM DAY STUDENTS WILL LOG 7:45AM - ONTO THEIR 12:27PM CLASSES AND ENGAGE WITH THEIR TEACHERS AND PEERS STEP 1:

276 views • 6 slides
Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big

Type Theory and Coq Small step and Auto Zhuoran Liu May 30th Difference between small step and big step The big step specify how a given expression can be evaluated to its final value. The style is simple and natural for many purposes and is

196 views • 19 slides
Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading

Step by step guide Step 1: Purchasing a RSTickets!Pro membership Step 2: Downloading RSTickets!Pro 2.1 Downloading the component 2.2 Downloading the plugins/modules 2.3 Downloading additional language packs Step 3: Installing RSTickets!Pro

548 views • 44 slides
Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step

Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step

Quick guide Step 1: Purchasing RSMail! Step 2: Download RSMail! Step 3: Installing RSMail! Step 4: RSMail! settings Step 5: Add Subscribers 5.1. Create subscriber lists 5.2. Add subscribers 5.2.1 Manual add 5.2.2 Import from CSV Step 6

625 views • 14 slides
Quick guide Step 1: Purchasing a RSComments! membership Step 2: Download RSComments! Step 3:

Quick guide Step 1: Purchasing a RSComments! membership Step 2: Download RSComments! Step 3:

Quick guide Step 1: Purchasing a RSComments! membership Step 2: Download RSComments! Step 3: Installing RSComments! Step 4: Configure RSComments 4.1 General Configuration 4.2 Configure comments Step 5: Add user permissions Step 6: Moderate

337 views • 8 slides
Step by step guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step

Step by step guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step

Step by step guide Step 1: Purchasing an RSEvents! membership Step 2: Downloading RSEvents! Step 3: Installing RSEvents! Step 4: Configure RSEvents! 4.1 General settings 4.2 Dashboard settings 4.3 Events 4.3.1 Event general settings 4.3.2

1.29k views • 80 slides
Proposals to fix the edge Ca thenetwork Compute Storage Why How How connect to nearest edge

Proposals to fix the edge Ca thenetwork Compute Storage Why How How connect to nearest edge

More Security Start oith Denial of Service CDN Last class Authentication vs Authorization SYN flood why does it work How fixed DDos was it What Proposals to fix the edge Ca thenetwork Compute Storage Why How How connect to nearest edge

58 views • 4 slides
Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking

Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking

Addressing Shortcomings of Existing DDoS Protection Software Using Software-Defined Networking SSP 2018, Hildesheim Lukas Ifflnder , Stefan Geissler, Jrgen Walter, Lukas Beierlieb, Samuel Kounev 08.11.2018

677 views • 46 slides
This time Digging into Networking Protocols With a particular focus on TCP details, a t t a c

This time Digging into Networking Protocols With a particular focus on TCP details, a t t a c

This time Digging into Networking Protocols With a particular focus on TCP details, a t t a c k s, and defenses Layer 3: (Inter)network layer Bridges multiple subnets to provide end-to-end internet connectivity between nodes 7

1.59k views • 134 slides
TCP SYN Flood Mitigation Techniques Julian Villing Friday 25 th January, 2019 Chair of Network

TCP SYN Flood Mitigation Techniques Julian Villing Friday 25 th January, 2019 Chair of Network

Chair of Network Architectures and Services Department of Informatics Technical University of Munich TCP SYN Flood Mitigation Techniques Julian Villing Friday 25 th January, 2019 Chair of Network Architectures and Services Department of

511 views • 16 slides
Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar

Optical-Aware DDoS Defense Matt Hall, Ramakrishnan Durairajan, Guyue (Grace) Liu, Vyas Sekar DDoS Attacks A persistent threat on the global Internet Working from home new online tools for collaboration New tools new attack

405 views • 9 slides
Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics TCP Layer Responsible for reliable end-to-end transfer of application data.

632 views • 32 slides
Towards a Vecsigrafo Portable Semantics in Knowledge-based Text Analytics Ronald Denaux &amp;

Towards a Vecsigrafo Portable Semantics in Knowledge-based Text Analytics Ronald Denaux &amp;

Towards a Vecsigrafo Portable Semantics in Knowledge-based Text Analytics Ronald Denaux &amp; Jos Manuel Gmez Prez HSSUES Oct. 21st, 2017 The Cognitive Chasm How can humans and AI interact with and understand each other? Is this

471 views • 17 slides
Cryptography Markus Kuhn Computer Laboratory, University of Cambridge

Cryptography Markus Kuhn Computer Laboratory, University of Cambridge

Cryptography Markus Kuhn Computer Laboratory, University of Cambridge https://www.cl.cam.ac.uk/teaching/1819/Crypto/ These notes are merely provided as an aid for following the lectures. They are no substitute for attending the course. Lent

1.26k views • 108 slides

More recommend