DDoS flooding attack detection through a step-by-step investigation - PowerPoint PPT Presentation



SLIDE 1

DDoS flooding attack detection through a step-by-step investigation

Jaehyun Jun, Realtime Image Processing & Telecommunication Lab, 16 December 2011

SLIDE 2

Contents

  • Introduction
  • Existing DDoS attack detection method
    – DDoS attack methods
    – DDoS attack detection method
  • DDoS flooding attack detection through a step-by-step investigation
  • Experiment
  • Conclusion

16/12/11

Realtime Image Processing & Telecommunication Lab.

2

SLIDE 3

Introduction (1/2)

  • Widespread computer network infrastructure and a growing number of Internet users have made computer data easy to access, which has brought people many conveniences
  • Crime that floods a network with traffic or illegally accesses a computer system causes economic damage and can stop legitimate services
  • DDoS attacks are still being attempted and the damage keeps rising
    – Attack targets have diversified, for example game business sites, stock sites and Internet portal sites (Yahoo, Amazon, etc.)


SLIDE 4

Introduction (2/2)

  • Distributed Denial of Service (DDoS)
    – The structure of a DDoS attack
    – Role of the DDoS attack nodes

Role of each node:
    – Attacker: leads the whole attack, operates the attack instruments by remote control and delivers commands directly
    – Master: receives commands from the attacker and orders the attack zombies it manages
    – Zombie: controlled by a master; its attack program executes the command received from that master and finally performs the attack on the victim
    – Victim: the final victim, attacked simultaneously from several hosts

SLIDE 5

Existing DDoS attack detection method (1/4)

  • DDoS attack methods
    – SYN Flooding attack, UDP Flooding attack, ICMP Flooding attack


SLIDE 6

Existing DDoS attack detection method (2/4)

  • DDoS attack methods
    – SYN Flooding attack, UDP Flooding attack, ICMP Flooding attack


SLIDE 7

Existing DDoS attack detection method (3/4)

  • DDoS attack methods
    – SYN Flooding attack, UDP Flooding attack, ICMP Flooding attack


SLIDE 8

Existing DDoS attack detection method (4/4)

  • DDoS attack detection method

Pipeline of the existing entropy-based detection method (stage: technique):
    – Packet flows: 5-tuple (srcIP, dstIP, srcPrt, dstPrt)
    – Behavior classes: threshold using the feature value distribution (cluster key, entropy)
    – Dominant state: structural modeling
    – Classification clusters: dominant state analysis

SLIDE 9

DDoS flooding attack detection through a step-by-step investigation (1/4)

Flowchart of the step-by-step investigation. Four threshold comparisons are applied in sequence; each comparison either returns the traffic to the Normal state or escalates it to the next danger level, and only traffic that passes all four is reported as the DDoS state:

    – Total volume < volume threshold T1 → Normal state / First danger
    – Dest_IP entropy < Dest_IP entropy threshold T2 → Normal state / Second danger
    – Src_port entropy < Src_port entropy threshold T3 → Normal state / Third danger
    – Packets / sec < Packets / sec threshold T4 → Normal state / DDoS attack detection (DDoS state)

SLIDE 10

DDoS flooding attack detection through a step-by-step investigation (2/4)

  • Volume threshold (T1) check used to judge a DDoS attack

Figure: incoming traffic is compared against the volume threshold (T1).

SLIDE 11

DDoS flooding attack detection through a step-by-step investigation (3/4)

  • Comparison of the entropy of the destination IP address (T2) and the entropy of the source port number (T3) for detecting a DDoS attack

Figure: traffic in the First danger state is compared against the dest_IP entropy threshold (T2) and goes either back to the Normal state or on to the Second danger; traffic in the Second danger state is compared against the Src_port entropy threshold on dest_IP (T3) and goes either back to the Normal state or on to the Third danger.

SLIDE 12

DDoS flooding attack detection through a step-by-step investigation (4/4)

  • Comparison of the packet creation rate per second (T4) for detecting a DDoS attack

Figure: traffic that passed the Src_port entropy threshold on dest_IP (T3) is in the Third danger state; it is compared against the Packets / sec threshold (T4) and goes either back to the Normal state or on to the DDoS attack state.
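As an added example (not code from the slides), the four checks of slides 9 to 12 implemented over the flow records of one time window. The record format, the window length, the threshold values T1..T4 and the direction in which each comparison escalates are assumptions made here, since the slides give the comparisons but not their values.

```python
# Added example, not from the slides: the step-by-step investigation over
# the flow records of one time window. Record format, window length, all
# thresholds T1..T4 and the escalating direction of each compare are assumed.
from collections import Counter
import math

# Record: (src_ip, dst_ip, src_port, dst_port, bytes); window length in seconds
WINDOW_SECONDS = 1.0
# Assumed thresholds; in practice they come from a baseline of normal traffic
T1_VOLUME_BYTES = 50_000      # total bytes per window
T2_DSTIP_ENTROPY = 1.0        # bits; below this, traffic converges on few targets
T3_SRCPORT_ENTROPY = 3.0      # bits; above this, source ports look random
T4_PACKETS_PER_SEC = 100.0

def entropy(values):
    """Shannon entropy (bits) of the empirical distribution of an iterable."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def investigate(records, window=WINDOW_SECONDS):
    """Apply the four checks in order; each either returns the window to
    'normal' or escalates it. Returns (verdict, deepest danger level reached)."""
    if not records or sum(r[4] for r in records) < T1_VOLUME_BYTES:
        return ("normal", "none")                    # T1: total volume
    if entropy(r[1] for r in records) >= T2_DSTIP_ENTROPY:
        return ("normal", "first danger")            # T2: dest IP entropy
    top_dst = Counter(r[1] for r in records).most_common(1)[0][0]
    if entropy(r[2] for r in records if r[1] == top_dst) < T3_SRCPORT_ENTROPY:
        return ("normal", "second danger")           # T3: src port entropy
    if len(records) / window < T4_PACKETS_PER_SEC:
        return ("normal", "third danger")            # T4: packets per second
    return ("ddos", "third danger")

def normal_window():
    """Constructed: 16 clients each send one packet to one of 4 servers."""
    return [(f"10.0.1.{c}", f"192.0.2.{10 + c % 4}", 40000 + c, 80, 1500)
            for c in range(1, 17)]

def bulk_upload_window():
    """Constructed: one client uploads a large file over a single connection;
    the volume trips T1 but one source port keeps src_port entropy below T3."""
    return [("10.0.1.7", "192.0.2.10", 51234, 80, 1400) for _ in range(100)]

def flood_window():
    """Constructed: 12 zombies (node_1~12) each fire 20 packets at the server
    from different source ports, in the spirit of the OPNET attack traffic."""
    return [(f"10.0.0.{z}", "192.0.2.10", 1024 + z * 20 + i, 80, 500)
            for z in range(1, 13) for i in range(20)]
```

`investigate(flood_window())` returns `('ddos', 'third danger')`, while the bulk upload is sent back to normal at the source-port entropy stage even though its volume exceeded T1.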

SLIDE 13

The result of experiment (1/4)

  • Experiment environment
    – Built with OPNET simulation
    – Components: node_1~12 (zombie nodes), node_13~16 (normal nodes), router_1~5, server
    – Traffic used: DDoS attack traffic, normal traffic


SLIDE 14

The result of experiment (2/4)

  • Experiment result and analysis

Figures: amount of traffic flowing into router_5 during the DDoS attack; packet creation rate of each node.

SLIDE 15

The result of experiment (3/4)

  • Experiment result and analysis

Figures: entropy of the source port number of traffic judged to be in the second danger state; entropy of the destination IP address of traffic flowing into router_5 when the DDoS attack happens.

SLIDE 16

The result of experiment (4/4)

  • Comparison of DDoS attack detection methods: the behavior model of entropy versus the step-by-step investigation

Figures: traffic reaching the server after applying the DDoS attack detection method based on the behavior model of entropy; traffic reaching the server after applying the DDoS attack detection method based on the step-by-step investigation.

SLIDE 17

Conclusion

  • A step-by-step method was proposed for detecting DDoS attacks, which cause serious social problems
  • Once a DDoS attack is detected, the attack traffic from attackers or zombie hosts can be controlled by a control method
  • The attack destination (server) can then keep providing normal service to ordinary users
