Inferring Internet Denial-of-Service Activity (David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan Savage) - PowerPoint PPT Presentation

  1. Inferring Internet Denial-of-Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan Savage Presented by Thangam Seenivasan & Rabin Karki

  2. Simple Question How prevalent are denial-of-service attacks in the Internet?

  3. Why is it important? Loss could total more than $1.2 billion - analysts. DDOS attacks have become common. Borrowed from G. Voelker’s presentation

  4. Recent DDOS attack

  5. Challenges • No quantitative data available about the prevalence of DOS attacks • Obstacles gathering DOS traffic data – ISPs consider such data private and sensitive – Need to monitor from a large number of sites to obtain representative data

  6. Solution • Backscatter Analysis – Estimate prevalence of worldwide DOS attacks – Traffic monitoring technique – Conservative estimate on the prevalence – Lower bound on the intensity of attacks

  7. Outline • Background • Methodology • Attack detection and classification • Analysis of DOS

  8. DOS attacks • An attempt to make a computer resource unavailable to its intended users • Classes of attacks – Logic attacks (exploit software flaws) • Ping-of-Death – Resource attacks • Sending a large number of spurious requests. This paper focuses only on resource attacks

  9. Resource attacks • Network – Overwhelm the capacity of network devices – Attacker sends packets as rapidly as possible • CPU – Load the CPU by requiring additional processing – SYN flood • For each SYN packet to a listening TCP port – The host must search through existing connections – Allocate new data structures • Even a small SYN flood can overwhelm a remote host

  10. Distributed attacks • More powerful attacks – From multiple hosts [Diagram: an attacker uses remote-control communication to coordinate an attack from several compromised hosts, each running a daemon]

  11. IP Spoofing • Many attackers spoof IP source address – To conceal their locations • Use random address spoofing – To overcome blacklisting/filtering. This paper focuses solely on attacks with random address spoofing

  12. Outline • Background • Methodology • Attack detection and classification • Analysis of DOS

  13. Key Idea • Attackers spoof source addresses randomly • Victims, in turn, respond to attack packets • Unsolicited responses (backscatter) are equally distributed across the IP address space • Received backscatter is evidence of an attacker elsewhere

  14. Backscattering [Diagram: attacker, victim and backscatter to monitored hosts] Borrowed from G. Voelker’s presentation

  15. Typical victim responses

  16. Backscatter Analysis • Probability of one given host on the Internet receiving at least one unsolicited response during an attack of m packets • Probability of n hosts receiving at least one of m packets

  17. Backscatter Analysis • Monitor from n distinct hosts • Expected number of backscatter packets given an attack of m packets • These samples contain – Identity of the victim – Timestamp – Kind of attack

  18. Backscatter Analysis • If arrival rate of unsolicited packets from a victim is R’ • Extrapolated attack rate R on the victim is packets per sec

  19. Assumptions • Address uniformity – attackers spoof source addresses at random • Reliable delivery – Attack traffic and backscatter are delivered reliably • Backscatter hypothesis – Unsolicited packets observed by the monitor represent backscatter

  20. Limitation - Address uniformity • Many attacks do not use address spoofing – ISPs increasingly employ ingress filtering • “Reflector attacks” – Source address is specifically selected • Motivation for IP spoofing has been reduced – Automated methods for compromising hosts – DDOS attacks using true IP addresses. Each factor causes the analysis to underestimate the total number of attacks

  21. Limitation – Reliable delivery • Packets from attacker may be queued and dropped • Filtered and rate limited by a firewall • Some traffic does not elicit a response • Responses may be queued and dropped. Causes the analysis to underestimate the total number of attacks and the attack rate

  22. Backscatter hypothesis • Any server in the Internet can send unsolicited packets – Possible to eliminate flows consistently destined to a single host • Misinterpretation of random port scans as backscatter • The vast majority of attacks can be differentiated from typical scanning activity. Provides a conservative estimate of current denial-of-service activity

  23. Outline • Background • Methodology • Attack detection and classification • Analysis of DOS

  24. Attack detection and classification • Identify and extract backscatter packets from raw trace • Combine related packets into attack flows – Based on the victim’s IP address • Filter out some attack flows based on intensity, duration and rate

  25. Extracting backscatter packets • Remove packets – Involving legitimate hosts – Packets that do not correspond to response traffic – Remove TCP RST packets used for scanning • These scans have sequential scanning patterns • Remove RSTs with clearly non-random behavior • Remove duplicate packets – Same <src IP, dst IP, protocol, src port, dst port> in the last five minutes

  26. Flow-based classification • Flow-based identification – Flow: Series of consecutive packets sharing the same victim IP address – Flow lifetime: Timeout approach • Defines when a flow begins and ends • Packets arriving within a fixed timeout relative to the most recent packet in the flow – same flow • More conservative timeout: long flows • Shorter timeout: large number of short flows

  27. Flow timeout 300 seconds (5 minutes)

  28. Filtering attack flows • Packet threshold – Minimum number of packets necessary to classify a flow as an attack – Filter out short attacks which have negligible impact • Attack duration – Time between first and last packet of a flow – Filter out short attacks • Packet rate – Threshold for maximum rate of packet arrivals – Largest packet rate across 1-minute buckets

  29. Packet threshold 25 packets

  30. Attack duration 60 seconds

  31. Packet rate 0.5 pps
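As an added worked example (not code from the paper or the presentation), the following Python applies the flow timeout, packet, duration and rate thresholds from slides 26-31 to constructed backscatter records, and scales the observed rate R’ from slide 18 up to the victim’s rate R using the paper’s factor 2^32/n with n = 2^24 monitored addresses; the victim IPs and timestamps are constructed sample data.

```python
from collections import defaultdict

# Thresholds taken from the methodology slides
FLOW_TIMEOUT = 300       # seconds of silence that ends a flow
MIN_PACKETS = 25         # packet threshold
MIN_DURATION = 60        # seconds between first and last packet
MIN_RATE = 0.5           # packets/sec, largest 1-minute bucket
MONITOR_ADDRS = 2 ** 24  # the /8 monitor: 1/256 of the IPv4 space

def extrapolate_rate(observed_pps, n=MONITOR_ADDRS):
    # R = R' * 2^32 / n under uniform random spoofing (n monitored addresses)
    return observed_pps * (2 ** 32) / n

def build_flows(packets, timeout=FLOW_TIMEOUT):
    # Group (timestamp, victim_ip) records per victim; a gap longer than the
    # timeout relative to the most recent packet starts a new flow.
    by_victim = defaultdict(list)
    for ts, victim in sorted(packets):
        by_victim[victim].append(ts)
    flows = []
    for victim, stamps in by_victim.items():
        current = [stamps[0]]
        for ts in stamps[1:]:
            if ts - current[-1] > timeout:
                flows.append((victim, current))
                current = []
            current.append(ts)
        flows.append((victim, current))
    return flows

def classify_flow(victim, stamps):
    # Apply the packet, duration and rate thresholds to one flow.
    duration = stamps[-1] - stamps[0]
    buckets = defaultdict(int)
    for ts in stamps:
        buckets[int(ts // 60)] += 1          # count packets per 1-minute bucket
    peak_pps = max(buckets.values()) / 60.0
    is_attack = (len(stamps) >= MIN_PACKETS and duration >= MIN_DURATION
                 and peak_pps >= MIN_RATE)
    return {"victim": victim, "packets": len(stamps), "duration": duration,
            "peak_pps": peak_pps, "attack": is_attack,
            "extrapolated_pps": extrapolate_rate(peak_pps)}

def detect_attacks(packets):
    return [classify_flow(v, s) for v, s in build_flows(packets)]

# Constructed sample: A floods for 2 min, B is a 10-packet burst, C trickles every 10 min
SAMPLE = ([(1000 + i, "10.0.0.1") for i in range(120)]
          + [(2000 + i, "10.0.0.2") for i in range(10)]
          + [(3000 + 600 * i, "10.0.0.3") for i in range(30)])
```

Only victim A qualifies: B fails the packet and duration thresholds, and C is split into 30 single-packet flows because every 10-minute gap exceeds the 300 s timeout, which is the conservative behaviour the slides describe.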

  32. Extracted Information • IP Protocol (TCP, UDP, ICMP) • TCP flag settings (SYN/ACKs, RSTs) • ICMP payload (copies of original packets) • Port settings (source and destination ports) • DNS information

  33. Outline • Background • Methodology • Attack detection and classification • Analysis of DOS

  34. Analysis: Experimental Platform Captures all the inbound traffic via Hub Sole ingress link 2^24 distinct IPs, 1/256 of the total IPv4 address space

  35. Summary of Attack Activity

  36. Summary of Attack Activity • Collection done over a period of 3 years (Feb 1, 2001 – Feb 25, 2004). • Captured 22 traces of DoS activity. • Each trace roughly spans a week. • Total 68,700 attacks to 34,700 unique victim IPs. • 1,066 million backscatter packets (≤ 1/256th of the total backscatter traffic generated)

  37. Summary of Attack Activity • No strong diurnal patterns, as seen in Web or P2P file sharing. • Rate of attack doesn’t change significantly over the period of time. • Attacks were not clustered on particular subnets.

  38. Summary of Attack Activity • Exhibits daily periodic behavior. • At the same time every day, attack rate increases from est. 2,500 pps to 100,000-160,000 pps. • Attack persists for one hour before subsiding again. • Tuesdays off (suggests attacks are scripted).

  39. Attack Classification: Protocol

  40. Attack Classification: Protocol Table shows – • 95% of attacks and 89% of packets use TCP protocol. • Distant second is ICMP with 2.6% of attacks. • Breakdown of TCP attacks shows most of the attacks target multiple ports. • Most popular individual target ports: HTTP (80), IRC (6667), port 0, Authd(113)

  41. Attack Classification: Rate • 500 SYN pps are enough to overwhelm a server. • 65% of attacks had 500 pps or higher. • 4% of attacks had ≥ 14,000 pps, enough to compromise attack-resistant firewalls.

  42. Attack Classification: Duration • 60% of attacks last less than 10 min • 80% are less than 30 min • 2.4% are greater than 5 hrs • 1.5% are greater than 10 hrs • 0.53% span multiple days • PDF graph shows peaks at 5 min (10.8%) and 10 min (9.7%)

  43. Victim Classification: Type

  44. Victim Classification: TLD • Over 10% targeted .com and .net • 1.3-1.7% targeted .org and .edu • 11% targeted .ro • 4% targeted .br

  45. Victim Classification: Repeated Attacks • Most victims (89%) were attacked in only one trace. • Most of the remaining victims (7.8%) appear in two traces. • Victims can appear in multiple traces because of attacks that span trace boundaries. • Nevertheless, 3% of victims appear in more than 3 traces.

  46. Victim Classification: Repeated Attacks 15 victims that appear in 10 or more traces
