Spectral Techniques for Internet Traffic (Christos Papadopoulos and John Heidemann) - PowerPoint PPT Presentation

SLIDE 1

Spectral Techniques for Internet Traffic

Christos Papadopoulos and John Heidemann, USC/ISI
Data Catalog Workshop, CAIDA, June 3, 2004
christos@isi.edu, johnh@isi.edu

SLIDE 2

Research Topics

  • Security
    – DDoS classification
    – Attack signatures
  • Network management
    – Detection of saturated links
    – TCP dynamics
  • Methodology: Spectral analysis

SLIDE 3

Single vs. Multi-source Attacks

  • Single-source attack produces a linear cumulative spectrum
    [figure: single-source attack spectrum, 290Hz]
  • Multi-source attacks produce localization of power in low frequencies
    [figure: multi-source attack spectrum, 175Hz]

SLIDE 4

Single vs. Multi-source Attacks (cont.)

Steps:

  • Compare F(60%) to identify single-/multi-source attacks
  • Single-source: F(60%) mean 268Hz (240-295Hz)
  • Multi-source: F(60%) mean 172Hz (142-210Hz)
  • Robustly categorize Unclassified attacks

Results reported at SIGCOMM 2003, Hussain et al.
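As an added illustration (not code from the slides or from Hussain et al.), the following Python computes the cumulative spectrum of a 1ms-binned packet-count series, reads off F(60%), and applies the single-/multi-source split described above. The pure-Python FFT, the 220Hz split point (midway between the two reported means) and the synthetic traces are my own assumptions: the real attack traces are not on the page, so the multi-source case is simulated by averaging adjacent bins to mimic the low-frequency localization the slide describes.

```python
import cmath
import random

BIN_SEC = 0.001  # the slides' traces are binned at 1 ms, so Nyquist is 500 Hz
SPLIT_HZ = 220  # assumed cut midway between the slide's 268 Hz and 172 Hz means


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * cmath.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + t, even[k] - t
    return out


def cumulative_spectrum(counts):
    """Periodogram of a binned packet-count series with the mean removed (so
    the DC term is ignored); returns (freqs_hz, cumulative power fraction)."""
    n = len(counts)
    mean = sum(counts) / n
    spec = fft([c - mean for c in counts])
    power = [abs(spec[k]) ** 2 for k in range(1, n // 2 + 1)]
    total, acc, freqs, cum = sum(power), 0.0, [], []
    for k, p in enumerate(power, start=1):
        acc += p
        freqs.append(k / (n * BIN_SEC))
        cum.append(acc / total)
    return freqs, cum


def f_percent(counts, p=0.6):
    """F(p): the frequency below which fraction p of the spectral power lies."""
    freqs, cum = cumulative_spectrum(counts)
    return next(f for f, c in zip(freqs, cum) if c >= p)


def classify(counts):
    """Flat spectrum puts F(60%) near 300 Hz (single-source); power localized
    at low frequencies pulls it down (multi-source)."""
    return "single-source" if f_percent(counts) > SPLIT_HZ else "multi-source"


def synthetic_traces(n=8192, seed=1):
    """Constructed stand-ins, not real traces: Bernoulli arrivals per 1 ms bin
    (flat spectrum) and the same stream averaged over adjacent bins (assumed
    proxy for the low-frequency smoothing that aggregating many sources gives)."""
    rng = random.Random(seed)
    single = [1 if rng.random() < 0.3 else 0 for _ in range(n)]
    multi = [(single[i] + single[i - 1]) / 2 for i in range(n)]
    return single, multi
```

Calling `classify` on the two series from `synthetic_traces()` returns "single-source" and "multi-source" respectively; on real traces the 60% point is read from the same cumulative curve.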

SLIDE 5

Congested vs. Un-congested Link

[figure: Un-congested Link (TCP, UMD->USC, 64MB window)]

Spectrum of congested link shows clear signature. Congestion shows up as strong high frequency component.

SLIDE 6

Playground: Los Nettos

  • Regional network for LA area
  • ~15 years in existence
  • Three upstream providers (Verio, Level3, Cogent) plus Internet 2
  • 6 members and O(100) associates
    – mix of academic and commercial
  • About 45K machines

SLIDE 7

Los Nettos

[figure: Los Nettos topology map; legend: MEMBER, Affiliate, HUB, Transit, Xchange, I2; nodes include USC, CIT, ISI, JPL, HMC, CRG, ICT, HSC, NGC, OWB, Tustin, City of Pasadena, DWP, Verio, Level3, Cogent, SBC Gigaman, Internet2, CalREN, PAIX-LA, LAIIX, LAAP; links: DS3 circuits, fiber, FE]

SLIDE 8

Current Data Collection: Links

  • Currently monitored links
    – Verio (200 Mbps)
    – Part of Internet 2 (in/out of USC)
  • Other available links
    – Level3 (300 Mbps)
    – Rest of Internet 2 (200 Mbps)
    – Cogent (60 Mbps)

SLIDE 9

DNS: B and L Root Servers

SLIDE 10

Current Data Collection: Trace Hardware

  • Trace hardware
    – PCs with 250GB local disks
    – Netgear GA620 fiber cards
    – Driver tuned to partial packet capture
  • RAID boxes
    – About 6TB

SLIDE 11

Current Data Collection: Trace Software

  • PCs running FreeBSD
  • Tcpdump
    – Headers only
  • Traces saved in 2 min files on local disk
  • Local analysis and periodic transfer to RAID boxes

SLIDE 12

Trace Analysis

[flowchart: tcpdump → 2-min trace → Attack? → No: delete; Yes: find IP mapping, examine manually → Attack? → No: delete; Yes: analyze/store]

Threshold = 60, DNS: 2000, Exclude p2p

  • Captured 80 attacks (July-Nov 2002)
  • Work by Alefiya Hussain
SLIDE 13

Available Traces

  • All 80 DDoS attacks
    – anonymized
    – binned (1ms) time-series
  • Available as a DVD
  • Must sign 1-page, reasonable MOU
    – Then we mail you the DVD
  • Some attacks distributed to about 8-10 takers without advertising

SLIDE 14

Our Requirements

  • Packet-level traces
  • Accurate, high resolution timestamps
  • Metadata to describe attacks
  • ..more..
  • Contact johnh@isi.edu or christos@isi.edu for more information