SLIDE 1

Lehrstuhl für Netzarchitekturen und Netzdienste (Chair of Network Architectures and Services), Institut für Informatik (Department of Informatics), Technische Universität München

Visualization of Amplification Attacks in Amplifier Networks

Interim presentation (Zwischenvortrag), Michael Köpferl, 08.06.2015

SLIDE 2

Visualization of Amplification Attacks in Amplifier Networks – Michael Köpferl – 08.06.2015

Agenda
  • Motivation
  • Research questions
  • Approach
  • Challenges
  • Schedule and final steps

SLIDE 3

Addressed problem and its motivation

Amplification attack
  • The attacker sends requests with a spoofed source IP (the victim's IP)
  • to a server running an amplifying service, whose much larger responses are sent to the victim

Impact on the amplifier network and on the victim
  • Amplifier network:
    • gets blocked by the victim's network
    • traffic => costs
    • legal problems
  • Victim: denial of service
SLIDE 4

Research questions (1/5)

How to effectively visualize amplification attacks such that a network operator can easily detect them?
  • Time series graph
  • Visualize the delta between average and current traffic
  • Send a notification by e-mail

SLIDE 5

Research questions (2/5)

How to recognize which internal and external systems and networks are affected?
  • Group detected attacks
  • Top-X list
  • Network map

SLIDE 6

Research questions (3/5)

How to react accordingly by shutting down or limiting access to systems or services?
  • Evaluate the visualization / react to the warning, and then:
    • Block or rate-limit access
    • Shut down specific systems
    • Fix bugs

SLIDE 7

Research questions (4/5)

How can an attack be investigated later in detail to learn from it?
  • Prelude IDS as data storage
  • Visualization and raw data
    • Evaluate grouped data
    • Evaluate IP header and packet content
  • Specific timeframes
  • Search history

SLIDE 8

Research questions (5/5)

Does the visualization help to identify false positives or false negatives?
  • Idea for false negatives (attacks that were missed):
    • Lower the amplification-factor threshold
    • Lower the minimum-traffic threshold
  • Idea for false positives (alerts that are not attacks):
    • Delta visualization
    • Evaluate the visualization manually
    • Apply additional knowledge
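The delta check from slide 4 (current traffic against a moving average), the top-X grouping from slide 5 and the threshold tuning from slide 8, as one added Python example. This is not the thesis code and not the Suricata detection rule the slides refer to; in the thesis the detection runs in Suricata and the delta is shown in the D3.js graphs. The flow-record fields, the thresholds, and the sample traffic are constructed for this example.

```python
"""Delta-based amplification detection over per-interval flow counters.

Added example for this page: not the thesis code and not the Suricata rule
the slides refer to. Record format, thresholds and sample traffic are
constructed / assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # start of the interval, seconds
    amplifier: str   # internal host running an amplifying service (DNS, NTP, ...)
    client: str      # claimed source address: the victim if it was spoofed
    bytes_in: int    # request bytes the amplifier received "from" client
    bytes_out: int   # response bytes the amplifier sent to client


class DeltaDetector:
    """Per (amplifier, client) pair: compare the current interval with the
    moving average of earlier intervals and alert on heavy, highly amplified
    traffic that is well above that baseline."""

    def __init__(self, window=5, min_factor=10.0, min_bytes=1_000_000,
                 delta_ratio=3.0):
        self.window = window            # intervals kept in the baseline
        self.min_factor = min_factor    # bytes_out / bytes_in needed to alert
        self.min_bytes = min_bytes      # minimum bytes_out per interval
        self.delta_ratio = delta_ratio  # current must be >= ratio * average
        self._hist = defaultdict(lambda: deque(maxlen=window))

    def evaluate(self, flows):
        """Consume one interval's flows; return that interval's alerts."""
        agg = defaultdict(lambda: [0, 0, 0])      # ts, bytes_in, bytes_out
        for f in flows:
            a = agg[(f.amplifier, f.client)]
            a[0], a[1], a[2] = f.ts, a[1] + f.bytes_in, a[2] + f.bytes_out
        alerts = []
        for (amp, client), (ts, b_in, b_out) in agg.items():
            hist = self._hist[(amp, client)]
            average = sum(hist) / len(hist) if hist else 0.0
            factor = b_out / b_in if b_in else float("inf")
            above = not hist or b_out >= self.delta_ratio * average
            if b_out >= self.min_bytes and factor >= self.min_factor and above:
                alerts.append({"ts": ts, "amplifier": amp, "client": client,
                               "factor": round(factor, 1), "current": b_out,
                               "average": average, "delta": b_out - average})
                continue  # do not let the attack interval raise the baseline
            hist.append(b_out)
        return alerts


def detect(buckets, **thresholds):
    """Run a fresh detector over consecutive intervals; return all alerts."""
    detector = DeltaDetector(**thresholds)
    alerts = []
    for bucket in buckets:
        alerts.extend(detector.evaluate(bucket))
    return alerts


def top_x(alerts, field, n=10):
    """Top-X list: which amplifiers (or which victims) alert most often."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert[field]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed sample traffic, 60-second intervals (RFC 5737 / RFC 1918 addresses).
DNS, NTP = "10.0.0.53", "10.0.0.123"
VICTIM, SMALL_VICTIM = "203.0.113.9", "203.0.113.10"


def _normal(ts):
    return Flow(ts, DNS, "198.51.100.7", 2_000, 6_000)     # factor 3, low volume


SAMPLE_BUCKETS = [
    [_normal(0)], [_normal(60)], [_normal(120)], [_normal(180)],
    [_normal(240), Flow(240, DNS, VICTIM, 50_000, 2_500_000)],        # factor 50
    [_normal(300), Flow(300, DNS, VICTIM, 50_000, 2_500_000),
     Flow(300, NTP, VICTIM, 20_000, 4_000_000),                        # factor 200
     Flow(300, DNS, SMALL_VICTIM, 30_000, 600_000)],                   # factor 20, small
]


if __name__ == "__main__":
    found = detect(SAMPLE_BUCKETS)
    for a in found:
        print(a)
    print("top amplifiers:", top_x(found, "amplifier"))
    print("top victims:", top_x(found, "client"))
    # Lowering min_bytes (slide 8) also catches the small attack on SMALL_VICTIM.
    print(len(detect(SAMPLE_BUCKETS, min_bytes=500_000)), "alerts with min_bytes=500000")
```

With the default thresholds the 600 kB attack on the second victim is a false negative; lowering `min_bytes` to 500 kB catches it, at the price that more legitimate bursts will also cross the line, which is exactly the trade-off slide 8 leaves to the operator. Intervals that alert are deliberately kept out of the moving average, otherwise a sustained attack becomes its own baseline after a few intervals and the delta disappears.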
SLIDE 9

Approach (Software)

Prewikka
  • Web interface to access the Prelude DB
  • => amplification graphs

Prelude (SIEM)
  • Stores data in a MySQL DB
  • => store additional data
  • => support anonymization
  • Alerts the network operator

Suricata (IDS)
  • Detects amplification attacks
  • Alerts Prelude via the IDMEF interface
  • Logs additional data to file
  • Detection rule
SLIDE 10

Approach (Development Setup)

Test / development setup

SLIDE 11

Approach (Visualization)

Visualization
  • D3.js (Data-Driven Documents)
  • Data export from the Prelude DB into CSV
    • Useful SELECTs and aggregation necessary
    • DB connector script to be used by D3.js

SQL -> CSV

SLIDE 12

Visualization Demo

SLIDE 13

Visualization Demo

SLIDE 14

Challenges

Additional challenges that appeared during the work
  • Stability of Suricata while logging to Prelude
    • Hardware problem with the iLab room => VM setup
  • Storing of domain names
    • Concept developed, will be added to the Prelude DB
  • Anonymization question
    • Concept developed, will be implemented in a cron job that is called regularly and anonymizes old data
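The SQL -> CSV export for D3.js from slide 11 and the anonymization cron job from slide 14, as one added Python example that is not the thesis code. An in-memory SQLite table with constructed rows stands in for the Prelude MySQL database; the real Prelude/IDMEF schema is larger and different and is not reproduced here, so the table and column names are assumptions. So is the design choice to pseudonymize only the external (victim) address with a keyed hash, keeping the internal amplifier address because the operator still needs it.

```python
"""Prelude-DB export for D3.js and anonymization of old alerts.

Added example for this page, not the thesis code. An in-memory SQLite table
with constructed rows stands in for the Prelude MySQL database; the real
Prelude/IDMEF schema is larger and different, so table and column names here
are assumptions.
"""
import csv
import hashlib
import hmac
import io
import sqlite3

SCHEMA = """
CREATE TABLE amp_alert (
    id         INTEGER PRIMARY KEY,
    ts         INTEGER NOT NULL,  -- epoch seconds of the alert
    amplifier  TEXT    NOT NULL,  -- internal server address (kept for operations)
    victim     TEXT    NOT NULL,  -- spoofed source address, i.e. the victim
    bytes_out  INTEGER NOT NULL,  -- response bytes sent to the victim
    anonymized INTEGER NOT NULL DEFAULT 0
)
"""

# Constructed sample alerts (RFC 5737 / RFC 1918 addresses).
SAMPLE_ROWS = [
    (1_000_000, "10.0.0.53",  "203.0.113.9",  2_500_000),
    (1_000_030, "10.0.0.53",  "203.0.113.9",  2_400_000),
    (1_000_075, "10.0.0.123", "203.0.113.9",  4_000_000),
    (3_000_000, "10.0.0.53",  "203.0.113.10",   600_000),
]


def open_db():
    """Create the stand-in database and load the sample alerts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO amp_alert (ts, amplifier, victim, bytes_out) VALUES (?, ?, ?, ?)",
        SAMPLE_ROWS)
    conn.commit()
    return conn


def aggregate_timeseries(conn, start, end, interval=60):
    """The 'useful SELECT with aggregation': bytes and alert count per
    amplifier and per `interval`-second bucket, which is what a D3.js
    time-series graph needs (one line per amplifier)."""
    return conn.execute(
        "SELECT (ts / ?) * ? AS bucket, amplifier, SUM(bytes_out), COUNT(*) "
        "FROM amp_alert WHERE ts >= ? AND ts < ? "
        "GROUP BY bucket, amplifier ORDER BY bucket, amplifier",
        (interval, interval, start, end)).fetchall()


def to_csv(rows):
    """Serialize the aggregate as CSV for d3.csv()."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["bucket", "amplifier", "bytes_out", "alerts"])
    writer.writerows(rows)
    return out.getvalue()


def pseudonym(addr, key):
    """Keyed hash: equal addresses stay correlatable in old data, but the
    address cannot be recovered without `key` (rotate or discard the key)."""
    return "anon-" + hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()[:16]


def anonymize_older_than(conn, now, max_age, key):
    """Body of the periodic cron job: pseudonymize the victim address of
    every alert older than `max_age` seconds that was not handled yet.
    Returns the number of rows rewritten, so a rerun returns 0."""
    cutoff = now - max_age
    rows = conn.execute(
        "SELECT id, victim FROM amp_alert WHERE ts < ? AND anonymized = 0",
        (cutoff,)).fetchall()
    conn.executemany(
        "UPDATE amp_alert SET victim = ?, anonymized = 1 WHERE id = ?",
        [(pseudonym(victim, key), row_id) for row_id, victim in rows])
    conn.commit()
    return len(rows)


def victims(conn):
    """Current victim column, in insertion order (used to check the job)."""
    return [v for (v,) in conn.execute("SELECT victim FROM amp_alert ORDER BY id")]


if __name__ == "__main__":
    db = open_db()
    print(to_csv(aggregate_timeseries(db, 999_000, 1_001_000)))
    print(anonymize_older_than(db, now=3_000_000, max_age=1_000_000, key=b"rotate-me"))
    print(victims(db))
```

The `anonymized` flag makes the cron job idempotent and cheap to rerun; the keyed hash keeps grouped evaluation of old data possible (the same victim still groups together) while the raw address is gone once the key is discarded.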

SLIDE 15

Schedule

SLIDE 16

Lehrstuhl für Netzarchitekturen und Netzdienste (Chair of Network Architectures and Services), Institut für Informatik (Department of Informatics), Technische Universität München

FIN

Visualization of Amplification Attacks in Amplifier Networks
  • Interim presentation (Zwischenvortrag)

Questions? Michael Köpferl - 08.06.2015