Title: Denial of Service attacks on transit networks David Harmelin DANTE
1 Denial of Service attacks on transit networks
David Harmelin, DANTE
2 DANTE
- advanced network services for the European research community (TEN-155, GÉANT)
- active in testing and evaluating emerging technologies: http://www.dante.net/tf-ngn
- DANCERT (dancert_at_dante.org.uk): http://www.dante.net/security
3
- Connecting 30 NRENs
- Backbone and access speeds up to 622 Mbps
- Research interconnections to North America (USA, Canada) and Asia-Pacific
- Multiple interconnections with the commercial Internet
4 Definition of a DoS attack
DoS attack: an attack on a network or computer, the primary aim of which is to disrupt access to a given service. In this presentation, only DoS attacks involving flooding of networks are considered (networked flood-based DoS attacks).
5 Example of a networked DoS
(http://www.dante.net/pubs/dip/42/42.html)
6 DANTE and DoS attacks
- 1999: DoS attacks noticed regularly on TEN-155.
- Beginning 2000: DoS attacks against major companies in the news.
- 2000: first tool, based on peer-peer matrix analysis. Failed.
- End 2000: second tool, based on sampled flow data. DANCERT relies on it to reduce the amount of DoS attacks.
7 Detecting DoS attacks (1)
8 Detecting DoS attacks (2)
- Central server: every X minutes, samples every PoP WS with rate 1/Y flows, during Z seconds.
- For each router, if more than N flows are received with the same destination IP, raise an alarm.
- Current values in use:
  - Routers with regular netflow: X=15, Y=100, Z=10, N=10; most attacks > 100 pkts/s are detected.
  - Routers with sampled netflow (rate 1/200 packets): X=15, Y=10, Z=60, N=10; most attacks > 330 pkts/s are detected.
9 Logging DoS attacks
10 C class attacks
Spoofed source addresses within the /24 of the source. Coded by default in some DoS tools. Appears as if coming from 192.168.0.1, 192.168.0.2, ... 192.168.0.254.
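As an added illustration of the threshold rule on slide 8 and the C class pattern on slide 10 (example code written for this page, not DANTE's in-house tool), the following Python runs the per-router flow-count check over constructed sampled flow records, flags alarms whose sources all fall inside one /24, and derives the minimum detectable packet rate from Y, Z and N, assuming each attack packet starts a new flow.

```python
from collections import defaultdict
from ipaddress import ip_network

def min_detectable_rate(y, z, n, pkt_sampling=1):
    """Lowest attack rate (pkts/s) that produces more than N sampled flows.

    Assumes each attack packet opens a new flow (true for spoofed floods),
    so flows/s equals pkts/s.  Sampling 1/Y flows for Z seconds keeps
    Z*R/Y flows; with packet sampling 1/P in front, Z*R/(Y*P).  The alarm
    fires when that exceeds N, hence R > N*Y*P/Z.
    """
    return n * y * pkt_sampling / z

def is_c_class(srcs):
    """True when all (distinct, more than one) sources lie in one /24."""
    nets = {ip_network(f"{s}/24", strict=False) for s in srcs}
    return len(nets) == 1 and len(set(srcs)) > 1

def detect(flows, n=10):
    """Slide-8 rule: per router, alarm when more than n sampled flows share a
    destination IP.  flows = [(router, src_ip, dst_ip), ...].  Returns
    {(router, dst_ip): {"flows": count, "c_class": bool}}."""
    per_dst = defaultdict(list)
    for router, src, dst in flows:
        per_dst[(router, dst)].append(src)
    return {key: {"flows": len(srcs), "c_class": is_c_class(srcs)}
            for key, srcs in per_dst.items() if len(srcs) > n}

# Constructed sampled-flow records (not real data): one poll of router "r1".
SAMPLE_FLOWS = (
    # 12 flows to 10.0.0.5 with sources spoofed inside 192.168.0.0/24
    [("r1", f"192.168.0.{i}", "10.0.0.5") for i in range(1, 13)]
    # 11 flows to 10.0.0.7 from scattered (randomly spoofed) sources
    + [("r1", f"{i}.{i + 1}.{i + 2}.{i + 3}", "10.0.0.7") for i in range(20, 31)]
    # 3 flows to 10.0.0.6: ordinary traffic, below the threshold
    + [("r1", f"172.16.{i}.1", "10.0.0.6") for i in range(3)]
)

if __name__ == "__main__":
    print("regular netflow, min rate:", min_detectable_rate(100, 10, 10))      # 100.0
    print("sampled netflow, min rate:", min_detectable_rate(10, 60, 10, 200))  # 333.3...
    for (router, dst), info in detect(SAMPLE_FLOWS).items():
        print(f"ALARM {router} -> {dst}: {info['flows']} flows, C class={info['c_class']}")
```

The two rate values reproduce the slide's 100 pkts/s and roughly 330 pkts/s figures for the regular and sampled netflow settings.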
11 Results
- Running the tool on 4 core routers since 12/2000.
- Logging all attacks detected since 03/2001.
- Trade-off between
  - accuracy (confirmed attacks / alarms raised: 98%)
  - detection effectiveness (> 100 pkt/s).
- Average of 34 different attacks per day logged, up to 5-6 concurrent (96 polls per day).
- 90% C class attacks: easily traceable.
- 75% of attacks are 40-byte TCP packets.
12 Results - Durations
Most attacks last less than 15 minutes. Fast inter-domain tracing required to find the source.
13 Results - Traffic generated
Highest: 32 Mbps
Highest: 27000 pkts/s
Approximate values only. Low accuracy due to sampling.
14 Results - Monthly evolution (1)
15 Results - Monthly evolution (2)
16 Results - All attacks (pkts/s)
Bubble size: duration
17 Results - All attacks (Kbps)
Bubble size: duration
18 Results - DoS timings
19 From alarms to DANCERT tickets
(Flowchart on the original slide; its nodes, with the yes/no branches that can be read from the slide:)
- Start: Alarm received by DANCERT
- DoS attack potentially disruptive? (no: Do nothing)
- Randomly spoofed attack? (yes: Identify peers originating the traffic; no: Identify sources within peer)
- DoS attack appears in other recent alarms?
- Existing DANCERT ticket with same source? (yes: Send reminder to peer; no: Issue DANCERT ticket to peers)
20 Known limitations of this method
- Router capabilities (netflow required)
- Detecting networked flood-based DoS attacks only... but not ALL.
- Detection helps, but further need for co-operation.
21 Who should help? How?
- IP network operators
  - automatic detection and logging of DoS attacks
  - co-operation between CERT teams
  - SLAs
- End-sites
  - prevention
  - trace when DoS traffic sources are reported
- DANTE
  - http://www.dante.net/security/dos/
  - gives away the in-house software to transit providers.