Denial of Service attacks on transit networks (David Harmelin, DANTE)

1
Denial of Service attacks on transit networks
David Harmelin, DANTE

2
DANTE
  • advanced network services for the European
    research community: TEN-155, GÉANT
  • active in testing and evaluating emerging
    technologies: http://www.dante.net/tf-ngn
  • DANCERT (dancert@dante.org.uk):
    http://www.dante.net/security

3
  • Connecting 30 NRENs
  • Backbone and access speeds up to 622 Mbps
  • Research interconnections to North America (USA,
    Canada) and Asia-Pacific
  • Multiple interconnections with the commercial
    Internet

4
Definition of a DoS attack
DoS attack: an attack on a network or computer,
the primary aim of which is to disrupt access to
a given service. In this presentation, only DoS
attacks involving flooding of networks are
considered (networked flood-based DoS attacks).
5
Example of a networked DoS
(http://www.dante.net/pubs/dip/42/42.html)
6
DANTE and DoS attacks
  • 1999: DoS attacks noticed regularly on TEN-155.
  • Beginning of 2000: DoS attacks against major
    companies in the news.
  • 2000: first tool, based on peer-to-peer matrix
    analysis. Failed.
  • End of 2000: second tool, based on sampled flow
    data. DANCERT relies on it to reduce the amount
    of DoS attacks.

7
Detecting DoS attacks (1)
8
Detecting DoS attacks (2)
  • Central server: every X minutes, samples every
    PoP WS with rate 1/Y flows, during Z seconds.
  • For each router, if more than N flows are
    received with the same destination IP, raise an
    alarm.
  • Current values in use:
    • Routers with regular netflow: X=15, Y=100, Z=10,
      N=10 (most attacks > 100 pkts/s are detected)
    • Routers with sampled netflow (rate 1/200
      packets): X=15, Y=10, Z=60, N=10 (most attacks
      > 330 pkts/s are detected)

9
Logging DoS attacks
10
C class attacks
Spoofed source addresses within the /24 of the
source. Coded by default in some DoS tools.
Appears as if coming from 192.168.0.1,
192.168.0.2, ..., 192.168.0.254.
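The detection rule of slide 8 and the "C class" pattern of slide 10, written out as an added example (this is not DANTE's in-house tool, whose code is not on these slides). The flow records, the router name "r1", the addresses and the systematic 1-in-Y sampling method are all constructed or assumed here; the slides only give the sampling rate and the X/Y/Z/N parameters:

```python
"""Sampled-flow flood detector in the style of slides 8 and 10 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

# Parameter names follow the slides: every X minutes, sample 1 flow in Y
# for Z seconds; alarm when more than N sampled flows share a destination.
REGULAR_NETFLOW = {"X": 15, "Y": 100, "Z": 10, "N": 10}


@dataclass(frozen=True)
class Flow:
    router: str   # exporting PoP router
    src: str      # source IPv4 address as seen in the flow record
    dst: str      # destination IPv4 address
    packets: int  # packets in the flow


def sample_flows(flows, Y):
    """Systematic 1-in-Y sampling over the exported flows of one Z-second
    window (assumption: the slides state only the rate, not the method)."""
    return flows[::Y]


def classify(router, dst, flows, Y, Z):
    """Build an alarm record and flag the 'C class' pattern of slide 10:
    many distinct sources that all fall into a single /24."""
    sources = {f.src for f in flows}
    nets = {ip_network(f"{s}/24", strict=False) for s in sources}
    return {
        "router": router,
        "dst": dst,
        "sampled_flows": len(flows),
        "distinct_sources": len(sources),
        "c_class": len(sources) > 1 and len(nets) == 1,
        # Scale the sampled packet count back up by Y and divide by the
        # window length; like the slides' figures this is an approximation.
        "est_pkts_per_s": sum(f.packets for f in flows) * Y / Z,
    }


def detect(sampled, N, Y, Z):
    """Per router, count sampled flows per destination; alarm when > N."""
    per_router = defaultdict(lambda: defaultdict(list))
    for f in sampled:
        per_router[f.router][f.dst].append(f)
    alarms = []
    for router, per_dst in per_router.items():
        for dst, flows in per_dst.items():
            if len(flows) > N:
                alarms.append(classify(router, dst, flows, Y, Z))
    # Largest alarm first, so the ordering is deterministic
    alarms.sort(key=lambda a: a["sampled_flows"], reverse=True)
    return alarms


def constructed_traffic():
    """Constructed 10-second window of flow records from one router (not
    real data): a /24-spoofed flood, a randomly spoofed flood, and noise."""
    flows = []
    # 3000 one-packet flows to 10.0.0.5, sources cycling through 192.0.2.0/24
    for i in range(3000):
        flows.append(Flow("r1", f"192.0.2.{1 + i % 254}", "10.0.0.5", 1))
    # 2000 one-packet flows to 10.0.0.9, sources spread over many /24s
    for i in range(2000):
        flows.append(Flow("r1", f"198.{i % 200}.{i % 250}.{1 + i % 251}",
                          "10.0.0.9", 1))
    # 1000 background flows to 250 different destinations
    for i in range(1000):
        flows.append(Flow("r1", f"203.0.113.{1 + i % 200}",
                          f"10.1.{i % 250}.7", 5 + i % 20))
    return flows


if __name__ == "__main__":
    p = REGULAR_NETFLOW
    sampled = sample_flows(constructed_traffic(), p["Y"])
    for alarm in detect(sampled, p["N"], p["Y"], p["Z"]):
        print(alarm)
```

With the regular-netflow parameters, the 1-in-100 sample of the 6000 constructed flows keeps 60 records: 30 towards 10.0.0.5 (flagged C class, estimated 300 pkts/s), 20 towards 10.0.0.9 (sources in several /24s, so not C class), and at most two per background destination, which stays under N. The same code serves the sampled-netflow routers by swapping in Y=10 and Z=60.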
11
Results
  • Running the tool on 4 core routers since
    12/2000.
  • Logging all attacks detected since 03/2001.
  • Trade-off between:
    • accuracy (confirmed attacks / alarms raised = 98%)
    • detection effectiveness (> 100 pkts/s).
  • Average of 34 different attacks per day logged,
    up to 5-6 concurrent (96 polls per day).
  • 90% C class attacks: easily traceable.
  • 75% of attacks are 40-byte TCP packets.

12
Results - Durations
Most attacks last less than 15 minutes. Fast
inter-domain tracing is required to find the source.
13
Results - Traffic generated
Highest: 32 Mbps
Highest: 27000 pkts/s
Approximate values only. Low accuracy due to
sampling.
14
Results - Monthly evolution (1)
15
Results - Monthly evolution (2)
16
Results - All attacks (pkts/s)
Bubble size = duration
17
Results - All attacks (Kbps)
Bubble size = duration
18
Results - DoS timings
19
From alarms to DANCERT tickets
Decision flow (flowchart on the slide):
  • Alarm received by DANCERT
  • Screening questions: DoS attack potentially
    disruptive? DoS attack appears in other recent
    alarms?
    • no: Do nothing
    • yes: Randomly spoofed attack?
      • yes: Identify peers originating the traffic
      • no: Identify sources within peer
  • Existing DANCERT ticket with same source?
    • yes: Send reminder to peer
    • no: Issue DANCERT ticket to peers
20
Known limitations of this method
  • Router capabilities (netflow required)
  • Detecting networked flood-based DoS attacks
    only... but not ALL of them.
  • Detection helps, but there is a further need for
    co-operation.

21
Who should help? How?
  • IP network operators:
    • automatic detection and logging of DoS attacks
    • co-operation between CERT teams
    • SLAs
  • End-sites:
    • prevention
    • trace when DoS traffic sources are reported
  • DANTE:
    • http://www.dante.net/security/dos/
    • gives away the in-house software to transit
      providers.