Detection of Denial of Service attacks using AGURI

1
Detection of Denial of Service attacks using AGURI

• Ryo Kaizaki(Keio Univ.)
• Kenjiro Cho(sonyCSL)
• Osamu Nakamura(Keio Univ.)

2
Goal of our system

• Detection of flooding attacks
• AGURI
• Traffic profiler for a long term
• Deviation
• Characteristic of traffic for a long term
• Characteristic of traffic in a current

3
BackgroundsCurrent Internet Infrastructure

• Packet switching network
• Shares every resources
• Bandwidth of the links
• Routers processing unit
• Can not control ill behavior flows(flooding
  attacks)

4
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Router B
Host C
5
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Router B
Host C
6
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Router B
Host C
7
Current Internet Behavior
Host A
Server
Router A
Router D
Host B
Router C
Router B
Host C
8
Current Internet Behavior
Attacker
Host A
Server
Router A
Router D
Host B
Router C
Router B
Host C
9
Current Internet Behavior

• Flooding attacks

Attacker
Host A
Server
Router A
Router D
Host B
Router C
Router B
Host C
10
Current Internet Behavior

• Router C drops packets

Attacker
Host A
Server
Router A
Router D
Host B
Router C
Packet drop
Router B
Host C
11
Current Internet Behavior

• Monitor network using MRTG
• Detection of increasing traffic
• Can not detect attacker and victims

Attacker
Host A
Server
Router A
Router D
Host B
Router C
Packet drop
Router B
Host C
12
SolutionDesign of AGURI System

• Tool for monitoring network
• Profiling characteristic of traffic
• src_ip_addr
• dst_ip_addr
• src_port_num
• dst_port_num
• Archiving profiling data for a long term

13
Uniqueness Feature of AGURI

• We can see characteristic of traffic for a long
  term using AGURI.

• We can see difference
• Characteristic of traffic for a long term
• Characteristic of traffic in current network flow

• We can detect flooding attacks ,calculating
  difference.

14
Evaluation of AGURI inInternet Infrastructure

• Evaluation of Commodity Network Infrastructure
• Storage Period
• 1 month long traffic (trans pacific link)
• Proved Network
• WIDE Internet backbone(Japanese Experimental
  Network Infrastructure)
• 4 types of time granulation
• Month and current
• Day and current
• Hour and current
• 5 minutes and current

15
Relation Between AGURI andAttack Detection

• Deviation can detect the beginning of flooding
  attacks.
• When flooding attacks continues for a long
  term,we need archived data in a longer term.

16
ContributionsImpact on Network Traffic
Management

• Enhance internet as a trusted infrastructure
• For stopping attacks ,we need 3 steps
• Detect attacks
• Trace attacker
• Operation(filtering ..etc)
• We achieved 1st step about flooding attacks.

• Results as a high reliability in server / router
  operation.
• Detection of mal-function in network services
• Higher risk to attacker
• Detection of attacker is much easier

17
AGURI Next Step

• More detailed evaluation using AGURI
• Reliability in detection phase
• Detection of true ATTACKERS
• Scalability issues
• Multiple sets of AGURI in IXP will
• Improve detection accuracy
• Collaborative enhancement to via IXP attacks
• Designing
• Contribution to IP trace back mechanism