DISTRIBUTED tcpdump CAPABILITY FOR LINUX - PowerPoint PPT Presentation

Slides: 11
Provided by: labu424

Transcript and Presenter's Notes

1
Research Paper
DISTRIBUTED tcpdump CAPABILITY FOR LINUX
EJAZ AHMED SYED, Dr. JIM MARTIN
Internet Research Group, Department of Computer
Science, Clemson University.
2
Project Goals
  • Design and implement a tool that provides a
    distributed tcpdump capability for Linux.
  • Basic Operation Description
  • A client sends a command to a server instructing
    the server to do particular tcpdump commands. At
    the server, there needs to be a way for the
    tcpdump data to be sent back to the client.
  • Significance
  • A generic building block that can be deployed
    in a highly distributed manner for Distributed
    Denial Of Service (DDoS) and Intrusion Detection
    (ID).
  • Work is closely related to the framework
    developed for intrusion detection.

3
PROBLEM DEFINITION & SCOPE
  • Distributed Denial of Service and Intrusion
    Detection System (IDS)
  • A denial-of-service attack is characterized by
    an explicit attempt by attackers to prevent
    legitimate users of a service from using that
    service. Examples include:
  • attempts to flood a network, thereby preventing
    legitimate network traffic.
  • attempts to disrupt connections between two
    machines, thereby preventing access to a service.
  • attempts to disrupt service to a specific system
    or person.
  • Note: Other types of attacks may include a denial
    of service as a component, but the denial of
    service may be part of a larger attack.


  • ... contd

4

PROBLEM DEFINITION & SCOPE
A network-based intrusion detection system (IDS)
might be able to detect an attack instance
(either an attack packet or a sequence of attack
packets) by automatically extracting and
analyzing the attack signatures from a collection
of incoming and outgoing data packets. However,
because of the source accountability problem of
today's Internet, an IDS generally cannot tell
where the attack packets originated.
Recent attention: Many DDoS (Distributed Denial of
Service) attacks have affected web sites such as
Yahoo!, eBay and CNN, among many others, utilizing
IP source address spoofing.
5

Nomenclature: The Plain DDoS Model
DDoS Attack Infrastructure: Hackers form their own
community and share resources among themselves.
When one Internet host is compromised (a resource
for the hackers), the host identity and the key to
access this host are announced to all the hackers.
Gradually, compromised hosts are organized and
connected together as a DDoS attack infrastructure.
In this host infrastructure, some hosts play the
role of masters, while others are slaves.
Attacker: A 15-year-old Montreal boy with the
alleged Internet codename of Mafiaboy was the
attacker who launched the attacks that briefly
immobilized and brought down Internet giants eBay,
Amazon.com, Yahoo.com, and ETrade back in February
through the plain DDoS attack infrastructure.
(Source: www.itworld.com)
Must be a Gryffindor wizard !!
6
The Plain DDoS Model, 1999-2000
Ref: On Design and Evaluation of
Intention-Driven ICMP Traceback. UCLA
7
Tool Functionality
  • How to detect the distributed attack ??
  • Signatures represent the attacks in a generic
    way.
  • A signature is a distributed event pattern that
    represents a distributed attack.
  • Generate log files required for further
    processing.
  • Specify what information is needed.
  • Identify the attack from specific signature
    flow.
  • Trace bandwidth consumed by the following flow
    description xxx: the data sent back is a simple
    byte count per second.
  • Alert the client when data specific to flow xxx
    is observed: send back an alert message. Alert
    the client when you see this particular flow
    signature.
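The bandwidth trace and first-occurrence alert described above, as an added example that is not the project's own code. It runs over constructed log lines laid out like `tcpdump -tt -nn` output, takes the byte count from the trailing `length` field, and assumes the flow description ("flow xxx") is a dict of address/port fields in which a missing key means "any".

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample lines in the layout of `tcpdump -tt -nn` (epoch timestamp,
# "IP src.port > dst.port:", trailing "length N"); not a real capture.
SAMPLE_LOG = """\
1064000000.10 IP 203.0.113.7.5000 > 192.0.2.10.9999: UDP, length 1400
1064000000.35 IP 203.0.113.7.5000 > 192.0.2.10.9999: UDP, length 1400
1064000000.90 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [P.], seq 1:301, ack 1, win 500, length 300
1064000001.20 IP 203.0.113.7.5000 > 192.0.2.10.9999: UDP, length 1400
1064000001.50 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [P.], seq 301:1501, ack 1, win 500, length 1200
1064000002.05 IP 203.0.113.7.5000 > 192.0.2.10.9999: UDP, length 1400
this line is garbage
"""
LINE_RE = re.compile(r"^(\d+)\.\d+ IP (\S+?)\.(\d+) > (\S+?)\.(\d+): .*length (\d+)$")

def flow_matches(spec: Dict[str, str], src: str, sport: str, dst: str, dport: str) -> bool:
    """Flow description (assumed form): dict of src/sport/dst/dport; missing keys are wildcards."""
    actual = {"src": src, "sport": sport, "dst": dst, "dport": dport}
    return all(actual[k] == v for k, v in spec.items())

def bytes_per_second(log: str, spec: Dict[str, str]) -> Tuple[Dict[int, int], List[str]]:
    """Return ({second: bytes}, [alert messages]) for the packets that match spec."""
    counts: Dict[int, int] = defaultdict(int)
    alerts: List[str] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not fatal to the probe
        sec, src, sport, dst, dport, length = m.groups()
        if not flow_matches(spec, src, sport, dst, dport):
            continue
        if not alerts:  # first occurrence of the flow: alert the client once
            alerts.append("ALERT flow %s first seen at %s" % (spec, sec))
        counts[int(sec)] += int(length)
    return dict(counts), alerts
```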

8
IMPLEMENTATION ARCHITECTURE
  • Pseudo Signatures
  • Generate specific command-oriented tcpdump log
    files for processing:
    CMD tcpdump_command, param_String, START, STOP,
    probing_frequency, file log_file
  • CMD: any tcpdump command. File: log file
    generated with the resultant tcpdump data.
  • Generate list of offending flows:
    CMD ID_Non_tcp_friendly_flows, START, STOP,
    probing_frequency, file list_file
  • Identify specific offending flows:
    CMD search_for_this_flow, reporting_mode,
    probing_frequency, file search_stats
  • search_for_this_flow is based on, for example,
    address, port, protocol. reporting_mode: first
    occurrence of specific flow, bandwidth >
    TCP_Friendly.
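Server-side parsing of the CMD messages listed above, as an added example (not the project's own code). It assumes the fields are comma-separated, assumed spellings for the two reporting_mode values, and an allow-list of tcpdump options; a tcpdump_command becomes an argv list so the client-supplied param_String is never handed to a shell, and the file field is restricted to a bare file name.

```python
import re
from typing import Dict, List, Tuple
# Field layout of each CMD message on slide 8; the comma delimiter is assumed.
SCHEMAS: Dict[str, List[str]] = {
    "tcpdump_command": ["param_String", "START", "STOP", "probing_frequency", "file"],
    "ID_Non_tcp_friendly_flows": ["START", "STOP", "probing_frequency", "file"],
    "search_for_this_flow": ["reporting_mode", "probing_frequency", "file"],
}
REPORTING_MODES = {"first_occurrence", "bandwidth_gt_tcp_friendly"}  # assumed spellings
SAFE_OPTS = {"-n", "-nn", "-q", "-t", "-tt", "-c", "-s", "-i"}  # assumed allow-list
FILE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")  # bare name, no path separators

def parse_cmd(line: str) -> Tuple[str, Dict[str, str]]:
    # Validate one client message; return (command name, fields) or raise ValueError.
    parts = [p.strip() for p in line.strip().split(",")]
    head = parts[0].split()
    if len(head) != 2 or head[0] != "CMD" or head[1] not in SCHEMAS:
        raise ValueError("unknown or malformed command: %r" % parts[0])
    name, schema = head[1], SCHEMAS[head[1]]
    if len(parts) - 1 != len(schema):
        raise ValueError("%s expects %d fields, got %d" % (name, len(schema), len(parts) - 1))
    fields = dict(zip(schema, parts[1:]))
    tail = fields["file"].split()  # "file log_file" -> keep only the name
    if len(tail) != 2 or tail[0] != "file" or not FILE_RE.match(tail[1]):
        raise ValueError("bad file field: %r" % fields["file"])
    fields["file"] = tail[1]
    for key in ("START", "STOP", "probing_frequency"):
        if key in fields and not fields[key].isdigit():
            raise ValueError("%s must be a non-negative integer" % key)
    if int(fields["probing_frequency"]) == 0 or (
            "START" in fields and int(fields["STOP"]) <= int(fields["START"])):
        raise ValueError("probing_frequency must be positive and STOP later than START")
    if fields.get("reporting_mode", "first_occurrence") not in REPORTING_MODES:
        raise ValueError("unknown reporting_mode: %r" % fields["reporting_mode"])
    return name, fields

def tcpdump_argv(name: str, fields: Dict[str, str]) -> List[str]:
    # Build the argv the server execs for a tcpdump_command: a list, never a shell string.
    if name != "tcpdump_command":
        raise ValueError("not a tcpdump_command")
    tokens, argv, i = fields["param_String"].split(), ["tcpdump"], 0
    while i < len(tokens) and tokens[i].startswith("-"):
        if tokens[i] not in SAFE_OPTS:
            raise ValueError("option not allowed: %r" % tokens[i])
        step = 2 if tokens[i] in {"-c", "-s", "-i"} else 1  # options taking a value
        if i + step > len(tokens):
            raise ValueError("%s needs a value" % tokens[i])
        argv, i = argv + tokens[i:i + step], i + step
    return argv + tokens[i:] + ["-w", fields["file"]]  # rest is the BPF filter; -w = log file
```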

9
CARDS Architecture
Fig: The CARDS architecture
Ref: Design and Implementation of A
Decentralized Prototype System for Detecting
Distributed Attacks. Dr. Ning, Dr. Sushil, Dr.
Sean, North Carolina State University.
10
Extensions
  • Provide hooks for some other extended tcpdump
    commands.
  • Provide an interactive Java GUI interface for the
    client.
  • Think !!!!
  • NOTE: Cpsc881 students (Fall03) may implement a
    security feature for this application. !??!