Flooding?????????? - PowerPoint PPT Presentation

About This Presentation
Title:

Flooding??????????

Description:

Title: IPV6 Author: ncucc Last modified by: ncucc Created Date: 3/19/2003 12:38:38 AM Document presentation format: Company: ncu Other titles – PowerPoint PPT presentation

Number of Views:66
Avg rating:3.0/5.0
Slides: 36
Provided by: ncu73
Category:
Tags: ipv6 | flooding | header


Transcript and Presenter's Notes

Title: Flooding??????????


1
Flooding??????????
  • ???? ????
  • ???
  • center7@cc.ncu.edu.tw

2
? ?
  • 1.????
  • 2.??????
  • 3.Flooding???????
  • 4.????????????
  • 5.??

3
1.????
  • ?????????
  • Internet wide open????
  • Forged IP address
  • Forged application port
  • Forged protocol id.

4
  • ICMP/UDP Flooding
  • Attackers can markedly increase the volume of
    attack traffic
  • congest regional networks
  • jam the network links throughout the transmission
    path

5
  • TCP Attack
  • Denial of Service (DoS)
  • attack on well-known services
  • providing the attacker with full remote access to
    the servers.
  • Distributed Flooding Attack
  • overwhelm the transport routing resources.

6
2 ??????
  • ??????
  • Intensive traffic volume
  • ICMP Flooding (host-to-host)
  • PING Storm (N host-to-host)
  • Intensive connection
  • SYN Flooding
  • host-to-M hosts
  • DoS/DDoS
  • N × (host-to-M hosts)

7
  • Forged transportation attributes
  • Spoofed Source IP address
  • Smurf, DRDoS
  • ???? src_port, dst_port
  • ??firewall????????
  • ?????/????
  • Group Flooding Traffic
  • DDoS
  • DRDoS

8
  • ??????log
  • Tcpdump
  • Snoop Broadcast packet header
  • LAN segment
  • Packet-based
  • NetFlow
  • WAN Router??/??????header??
  • Transport traffic log
  • Flow-based

9
  • Tcpdump
  • ?????????????????
  • ??????tcpdump ??LAN?????log
  • ??????????????
  • end-to-end IP addresses, packet length,?socket
    ports
  • ??????????????????.
  • ???????????

10
  • Related works
  • Kushida T.
  • ??Tcpdump ??FDDI??packet log
  • ?????TCP,UDP????????.
  • Thompson K.
  • ???????ATM????
  • TCP? UDP??
  • ??????
  • FTP, WWW, DNS
  • RealPlayer

11
  • Router NetFlow??????
  • Source_IP.source_port, destination_IP.destination_port
  • source destination interface
  • protocol identifier
  • packet count / byte count

12
  • ???????
  • Top-N ?? host Traffic
  • Source IP ???? list
  • Dest. IP ???? list
  • Top-N ?? host Traffic
  • www, eDonkey/eMule,
  • ??/????????
  • Source/Dest IP address
  • Application port

13
  • This work
  • measures the top-N traffic volume of ICMP/UDP
    communication partners
  • by accumulating the flow count, packet count and
    byte count
  • with the index of the source and destination IP
    addresses.
  • Monitoring/Detecting the extremely abnormal
    Flooding Traffic
  • Automatically block the extremely attack traffic

14
3. Flooding???????
  • Flooding Attack??
  • ??? source and dest. port??????
  • ??????????processing??
  • ????????
  • Computing resource of the destination hosts
  • Flooding Attack ????
  • ????????
  • Intensive packet volume
  • Intensive flow count

15
  • ??????indexing
  • IP Communication Partners
  • Source_IP > Destination_IP (1-to-1)
  • Source_IP > A.B...(dest_port) (1-to-N)
  • ??Netflow log ?
  • Indexing with Host pair
  • (Not flow, Not session)
  • ??protocol id. ???IP pair??
  • icmp_flows(pair_i), udp_flows(pair_i)
  • icmp_packets(pair_i), udp_packets(pair_i)
  • icmp_bytes(pair_i), udp_bytes(pair_i)

16
  • ???X-Attack ??????
  • Monitoring ICMP/UDP Flooding Traffic
  • ??/??/??????????????
  • netflow log?
  • Packet_Size,
  • Packet???,Bytes??
  • ???????
  • Obviously distinct from general traffic
  • icmp_packet(pair_i) / hour
  • udp_packet(pair_i) / hour
  • Tens of millions of packets (10^7)

17
  • ??Hypertext Preprocessor (PHP) scripting????
  • ????????X-Attack????
  • ????????,invoke PHP ??????????????.
  • ??ICMP/UDP??????
  • Fig.1, Fig.2

18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
  • Streaming/Game UDP??
  • 163.13.10.141 <-> 61.171.38.242
  • Counter_Strike servers
  • (27015/UDP service port)???
  • ????????70-200 Bytes/Packet
  • 218.146.254.203, 64.95.80.9
  • MediaPlayer servers
  • ????????Mbytes ??
  • ????????1500 Bytes/Packet

22
  • 203.242.146.143 > 203.72.179.12 TFTP flow
  • ?????????TFTP??,
  • mean packet size?? 544 Bytes/Packet.
  • ????IP????netflow logs,
  • ?????????????? SYN request
  • ? httpd service port ( 80/TCP)
  • (packet size? 48 Bytes),
  • ??????Nimda virus????

23
(No Transcript)
24
(No Transcript)
25
4 Flooding Attack ??????????
  • Attack host pair????????
  • packet???????????????
  • General udp_packet(pair_i)
  • Less than 10^5 pkt per hour
  • Attack traffic
  • Higher than 10^7 pkt per hour
  • ???Attack??
  • ??????????? IP ??
  • ?????????????victim??

26
  • ??????????????
  • ???? threshold ??????
  • icmp_packet(pair_i) / hour > 10,000,000
  • udp_packet(pair_i) / hour > 10,000,000
  • ?????? router
  • ??????Top-N ICMP/UDP traffic records
  • ???? Access Control Lists (ACLs)
  • ???????????
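
The host-pair indexing (slide 15) and the hourly packet threshold (slides 25 and 26) together, as an added example that is not code from the slides or from the X-Attack system: NetFlow-style records are constructed sample data, the field layout and the 10,000,000 pkt/hour threshold are taken from the deck, and ports are ignored because the deck indexes by host pair rather than by flow.

```python
# Added example, not from the slides: index constructed NetFlow-like records by
# (protocol, src_ip, dst_ip) and flag host pairs above the flooding threshold.
from collections import defaultdict

# Constructed records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes).
# All records are assumed to fall inside the same one-hour window.
FLOWS = [
    ("10.0.0.5", 0, "192.0.2.9", 0, "icmp", 4_000_000, 256_000_000),
    ("10.0.0.5", 0, "192.0.2.9", 0, "icmp", 7_500_000, 480_000_000),
    ("10.0.0.7", 53000, "192.0.2.9", 27015, "udp", 12_000, 1_200_000),
    ("10.0.0.7", 53001, "192.0.2.9", 27015, "udp", 9_000, 900_000),
    ("10.0.0.8", 40000, "192.0.2.20", 69, "udp", 600, 326_400),
    ("10.0.0.9", 0, "192.0.2.9", 0, "icmp", 50_000, 3_200_000),
]

THRESHOLD_PKT_PER_HOUR = 10_000_000  # slide 26: icmp/udp_packet(pair_i)/hour > 10^7

def index_by_host_pair(flows):
    """Accumulate flow, packet and byte counts per (proto, src_ip, dst_ip);
    ports are dropped because the deck indexes by host pair, not by flow."""
    counters = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for src, _sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto not in ("icmp", "udp"):
            continue  # only ICMP/UDP flooding is monitored here
        c = counters[(proto, src, dst)]
        c["flows"] += 1
        c["packets"] += pkts
        c["bytes"] += nbytes
    return dict(counters)

def top_n(counters, n=3):
    """Top-N host pairs by accumulated packet count, highest first."""
    return sorted(counters.items(), key=lambda kv: kv[1]["packets"], reverse=True)[:n]

def flooding_pairs(counters, threshold=THRESHOLD_PKT_PER_HOUR):
    """Host pairs whose hourly packet count exceeds the flooding threshold."""
    return [key for key, c in counters.items() if c["packets"] > threshold]

def mean_packet_size(counters, key):
    """Bytes per packet for one host pair, the size hint used on slides 21-22."""
    c = counters[key]
    return c["bytes"] / c["packets"]

if __name__ == "__main__":
    idx = index_by_host_pair(FLOWS)
    for key, c in top_n(idx):
        print(key, c, f"{mean_packet_size(idx, key):.0f} B/pkt")
    print("flooding pairs:", flooding_pairs(idx))
```

Only the ICMP pair 10.0.0.5 > 192.0.2.9 crosses the threshold (11.5 million packets in the hour); the UDP game-server and TFTP pairs stay far below it despite being in the top-N list.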

27
  • ?????????
  • ????RWhois IP??????????
  • ????source IP?????/??mail address
  • ??????????,???????/??
  • ?????????,????X-Attack ????
  • ??UDP???Packet/Byte???
  • X-Attack ??packet???????????????
  • ???ICMP/UDP host pairs?????list
  • ???????????

28
(Equation not captured), i = 0, 1, 2, ..., n

(Equation not captured), i = 0, 1, 2, ..., n
29
(No Transcript)
30
(No Transcript)
31
(No Transcript)
32
Fig. 4 Traffic Volume of X-Attack ICMP/UDP Flooding
33
5.??
  • ??????????????
  • ??????/????????
  • ???????????
  • Attack???????/????
  • Windows 2000 without patch (dominant)
  • Linux web server
  • FreeBSD web server
  • Blaster???????/????
  • Windows 2000 /XP
  • ???MS patches, Fix_Blast.exe, Fix_Welch.exe

34
  • ??well-known service ??????
  • Abnormal SMTP Traffic (Spam)
  • Abnormal P2P Attack Traffic
  • ??????stochastic modeling
  • ??????TCP??????
  • ???????P2P??
  • Reference Site
  • http://lisa.tyc.edu.tw

35
  • Thank You!