Flooding?????????? - PowerPoint PPT Presentation

1 / 35
About This Presentation
Title:

Flooding??????????

Description:

Title: IPV6 Author: ncucc Last modified by: ncucc Created Date: 3/19/2003 12:38:38 AM Document presentation format: Company: ncu Other titles – PowerPoint PPT presentation

Number of Views:69
Avg rating:3.0/5.0
Slides: 36
Provided by: ncu73
Category:
Tags: ipv6 | flooding | header

less

Transcript and Presenter's Notes

Title: Flooding??????????


1
Flooding??????????
  • ???? ????
  • ???
  • center7_at_cc.ncu.edu.tw

2
? ?
  • 1.????
  • 2.??????
  • 3.Flooding???????
  • 4.????????????
  • 5.??

3
1.????
  • ?????????
  • Internet wide open????
  • Forged IP address
  • Forged application port
  • Forged protocol id.

4
  • ICMP/UDP Flooding
  • Attackers can markedly increase the volume of
    attack traffic
  • congest regional networks
  • jam the network links throughout the transmission
    path

5
  • TCP Attack
  • Denial of Service (DoS)
  • attack on well-known services
  • providing the attacker with full remote access to
    the servers.
  • Distributed Flooding Attack
  • overwhelm the transport routing resources.

6
2 ??????
  • ??????
  • Intensive traffic volume
  • ICMP Flooding (host-to-host)
  • PING Storm (N host-to-host)
  • Intensive connection
  • SYN Flooding
  • host-to-M_hosts
  • DoS/DDoS
  • N (host-to- M_hosts)

7
  • Forged transportation attributes
  • Spoofed Source IP address
  • Smurf, DRDoS
  • ???? src_port, dst_port
  • ??firewall????????
  • ?????/????
  • Group Flooding Traffic
  • DDoS
  • DRDoS

8
  • ??????log
  • Tcpdump
  • Snoop Broadcast packet header
  • LAN segment
  • Packet-based
  • NetFlow
  • WAN Router??/??????header??
  • Transport traffic log
  • Flow-based

9
  • Tcpdump
  • ?????????????????
  • ??????tcpdump ??LAN?????log
  • ??????????????
  • end-to-end IP addresses, packet length,?socket
    ports
  • ??????????????????.
  • ???????????

10
  • Related works
  • Kushida T.
  • ??Tcpdump ??FDDI??packet log
  • ?????TCP,UDP????????.
  • Thompson K.
  • ???????ATM????
  • TCP? UDP??
  • ??????
  • FTP, WWW, DNS
  • RealPlayer

11
  • Router NetFlow??????
  • Source_IP.source port destination_IP.
    destination port
  • source destination interface
  • protocol identifier
  • packet count / byte count

12
  • ???????
  • Top-N ?? host Traffic
  • Source IP ???? list
  • Dest. IP ???? list
  • Top-N ?? host Traffic
  • www, eDonkey/eMule,
  • ??/????????
  • Source/Dest IP address
  • Application port

13
  • This work
  • measures the top-N traffic volume of ICMP/UDP
    communication partners
  • by accumulating the flow count, packet count and
    byte count
  • with the index of the source and destination IP
    addresses.
  • Monitoring/Detecting the extremely abnormal
    Flooding Traffic
  • Automatically block the extremely attack traffic

14
3. Flooding???????
  • Flooding Attack??
  • ??? source and dest. port??????
  • ??????????processing??
  • ????????
  • Computing resource of the destination hosts
  • Flooding Attack ????
  • ????????
  • Intensive packet volume
  • Intensive flow count

15
  • ??????indexing
  • IP Communication Partners
  • Source_IP gt Destination_IP 1-to-1
  • Source_IP gt A.B...(dest_port) 1-to-N
  • ??Netflow log ?
  • Indexing with Host pair
  • (Not flow, Not session)
  • ??protocol id. ???IP pair??
  • icmp_flowspairi, udp_flowspairi
  • icmp_packetspairi, udp_packetspairi
  • icmp_bytespairi, udp_bytespairi

16
  • ???X-Attack ??????
  • Monitoring ICMP/UDP Flooding Traffic
  • ??/??/??????????????
  • netflow log?
  • Packet_Size,
  • Packet???,Bytes??
  • ???????
  • Obviously distinct from general traffic
  • icmp_packetpairi / hour
  • udp_packetpairi / hour
  • Dozens of million packet (107)

17
  • ??Hypertext Preprocessor (PHP) scripting????
  • ????????X-Attack????
  • ????????,invoke PHP ??????????????.
  • ??ICMP/UDP??????
  • Fig.1, Fig.2

18
(No Transcript)
19
(No Transcript)
20
(No Transcript)
21
  • Streaming/Game UDP??
  • 163.13.10.141lt-gt61.171.38.242
  • Counter_Strike servers
  • (27015/UDP service port)???
  • ????????70 200 Bytes/Packet
  • 218.146.254.203, 64.95.80.9
  • MediaPlayer servers
  • ????????Mbytes ??
  • ????????1500 Bytes/Packet

22
  • 203.242.146.143gt203.72.179.12 TFtp flow
  • ?????????TFtp??,
  • mean packet size?? 544 Byte/Packet.
  • ????IP????netflow logs,
  • ?????????????? SYN request
  • ? httpd service port ( 80/TCP)
  • (packet size? 48 Bytes),
  • ??????Nimda virus????

23
(No Transcript)
24
(No Transcript)
25
4 Flooding Attack ??????????
  • Attack host pair????????
  • packet???????????????
  • General udp_packetpairi
  • Little than 105 pkt per hour
  • Attack traffic
  • Higher than 107 pkt per hour
  • ???Attack??
  • ??????????? IP ??
  • ?????????????victim??

26
  • ??????????????
  • ???? threshold ??????
  • icmp_packetpairi/ hour gt 10,000,000
  • udp_packetpairi/ hour gt 10,000,000
  • ?????? router
  • ??????Top-N ICMP/UDP traffic records
  • ???? Access Control Lists (ACLs)
  • ???????????

27
  • ?????????
  • ????RWhois IP??????????
  • ????source IP?????/??mail address
  • ??????????,???????/??
  • ?????????,????X-Attack ????
  • ??UDP???Packet/Byte???
  • X-Attack ??packet???????????????
  • ???ICMP/UDP host pairs?????list
  • ???????????

28
, i 0, 1, 2, ... , n

, i 0, 1, 2, ... , n
29
(No Transcript)
30
(No Transcript)
31
(No Transcript)
32
Fig. 4 Traffic Volume of X-Attack ICMP/UDP
Flooding
33
5.??
  • ??????????????
  • ??????/????????
  • ???????????
  • Attack???????/????
  • Windows 2000 without patch (dominant)
  • Linux web server
  • FreeBSD web server
  • Blaster???????/????
  • Windows 2000 /XP
  • ???MS patches, Fix_Blast.exe, Fix_Welch.exe

34
  • ??well-know service ??????
  • Abnormal SMTP Traffic (Spam)
  • Abormal P2P Attack Traffic
  • ??????stochastic modeling
  • ??????TCP??????
  • ???????P2P??
  • Reference Site
  • http//lisa.tyc.edu.tw

35
  • Thank You !
Write a Comment
User Comments (0)
About PowerShow.com