Blacklisting and Blocking
- Rodger Holmes
- 8 years ago
1 Blacklisting and Blocking Sources of Malicious Traffic. Athina Markopoulou, University of California, Irvine. Joint work with Fabio Soldo, Anh Le (UC Irvine) and Katerina Argyraki (EPFL).
2 Outline. Motivation: malicious Internet traffic, attack and defense. Two defense mechanisms: proactive (predictive blacklisting) and reactive (source-based filtering). Conclusion.
3 Malicious traffic on the Internet. Compromising systems: scanning, worms, website attacks, phishing, social-engineering attacks, and so on. Launching attacks: spam, click-fraud, denial-of-service attacks. Botnets: large groups of compromised hosts, remotely controlled.
4 The solution requires many components. Monitoring and detection of malicious activity, in the network and/or at hosts: signature-based, behavioral analysis. Mitigation: at the hosts, remove malicious code; in the network, block, rate-limit or scrub malicious traffic. Internet architecture.
5 Defense at the edge of the network. [Figure: Networks 1-4, each behind a router with logging, an IDS and a firewall.] Our focus is on (1) blacklisting and (2) blocking malicious traffic.
6 Dshield dataset: 6 months of IDS+firewall logs from Dshield.org (May-Oct 2008): ~600 contributing networks, 60M+ source IPs, 400M+ log records. Each contributing network uploads its logs to Dshield.org; the fields are Time, Victim ID (the contributor), Src IP, Dst IP, Src Port, Dst Port, Protocol, Flags. Pros: huge amount of data, diverse sample, used by many researchers. Cons: no detailed information on alerts, may include errors.
7 Outline. Background: malicious Internet traffic, attack and defense. Two defense mechanisms: proactive (predictive blacklisting) and reactive (source-based filtering). Conclusion.
8 Predictive blacklisting. Problem definition: given past logs of malicious activity collected at various locations, predict the sources likely to send malicious traffic to each victim network in the future. Blacklist: the list of worst (e.g. top-100) attack sources. Prediction vs. detection.
9 Data analysis: superposition of several behaviors. [Figure: number of alerts per source (attacker) IP, per day.]
10 A multi-level prediction model. Different predictors capture different patterns in the dataset: model the temporal dynamics; model the spatial correlation between victims/attackers; combine the different predictors. Formulate this as a recommendation-systems problem, in particular collaborative filtering.
11 Recommender systems: example. Netflix: you rate movies and you get suggestions.
12 Formulating predictive blacklisting as a recommendation system (CF). The correspondence: users are the victims, items are the attackers, and the rating is the attack volume. R is the rating matrix; a '?' marks an (attacker, victim) entry that is unknown. [Figure: the partially filled rating matrix.] Goal: predict the rating matrix r_{a,v}(t).
13 Predictor I: the (attacker, victim) pair and its temporal dynamics, r^TS_{a,v}(t). Data analysis: attacks from the same source recur within a short time.
14 Predictor I: the (a, v) time series r^TS_{a,v}(t). Data analysis: repeated attacks within short time periods. Prediction: use an EWMA model to capture this temporal trend. It accounts for the short memory of attack sources, is computationally efficient, and includes t=1 as a special case. [Figure: past activity up to time t is mapped to the predicted activity.]
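As an added illustration of Predictor I (this is not code from the slides or from the authors' implementation), the following Python builds the per-(attacker, victim) daily alert series from constructed Dshield-style log records, forecasts the next day with an EWMA (r^TS), and ranks attackers into a per-victim blacklist. A total-count ranking in the style of a local worst-offender list is included only as a contrast, to show the "short memory" effect. The alert counts, the victim ids and alpha = 0.5 are assumptions.

```python
from collections import defaultdict

# Constructed, Dshield-style alert counts per (attacker, victim) pair over a
# 5-day training window; attacker addresses come from documentation ranges.
DAYS = [1, 2, 3, 4, 5]
RAW_COUNTS = {
    ("203.0.113.5", "V1"): [5, 5, 5, 5, 5],    # persistent attacker
    ("203.0.113.9", "V1"): [10, 8, 0, 0, 0],   # burst early on, then silent
    ("198.51.100.2", "V1"): [0, 0, 0, 0, 3],   # just started attacking
    ("198.51.100.7", "V2"): [1, 1, 1, 1, 1],
    ("203.0.113.9", "V2"): [0, 0, 0, 0, 2],
}
# Expand into individual log records (day, victim_id, src_ip), one per alert.
LOGS = [(day, victim, src)
        for (src, victim), counts in RAW_COUNTS.items()
        for day, n in zip(DAYS, counts)
        for _ in range(n)]


def build_series(logs, days):
    """r_{a,v}(t): number of alerts from attacker a reported by victim v on day t."""
    per_day = defaultdict(lambda: {d: 0 for d in days})
    for day, victim, src in logs:
        per_day[(src, victim)][day] += 1
    return {pair: [c[d] for d in days] for pair, c in per_day.items()}


def ewma(series, alpha=0.5):
    """r^TS for the next day: s_t = alpha * r(t) + (1 - alpha) * s_{t-1}, s_1 = r(1).
    Recent days dominate, so a source that went quiet decays quickly."""
    s = series[0]
    for x in series[1:]:
        s = alpha * x + (1 - alpha) * s
    return s


def predict_ts(logs, days, alpha=0.5):
    """Predictor I: one EWMA forecast per (attacker, victim) pair."""
    return {pair: ewma(xs, alpha) for pair, xs in build_series(logs, days).items()}


def blacklist(scores, victim, length):
    """Top-`length` predicted attackers for one victim (ties broken by address)."""
    ranked = sorted(((a, s) for (a, v), s in scores.items() if v == victim and s > 0),
                    key=lambda t: (-t[1], t[0]))
    return [a for a, _ in ranked[:length]]


def lwol(logs, days, victim, length):
    """Local worst-offender baseline: rank by total past alert count instead."""
    totals = {pair: sum(xs) for pair, xs in build_series(logs, days).items()}
    return blacklist(totals, victim, length)


if __name__ == "__main__":
    scores = predict_ts(LOGS, DAYS)
    for v in ("V1", "V2"):
        print(v, "EWMA:", blacklist(scores, v, 2), "LWOL:", lwol(LOGS, DAYS, v, 2))
```

For V1 the EWMA ranking keeps the persistent source and promotes the source that appeared only on the last day, while the total-count ranking still lists the source that stopped three days ago; that difference is exactly the short memory the slide refers to.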
15 Predictor II: similar victims, spatial correlation. Data analysis: victims share common attackers [Katti et al., IMC 2005], [Zhang et al., USENIX Security 2008]. [Figure: victims linked through their common attackers.] Our approach builds on this.
16 Predictor II: similar victims, defining similarity. The similarity of victims u, v captures both the number of common attackers and when they are attacked. [Figure: victims v1-v4 and attackers a1-a3 with their common-attacker links.]
17 Predictor II: similar victims, k-nearest neighbors (kNN), r^KNN_{a,v}(t). Traditional kNN ("trust your peers"): identify the k most similar victims (the neighbors) and predict your rating from theirs. New challenges arise because the ratings are time-varying. Our approach: the predicted activity is a sum over the neighborhood of v of (similarity between the time-varying vectors) times (the time-series forecast of the neighbor, given the past logs).
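An added example of Predictor II (not the authors' code). The slides define similarity over time-varying vectors without giving the formula, so this example assumes one: each victim gets a recency-weighted vector over attackers, similarity is the cosine of two such vectors, and r^KNN_{a,v} is the similarity-weighted average of the neighbors' own EWMA forecasts for attacker a. The rating matrix R, the ids and the decay weights are constructed.

```python
import math
from collections import defaultdict

# Constructed rating matrix r_{a,v}(t): R[victim][attacker] = alerts per day
# over a 3-day window. Victim and attacker ids are placeholders.
DAYS = [1, 2, 3]
R = {
    "V1": {"A1": [3, 3, 3], "A2": [0, 2, 2]},
    "V2": {"A1": [2, 2, 2], "A2": [0, 1, 3], "A3": [0, 0, 4]},
    "V3": {"A4": [5, 5, 5]},                    # shares no attacker with V1
    "V4": {"A1": [1, 0, 0], "A3": [0, 0, 1]},
}


def ewma(series, alpha=0.5):
    """Time-series forecast r^TS for the next day (Predictor I)."""
    s = series[0]
    for x in series[1:]:
        s = alpha * x + (1 - alpha) * s
    return s


def profile(victim, days):
    """Recency-weighted attacker vector x_v[a] = sum_t 2^-(T-t) * r_{a,v}(t).
    Assumed similarity feature: rewards common attackers, more so when recent."""
    T = days[-1]
    return {a: sum(x * 2.0 ** -(T - t) for t, x in zip(days, xs))
            for a, xs in R[victim].items()}


def similarity(u, v, days):
    """Cosine similarity of the two victims' time-weighted attacker vectors."""
    xu, xv = profile(u, days), profile(v, days)
    dot = sum(xu[a] * xv[a] for a in xu.keys() & xv.keys())
    if dot == 0:
        return 0.0
    nu = math.sqrt(sum(x * x for x in xu.values()))
    nv = math.sqrt(sum(x * x for x in xv.values()))
    return dot / (nu * nv)


def neighbors(v, k, days):
    """The k most similar other victims of v, with their similarities."""
    ranked = sorted(((similarity(u, v, days), u) for u in R if u != v), reverse=True)
    return [(u, s) for s, u in ranked[:k] if s > 0]


def predict_knn(v, k, days, alpha=0.5):
    """r^KNN_{a,v}: similarity-weighted average of the neighbors' own forecasts,
    so v gets a score even for attackers it has never logged itself."""
    nbrs = neighbors(v, k, days)
    total = sum(s for _, s in nbrs)
    scores = defaultdict(float)
    for u, s in nbrs:
        for a, xs in R[u].items():
            scores[a] += s * ewma(xs, alpha) / total
    return dict(scores)


if __name__ == "__main__":
    print("neighbors of V1:", neighbors("V1", 2, DAYS))
    print("kNN scores for V1:", predict_knn("V1", 2, DAYS))
```

V1 has never logged A3, yet receives a score for it because its nearest neighbor V2 has; V3, which shares no attacker with V1, contributes nothing. A victim with no positive-similarity neighbor gets an empty prediction, which is the case the combination step has to fall back on.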
18 Predictor III: attackers-victims co-clustering. Data analysis: a group of attackers consistently targets the same group of victims, and this behavior often persists over time. We used the Cross-Association (CA) method to automatically identify dense clusters of victims-attackers.
19 Predictor III: attackers-victims prediction, r^EWMA-CA_{a,v}(t). Intuition: pairs (a,v) in dense clusters are more likely to occur, so use the density of the cluster as the predictor; EWMA-CA further weights it by persistence over time.
20 A multi-level prediction model: summary. Different predictors capture different patterns: temporal trends (EWMA time series of each (attacker, victim) pair); neighborhood models (KNN: similarity of victims; EWMA-CA: interaction of attackers and victims). Combine the different predictors.
21 Combining different predictors: a weighted average, with weights proportional to the accuracy of each predictor on the pair (a,v).
22 Performance analysis: baseline blacklisting techniques. Local Worst Offender List (LWOL): the most prolific local attackers; reactive but not proactive. Global Worst Offender List (GWOL): the most prolific global attackers; might contain irrelevant attackers, and non-prolific attackers are elusive to GWOL. Collaborative blacklisting (HPB) [J. Zhang, P. Porras, J. Ullrich, Highly Predictive Blacklisting, USENIX Security 2008], also implemented and offered as a service by Dshield.org; methodology: link analysis on the victim-similarity graph to predict future attacks.
23 Performance analysis: total hit count. 60 days of Dshield logs, 5 days of training, 1 day of testing, BL length = 1000. The combined method significantly improves the hit count (up to 70%, 57% on average) and exhibits less variation over time. [Figure: hit count over time for the combined method, HPB and GWOL.]
24 Predicting attacks: what is the best we can do? Consider a training window (day t1) and a test window (day t2) for victim v_i. Local upper bound, LocalUB(v_i): the number of IPs that appear in both the training and the test window of that particular contributor (3 in the figure). Global upper bound, GlobalUB: the number of IPs in the test window that appear in the training window of any contributor (5 in the figure). [Figure: per-contributor attack records, marked x, across the two windows.]
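An added evaluation harness (not from the slides) that makes the combination rule and the performance metrics concrete: the hit count of a blacklist against a test day, the GWOL baseline, the local and global upper bounds as defined on the slide (set intersections of attacker ids across windows), and the accuracy-weighted combination of predictor scores. The logs, the predictor scores and the per-pair accuracies are constructed; how each predictor's accuracy is measured is left as an input to the combination step.

```python
from collections import Counter

# Constructed logs (day, victim_id, src_ip): days 1-2 are the training window,
# day 3 is the test day. Attacker ids are placeholders.
TRAIN = [
    (1, "V1", "A1"), (1, "V1", "A1"), (1, "V1", "A1"), (2, "V1", "A1"),
    (2, "V1", "A1"), (2, "V1", "A1"), (1, "V1", "A2"), (2, "V1", "A3"),
    (1, "V2", "A1"), (1, "V2", "A1"),
    (1, "V2", "A4"), (1, "V2", "A4"), (1, "V2", "A4"), (1, "V2", "A4"),
    (2, "V2", "A4"), (2, "V2", "A4"), (2, "V2", "A4"), (2, "V2", "A4"),
    (2, "V2", "A5"),
]
TEST = [(3, "V1", "A1"), (3, "V1", "A4"), (3, "V1", "A6"),
        (3, "V2", "A4"), (3, "V2", "A5")]


def attackers(logs, victim=None):
    """Set of source IPs seen in `logs`, optionally restricted to one victim."""
    return {src for _, v, src in logs if victim is None or v == victim}


def hit_count(blacklist, test_logs, victim):
    """Blacklist entries that actually attacked `victim` in the test window."""
    return len(set(blacklist) & attackers(test_logs, victim))


def gwol(train_logs, length):
    """Global Worst Offender List: most prolific attackers across all victims."""
    totals = Counter(src for _, _, src in train_logs)
    ranked = sorted(totals.items(), key=lambda t: (-t[1], t[0]))
    return [src for src, _ in ranked[:length]]


def local_upper_bound(train_logs, test_logs, victim):
    """Best any method can do from the victim's own logs: attackers present
    in both its training and its test window."""
    return len(attackers(train_logs, victim) & attackers(test_logs, victim))


def global_upper_bound(train_logs, test_logs, victim):
    """Best any collaborative method can do: test-window attackers of `victim`
    that appeared in the training window of any contributor."""
    return len(attackers(train_logs) & attackers(test_logs, victim))


def combine(predictions, accuracy):
    """Weighted average of predictor scores per (a, v) pair, with weights
    proportional to each predictor's accuracy on that pair.
    predictions[name][(a, v)] = score, accuracy[name][(a, v)] = accuracy."""
    pairs = {p for scores in predictions.values() for p in scores}
    combined = {}
    for pair in pairs:
        num = sum(accuracy[name].get(pair, 0.0) * scores.get(pair, 0.0)
                  for name, scores in predictions.items())
        den = sum(accuracy[name].get(pair, 0.0) for name in predictions)
        combined[pair] = num / den if den else 0.0
    return combined


if __name__ == "__main__":
    bl = gwol(TRAIN, 2)
    for v in ("V1", "V2"):
        print(v, "GWOL hits:", hit_count(bl, TEST, v),
              "LocalUB:", local_upper_bound(TRAIN, TEST, v),
              "GlobalUB:", global_upper_bound(TRAIN, TEST, v))
```

Note that A6 attacks V1 on the test day without ever appearing in any training window: no blacklist built from past logs can catch it, which is why both upper bounds are strictly below the number of test-day attackers.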
25 Predicting attacks: room for improvement. Collaboration helps! Our method (|BL| = 1000) shows a large gap from prior methods. [Figure: hit count of our method against the prior methods and the upper bounds.]
26 Performance analysis: robustness to random errors. Robustness is achieved by the diversity of the methods. E.g. an attacker may send traffic to a single victim (detected by the temporal predictor) or to several victims (detected by the spatial predictor); or he can limit his attack activity.
27 Predictive blacklisting as a recommendation system: summary. Contributions: combined predictors that capture different patterns in the data; significant improvement with simple techniques, and still room for further improvement; the new formulation as a recommender-system (collaborative filtering) problem paves the way to more powerful techniques, e.g. capturing global structure (latent factors) and joint spatio-temporal models. References: F. Soldo, A. Le, A. Markopoulou, "Predictive Blacklisting as an Implicit Recommendation System", IEEE INFOCOM 2010, also on arxiv.org. In the news: MIT Technology Review, Slashdot, ACM TechNews.
28 How to use a list of malicious sources? It is a policy decision: e.g. scrub, give lower priority, block, monitor, do nothing. One option is to block (filter) malicious sources. When: during flooding attacks by million-node botnets. Where: at firewalls or at the routers.
29 Outline. Background: malicious Internet traffic, attack and defense. Two defense mechanisms: proactive (predictive blacklisting) and reactive (optimal source-based filtering). Conclusion.
30 Filtering at the routers. Access Control Lists (ACLs) match a packet header against rules, e.g. on source and destination IP addresses. A source-based filter is an ACL that denies access to a source IP or prefix. Filters are implemented in TCAM: they can keep up with high speeds, but they are a limited resource, and there are fewer filters than attack sources.
31 Filter selection at a single router: a trade-off between the number of filters and the collateral damage. Filter a single attack source A.B.C.D, or filter a whole prefix A.B.C.*. [Figure: attackers and legitimate users behind an ISP edge router with link capacity C, in front of the victim V.]
32 Optimal source-based filtering. Design a family of filter-selection algorithms that take as input a blacklist of malicious (bad) sources, a whitelist of legitimate (good) sources, a constraint on the number of filters Fmax, a constraint on the access bandwidth C, and the operator's policy, and that optimally select which source IP prefixes to filter so as to optimize the operator's objective subject to the constraints. [Figure: the IP address space from 0 to 2^32-1, with a single address A.B.C.D and a prefix A.B.C.*.] So far this has been done heuristically (through ACLs or rate limiters).
33 Optimal source-based filtering: a general framework. [l,r]: a range in the IP space; p/l: the prefix p of length l; F_max: the number of filters (<< N). The decision variable is whether we block the range [l,r] or not; W_i is the weight assigned to source IP address i; and each range [l,r] has a cost of being blocked.
34 Optimal source-based filtering: expressing the operator's policy. The assignment of the weights W_i is the operator's knob: it indicates the volume of traffic sent, or the importance assigned by the operator. W_i > 0 for a good source i, W_i < 0 for a bad source i, W_i = 0 if indifferent. Objective function: the cost of blocking a range [l,r] is the cost of the good sources in [l,r] minus the cost of the bad sources in [l,r].
35 Filter selection algorithms: problem overview. RANGE-based (filter an IP or a range [l,r]) [Soldo, El Defrawy, Markopoulou, van der Merwe, Krishnamurthy: ITA 09]: FILTER-ALL-RANGE, FILTER-SOME-RANGE, FILTER-ALL-DYNAMIC-RANGE. PREFIX-based (filter an IP source or a prefix) [Soldo, Markopoulou, Argyraki: INFOCOM 09, arxiv.org]: FILTER-ALL: block all malicious sources; FILTER-SOME: block some malicious sources; FILTER-ALL-DYNAMIC: the BL varies over time; FLOODING: bandwidth constraint at the access router; DISTRIBUTED-FLOODING: filters at multiple routers.
36 Filter selection algorithms: algorithms overview. RANGE-based (filter an IP or a range [l,r]) [Soldo, El Defrawy, Markopoulou, van der Merwe, Krishnamurthy: ITA 09]: FILTER-ALL-RANGE, FILTER-SOME-RANGE, FILTER-ALL-DYNAMIC-RANGE. PREFIX-based (filter an IP source or a prefix) [Soldo, Markopoulou, Argyraki: INFOCOM 09, arxiv.org]: FILTER-ALL: O(N); FILTER-SOME: O(N); FILTER-ALL-DYNAMIC: O(N); FLOODING: NP-hard, a pseudo-polynomial algorithm in O(C^2 N) plus a heuristic; DISTRIBUTED-FLOODING: a distributed solution following a dynamic-programming approach.
37 Longest common prefix tree of a BL. LCP-Tree(BL): a binary tree whose leaves are the addresses in BL and whose intermediate nodes are their longest common prefixes. It can be found from the full binary tree of IP prefixes. E.g. for BL = { , , }, the LCP-Tree(BL) is: [Figure: the example LCP tree; nodes are annotated with their prefix length (/31, /32) and with counts such as "3 bad, 5 good addresses" and "0 good, 2 bad addresses".] Finding a set of filters: there is no need to look at all possible sets of prefixes; it is sufficient to look only at prunings of the LCP tree, which lends itself to a dynamic-programming approach.
38 Filter-All-Prefix: problem statement. Given a blacklist BL, a weight w_i for each good IP i, and F_max filters, choose prefixes p/l (decision variables x_{p/l}) so as to filter all bad addresses and minimize the collateral damage.
39 Filter-All-Prefix: dynamic programming algorithm. Define the cost of the optimal allocation of F filters within a prefix p, whose subtrees are s_L and s_R: allocate F-n >= 1 filters within the left subtree and n >= 1 filters within the right subtree, for n = 1, ..., F-1. Requiring at least one filter on each side means that we want to block all malicious sources (leaves).
40 Filter-All-Prefix DP algorithm: example with N = 10 and Fmax = 4. [Figure: the LCP tree of the example, with prefixes 0/1, 32/5, 57/6 and 58/6.]
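The LCP tree and the Filter-All-Prefix dynamic program, as an added Python example (not the authors' code). It builds LCP-Tree(BL) from a constructed blacklist by splitting on the first disagreeing bit, charges each candidate prefix the total weight of the whitelisted addresses it would also block (the collateral damage), and fills the table cost(p, F) = min( block p with one filter, min over n of cost(s_L, n) + cost(s_R, F-n) ), with n and F-n both at least 1 so that every leaf stays covered. The addresses and weights are constructed; `covers_all` is a hypothetical sanity check that the chosen prefixes really do block every blacklisted address.

```python
import ipaddress

# Constructed example: a blacklist of bad addresses and a weighted whitelist
# of good addresses (weight w_i = collateral damage if good address i is blocked).
BAD = ["10.0.0.1", "10.0.0.3", "10.0.0.6", "10.0.1.5", "192.168.5.7"]
GOOD = [("10.0.0.2", 1), ("10.0.0.4", 3), ("10.0.1.6", 5), ("10.0.2.2", 2)]


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


class Node:
    """LCP-tree node: prefix p/l; leaves are the /32 blacklist entries."""
    def __init__(self, prefix, length, left=None, right=None):
        self.prefix, self.length, self.left, self.right = prefix, length, left, right

    def cidr(self):
        return f"{ipaddress.IPv4Address(self.prefix)}/{self.length}"


def lcp_length(addrs):
    """Longest common prefix length of a set of addresses (min and max decide it)."""
    return 32 - (min(addrs) ^ max(addrs)).bit_length()


def build_lcp_tree(bad):
    """LCP-Tree(BL): split the blacklist on the first bit where it disagrees."""
    def rec(group):
        l = lcp_length(group)
        prefix = (group[0] >> (32 - l)) << (32 - l)
        if l == 32:
            return Node(prefix, 32)                       # a single bad address
        bit = 1 << (31 - l)
        return Node(prefix, l,
                    rec([a for a in group if not a & bit]),
                    rec([a for a in group if a & bit]))
    return rec(sorted({ip_to_int(a) for a in bad}))


def collateral(node, good):
    """Total weight of good addresses that fall inside node's prefix."""
    shift = 32 - node.length
    return sum(w for a, w in good if a >> shift == node.prefix >> shift)


def filter_all_prefix(bad, good, fmax):
    """Filter-All-Prefix DP: block every bad address with at most fmax prefix
    filters, minimizing collateral damage. Returns (damage, [prefixes])."""
    good_ints = [(ip_to_int(a), w) for a, w in good]
    memo = {}

    def cost(node, f):
        key = (id(node), f)
        if key not in memo:
            # Option 1: one filter covering this node's whole prefix.
            best = (collateral(node, good_ints), [node.cidr()])
            # Option 2: n >= 1 filters left, f - n >= 1 right (all leaves stay covered).
            if node.left is not None:
                for n in range(1, f):
                    cl, pl = cost(node.left, n)
                    cr, pr = cost(node.right, f - n)
                    if cl + cr < best[0]:
                        best = (cl + cr, pl + pr)
            memo[key] = best
        return memo[key]

    return cost(build_lcp_tree(bad), fmax)


def covers_all(prefixes, bad):
    """Sanity check: every blacklisted address lies inside some chosen prefix."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return all(any(ipaddress.IPv4Address(a) in n for n in nets) for a in bad)


if __name__ == "__main__":
    for f in range(1, 6):
        damage, prefixes = filter_all_prefix(BAD, GOOD, f)
        print(f"F_max={f}: collateral damage {damage}, filters {prefixes}")
```

With one filter the only feasible choice is 0.0.0.0/0 and every good address is hit; each additional filter lets the DP descend one more level of the LCP tree, and with five filters (one per blacklisted address) the damage reaches zero. The table has one entry per (node, F) pair, which is the O(N) per filter budget the slides state for FILTER-ALL.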
41 Filter-Some-Prefix: example with N = 10 and Fmax = 4. [Figure: the LCP tree with prefixes 32/5, 3/6, 57/6 and 58/6.]
42 Filter-All-Prefix-Dynamic: the time-varying case, N = 10 and Fmax = 4. When the blacklist changes, only O(F_max log N) table entries need to be (re)computed.
43 FLOODING: problem statement. Given a blacklist BL, a whitelist WL, a weight per address equal to the traffic volume it generates, a constraint on the link capacity C, and F_max filters, choose source IP prefixes x_{p/l} so as to minimize the collateral damage and fit the total traffic within the link capacity C.
44 FLOODING is NP-hard: reduction from knapsack with a cardinality constraint (1.5K). FLOODING DP algorithm: an optimal pseudo-polynomial dynamic programming algorithm solves the problem in O((C F_max)^2 N). It is similar to the previous DP, but solves a 2-dimensional knapsack problem; the LCP tree includes both good and bad addresses, and the DP is extended to take the capacity constraint into account. A heuristic: adjust the granularity (ΔC > 1) of C.
45 Distributed flooding: filters at several routers. Deploying filters at several routers increases the total filter budget. Each router u has its own view of good/bad traffic, its own capacity on the incoming link, and its own filter budget. Filtering at several routers means deciding not only which prefix to block but also on which router. Solution: the problem can be solved in a distributed way, and this outperforms independent decisions. [Figure: attackers, several routers with link capacity c, and the victim.]
46 Evaluation using Dshield data: FLOODING vs. rate limiting. Attack sources: from the point of view of a single victim in Dshield. Good sources: generated as in [Kohler et al., TON 06], [Barford et al., PAM 06]. Before the attack, the good traffic was C/10 < C; during the attack, the bad traffic is 10C. [Figure: collateral damage CD/N.] Optimal filter selection preserves the good traffic and drops the bad.
47 Intuition: why optimization helps compared to non-optimized filtering. Malicious sources are clustered in the IP address space, and they are not co-located with legitimate sources, so filtering can block IP prefixes that contain malicious sources without penalizing (many) legitimate sources.
48 Evaluation using Dshield data (2): FILTER-ALL-PREFIX vs. generic clustering algorithms. Malicious addresses: those attacking 2 specific victim networks (the most and the least clustered) in the Dshield dataset. Good addresses: generated using a multifractal model [Kohler et al., TON 06], [Barford et al., PAM 06]. Optimal filter selection outperforms generic clustering.
49 Evaluation using Dshield data (3): DISTRIBUTED-FLOODING, the value of coordination. [Figure: collateral damage CD/N.] Coordination among routers helps.
50 Optimal source-based filtering: summary. A framework for optimal filter selection: we defined various filtering problems and designed efficient algorithms to solve them. It leads to significant improvements on real datasets compared to non-optimized filter selection, to generic clustering, and to uncoordinated routers, because of the clustering of malicious sources.
51 Outline. Background: malicious Internet traffic, attacks and defenses. Two defense mechanisms: proactive, blacklisting as a recommendation system; reactive, filtering as an optimization problem. Conclusion: both are parts of a larger system that collects and analyzes data from multiple sensors and takes appropriate action.
52 Thank you!
Application Note TrustedSource in McAfee Firewall Enterprise McAfee version 8.1.0 and earlier Firewall Enterprise This document uses a question and answer format to explain the TrustedSource reputation
More informationService Description DDoS Mitigation Service
Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3
More informationOn-Premises DDoS Mitigation for the Enterprise
On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has
More informationTowards Autonomic DDoS Mitigation using Software Defined Networking
Towards Autonomic DDoS Mitigation using Software Defined Networking Authors: Rishikesh Sahay, Gregory Blanc, Zonghua Zhang, Hervé Debar NDSS Workshop on Security of Emerging Networking Technologies (SENT
More informationAn Efficient Filter for Denial-of-Service Bandwidth Attacks
An Efficient Filter for Denial-of-Service Bandwidth Attacks Samuel Abdelsayed, David Glimsholt, Christopher Leckie, Simon Ryan and Samer Shami Department of Electrical and Electronic Engineering ARC Special
More informationArchitecture. The DMZ is a portion of a network that separates a purely internal network from an external network.
Architecture The policy discussed suggests that the network be partitioned into several parts with guards between the various parts to prevent information from leaking from one part to another. One part
More informationCPCC Networking. Faculty. Hamid Jafarkhani Ahhmed Eltawil Homayoun Yousefi zadeh Anima Anandkuma Athina Markopoulou
CPCC Networking Faculty Hamid Jafarkhani Ahhmed Eltawil Homayoun Yousefi zadeh Anima Anandkuma Athina Markopoulou Network Coding Basic Idea Allow intermediate nodes to combine packets Receivers must decode
More informationDenial of Service Attacks
(DoS) What Can be DoSed? First Internet DoS Attack The TCP State Diagram SYN Flooding Anti-Spoofing Better Data Structures Attacking Compact Data Structures Generic Solution SYN Cookies It s Not Perfect
More informationPresentation_ID. 2001, Cisco Systems, Inc. All rights reserved.
Presentation_ID 2001, Cisco Systems, Inc. All rights reserved. 1 IPv6 Security Considerations Patrick Grossetete pgrosset@cisco.com Dennis Vogel dvogel@cisco.com 2 Agenda Native security in IPv6 IPv6 challenges
More informationGregSowell.com. Mikrotik Security
Mikrotik Security IP -> Services Disable unused services Set Available From for appropriate hosts Secure protocols are preferred (Winbox/SSH) IP -> Neighbors Disable Discovery Interfaces where not necessary.
More informationAlienVault. Unified Security Management (USM) 5.x Policy Management Fundamentals
AlienVault Unified Security Management (USM) 5.x Policy Management Fundamentals USM 5.x Policy Management Fundamentals Copyright 2015 AlienVault, Inc. All rights reserved. The AlienVault Logo, AlienVault,
More informationSurvey on DDoS Attack Detection and Prevention in Cloud
Survey on DDoS Detection and Prevention in Cloud Patel Ankita Fenil Khatiwala Computer Department, Uka Tarsadia University, Bardoli, Surat, Gujrat Abstract: Cloud is becoming a dominant computing platform
More informationBotnet Detection Based on Degree Distributions of Node Using Data Mining Scheme
Botnet Detection Based on Degree Distributions of Node Using Data Mining Scheme Chunyong Yin 1,2, Yang Lei 1, Jin Wang 1 1 School of Computer & Software, Nanjing University of Information Science &Technology,
More informationHow To Protect A Dns Authority Server From A Flood Attack
the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point
More informationDefending Networks with Incomplete Information: A Machine Learning Approach. Alexandre Pinto alexcp@mlsecproject.org @alexcpsec @MLSecProject
Defending Networks with Incomplete Information: A Machine Learning Approach Alexandre Pinto alexcp@mlsecproject.org @alexcpsec @MLSecProject Agenda Security Monitoring: We are doing it wrong Machine Learning
More informationFlashback: Internet design goals. Security Part Two: Attacks and Countermeasures. Security Vulnerabilities. Why did they leave it out?
Flashback: Internet design goals Security Part Two: Attacks and Countermeasures 1. Interconnection 2. Failure resilience 3. Multiple types of service 4. Variety of networks 5. Management of resources 6.
More informationIntroducing FortiDDoS. Mar, 2013
Introducing FortiDDoS Mar, 2013 Introducing FortiDDoS Hardware Accelerated DDoS Defense Intent Based Protection Uses the newest member of the FortiASIC family, FortiASIC-TP TM Rate Based Detection Inline
More informationAttacks Against the Cloud: A Mitigation Strategy. Cloud Attack Mitigation & Firewall on Demand
Attacks Against the Cloud: A Mitigation Strategy C L O U D A T T A C K M I T I G A T I O N & F I R E W A L L O N D E M A N D A l e x Z a c h a r i s a z a h a r i s @ a d m i n. g r n e t. g r G R N E
More informationImplementation of Botcatch for Identifying Bot Infected Hosts
Implementation of Botcatch for Identifying Bot Infected Hosts GRADUATE PROJECT REPORT Submitted to the Faculty of The School of Engineering & Computing Sciences Texas A&M University-Corpus Christi Corpus
More informationTECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING
TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING 20 APRIL 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to
More informationDDoS Vulnerability Analysis of Bittorrent Protocol
DDoS Vulnerability Analysis of Bittorrent Protocol Ka Cheung Sia kcsia@cs.ucla.edu Abstract Bittorrent (BT) traffic had been reported to contribute to 3% of the Internet traffic nowadays and the number
More informationInternational Journal of Computer Science and Network (IJCSN) Volume 1, Issue 5, October 2012 www.ijcsn.org ISSN 2277-5420. Bhopal, M.P.
Prevention of Buffer overflow Attack Blocker Using IDS 1 Pankaj B. Pawar, 2 Malti Nagle, 3 Pankaj K. Kawadkar Abstract 1 PIES Bhopal, RGPV University, 2 PIES Bhopal, RGPV University, 3 PIES Bhopal, RGPV
More informationIntrusion Detection in AlienVault
Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat
More informationConfiguring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA
Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline
More informationAgenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka
Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques
More informationIntroducing IBM s Advanced Threat Protection Platform
Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM
More informationDenial of Service Attacks, What They are and How to Combat Them
Denial of Service Attacks, What They are and How to Combat Them John P. Pironti, CISSP Genuity, Inc. Principal Enterprise Solutions Architect Principal Security Consultant Version 1.0 November 12, 2001
More informationA Review of Anomaly Detection Techniques in Network Intrusion Detection System
A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In
More informationThreatSTOP Technology Overview
ThreatSTOP Technology Overview The Five Parts to ThreatSTOP s Service We provide 5 integral services to protect your network and stop botnets from calling home ThreatSTOP s 5 Parts: 1 Multiple threat feeds
More informationCSE331: Introduction to Networks and Security. Lecture 17 Fall 2006
CSE331: Introduction to Networks and Security Lecture 17 Fall 2006 Announcements Project 2 is due next Weds. Homework 2 has been assigned: It's due on Monday, November 6th. CSE331 Fall 2004 2 Summary:
More informationSecurity vulnerabilities in the Internet and possible solutions
Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in
More information