IPFIX IE Extensions for DDoS Attack Detection draft-fu-dots-ipfix-extension-01



Similar documents
An Elastic and Adaptive Anti-DDoS Architecture Based on Big Data Analysis and SDN for Operators

Analysis of a DDoS Attack

TDC s perspective on DDoS threats

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

CS 356 Lecture 16 Denial of Service. Spring 2013

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection on the Security Gateway

Introduction to DDoS Attacks. Chris Beal Chief Security Architect on Twitter

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Network Monitoring and Management NetFlow Overview

SURE 5 Zone DDoS PROTECTION SERVICE

Network Management & Monitoring

How To Block A Ddos Attack On A Network With A Firewall

Analysis of Network Packets. C DAC Bangalore Electronics City

OpenDaylight Project Proposal Dynamic Flow Management

VALIDATING DDoS THREAT PROTECTION

Introduction to Netflow

Carrier/WAN SDN Brocade Flow Optimizer Making SDN Consumable

Distributed Denial of Service (DDoS)

Firewall Defaults and Some Basic Rules

Automated Mitigation of the Largest and Smartest DDoS Attacks

SecurityDAM On-demand, Cloud-based DDoS Mitigation

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

DDoS Overview and Incident Response Guide. July 2014

Flow Analysis Versus Packet Analysis. What Should You Choose?

Web Application Level Approach against the HTTP Flood Attacks IOSEC HTTP Anti Flood/DoS Security Gateway Module

A VoIP Traffic Monitoring System based on NetFlow v9

PROFESSIONAL SECURITY SYSTEMS

Eudemon8000 High-End Security Gateway HUAWEI TECHNOLOGIES CO., LTD.

Introducing FortiDDoS. Mar, 2013

FortiDDoS. DDoS Attack Mitigation Appliances. Copyright Fortinet Inc. All rights reserved.

First Line of Defense

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

DDoS Threat Report. Chris Beal Chief Security Architect on Twitter

DoS/DDoS Attacks and Protection on VoIP/UC

Firewalls and Intrusion Detection

IPv6 and DDoS Protec0on: Securing Carrier Grade NAT Infrastructure

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Cheap and efficient anti-ddos solution

Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic

Netflow Overview. PacNOG 6 Nadi, Fiji

Automated Mitigation of the Largest and Smartest DDoS Attacks

Firewall Firewall August, 2003

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

FortiDDos Size isn t everything

KASPERSKY DDoS PROTECTION. Protecting your business against financial and reputational losses with Kaspersky DDoS Protection

BEHAVIORAL SECURITY THREAT DETECTION STRATEGIES FOR DATA CENTER SWITCHES AND ROUTERS

Configuring TCP Intercept (Preventing Denial-of-Service Attacks)

Chapter 8 Network Security

Bridging the gap between COTS tool alerting and raw data analysis

Security Toolsets for ISP Defense

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

CYBER SCIENCE 2015 AN ANALYSIS OF NETWORK TRAFFIC CLASSIFICATION FOR BOTNET DETECTION

Introduction of Intrusion Detection Systems

How To Stop A Ddos Attack On A Network From Tracing To Source From A Network To A Source Address

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

DDoS Attacks & Mitigation

About Firewall Protection

Availability Digest. Prolexic a DDoS Mitigation Service Provider April 2013

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

RID-DoS: Real-time Inter-network Defense Against Denial of Service Attacks. Kathleen M. Moriarty. MIT Lincoln Laboratory.

Acquia Cloud Edge Protect Powered by CloudFlare

First Line of Defense

Development of a Network Intrusion Detection System

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

CloudFlare advanced DDoS protection

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Application of Netflow logs in Analysis and Detection of DDoS Attacks

McAfee Network Security Platform [formerly IntruShield] Denial-of-Service [DoS] Prevention Techniques Revision C Revised on: 18-December-2013

Radware Emergency Response Team. SSDP DDoS Attack Mitigation

Firewall Technologies. Access Lists Firewalls

Check Point DDoS Protector

How Cisco IT Protects Against Distributed Denial of Service Attacks

JUST FOR THOSE WHO CAN T TOLERATE DOWNTIME WE ARE NOT FOR EVERYONE

Complete Protection against Evolving DDoS Threats

CS155 - Firewalls. Simon Cooper <sc@sgi.com> CS155 Firewalls 22 May 2003

WhitePaper. Mitigation and Detection with FortiDDoS Fortinet. Introduction

Application Security Backgrounder

Arbor s Solution for ISP

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Detecting Flooding Attacks Using Power Divergence

How To Protect A Dns Authority Server From A Flood Attack

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Denial of Service Attacks

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

The Ecosystem of Computer Networks. Ripe 46 Amsterdam, The Netherlands

IxLoad-Attack: Network Security Testing

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Radware s Attack Mitigation Solution On-line Business Protection

1. Firewall Configuration

NetStream (Integrated) Technology White Paper HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

Plugging Network Security Holes using NetFlow. Loopholes in todays network security solutions and how NetFlow can help

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

DDoS Attacks - Peeling the Onion on One of the Most Sophisticated Ever Seen. Eldad Chai, VP Product

DDoS Protection Technology White Paper

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

Application DDoS Mitigation

Transcription:

IPFIX IE Extensions for DDoS Attack Detection draft-fu-dots-ipfix-extension-01 Tianfu Fu futianfu@huawei.com Dacheng Zhang dacheng.zdc@alibaba-inc.com Liang Xia (Frank) frank.xialiang@huawei.com Min Li l.min@huawei.com 1

What is IPFIX Refers to Applying IPFIX to Network Measurement and Management by Brian Trammell What is IPFIX Introducing the IPFIX IE-DOCTORS 2

How IPFIX Fits into DOTS From DOTS charter: The aim of DDoS Open Threat Signaling (DOTS) is to develop a standards based approach for the realtime signaling of DDoS related telemetry and threat handling requests and data between elements concerned with DDoS attack detection, classification, traceback, and mitigation. From draft-ietf-dotsrequirements: Attack telemetry: Collected network traffic characteristics enabling the detection, classification, and in many cases traceback of a DDoS attack.... To achieve this aim, the protocol must permit the DOTS client to request or withdraw a request for coordinated mitigation;... and to supply summarized attack information and additional hints the DOTS server elements can use to increase the accuracy and speed of the attack response. This document focuses on the DDoS related telemetry information part for DOTS, and proposes using a set of IPFIX IEs for the goal of DDoS attack inspection. 3

IPFIX Information Elements (IEs) for Security Standard IEs An example of IEs for security A syn flood attack process processing delay (T2-T1)increases. TCP half-connection states increase suddenly Session completing ratio decreases suddenly. Server side packet loss ratio increases suddenly. Key Metrics for Attack Detection IP 5 tuple Session delay(handshake time T2-T1) Abnormal connection state(terminate, half-connection, RST, ACK/SYN-ACK) Fragment packet statistics DNS statistics (UDP Flood) Session completing ratio Session packet loss ratio Packet payload signature Session packet statistics (FSD, Flow Size Distribution) Others... 4

Major Steps of Using IPFIX in DDoS Attack Session Sampling (IPFIX IEs) Data sampling policies Inspection (Telemetry Process) Data Mining Abnormal session ratio increases suddenly answer-seizure ratio decreases suddenly Latency increases suddenly Concurrent sessions increase suddenly TCP FSD sunken UDP FSD floating Packet digest repetition degree increases suddenly Abnormality Screening Coarse Grained Abnormal session source destination subnet TOPN Abnormal session source destination IP TOPN Abnormal session service TOPN Fine Grained Precisely locate the attack source Precisely locate the attack target Identify abnormal elephant flow Generate attack suppression policies ACLs block attack traffic Sending digest of packet contents block attack traffic Sending traffic steering policies for cleaning Traffic cleaning policies 5

Major Steps of Using IPFIX in DDoS Attack DOTS client or router/switch Inspection (DOTS Elements Interaction) 1. Attack telemetry Information (IPFIX) 2. Attack detection based on telemetry information DOTS Server 3. Mitigation policy Mode 1 DOTS Server Enabled Mitigation Mitigator DOTS client or router/switch 1. Attack telemetry Information (IPFIX) DOTS Server Mitigator 2. Attack detection based on telemetry information 3. Notify DOTS client it s under attack 4. DOTS client sends mitigation request 5. Mitigation policy Mode 2 DOTS Client Enabled Mitigation 6

Challenges of Using IPFIX in DDoS Attack Inspection Packet sampling can not be aware of the session related information: statistics, status, duration, other metrics; Low packet sampling probability for small session: the smaller packet sampling probability leads to big difficulty to detect small session based attacks (SYN-Flood, ACK-Flood, etc); Lack of support for correlated bidirectional sampling: today s packet sampling is independently applied in each direction and leads to the difficulty to correlate the statistic of both sides. Example: SNMP/DNS Reflected Amplification; Current information is not sufficient: without detailed information, it s impossible to distinguish some attacks, such as IP fragment attack and Slowloris HTTP attack, from the ordinary ones 7

Solution: Security Extension of IPFIX

IPFIX Security Extension IEs Upstream/downstream counters for packets and octets pktupstreamcount pktdownstreamcount octetupstreamcount octetdownstreamcount ICMP echo/reply counters icmpechodeltacount icmpechoreplydeltacount TCP connection anomaly information A new values is added to FlowEndReason: 0x06 protocol exception timeout tcpcontrolstatebits tcpoutofordertotalcount tcppayloadoctettotalcount Network session related: completing ratio, abnormal session ratio, concurrent session ratio, half-connection, etc. Apply for DDoS flood attack inspection for syn, udp, icmp, dns, ntp, and so on. 9

IPFIX Security Extension IEs (Continue) Fragment statistic fragmentpacketdeltacount fragmentfirsttooshortdeltacount fragmentflagerrordeltacount Flow Metric Distribution octetvariance flowtimeintervalvariance flowsessionendmilliseconds flowtimeinterval serverresponsetime clientresponsetime sessionresponsetime DDoS Fragment attack inspection Session packet number/distribution, session size distribution, session running time and response time, session time distribution, etc. Apply for various DDoS flood attack inspection: syn, udp, dns, icmp, fragment, etc. 10

Next Steps Solicit comments; Keep on improving 11

Thanks! Liang Xia (Frank) 12

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information