Institut für Telematik, Universität Karlsruhe (TH), Germany. IWAN 2005 – November 23rd


Page 1

Institut für Telematik, Universität Karlsruhe (TH), Germany
IWAN 2005 – November 23rd

An Extension to Packet Filtering of Programmable Networks

Marcus Schöller, Thomas Gamer, Roland Bless, and Martina Zitterbart

Page 2

An Extension to Packet Filtering of Programmable Networks Marcus Schöller, Universität Karlsruhe (TH), Germany 2

Motivation

• Building an attack detection system
  • DDoS and worm propagation are major threats
  • The victim cannot take any countermeasures
  • Support from the network operator is needed
  • Detection as early as possible
• Objectives
  • Be extensible to adapt to new attacks
  • Be resource saving to fit in high-speed environments
• Build an anomaly based attack detection system based on packet selection

Figure: Application level view

Page 3

Motivation (continued; same bullets as page 2 with one addition)

• Building an attack detection system
  • Attacks are constantly changing

Figure: Network level view

Page 4

Anomaly based detection system

• Statistical anomaly in an aggregate suggests an attack
  • DDoS: Rapid increase of packets at the aggregation point
  • Worm propagation: Exponential increase of packets

Figure: Network level view

Page 5

Anomaly based detection system

• Statistical anomaly in an aggregate suggests an attack
  • Rapid increase of packets
  • Exponential increase of packets
• Protocol anomalies within such an aggregate verify the suggestion
  • TCP connection establishment
    • # TCP-SYN ≈ # TCP-SYN-ACK
  • TCP-SYN-Flooding
    • (# TCP-SYN > # TCP-SYN-ACK) & TCP-RST
• Packet selection to find statistical anomalies
  • Attack hints can be detected with fewer resources

Page 6

Packet Selection – PSAMP WG

• Packet filtering
  • Field match filtering
  • Hash based selection
  • Router state filtering
• Packet sampling
  • Non-uniform probabilistic sampling
  • Systematic time based sampling
  • n-out-of-N sampling
  • Uniform probabilistic sampling
  • Systematic count based sampling

NodeOS is currently limited to the packet filtering class

Page 7

NodeOS specification

• IPFIX conform filtering at the incoming channel (inChan)
• Packet sampling within the EE
  • Unnecessary delay for not selected packets
  • Resource consuming
  • High delay
  • Not applicable for high speed routers
• Two issues
  • Select a suitable packet selection scheme
  • Integrate packet selection in NodeOS

Figure: NodeOS (inChan, packet filter, outChan) and Execution Environment (packet sampling, packet processing)

Page 8

Selecting a suitable packet selector

• Building an attack detection system
  • Packet filtering is unsuitable
    • Attacker can circumvent detection by packet crafting
  • Non-uniform probabilistic sampling is unsuitable
    • Deep packet inspection necessary
  • Systematic time-based sampling is unsuitable
    • Bad estimation during low bandwidth utilization
  • n-out-of-N sampling is suitable only to a limited extent
    • Generation of unique random numbers necessary
  • Uniform probabilistic sampling is well suited
    • Only a random number generator required
  • Systematic count based sampling is very well suited
    • Least resource demanding

Page 9

Packet sampling experiment

• Uniform probabilistic sampling
  • Sampling interval: 0,5 s and 5 s
  • Accuracy depends on the number of packets per interval
• Same results for systematic count based sampling

Estimation failure of uniform probabilistic sampling (relative estimation error by selection probability)

Aggregate   Packet average per sampling interval   20%      30%      40%
ICMP        87,9                                   21,81%   16,47%   13,5%
ICMP        890,82                                 6,84%    5,04%    4,39%
UDP         1041,95                                6,15%    4,77%    3,8%
UDP         10451,29                               2,15%    1,52%    1,27%
TCP         9343,11                                2,11%    1,54%    1,27%
TCP         93423,88                               0,69%    0,49%    0,42%
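Added derivation (not part of the slides) of why the estimation error depends on the packet count per interval: under uniform probabilistic sampling the number of selected packets is binomial, and the relative standard error of the scaled-up count reproduces the table's figures to within a few tenths of a percent.

$$k \sim \mathrm{Bin}(N, p), \qquad \hat N = \frac{k}{p}, \qquad \mathrm{Var}(\hat N) = \frac{N p (1-p)}{p^{2}} = \frac{N(1-p)}{p}, \qquad \frac{\sigma_{\hat N}}{N} = \sqrt{\frac{1-p}{p\,N}}$$

With $N = 87.9$ and $p = 0.2$ this gives $\sqrt{0.8 / 17.58} \approx 0.213$ (table: 21,81%); with $N = 93423.88$ and $p = 0.4$ it gives $\sqrt{0.6 / 37369.55} \approx 0.0040$ (table: 0,42%). The error shrinks with $1/\sqrt{N}$, so a small ICMP aggregate is estimated far less accurately than the large TCP aggregate at the same selection probability.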

Page 10

Extending the NodeOS specification

• Packet selection in the incoming channel
  • Process a copy of selected packets only
  • Preserve packet order
  • Reduce packet delay
  • Reduce memory usage
• Systematic count based sampling
  • Lowest resource demands

Figure: NodeOS (inChan, packet filtering, packet sampling) and Execution Environment (packet processing)
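As an added example (not the authors' code), the two-stage detection of page 5 built on the systematic count based selector chosen on pages 8 and 10, in Python: every n-th packet of the channel is copied to the analysis module, per-interval counts are scaled up, a rapid increase in the aggregate gives the hint, and the SYN/SYN-ACK/RST relation verifies it. The packet trace, the interval length, the factor 3 for "rapid increase" and the ratio 2 for the SYN check are constructed assumptions.

```python
import random
from collections import Counter

def make_trace(seed=7):
    """Constructed packet trace (not from the slides): (interval, tcp_flag)
    records of one TCP aggregate seen at an aggregation point. Intervals
    0-3 carry normal traffic, intervals 4-5 a SYN flood. A seeded RNG is
    used instead of a repeating pattern, which would alias with the
    every-n-th selector below."""
    rng = random.Random(seed)
    trace = []
    for interval in range(4):
        for _ in range(200):
            trace.append((interval, rng.choice(["S", "SA", "", ""])))
    for interval in range(4, 6):
        for _ in range(2000):
            trace.append((interval, "S" if rng.random() < 0.9 else "R"))
    return trace

def count_based_sample(trace, n):
    """Systematic count based sampling in the incoming channel: select every
    n-th packet. Only a copy of each selected packet goes to the analysis
    module; the stream itself is forwarded unchanged, so order is kept."""
    return [pkt for idx, pkt in enumerate(trace) if idx % n == 0]

def per_interval_stats(selected, n):
    """Scale sampled counts by n to estimate per-interval totals."""
    stats = {}
    for interval, flag in selected:
        s = stats.setdefault(interval, Counter())
        s["pkts"] += n
        if flag:
            s[flag] += n
    return stats

def statistical_anomaly(stats, factor=3.0):
    """Stage 1: a rapid increase of packets in the aggregate is an attack hint."""
    return [i for i in sorted(stats) if i - 1 in stats
            and stats[i]["pkts"] > factor * stats[i - 1]["pkts"]]

def syn_flood_verified(stat, ratio=2.0):
    """Stage 2: protocol anomaly. Normally #SYN is about #SYN-ACK; a flood
    shows #SYN well above #SYN-ACK together with RST packets."""
    return stat["S"] > ratio * max(stat["SA"], 1) and stat["R"] > 0

def detect(trace, n=10):
    stats = per_interval_stats(count_based_sample(trace, n), n)
    return [i for i in statistical_anomaly(stats) if syn_flood_verified(stats[i])]
```

Calling detect(make_trace()) returns the list of intervals in which the hint was confirmed; with the constructed trace that is interval 4, the first flood interval, since interval 5 shows no further increase over interval 4.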

Page 11

Evaluation results

Figure: processing time [in 1000 processor tics] per packet index (x axis: packet index 0 to 2000; y axis: 0 to 3000); annotated value: 61 795 Tics

Average of overall processing time: 245 858 Tics
Selected packet: 205 617 Tics
Not-selected packet: 1 076 Tics

Page 12

Conclusion

• Programmable networks are well suited
  • Analysis modules are instantiated on demand
  • Resource saving
• Packet selection
  • Reduces resource demands
  • Extend the NodeOS specification
• Other applications based on packet selection
  • Traffic measurement
  • Traffic accounting
  • Trajectory sampling

Page 13

Outlook

• Eliminate simplifications of our model
  • Internet routes are asymmetric
    • Cooperation of detection instances
  • Simultaneous attacks
    • Feedback between detection modules
• Adaptive packet selection
• Countermeasures
• DDoS vs. flash crowds

Page 14

Thank you!

Questions?

Please visit www.tm.uka.de/projects/flexinet for further information and downloads!