Institut für Telematik, Universität Karlsruhe (TH), Germany
IWAN 2005 – November 23rd

An Extension to Packet Filtering of Programmable Networks
Marcus Schöller, Thomas Gamer, Roland Bless, and Martina Zitterbart
An Extension to Packet Filtering of Programmable Networks Marcus Schöller, Universität Karlsruhe (TH), Germany 2
Motivation
Building an attack detection system
  • DDoS and worm propagation are major threats
  • The victim cannot take any countermeasures: support from the network operator is needed
  • Detection as early as possible
  • Attacks are constantly changing
Objectives
  • Be extensible to adapt to new attacks
  • Be resource saving to fit in high-speed environments
Build an anomaly based attack detection system based on packet selection
(Figure: application level view and network level view of the detection system)
Anomaly based detection system
Statistical anomaly in an aggregate suggests an attack
  • DDoS: rapid increase of packets at the aggregation point
  • Worm propagation: exponential increase of packets
Protocol anomalies within such an aggregate verify the suggestion
  • TCP connection establishment: # TCP-SYN approx. # TCP-SYN-ACK
  • TCP-SYN flooding: (# TCP-SYN > # TCP-SYN-ACK) & TCP-RST
Packet selection to find statistical anomalies: attack hints can be detected with fewer resources
(Figure: network level view)
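As an added example (not the authors' code), the SYN/SYN-ACK heuristic above applied to a sampled TCP aggregate: the packets are a constructed in-memory list, selection is systematic count-based (every n-th packet), and the flag ratio and minimum SYN count used as thresholds are assumed values.

```python
from collections import Counter
from dataclasses import dataclass
import random

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: int

def count_based_sample(packets, n):
    """Systematic count-based selection: keep every n-th packet of the aggregate."""
    return [p for i, p in enumerate(packets) if i % n == 0]

def handshake_counts(packets):
    """Count pure SYNs, SYN-ACKs and RSTs in an aggregate (sampled or not)."""
    c = Counter()
    for p in packets:
        if p.flags & SYN:
            c["synack" if p.flags & ACK else "syn"] += 1
        if p.flags & RST:
            c["rst"] += 1
    return c

def syn_flood_suspected(packets, ratio=2.0, min_syn=10):
    """Slide heuristic: #SYN ~ #SYN-ACK is normal; #SYN >> #SYN-ACK (with RSTs
    from the victim) points to SYN flooding. ratio/min_syn are assumed thresholds."""
    c = handshake_counts(packets)
    return c["syn"] >= min_syn and c["syn"] > ratio * max(c["synack"], 1)

def normal_aggregate(n_conn, seed=1):
    """Constructed benign traffic: every SYN is answered by a SYN-ACK."""
    pk = []
    for i in range(n_conn):
        client = f"10.0.0.{i % 250}"
        pk.append(Packet(client, "192.0.2.1", SYN))
        pk.append(Packet("192.0.2.1", client, SYN | ACK))
    random.Random(seed).shuffle(pk)   # realistic interleaving, deterministic
    return pk

def flood_aggregate(n_syn, n_answered, seed=1):
    """Constructed flood trace: many SYNs, only a few answered once the backlog is full."""
    pk = [Packet(f"198.51.100.{i % 250}", "192.0.2.1", SYN) for i in range(n_syn)]
    pk += [Packet("192.0.2.1", "198.51.100.1", SYN | ACK) for _ in range(n_answered)]
    pk += [Packet("192.0.2.1", "198.51.100.2", RST | ACK) for _ in range(n_answered)]
    random.Random(seed).shuffle(pk)
    return pk
```

Running `syn_flood_suspected(count_based_sample(agg, 7))` on both constructed aggregates flags only the flood trace; the period 7 is chosen coprime with the SYN/SYN-ACK pairing so the sample is not biased toward one packet type.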
Packet Selection – PSAMP WG
Packet filtering
  • Field match filtering
  • Hash based selection
  • Router state filtering
Packet sampling
  • Non-uniform probabilistic sampling
  • Systematic time based sampling
  • n-out-of-N sampling
  • Uniform probabilistic sampling
  • Systematic count based sampling
NodeOS is currently limited to the packet filtering class
NodeOS specification
IPFIX-conformant filtering at the incoming channel (InChan)
Packet sampling within the EE
  • Unnecessary delay for not-selected packets
  • Resource consuming
  • High delay
  • Not applicable for high-speed routers
Two issues
  • Select a suitable packet selection scheme
  • Integrate packet selection in NodeOS
(Figure: Execution Environment containing packet processing and packet sampling; NodeOS containing inChan, packet filter and outChan)
Selecting a suitable packet selector
Building an attack detection system
Packet filtering is unsuitable
  • Attacker can circumvent detection by packet crafting
Non-uniform probabilistic sampling is unsuitable
  • Deep packet inspection necessary
Systematic time-based sampling is unsuitable
  • Bad estimation during low bandwidth utilization
n-out-of-N sampling is suitable only to a limited extent
  • Generation of unique random numbers necessary
Uniform probabilistic sampling is well suited
  • Only a random number generator required
Systematic count based sampling is very well suited
  • Least resource demanding
Packet sampling experiment
Uniform probabilistic sampling
  • Sampling interval: 0,5 s and 5 s
  • Accuracy depends on the number of packets per interval
Same results for systematic count based sampling

Estimation failure of uniform probabilistic sampling

Protocol   Packet average per     Selection probability
           sampling interval      20%       30%       40%
ICMP             87,9             21,81%    16,47%    13,5%
ICMP            890,82             6,84%     5,04%     4,39%
UDP            1041,95             6,15%     4,77%     3,8%
UDP           10451,29             2,15%     1,52%     1,27%
TCP            9343,11             2,11%     1,54%     1,27%
TCP           93423,88             0,69%     0,49%     0,42%
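To see why the error figures in the table shrink as the packet count per interval grows, the following added example (not code from the slides or the FlexiNet project) simulates uniform probabilistic sampling on constructed intervals that each carry a fixed number of packets and compares it with systematic count-based sampling, whose per-interval estimate is off by at most n - 1 packets. It assumes the table reports the relative deviation of the estimated from the true packet count; the figures it prints follow the table's trend, not its exact values.

```python
import random

def uniform_probabilistic_estimate(pkts_in_interval, p, rng):
    """Uniform probabilistic sampling: each packet is selected independently with
    probability p (one random number per packet); estimate = selected / p."""
    selected = sum(1 for _ in range(pkts_in_interval) if rng.random() < p)
    return selected / p

def count_based_estimates(counts_per_interval, n):
    """Systematic count-based sampling: every n-th packet of the stream is selected
    (the counter runs across interval boundaries); estimate = selected * n."""
    idx, out = 0, []
    for c in counts_per_interval:
        # number of multiples of n in the stream-index window [idx, idx + c)
        selected = (idx + c - 1) // n - (idx - 1) // n
        out.append(selected * n)
        idx += c
    return out

def mean_relative_error(avg_pkts, p, intervals=200, seed=1):
    """Mean |estimate - true| / true of uniform probabilistic sampling over
    constructed intervals that each carry exactly avg_pkts packets (fixed seed)."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(intervals):
        est = uniform_probabilistic_estimate(avg_pkts, p, rng)
        total += abs(est - avg_pkts) / avg_pkts
    return total / intervals

def count_based_bound(avg_pkts, n):
    """Worst-case relative error of count-based sampling: the estimate is off by
    at most n - 1 packets per interval, whatever the traffic volume."""
    return (n - 1) / avg_pkts

if __name__ == "__main__":
    for pkts in (88, 8800):                      # constructed, two orders of magnitude apart
        for p in (0.2, 0.3, 0.4):
            print(f"{pkts:6d} pkts/interval, p={p:.1f}: "
                  f"mean error {100 * mean_relative_error(pkts, p):.2f}%")
    print("count-based 1-in-5 estimates:", count_based_estimates([88, 88, 88, 88], 5))
```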
Extending the NodeOS specification
Packet selection in the incoming channel
  • Process a copy of selected packets only
  • Preserve packet order
  • Reduce packet delay
  • Reduce memory usage
Systematic count based sampling
  • Lowest resource demands
(Figure: Execution Environment containing packet processing; NodeOS containing inChan with packet filtering and packet sampling)
Evaluation results
(Figure: processing time [in 1000 processor tics] per packet index, packets 0 to 2000, y axis 0 to 3000; annotated values 245 858 tics and 61 795 tics)
Average of overall processing time
  • Selected packet: 205 617 tics
  • Not-selected packet: 1 076 tics
Conclusion
Programmable networks are well suited
  • Analysis modules are instantiated on demand
  • Resource saving
Packet selection
  • Reduces resource demands
  • Extend the NodeOS specification
Other applications based on packet selection
  • Traffic measurement
  • Traffic accounting
  • Trajectory sampling
Outlook
Eliminate simplifications of our model
  • Internet routes are asymmetric: cooperation of detection instances
  • Simultaneous attacks: feedback between detection modules
Adaptive packet selection
Countermeasures
DDoS vs. flash crowds
Thank you!
Questions?
Please visit www.tm.uka.de/projects/flexinet
for further information and downloads!