Transcript of paper_ppt
7/27/2019 paper_ppt
1/9
INTRODUCTION
Availability is defined as the property of data and services being
accessible to an authorized party within a reasonable time of
request. Every network system must be available to its users;
availability is the minimum security requirement. DoS attacks destroy or
exhaust resources by generating large amounts of bogus traffic towards
the victim, preventing legitimate access to the victim's resources. A
taxonomy of DDoS attacks and their respective defence mechanisms is
defined in this paper.
There are mainly three approaches to defeating attacks:
1: detection
2: prevention
3: response
Detection mechanisms try to detect attacks after they have
happened. Proactive (prevention) measures try to secure systems and
protocols against attacks, while response mechanisms try to detect the
attack and reduce its aftershock. This paper focuses on a detection
mechanism that detects the attack at an early stage. The paper starts
with a brief terminology. It then goes through the proactive detection
phases and ends with the description of the SNMP-based
implementation and the conclusion.
TERMINOLOGY
Denial of service attack (DoS): refers to any technique that is
used to prevent a host or network of hosts on the Internet from either
accessing the Internet or responding to requests from other hosts
on the Internet. There are three or four types of machines in each
DoS attack: attacker, slaves, target.
Distributed denial of service attack (DDoS): a kind of DoS attack
which uses thousands or more slaves across the Internet. After the
attacker commands the slaves, they send bogus packets to the
target. Even if the target is not shut down, the large amount of bogus
packets consumes the target's bandwidth, and legitimate packets
cannot pass through the artificial traffic towards the target. This is
shown in the diagram below.
[Diagram: slaves flooding the target, with an NMS agent observing the traffic]
Network management system (NMS): a system capable of
recording the activity of the network. SNMP management
is often called Internet management and is widely used.
Simple network management protocol (SNMP): a protocol
defined by the Internet Engineering Task Force (IETF). This management
system consists of managed nodes, management stations and a
management protocol. Each managed node runs one or more SNMP
agents. An agent keeps information about its node in a database called
the management information base (MIB).
The MIB defines the information that will be maintained by the associated
SNMP agent. MIBs are comprised of managed objects and are
[Diagram labels: master, slaves S1-S4, target]
identified by object identifiers (OIDs). MIB variables are used in the control
and supervision of traffic in the network; their values change as
packets pass through.
A QUICK REVIEW OF THE ATTACK MODEL.
[Diagram: ATTACKER -> CLIENT -> NODES -> VICTIM]
The attacker, sitting at home, uses client software to send
commands to the nodes. The nodes in turn send floods of packets,
or malformed packets to crash the system (or both),
towards the victim.
Typically, the client software that the attacker is using to direct
these attacks is not on his home system, but sitting on another
system (usually a compromised host several hops away from the
attacker's home system, to help prevent authorities from tracking
down the attacker). From there a set of commands is currently sent
using ICMP packets, with the data possibly encrypted. TFN2K
advances this stealth mode of communication by allowing for
remote one-way communication, decoy packets and fairly sophisticated encryption.
The nodes themselves can number in the thousands. With one node,
millions of packets can be sent in one minute, using up all the
available bandwidth a victim might have. With thousands of
geographically dispersed nodes, billions of packets could certainly
cripple any victim, including victims with multiple ISPs as well as
high-bandwidth routers.
WEAKNESSES IN THE ATTACK MODEL WHICH WE CAN
EXPLOIT.
WEAKNESS IN ATTACKER:
The biggest weakness for the attacker lies in two critical phases:
checking his/her work, and communicating with the client. It is
entirely possible that the attacker will do a DNS lookup of the
address of the target, possibly ping it, or try to access the site via a
web browser right before or after the attack starts. These accesses
may appear in the log files on the target machine.
If the client software is running on the home machine, it is possible
that the nodes running the attack software will show telltale signs of
connectivity, such as the home machine's IP address being viewable in a
netstat listing.
WEAKNESS IN CLIENT:
Similar weaknesses exist for the client as for the attacker. If the attacker is
running the client software on a remote machine, it is possible that
the attacker may not have legitimate access to that machine but
may have left some signs of it.
WEAKNESS IN NODES:
The nodes, which could number in the thousands, are obviously
housing and running the attack software that launches the DDoS
attack. Commercial scanners such as HackerShield and others have,
or will shortly have, checks for these.
DETECTING ATTACKS
In this phase we define the MIB variables that change when
attack packets reach the target. This can be done in two ways:
1: Using domain knowledge about the characteristics of the attack.
For example, we know in advance that the mstream attack sends a large
amount of TCP ACK packets to the target; therefore when the
attack packets reach the target, the tcpInSegs MIB variable changes.
2: Comparing MIB variable behaviour during attack and normal
operation; the time differences between the processes
determine the precursors of the attack.
THIS INVOLVES THE FOLLOWING PHASES:
STAGE 1: Which MIB variables changed at the victim?
STAGE 2: Which MIB variables are relevant?
STAGE 3: What are the thresholds?
[Diagram: for each stage, master (M), slaves (S) and victim (V)]
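The following is an added example, not code from the original slides, that serves both the MIB/OID description earlier and the three stages just listed. It runs the stages over polled SNMP counters: stage 1 finds which counters moved beyond their normal behaviour, stage 2 keeps those that domain knowledge ties to the suspected attack, stage 3 derives the thresholds from the normal-operation baseline. The OIDs are the real MIB-II / TCP-MIB ones; the polling interval and every sample value are constructed, including a Counter32 wrap that a naive difference would misread as a negative rate. The mstream to tcpInSegs mapping is the one the slides state.

```python
"""Added example (not from the original slides): the three detection
stages run over polled SNMP counters. The OIDs are the real MIB-II /
TCP-MIB ones; every sample value and the polling interval are constructed.
The mstream -> tcpInSegs mapping is the one the slides state."""
from statistics import mean, pstdev

COUNTER32_MOD = 2 ** 32          # SNMP Counter32 wraps back to zero
INTERVAL = 10                    # assumed polling interval, seconds

# Standard object identifiers for the counters used here (for reference).
OIDS = {
    "tcpInSegs":      "1.3.6.1.2.1.6.10",
    "udpInDatagrams": "1.3.6.1.2.1.7.1",
    "icmpInEchos":    "1.3.6.1.2.1.5.8",
    "ipInReceives":   "1.3.6.1.2.1.4.3",
}

# Domain knowledge used in stage 2: counters a known attack is expected to move.
ATTACK_SIGNATURES = {"mstream": ["tcpInSegs"]}

# Constructed cumulative samples polled during normal operation (6 polls).
BASELINE = {
    "tcpInSegs":      [1000, 1100, 1210, 1300, 1400, 1510],
    "udpInDatagrams": [500, 538, 580, 622, 660, 700],
    "icmpInEchos":    [10, 12, 14, 16, 18, 20],
    # wraps past 2**32 between the third and fourth poll
    "ipInReceives":   [4294967000, 4294967140, 4294967280, 124, 264, 404],
}

# Constructed samples polled while a TCP ACK flood is hitting the victim.
ATTACK = {
    "tcpInSegs":      [1510, 6510, 11510, 16510],
    "udpInDatagrams": [700, 742, 780, 820],
    "icmpInEchos":    [20, 22, 24, 26],
    "ipInReceives":   [404, 5404, 10404, 15404],
}


def rates(samples, interval=INTERVAL):
    """Per-second rates from cumulative Counter32 samples, modulo wrap."""
    return [((cur - prev) % COUNTER32_MOD) / interval
            for prev, cur in zip(samples, samples[1:])]


def thresholds(baseline, k=3.0, min_margin=0.2):
    """Stage 3: threshold = baseline mean + max(k*std, min_margin*mean).
    The margin keeps a counter with zero baseline variance from alarming
    on a change of a single packet per poll."""
    out = {}
    for name, samples in baseline.items():
        r = rates(samples)
        m, s = mean(r), pstdev(r)
        out[name] = m + max(k * s, min_margin * m)
    return out


def stage1_changed(baseline, attack):
    """Stage 1: which MIB variables changed at the victim?"""
    thr = thresholds(baseline)
    return {name for name, samples in attack.items()
            if mean(rates(samples)) > thr[name]}


def stage2_relevant(changed, attack_name):
    """Stage 2: which of the changed variables matter for this attack?
    ipInReceives rises with any flood, so stage 1 flags it, but it carries
    no attack-specific information and the signature does not list it."""
    return [n for n in ATTACK_SIGNATURES.get(attack_name, []) if n in changed]


if __name__ == "__main__":
    changed = stage1_changed(BASELINE, ATTACK)
    print("stage 1, changed:", sorted(changed))
    print("stage 2, relevant for mstream:", stage2_relevant(changed, "mstream"))
    print("stage 3, thresholds (pkt/s):", thresholds(BASELINE))
```

With these constructed samples stage 1 flags tcpInSegs and ipInReceives, stage 2 narrows that to tcpInSegs for mstream, and the tcpInSegs threshold comes out at roughly 12.4 segments per second against a flood rate of 500. In a live deployment the baseline would be refreshed periodically, and the stage 3 margin should be tuned per counter rather than shared across all of them.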
CONCLUSION:
Pattern-based methods which try to detect the attacks result in errors. The anomaly method which we discussed is by
far the best method for proactive detection of DDoS attacks.
Depending on which DDoS attack is used, it is possible to send
packets towards the offending address and cause the attacks to shut
down. By using the zombie_zapper program, it might be possible to
shut off the attacking DDoS nodes.
Further work is needed to train our system in high-capacity networks to improve the capacity of this system. To this day the
hacking community is still at large, eyeing this area for exploitation.