51. Odvozování pravidel pro mitigaci DDoS / Deriving DDoS Mitigation Rules. Hurta, Marek. January 2017.
This thesis is aimed at monitoring computer networks using NetFlow data. It describes the main aspects of detecting network anomalies with IDS systems. The next part describes the Nemea framework, which is used for creating modules that can detect network incidents and attacks. The following chapters contain a brief overview of common network attacks, with specific remarks that can help in their detection. Based on this analysis, the concept of mitigation rules was created; these rules can be used to mitigate DDoS attacks. The method was tested on several data sets and produced multiple mitigation rules. When applied to the data sets, these rules marked most of the suspicious flows.
52. Obrana před volumetrickými DDoS útoky v prostředí SDN / Mitigation of Volumetric DDoS Attacks in SDN Environment. Hodes, Vojtěch. January 2017.
The aim of this Master's thesis is to explore different approaches and to design various monitoring and detection concepts for volumetric DDoS attacks in core networks. The thesis deals with data flow control protocols, with an emphasis on the modern technology of Software-Defined Networking. The last part of the thesis describes verification of the theory by setting up a laboratory environment for simulating, detecting and automatically mitigating a volumetric UDP flood DDoS attack.
53. Erkennung und Unterbindung der DDoS-Teilnahme in Heimroutern: Analyse und Implementierung von Erkennungsmechanismen / Detecting and Preventing DDoS Participation in Home Routers: Analysis and Implementation of Detection Mechanisms. Heinrich, Lukas. 22 December 2023.
DDoS attacks and the botnets used for them are constantly growing, among other things due to the increasing spread of IoT devices. Because of the advantages of stopping such attacks at an early stage, effective detection of DDoS participation in home routers makes sense. This thesis analyses currently widespread DDoS attack types and develops, as well as collects from the literature, various detection mechanisms. With the help of detailed investigations and tests regarding the filtering behaviour and resource requirements of the detection mechanisms, DDoS attack types were identified that can be effectively detected and prevented in the home router.
Table of contents:
1 Introduction
1.1 Problem statement
1.2 Objectives
2 Most common DDoS attack types
2.1 Source IP Spoofing
2.2 Reflection/Amplification
2.2.1 SSDP
2.2.2 WS Discovery
2.2.3 QUIC reflection
2.3 TCP floods
2.3.1 SYN flood
2.3.2 RST and FIN flood
2.3.3 SYN-ACK flood
2.3.4 ACK flood
2.4 UDP flood
2.5 Direct application-layer attacks
2.6 Overview
3 Detection
3.1 Source IP Spoofing
3.2 SSDP & WS Discovery
3.3 TCP
3.3.1 SYN flood
3.3.2 RST and FIN flood
3.3.3 SYN-ACK flood
3.3.4 ACK flood
3.4 UDP
3.5 General detection
3.5.1 MULTOPS
3.5.2 TOPS
3.5.3 D-WARD
4 Implementation
4.1 Source IP Spoofing
4.2 SSDP & WS Discovery
4.3 TCP (without SYN)
4.4 SYN flood
4.4.1 SYN packet rate limiting
4.4.2 SYN proxy
5 Evaluation
5.1 Tests
5.1.1 Implementation complexity
5.1.2 Memory and computing requirements
5.1.3 Filtering behaviour
5.2 Other detection methods
5.2.1 Implementation complexity
5.2.2 Memory and computing requirements
5.2.3 Filtering behaviour
5.3 Discussion
6 Conclusion and outlook
Bibliography
List of figures
List of tables
54. A simulation study of an application layer DDoS detection mechanism. Mekhitarian, Araxi; Rabiee, Amir. January 2016.
Over the last couple of years the rise of application layer Distributed Denial of Service (DDoS) attacks has significantly increased. Because of this, many issues have been raised on how organizations and companies can protect themselves from intrusions and damage to their systems and services. The consequences of these attacks are many, ranging from revenue losses for companies to stolen personal data. As technologies evolve, application layer DDoS attacks are becoming more effective and there is no concrete solution that entirely protects against them. This thesis focuses on the available defense mechanisms and presents a general overview of different types of application layer DDoS attacks and how they are constructed. Moreover, this report provides a simulation based on one of the defense mechanisms mentioned, named CALD. The simulation tested two different application layer DDoS attacks and showed that CALD can detect and differentiate between the two attacks. This report can be used as a general information source on application layer DDoS attacks, how to detect them and how to defend against them. Furthermore, the simulation can be used as a basis for judging how well a relatively small-scale implementation of CALD can detect DDoS attacks on the application layer.
55. Classification de flux applicatifs et détection d'intrusion dans le trafic Internet / Classifying Application Flows and Intrusion Detection in Internet Traffic. Korczynski, Maciej. 26 November 2012.
The subject of traffic classification is of great importance for effective network planning, policy-based traffic management, application prioritization, and security control. Although it has received substantial attention in the research community, there are still many unresolved issues, for example how to classify encrypted traffic flows. This thesis is composed of four parts. The first part presents some theoretical aspects related to traffic classification and intrusion detection, while in the following three parts we tackle specific classification problems and propose accurate solutions. In the second part, we propose an accurate sampling scheme for detecting SYN flooding attacks as well as TCP portscan activity. The scheme examines TCP segments to find at least one of multiple ACK segments coming from the server. The method is simple and scalable, because it achieves good detection with a False Positive Rate close to zero even for very low sampling rates. Our trace-based simulations show that the effectiveness of the proposed scheme relies only on the sampling rate, regardless of the sampling method. In the third part, we consider the problem of detecting Skype traffic and classifying Skype service flows such as voice calls, SkypeOut, video conferences, chat, file upload and download. We propose a classification method for Skype encrypted traffic based on Statistical Protocol IDentification (SPID), which analyzes statistical values of some traffic attributes. We have evaluated our method on a representative dataset, showing excellent performance in terms of Precision and Recall. The last part defines a framework based on two complementary methods for classifying application flows encrypted with TLS/SSL. The first one models TLS/SSL session states as a first-order homogeneous Markov chain. The parameters of the Markov models for each considered application differ a lot, which is the basis for accurate discrimination between applications. The second classifier considers the deviation between the timestamp in the TLS/SSL Server Hello message and the packet arrival time. It improves the accuracy of application classification and allows efficient identification of Skype flows. We combine the methods using a Naive Bayes Classifier (NBC). We validate the framework with experiments on three recent datasets, applying our methods to the classification of seven popular applications that use TLS/SSL for security. The results show very good performance.
56. Metody zajištění IP PBX proti útokům / Securing IP PBX against attacks. Hynek, Luboš. January 2013.
This master's project focuses on the possibilities of protecting the most common free software PBXs: Asterisk, FreeSWITCH and YATE. The behaviour of the PBXs under attack was verified in practice, and protection against the attacks was proposed on CentOS, one of the most popular Linux server distributions. A tool was created to simulate several types of denial-of-service attacks. Both the protective options of the PBXs themselves and the capabilities of the operating system are used in this work. The protection options of the individual PBXs were also compared with each other. The work also includes a brief description of the protocol, the attack topology and recommendations for the operation of softswitches.
57. Utredning och implementation av säkerhetslösningar för publika API:er / Investigation and Implementation of Security Solutions for Public APIs. Grahn, Kristoffer. January 2020.
The thesis examines common security risks with public APIs and provides information about IIS, Apache, Nginx and OAuth 2.0 and some of the security modules they provide that can be implemented. IIS and Apache have built-in modules for handling Distributed Denial of Service (DDoS) attacks, which are compared against each other by analyzing an existing report that tests two different DDoS attack types. The security solutions' authentication modules are broken down into different types of verification processes, where it emerges that the processes share a common weakness against Man-in-the-Middle (MitM) attacks. The report goes through how to protect against MitM attacks with secure encryption protocols, namely Transport Layer Security (TLS), and analyzes the newest version, TLS 1.3.
58. Systèmes coopératifs décentralisés de détection et de contre-mesures des incidents et attaques sur les réseaux IP / Collaborative and decentralized detection and mitigation of network attacks. Guerid, Hachem. 06 December 2014.
The problem of botnets, networks of infected hosts controlled remotely by attackers, is a major concern because of the number of infected hosts and the associated threats, such as distributed denial of service (DDoS), spam, and theft of banking data. State-of-the-art solutions for fighting botnets have major limitations in the context of a network operator (volume and scalability constraints, confidentiality and privacy of users). In this thesis, we propose four network-based contributions to fight against botnets. Each contribution addresses a different and complementary issue in this area: the first traces back the source of denial of service attacks that threaten network availability, thereby identifying the group of infected devices used to perpetrate these attacks. The second detects the communications between infected computers and their command and control (C&C) servers in a large-scale network and offers the opportunity to block these servers to minimize the risk of future attacks. The third enables collaborative detection of botnets in an inter-domain and inter-operator context, in order to fight the highly distributed nature of these botnets. Finally, the last contribution mitigates botnets by slowing down the communication between infected hosts and their C&C server, providing a countermeasure against the evasion techniques developed by cybercriminals to make their botnets more resilient.
59. Threats and Mitigation of DDoS Cyberattacks Against the U.S. Power Grid via EV Charging. Morrison, Glenn Sean. 30 August 2018.
No description available.
60. Impact of DDoS Attack on the Three Common Hypervisors (Xen, KVM, VirtualBox). Sheinidashtegol, Pezhman. 01 July 2016.
Cloud computing is a technology of interconnected servers and resources that uses virtualization to improve resource utilization, flexibility, and scalability. Cloud computing is accessible through the network. This accessibility and utilization have their own benefits and drawbacks. Utilization and scalability make this technology more economical and affordable, even for small businesses. Flexibility drastically reduces the risk of starting a business. Accessibility means cloud customers are not restricted to a specific location as long as they have access to the network, in most cases through the internet.
These significant traits, however, have their own disadvantages. Easy accessibility makes it more convenient for a malicious user to gain access to servers in the cloud. Virtualization, provided by middleware software called Virtual Machine Managers (VMMs) or hypervisors, comes with its own vulnerabilities, which add to the existing vulnerabilities of networks, operating systems and applications. In this research we try to determine the most resistant hypervisor among Xen, KVM and VirtualBox against Distributed Denial of Service (DDoS) attacks, that is, attempts to saturate a victim's resources so that they become unavailable to legitimate users, or to shut down its services, using more than one attacking machine and targeting three different resources (network, CPU, memory). This research will show how the hypervisors behave differently under the same attacks and conditions.