21 |
DDoS detection based on traffic self-similarity. Brignoli, Delio, January 2008.
Distributed denial of service attacks (or DDoS) are a common occurrence on the internet and are becoming more intense as the botnets used to launch them grow bigger. Preventing or stopping DDoS is not possible without radically changing the internet infrastructure; various DDoS mitigation techniques have been devised with different degrees of success. All mitigation techniques share the need for a DDoS detection mechanism. DDoS detection based on traffic self-similarity estimation is a relatively new approach which is built on the notion that undisturbed network traffic displays fractal-like properties. These fractal-like properties are known to degrade in the presence of abnormal traffic conditions like DDoS. Detection is possible by observing the changes in the level of self-similarity in the traffic flow at the target of the attack. Existing literature assumes that DDoS traffic lacks the self-similar properties of undisturbed traffic. We show how existing botnets could be used to generate a self-similar traffic flow and thus break such assumptions. We then study the implications of self-similar attack traffic on DDoS detection. We find that, even when DDoS traffic is self-similar, detection is still possible. We also find that the traffic flow resulting from the superimposition of the DDoS flow and the legitimate traffic flow possesses a level of self-similarity that depends non-linearly on both the relative traffic intensity and the difference in self-similarity between the two incoming flows.
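The detection step the abstract describes, as an added example that is not part of the thesis: it estimates the Hurst parameter H of a packet-count series with the aggregated-variance method, window by window, and raises an alarm when H falls below the baseline window. The traffic is synthetic: exact fractional Gaussian noise (Hosking's recursion) stands in for undisturbed traffic and white noise (H = 0.5) for a flood; H = 0.85, the 1024-sample windows, the block sizes and the flood amplitude are assumptions chosen for illustration, not values from the thesis.

```python
import math
import random

# Added example, not from the thesis: estimate H of a packet-count series with
# the aggregated-variance method and alarm when H drops, the signature of a
# flood that lacks the self-similar structure of normal traffic. Synthetic
# input: exact fGn (Hosking) for undisturbed traffic, white noise for the flood.
# H = 0.85, window 1024, block sizes and flood amplitude are assumptions.


def fgn_hosking(n, hurst, rng):
    """Exact fGn sample of length n (Durbin-Levinson recursion, O(n^2))."""
    two_h = 2.0 * hurst
    # autocovariance of fGn: gamma(k) = 0.5(|k-1|^2H - 2|k|^2H + |k+1|^2H)
    gamma = [0.5 * (abs(k - 1) ** two_h - 2.0 * k ** two_h + (k + 1) ** two_h)
             for k in range(n)]
    x = [rng.gauss(0.0, 1.0)]
    phi = []    # coefficients of the best linear predictor of the previous order
    var = 1.0   # innovation variance; gamma[0] == 1
    for i in range(1, n):
        kappa = (gamma[i] - sum(phi[j] * gamma[i - 1 - j]
                                for j in range(i - 1))) / var
        phi = [phi[j] - kappa * phi[i - 2 - j] for j in range(i - 1)] + [kappa]
        var *= 1.0 - kappa * kappa
        mean = sum(phi[j] * x[i - 1 - j] for j in range(i))
        x.append(mean + math.sqrt(var) * rng.gauss(0.0, 1.0))
    return x


def hurst_aggregated_variance(series, block_sizes=(1, 2, 4, 8, 16, 32, 64)):
    """For a self-similar series Var(X^(m)) ~ m^(2H-2), so the least-squares
    slope of log Var against log m gives H = 1 + slope/2."""
    pts = []
    for m in block_sizes:
        nblocks = len(series) // m
        means = [sum(series[k * m:(k + 1) * m]) / m for k in range(nblocks)]
        mu = sum(means) / nblocks
        var = sum((v - mu) ** 2 for v in means) / (nblocks - 1)
        pts.append((math.log(m), math.log(var)))
    n = len(pts)
    sx = sum(p[0] for p in pts)
    sy = sum(p[1] for p in pts)
    sxx = sum(p[0] * p[0] for p in pts)
    sxy = sum(p[0] * p[1] for p in pts)
    slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
    return 1.0 + slope / 2.0


def self_similarity_alarm(series, window, drop_threshold=0.1):
    """Estimate H per non-overlapping window; alarm on windows whose H is more
    than drop_threshold below the first (baseline) window."""
    hs = [hurst_aggregated_variance(series[s:s + window])
          for s in range(0, len(series) - window + 1, window)]
    alarms = [i for i, h in enumerate(hs) if hs[0] - h > drop_threshold]
    return hs, alarms


def white_noise(n, seed=3):
    """Control series with no long-range dependence (H = 0.5)."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def demo(seed=7, n=2048, hurst=0.85, flood_scale=8.0):
    """Constructed scenario: self-similar traffic for n samples, with a white
    flood of flood_scale times the legitimate standard deviation superimposed
    on the second half. Returns (H per window, alarming window indices)."""
    rng = random.Random(seed)
    traffic = fgn_hosking(n, hurst, rng)
    for i in range(n // 2, n):
        traffic[i] += flood_scale * rng.gauss(0.0, 1.0)
    return self_similarity_alarm(traffic, window=n // 2)


if __name__ == "__main__":
    hs, alarms = demo()
    print("H per window:", [round(h, 3) for h in hs], "alarms:", alarms)
```

The baseline window's estimate should land near 0.8 (the aggregated-variance method is biased low for strong long-range dependence) and the flooded window near 0.55. Replacing the white flood with a second fGn series of a different H is the way to explore the thesis's second finding about self-similar attack traffic; the example asserts nothing about that case.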
|
22 |
Rede definida por software para a detecção de anomalias e contramedidas de segurança em smart grid / Software defined network for anomaly detection and security countermeasures in smart grid. Ferrari, Ricardo Cesar Câmara, 1 March 2018.
This work proposes an application that uses the standard deviation to define maximum and minimum limits on packets and bytes for detecting anomalies in the communication flows between master and slaves using the Distributed Network Protocol v3.0 (DNP3) in a Smart Grid, together with detection and blocking of attacks originating from intruder or known machines. Much research currently addresses the use of Smart Grid systems; their deployment, however, carries some risk factors. These factors are associated with the data transmission networks, with the information acquisition and control technologies, and with the vulnerabilities intrinsic to the union of these technologies. The main motivation of this proposal comes from the need to guarantee the security of Smart Grid systems and from the potential that Software Defined Networking (SDN) offers for analysing the data flows in a switch. Investigating these vulnerabilities and identifying attack situations is therefore relevant in order to propose defence solutions. For this, SDN proved to be a viable and optimised solution for protecting Smart Grid systems: it allows the flows between master and slaves to be monitored and information to be collected for analysis, opening opportunities for security applications in Smart Grids. Three experiments were carried out: the first to show the vulnerability of an insecure Smart Grid, the second to analyse an SDN application in a Smart Grid, and the third with two Distributed Denial of Service (DDoS) attacks on a Smart Grid, the first from intruder machines and the second from slaves, which allowed the data flow to be analysed and monitored and the ports to be blocked on an Open vSwitch (OVS).
In this context, a component of an SDN controller was modified to add security and network monitoring; it behaved satisfactorily, identifying anomalies and managing to block the ports of the attacking machines.
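The limit-setting and blocking logic described above, as an added example and not the thesis's controller code: per-flow packet and byte limits are derived as mean plus or minus k standard deviations of a learning-phase baseline and applied to polled flow counters of DNP3 traffic (TCP port 20000); a known host that breaks its limits, or a host that is not allowed to speak DNP3 at all, gets an Open vSwitch drop rule. The baseline values, the polled records, the addresses, the bridge name br0 and k = 3 are constructed for illustration; the thesis does not give its own values.

```python
import statistics

# Added example, not the thesis's controller code: per-flow packet/byte limits
# from mean +/- k standard deviations of a learning-phase baseline, applied to
# polled counters of DNP3 traffic (TCP port 20000), plus the ovs-ofctl command
# that would block an offending source. Baseline, records, addresses, bridge
# name "br0" and k = 3 are constructed for illustration.

DNP3_PORT = 20000
BRIDGE = "br0"

# Learning phase: (packets, bytes) per 10 s polling interval on the
# master -> outstation flow while the master polls normally. Constructed data.
BASELINE = [(48, 5280), (52, 5720), (50, 5500), (49, 5390), (51, 5610),
            (50, 5500), (47, 5170), (53, 5830), (50, 5500), (51, 5610)]

# Hosts allowed to speak DNP3 at all (master and outstations). Constructed.
KNOWN_HOSTS = {"10.10.1.5", "10.10.1.21", "10.10.1.22"}


def limits(samples, k=3.0):
    """Return {'packets': (lo, hi), 'bytes': (lo, hi)} from the baseline."""
    out = {}
    for idx, name in enumerate(("packets", "bytes")):
        vals = [s[idx] for s in samples]
        mean = statistics.mean(vals)
        sd = statistics.stdev(vals)       # sample standard deviation
        out[name] = (mean - k * sd, mean + k * sd)
    return out


def violations(sample, lim):
    """List of limits a (packets, bytes) sample breaks, e.g. ['packets high']."""
    found = []
    for idx, name in enumerate(("packets", "bytes")):
        lo, hi = lim[name]
        if sample[idx] > hi:
            found.append(name + " high")
        elif sample[idx] < lo:
            found.append(name + " low")
    return found


def ovs_block_command(src_ip, in_port=None):
    """ovs-ofctl command dropping the source's packets to the DNP3 port."""
    fields = ["priority=200"]
    if in_port is not None:
        fields.append("in_port=%d" % in_port)
    fields += ["tcp", "nw_src=%s" % src_ip, "tp_dst=%d" % DNP3_PORT,
               "actions=drop"]
    return 'ovs-ofctl add-flow %s "%s"' % (BRIDGE, ",".join(fields))


def monitor(records, lim):
    """records: (src_ip, in_port, packets, bytes) per interval. Returns one
    (src_ip, reason, command) per flow that must be blocked."""
    actions = []
    for src, port, pk, by in records:
        if src not in KNOWN_HOSTS:
            reason = "unknown host"          # intruder machine
        else:
            broken = violations((pk, by), lim)
            if not broken:
                continue
            reason = ", ".join(broken)       # known machine misbehaving
        actions.append((src, reason, ovs_block_command(src, port)))
    return actions


# Constructed polling interval: the master is normal, outstation .21 floods
# the master (compromised slave), and an unknown host joins in.
POLLED = [("10.10.1.5", 1, 51, 5610),
          ("10.10.1.21", 2, 412, 24720),
          ("10.10.9.77", 4, 6300, 352800)]

if __name__ == "__main__":
    lim = limits(BASELINE)
    for src, reason, cmd in monitor(POLLED, lim):
        print("%s: %s -> %s" % (src, reason, cmd))
```

With the constructed baseline the packet limits come out at roughly 44.7 to 55.5 per interval. A "low" violation is kept deliberately: an outstation that suddenly stops answering polls is as much an anomaly on a DNP3 link as one that floods it.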
|
23 |
Rede definida por software para a detecção de anomalias e contramedidas de segurança em smart grid / Software defined network for anomaly detection and security countermeasures in smart grid. Ferrari, Ricardo Cesar Câmara, January 2018.
Advisor: Ailton Akira Shinoda. Degree: Doutor (doctorate). This is a second catalogue record of the thesis in entry 22; its abstract is a truncated copy of the one given there (the full text is available through the record's electronic access link).
|
24 |
Detecting a Distributed Denial-of-Service Attack Using Speed Test Data: A Case Study on an Attack with Nationwide Impact. Andersson, Karl; Odlander, Marcus, January 2015.
This thesis presents a case study that investigates a large Distributed Denial of Service (DDoS) attack and how it affected the speed tests observed by the crowd-based speed test application Bredbandskollen. It also investigates the possibility of using crowd-based speed tests as a method to detect a DDoS attack; this method has very low overhead, which makes it an interesting complement to other methods. The thesis shows that there was a significant deviation in the number of measurements during the DDoS attack considered in the case study compared to the year average. Furthermore, the measurements on the peak day of the attack had a higher average download speed than the year average. Whereas the higher download speed observation may at first appear counter-intuitive, we briefly discuss potential explanations and how such positive anomalies could potentially be used to detect attacks. Detecting DDoS attacks early can lead to earlier recognition of network problems, which can aid Internet Service Providers (ISPs) in maintaining the availability of their networks.
|
25 |
DDoS-skydd för hemanvändare: En studie kring DDoS / DDoS protection for home users: a study of DDoS. Sönnerfors, Peter; Nilsson, Elliot; Gustafsson, Michael, January 2014.
Making a living as a streaming personality on the Internet is something that has grown explosively in recent times. This also makes one a clear target for attacks. This work has highlighted the problems that DDoS attacks create when they are aimed at home users. Various solutions to this problem are reviewed and analysed. Tests have been conducted to illustrate the simplicity of the attack and how it affects home users' hardware. The result of the tests has shown that a VPN is a competent solution, but one that also has its disadvantages.
|
26 |
Filtrace útoků na odepření služeb / Filtering of denial-of-service attacks. Klimeš, Jan, January 2019.
This thesis deals with filtering selected distributed denial-of-service (DDoS) attacks. The theoretical part covers the general mechanisms used in DDoS attacks, defence mechanisms, and mechanisms for detection and filtering. The practical part deals with filtering attacks using the iptables firewall and the Suricata IPS on the Linux operating system, in an experimental setup that uses a network traffic generator to verify their functionality and performance, including statistical processing of the filtering tools' output data in an Elasticsearch database.
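One of the iptables filters such a setup would test, as an added example that is not code from the thesis: a per-source token bucket with the semantics of the hashlimit match (a sustained rate plus a burst allowance, keyed on source address), run over a constructed SYN trace so that the drop decisions can be inspected offline. The iptables rule it models and a Suricata rule with the same intent are quoted in the comments; the rate of 20 SYN/s, the burst of 40, the Suricata threshold and the addresses are assumptions for illustration.

```python
from collections import namedtuple

# Added example, not from the thesis: a per-source token bucket with the
# semantics of the iptables hashlimit match (rate plus burst, keyed on source
# address), applied to a constructed SYN trace. Rate 20/s, burst 40, the
# Suricata threshold and the addresses are assumptions. The real hashlimit
# match keeps integer credits, so counts at the margin differ by a packet or two.
#
# Modelled rule (assumed values):
#   iptables -A INPUT -p tcp --syn -m hashlimit --hashlimit-name synflood \
#     --hashlimit-mode srcip --hashlimit-above 20/sec --hashlimit-burst 40 -j DROP
#
# Suricata rule with the same intent (assumed values):
#   alert tcp any any -> $HOME_NET any (msg:"SYN flood from single source"; \
#     flags:S; threshold: type both, track by_src, count 200, seconds 1; \
#     sid:1000001; rev:1;)

Packet = namedtuple("Packet", "t src syn")   # t in seconds


class SynLimiter:
    def __init__(self, rate, burst):
        self.rate = float(rate)      # tokens added per second
        self.burst = float(burst)    # bucket capacity
        self.buckets = {}            # src -> (tokens, last_seen)

    def allow(self, pkt):
        """True if the packet passes; only SYNs consume tokens."""
        if not pkt.syn:
            return True
        tokens, last = self.buckets.get(pkt.src, (self.burst, pkt.t))
        tokens = min(self.burst, tokens + (pkt.t - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[pkt.src] = (tokens - 1.0, pkt.t)
            return True
        self.buckets[pkt.src] = (tokens, pkt.t)     # above the limit: DROP
        return False


def run(packets, rate=20, burst=40):
    """Return {src: dropped SYN count} for a packet list (sorted by time)."""
    limiter = SynLimiter(rate, burst)
    dropped = {}
    for pkt in sorted(packets, key=lambda p: p.t):
        if not limiter.allow(pkt):
            dropped[pkt.src] = dropped.get(pkt.src, 0) + 1
    return dropped


def constructed_trace():
    """A legitimate client opening 5 connections/s for 3 s, one host sending
    1000 SYNs within one second, and one non-SYN packet. Constructed, not
    captured traffic."""
    pkts = [Packet(i * 0.2, "198.51.100.7", True) for i in range(15)]
    pkts += [Packet(i * 0.001, "203.0.113.9", True) for i in range(1000)]
    pkts.append(Packet(0.5, "198.51.100.7", False))
    return pkts


if __name__ == "__main__":
    print(run(constructed_trace()))
```

The flooding source gets its first 40 SYNs through on the burst allowance and then about one in fifty, so roughly 940 of its 1000 SYNs are dropped, while the 5/s client is never touched. A generator run like the one in the thesis is what tells you whether the kernel keeps that behaviour at line rate.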
|
27 |
Prostředí pro testování zařízení umožňujících ochranu před DoS útoky / Environment for testing of DoS attack protection devices. Tran, Dominik, January 2020.
This thesis deals with the development of an environment and the set of tests needed to evaluate the DDoS Protector device in terms of functionality and performance. CESNET is developing a device called DDoS Protector for protection against denial of service (DDoS) attacks, with a focus on volumetric and TCP SYN flood attacks. The current development environment does not support generation of stateful (TCP) network traffic, and it is difficult to create complex evaluation tests of the interaction between the various parts of the device. The goal of this work is to create an environment that enables complex evaluation of the device, including generation of both stateful and stateless network traffic combined with a multi-vector DDoS attack, thus approaching real network traffic. Cisco TRex was chosen after an examination of the available traffic generators. Finally, a set of tests generating various combinations of legitimate traffic and attacks was created, and the DDoS Protector was successfully evaluated.
|
28 |
Överbelastningsattacker genom öppna reläer / Denial of service attacks through open relays. Göran, Gustafsson; Sebastian, Lundberg, January 2014.
This work concerns a specific type of denial of service attack which is becoming increasingly popular. These attacks are carried out through open relays with the purpose of achieving a significantly higher effect than is otherwise attainable. Attacks carried out through the DNS and NTP services were examined with the purpose of giving a clear picture of how serious the threat is and of clarifying how a system administrator can secure these services to protect both their own and others' resources. The results of our studies show that, under optimal conditions, an attack performed through a DNS service gives an amplification factor of 102.4 and an attack through an NTP service gives an amplification factor of 229.16. The results also show that the problem can be solved in whole or in part by limiting the allowed networks, or by disabling recursion in DNS and commands in NTP.
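The two fixes the abstract names, as added configuration fragments that are not taken from the thesis: a BIND 9 named.conf and an ntpd ntp.conf, each with the open-relay setting commented out beside the hardened one. The amplification factor quoted above is the ratio of response bytes to request bytes; the hardened settings cut it to zero for sources outside the allowed networks because such sources get no response at all, or a truncated one. The address ranges are documentation prefixes standing in for an operator's real networks, and the reading of "commands in NTP" as mode 7 queries such as monlist is an assumption.

```conf
## named.conf (BIND 9) -- weak: an open recursive resolver. Any source address,
## spoofed or not, can drive the cache and receive large responses.
# options {
#     recursion yes;
#     allow-recursion { any; };
# };

## named.conf (BIND 9) -- hardened: recursion and cache access only for the
## operator's own networks (192.0.2.0/24 and 2001:db8::/32 are placeholders),
## plus response rate limiting to blunt abuse of the remaining authoritative
## answers by spoofed sources.
acl trusted { 192.0.2.0/24; 2001:db8::/32; localhost; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    rate-limit { responses-per-second 10; window 5; };
};
## An authoritative-only server should instead set "recursion no;".

## ntp.conf (ntpd) -- weak: no restrictions, so mode 7 queries such as
## monlist (removed from ntpd in 4.2.7p26) answer anyone with up to 600
## addresses per request.
# restrict default

## ntp.conf (ntpd) -- hardened: keep serving time, refuse mode 6/7 control
## and monitoring queries from everyone, and allow full access only locally.
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

After changing either file, query the server from an address outside the allowed networks (a recursive lookup against BIND, an ntpq -c monlist or ntpq -c rv against ntpd) and confirm that the reply is refused rather than merely smaller.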
|
29 |
WebSockets och säkerhet i startupbolag: En studie i säkerhet kring WebSockets / WebSockets and security in startup companies: a study in security around WebSockets. Roos, Robert, January 2017.
WebSockets is a new communications protocol for the web that enables fast communication between two or more clients. The overall goal of this study was to investigate the security-related problems that the introduction of WebSockets could bring to start-up companies, and specifically how XSS attacks could be averted from a server-side perspective. The purpose is to give start-up companies a basis for working proactively with security without initially having to buy in external security services.
A qualitative study was performed using the literature study method. Earlier research in the field has been reviewed and analysed, both on WebSockets and on the impact that intrusions, and XSS attacks in particular, can have on an organisation. The purpose of this meta-study has been to connect earlier research in order to answer the research question, a method that has been called for in informatics, a field that currently lacks meta-studies and where interdisciplinary knowledge is not being connected at the desired rate. The study resulted in highlighting the most important threats to protect against, among them checking from which source a client is in fact trying to connect to a WebSockets server, but also several types of XSS attack, where callback modification in particular was identified as a vulnerability with large consequences. Finally, on the basis of the literature study, a conclusion with specific recommendations for the implementation of WebSockets could be presented.
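The source check the study singles out, as an added example that is not from the thesis: server-side validation of the WebSocket opening handshake (RFC 6455) that compares the Origin header against an allow-list before computing Sec-WebSocket-Accept. Browsers do not apply the same-origin policy to WebSocket connections, so a server that skips this check lets any web page open a socket to it carrying the user's cookies (cross-site WebSocket hijacking). The allowed origin and the three requests are constructed for illustration; the Sec-WebSocket-Key value is the example from RFC 6455.

```python
import base64
import hashlib

# Added example, not from the thesis: validate a WebSocket opening handshake
# (RFC 6455), refusing any Origin that is not on an exact allow-list, before
# answering with Sec-WebSocket-Accept. Allowed origin and requests are
# constructed; the key is the example value from RFC 6455.

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # constant from RFC 6455


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_request(raw):
    """Return (method, target, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def handshake(raw, allowed_origins):
    """Return (status, response). 101 only for a well-formed upgrade request
    whose Origin is exactly one of allowed_origins (scheme, host and port
    included); a missing Origin is refused too, since the server cannot tell
    a non-browser client from a browser that stripped the header."""
    method, _target, h = parse_request(raw)
    if (method != "GET"
            or h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in h.get("connection", "").lower()
            or h.get("sec-websocket-version") != "13"
            or "sec-websocket-key" not in h):
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("origin") not in allowed_origins:
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    accept = accept_key(h["sec-websocket-key"])
    return 101, ("HTTP/1.1 101 Switching Protocols\r\n"
                 "Upgrade: websocket\r\n"
                 "Connection: Upgrade\r\n"
                 "Sec-WebSocket-Accept: %s\r\n\r\n" % accept)


ALLOWED = {"https://app.example"}      # exact string match, no prefix logic

# Constructed requests.
GOOD = ("GET /chat HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Upgrade: websocket\r\n"
        "Connection: keep-alive, Upgrade\r\n"
        "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "Origin: https://app.example\r\n\r\n")
CROSS_SITE = GOOD.replace("Origin: https://app.example",
                          "Origin: https://app.example.evil")
NO_ORIGIN = GOOD.replace("Origin: https://app.example\r\n", "")

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("cross-site", CROSS_SITE),
                      ("no origin", NO_ORIGIN)):
        print(name, handshake(req, ALLOWED)[0])
```

The comparison is deliberately an exact string match: prefix or substring checks are what let an origin like https://app.example.evil through. Message payloads exchanged after the handshake remain untrusted input; the escaping against the XSS cases the study discusses belongs at the point where a client renders them.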
|
30 |
Método de mitigação contra ataques de negação de serviço distribuídos utilizando sistemas multiagentes / Method for mitigating distributed denial of service attacks using multi-agent systems. João Paulo Aragão Pereira, 7 July 2014.
The quality of service offered by Internet Service Providers (ISPs) depends directly on the amount of resources available at a given moment. In recent decades this quality has been affected by frequent and intense attacks that consume those resources, such as Distributed Denial of Service (DDoS) attacks. In order to make ISP networks more resilient to the different types of DDoS attack, techniques against such attacks have been developed over the past few years.
Aiming to contribute to the improvement of such mechanisms, this dissertation presents a reactive, autonomous method for detecting and mitigating DDoS attacks in ISP networks using a multi-agent system (MAS). The main property of the proposed method is to identify traffic patterns characteristic of an attack, such as a large flow of packets directed at one service or piece of equipment within the ISP network. With agents positioned at the likely victims and at the points of the network with the largest packet flow, the mitigation process starts automatically once a number of packets in excess of the normal traffic passes through any of the monitored nodes. Since the traffic entering an ISP network is dynamic, whether legitimate or malicious, the use of agents tends to facilitate the process of defining the attack route, as shown by the experimental results obtained with the proposed system.
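The agent behaviour described above (trigger at any monitored node, then define the attack route), as an added simulation that is not the dissertation's system: agents at ISP routers count, per upstream link, the packets heading to the monitored service, alarm when the count exceeds a multiple of the learned baseline, and then walk upstream over the anomalous links to the routers where the flood enters the ISP, which is where a filter would be placed. The topology, the baselines, the factor of 3 and the counts are constructed for illustration.

```python
from collections import defaultdict, deque

# Added example, not the dissertation's multi-agent system: agents at ISP
# routers keep per-link counters of packets towards a monitored service, alarm
# when a node exceeds factor x its baseline, and trace the attack route
# upstream to the ingress links. Topology, baselines, factor and counts are
# constructed.


class NodeAgent:
    def __init__(self, name, link_baselines):
        self.name = name
        self.baseline = dict(link_baselines)   # upstream -> normal packets/interval
        self.inbound = defaultdict(int)         # upstream -> packets seen

    def observe(self, upstream, packets):
        self.inbound[upstream] += packets

    def total(self):
        return sum(self.inbound.values())

    def alarm(self, factor):
        """Node-level trigger: more than factor times the expected total."""
        return self.total() > factor * sum(self.baseline.values())

    def suspicious_links(self, factor):
        """Upstream links carrying more than factor times their own baseline;
        a link the agent never learned has baseline 0 and is always suspicious."""
        return [up for up, n in self.inbound.items()
                if n > factor * self.baseline.get(up, 0)]


def trace_attack(agents, victim, factor=3.0):
    """Breadth-first walk from the victim over suspicious links through
    monitored nodes. Returns (alarming nodes, attack links as (upstream, node),
    filter points as (last monitored node, unmonitored upstream link))."""
    alarms = sorted(n for n, a in agents.items() if a.alarm(factor))
    links, filter_points = [], []
    seen, queue = {victim}, deque([victim])
    while queue:
        node = queue.popleft()
        for up in agents[node].suspicious_links(factor):
            links.append((up, node))
            if up in agents:
                if up not in seen:
                    seen.add(up)
                    queue.append(up)
            else:
                filter_points.append((node, up))   # flood enters the ISP here
    return alarms, links, filter_points


def constructed_interval():
    """Topology: V <- R1 <- {R2 <- {C1, P1}, R3 <- {C2}}. C1, P1 and C2 are
    unmonitored customer/peer links; the flood enters through C1 and C2 while
    P1 stays close to its baseline. Constructed counts for one interval."""
    agents = {
        "V":  NodeAgent("V",  {"R1": 1000}),
        "R1": NodeAgent("R1", {"R2": 600, "R3": 400}),
        "R2": NodeAgent("R2", {"C1": 300, "P1": 300}),
        "R3": NodeAgent("R3", {"C2": 400}),
    }
    agents["R2"].observe("C1", 9000)
    agents["R2"].observe("P1", 310)
    agents["R3"].observe("C2", 4500)
    agents["R1"].observe("R2", 9310)
    agents["R1"].observe("R3", 4500)
    agents["V"].observe("R1", 13810)
    return agents


if __name__ == "__main__":
    alarms, links, filters = trace_attack(constructed_interval(), "V")
    print("alarms:", alarms)
    print("attack route:", links)
    print("filter at:", filters)
```

In the constructed interval every monitored node alarms, the route is reconstructed as C1 and C2 feeding R2 and R3 and on through R1 to the victim, and the peer link P1 is left alone because its count stays within its own baseline. Keying the walk on per-link rather than per-node counters is what keeps a filter from being placed on a healthy link that merely shares a router with a flooded one.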
|