Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

Characterization and Implications of Flash Crowds and DoS attacks on websites
Dixit Verma
Department of Electrical & Computer Engineering, Missouri University of Science and Technology
dv6cb@mst.edu
9 Feb 2017

Presentation Overview
Introduction
Characteristics
Analysis of Flash Events
Analysis of DoS Attacks
Server Strategy
Conclusion
9 Feb 2017 Presentation Overview 2

Introduction
Flash crowds and DoS attacks often overload web sites to the point where their services are degraded or disrupted entirely.
Flash events are created by unusual but legitimate traffic (e.g.?).
DoS attacks consist of malicious requests sent with the intention of disrupting the normal operation of the site.

Introduction
Sometimes the occurrence of a flash event is known in advance:
An on-line play-along website for a popular TV program may receive more visitors during a broadcast.
URLs advertised during an event (e.g. football games). e.g.?
But that is not always the case: after the September 11, 2001 terrorist attacks, cnn.com observed a dramatic increase in requests.

Introduction
DoS attacks consist of malicious requests sent with the intention of disrupting the normal operation of the site, e.g. TCP SYN floods or HTTP flooding.
Attackers generally use multiple compromised hosts (a distributed DoS).
Effects on a website: the site is unable to serve its legitimate users; in the worst case the server crashes or the site has to be taken offline.

Characteristics
Traffic patterns: tell us how many resources are needed, and help articulate when the server is overwhelmed and defensive measures are required.
Client characteristics: can help in distinguishing legitimate from malicious users.
Client clustering: aggregate clients into groups belonging to the same administrative domain. Each client IP is mapped to the longest matching prefix in a set of network prefixes obtained from BGP routing tables.

Characteristics
File reference: an additional differentiator to rule out suspicious activity, obtained by aggregating the reference patterns (which documents are requested) of individual users and of client clusters.

Analysis of Flash Events
HTTP traces from two events were analysed: one from a popular TV show's play-along site and another from a Chilean election site at the time of the presidential election.

Analysis of Flash Events
Traffic volume: the table summarizes the number of requests, documents and clients found in the traces.

Analysis of Flash Events
Characterizing clients: the figure shows the number of distinct clients and client clusters accessing the site, per 10-second interval.

Analysis of Flash Events
The spikes in request volume during a flash event correspond closely with the number of clients accessing the site.

Analysis of Flash Events
Characterizing file reference: for the two traces, over 60% of the documents were accessed during the flash events.

Analysis of Flash Events
The figure plots the cumulative fraction of requests against documents ranked most popular first.
Fewer than 10% of the documents (the most popular ones) account for more than 90% of requests.
Caching these few documents can absorb most of a flash event's load.
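The popularity analysis behind that claim, as an added Python example (not code from the slides or from the Jung et al. paper): it ranks documents by request count, builds the cumulative request fraction most-popular first, and reports how many top documents a cache must hold to serve a target share of requests. The trace is constructed and far smaller than the real ones; its 50/30/10 split is an assumption chosen to show the skew, and the function names are this example's own.

```python
"""Document-popularity analysis of a web-server trace (added example)."""
from collections import Counter


def popularity_cdf(requested_docs):
    """Return [(doc, cumulative_fraction_of_requests)], most popular first."""
    total = len(requested_docs)
    if total == 0:
        return []
    cdf, running = [], 0
    for doc, n in Counter(requested_docs).most_common():
        running += n
        cdf.append((doc, running / total))
    return cdf


def cache_size_for(requested_docs, target_percent=90):
    """Smallest number of most-popular documents that together serve at least
    target_percent of all requests. Integer arithmetic avoids float edge cases
    at the threshold."""
    counts = Counter(requested_docs)
    total = len(requested_docs)
    running = 0
    for k, (_, n) in enumerate(counts.most_common(), start=1):
        running += n
        if running * 100 >= target_percent * total:
            return k
    return len(counts)


def hit_rate(requested_docs, cache_size):
    """Fraction of requests served if the top cache_size documents are cached
    (static cache; assumes the ranking is known, e.g. from the trace itself)."""
    if not requested_docs:
        return 0.0
    cached = {doc for doc, _ in Counter(requested_docs).most_common(cache_size)}
    return sum(1 for d in requested_docs if d in cached) / len(requested_docs)


# Constructed, heavily skewed trace: 100 requests spread over 7 documents.
TRACE = (["/index.html"] * 50 + ["/live.html"] * 30 + ["/scores"] * 10
         + ["/about"] * 5 + ["/contact"] * 3 + ["/archive/1"] + ["/archive/2"])

if __name__ == "__main__":
    k = cache_size_for(TRACE)
    print(f"{k} of {len(set(TRACE))} documents serve 90% of requests; "
          f"caching them gives a hit rate of {hit_rate(TRACE, k):.2f}")
```

The same functions run unchanged over a real access log once the request paths are extracted from it; the interesting number for capacity planning is cache_size_for relative to the total document count, which is the "fewer than 10% of documents" figure the slide reports.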

Analysis of DoS Attacks
Password-cracking attempts are treated like DoS attacks, since in both cases the end goal is to discard the requests.
Two log files, esg and ol, were analyzed; they recorded more than 1 million requests within 60 days.

Analysis of DoS Attacks
The figure shows the request rates during the password-cracking DoS attacks on esg and ol.

Analysis of DoS Attacks
Requests answered with HTTP 401 (Unauthorized) are counted as password-cracking attempts.

Analysis of DoS Attacks
In the figure, each peak was produced by a single IP address sending 600 to 1000 requests per second: the rise in total request rate comes from a rise in the per-client request rate.
There is also an increase in the number of new client clusters, not seen by the site before the attack but present during it.
For the esg trace only 0.6% of the clusters seen during the attack were old clusters; for ol it was 0.1%.

Code Red Trace
The researchers also studied a trace of the Code Red worm, where the log file recorded accesses from infected computers.
The attack started with a few requests, followed by a surge as new clusters joined the attack.
This differs from flash events, which show no such increase in new-cluster arrivals.

Code Red Trace (figures: requests per client; cluster distribution of requests)

Flash events vs DoS attacks

Characteristic: Traffic volume
Flash events: a noticeable increase in the number of requests; the peaks can be long or short depending on the episode.
DoS attacks: the same noticeable increase in requests; peak length likewise varies.

Characteristic: Number of clients and their distribution
Flash events: the increase is caused mostly by more users accessing the website.
DoS attacks: the increase is caused either by more clients or by higher per-client request rates.

Characteristic: Cluster overlap
Flash events: significant overlap between the clusters the site sees before and during the event.
DoS attacks: very small overlap.

Characteristic: Per-client request rate
Flash events: per-client rates are lower, since the load comes from a larger number of legitimate clients.
DoS attacks: some attacks involve a few clients emitting very high request rates, others a large number of clients each generating a low rate; either way the per-client rate is abnormal.

Server Strategy
Differentiate between malicious and normal requests by monitoring the clients and their request rates.
Periodically cluster the client set accumulated during past periods with no DoS attack or flash event, to build a baseline of old clusters.
When performance degrades, drop requests from clients that do not belong to any old cluster.
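One way to implement the client clustering from the Characteristics slide, the cluster-overlap, per-client-rate and 401 metrics from the DoS analysis, and the drop-unknown-clusters rule from this slide, as an added Python example that is not part of the slides or of the Jung et al. paper. The prefix table, the log lines, the decision thresholds (min_overlap, max_rate) and all function names are assumptions for illustration; in practice the prefixes come from BGP routing tables and the thresholds from the site's own baseline.

```python
"""Client clustering and FE-vs-DoS discrimination over CLF logs (added example)."""
import ipaddress
import re
from collections import Counter

# Assumed prefix table. Real entries come from BGP routing tables; these are
# documentation and private ranges chosen for the constructed traces below.
PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/25",
    "203.0.113.128/25", "10.0.0.0/8",
)]

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3}) \S+')


def cluster_of(ip_str):
    """Longest-prefix match of a client IP against the prefix table.
    Clients matching no prefix get a /32 cluster of their own."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for net in PREFIXES:
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else f"{ip}/32"


def parse(lines):
    """Yield (client_ip, status) for each well-formed CLF line; skip junk."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))


def clusters_seen(lines):
    return {cluster_of(ip) for ip, _ in parse(lines)}


def cluster_overlap(baseline_clusters, event_lines):
    """Fraction of clusters active during the event that the site already saw
    in the baseline: high for flash events, near zero for the DoS traces."""
    event = clusters_seen(event_lines)
    return len(event & baseline_clusters) / len(event) if event else 0.0


def per_client_rates(lines, window_seconds):
    """Requests per second per client over a window of known length."""
    counts = Counter(ip for ip, _ in parse(lines))
    return {ip: n / window_seconds for ip, n in counts.items()}


def count_401s(lines):
    """401 responses per client, the slides' proxy for password cracking."""
    return Counter(ip for ip, status in parse(lines) if status == 401)


def classify(baseline_clusters, event_lines, window_seconds,
             min_overlap=0.5, max_rate=2.0):
    """Assumed decision rule: a legitimate surge if most active clusters are
    old AND no single client exceeds a sane per-client rate; otherwise DoS."""
    overlap = cluster_overlap(baseline_clusters, event_lines)
    peak = max(per_client_rates(event_lines, window_seconds).values(), default=0.0)
    return "flash_event" if overlap >= min_overlap and peak <= max_rate else "dos"


def keep_old_clusters(baseline_clusters, event_lines):
    """The server strategy: under overload, serve only requests from clusters
    seen before the event and drop the rest. Returns (kept, dropped)."""
    kept, dropped = [], []
    for line in event_lines:
        m = LOG_RE.match(line)
        (kept if m and cluster_of(m.group(1)) in baseline_clusters else dropped).append(line)
    return kept, dropped


def clf(ip, status, path="/index.html"):
    """Build a constructed CLF line (fixed dummy timestamp)."""
    return f'{ip} - - [09/Feb/2017:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'


# Constructed baseline from a quiet period, and two constructed 10-second windows.
BASELINE = [clf("192.0.2.10", 200), clf("192.0.2.10", 200), clf("192.0.2.11", 200),
            clf("198.51.100.5", 200), clf("198.51.100.5", 200), clf("203.0.113.7", 200)]
BASELINE_CLUSTERS = clusters_seen(BASELINE)
# Flash event: many new clients, but almost all from clusters the site knows.
FLASH = [clf(ip, 200, "/live.html") for ip in (
    "192.0.2.10", "192.0.2.10", "192.0.2.12", "192.0.2.13", "198.51.100.5",
    "198.51.100.6", "198.51.100.7", "203.0.113.8", "203.0.113.9", "203.0.113.200")]
# Password-cracking DoS: one host in a never-seen cluster hammering a login URL.
DOS = [clf("10.1.2.3", 401, "/admin") for _ in range(50)] + [clf("10.5.6.7", 200)]

if __name__ == "__main__":
    for name, trace in (("flash", FLASH), ("dos", DOS)):
        print(name, classify(BASELINE_CLUSTERS, trace, window_seconds=10),
              "overlap=%.2f" % cluster_overlap(BASELINE_CLUSTERS, trace))
```

Two caveats the filter inherits from the slides' rule: an attacker whose bots sit inside clusters the site already knows (large consumer ISPs, for instance) passes the old-cluster check, and legitimate users from a cluster the site has never seen are dropped along with the attackers. That is why the slide engages the rule only once performance actually degrades, and why the per-client rate is kept as a second signal rather than relying on cluster overlap alone.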

Conclusion
Flash crowds and DoS attacks may exhibit similar traffic patterns, but they can be differentiated by per-client request rates and by cluster overlap.
These metrics help distinguish legitimate from malicious traffic, which can then be blocked accordingly.

References
Jaeyeon Jung, Balachander Krishnamurthy, and Michael Rabinovich, "Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites", in Proceedings of the ACM WWW, Honolulu, HI, May 2002, pp. 293-304.
http://www.webopedia.com/term/c/cdn.html
"Methods of Distinguishing Flash Crowds from Spoofed DoS Attacks", Next Generation Internet Networks, 3rd EuroNGI Conference.
https://en.wikipedia.org/wiki/code_red_(computer_worm)#cite_note-5