1
Experiments and Tools for DDoS Attacks
Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
October 25th, 2004
2
Objectives
- Design, integrate, and deploy a methodology and tools for performing realistic and reproducible DDoS experiments:
  - Tools to configure traffic and attacks
  - Tools for automation of experiments, measurements, and visualization of results
  - Integration of multiple third-party software components
- Understand the testing requirements of different types of third-party detection and defense mechanisms
- Gain insight into the phenomenology of attacks, including their first-order and second-order effects, and their impact on defenses
3
Accomplishments
- Designed and implemented experimental tools:
  - Scriptable event system to control and synchronize events at multiple nodes
  - Automated measurement tools, log processing tools, and plotting tools
  - Automated configuration of interactive and replayed background traffic, routing, attack parameters, and measurements
- Generated requirements for DETER to easily support the testing of third-party products (e.g., ManHunt, Sentivist)
4
Accomplishments (cont’d)
- Analytical characterization, simulations, and experiments for low-rate TCP-targeted DDoS attacks
- Preliminary analysis of BGP behavior during DDoS, and of the impact of BGP on DDoS
5
Demonstration Topology
6
Scriptable Event System
- Controlling more than a handful of experimental nodes quickly and reliably is a real challenge.
- There must be a central way to delegate arbitrary tasks to experimental nodes.
- Event completion notifications are required so that one event's completion can trigger the next events in the experiment.
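The controller pattern described on this slide, as an added illustration (this is not the CERIAS tool): a central scheduler holds a list of named events with dependencies, dispatches each to the node that owns it, and uses the node's completion notification to release dependent events. Nodes are simulated here as in-process threads, which is an assumption made so the example runs offline; on a testbed the two queues would be a control channel (for example SSH) to each node. The event names and commands are hypothetical.

```python
"""Minimal scriptable event system: a central controller delegates named
events to per-node workers and uses completion notifications to release
the events that depend on them.  Added illustration, not the CERIAS tool.
Nodes are simulated as threads (assumption); actions are not executed."""
import queue
import threading
from dataclasses import dataclass, field


@dataclass
class Event:
    name: str
    node: str                                   # experimental node that runs it
    action: str                                 # command the node would run (illustrative)
    after: list = field(default_factory=list)   # events that must complete first


class NodeWorker(threading.Thread):
    """One worker per node: runs events as they arrive, reports completion."""

    def __init__(self, node, inbox, done):
        super().__init__(daemon=True)
        self.node, self.inbox, self.done = node, inbox, done

    def run(self):
        while True:
            ev = self.inbox.get()
            if ev is None:                      # shutdown sentinel from the controller
                return
            status = 0                          # a real node would execute ev.action here
            self.done.put((ev.name, self.node, status))


class Controller:
    """Central scheduler: dispatches an event once all its prerequisites finished."""

    def __init__(self, nodes):
        self.done = queue.Queue()               # completion notifications from all nodes
        self.inboxes = {n: queue.Queue() for n in nodes}

    def run(self, events, timeout=5.0):
        """Execute all events honouring `after`; return the completion order."""
        pending = {e.name: e for e in events}
        unknown = {e.node for e in events} - set(self.inboxes)
        if unknown:
            raise ValueError(f"events reference unknown nodes: {sorted(unknown)}")
        workers = [NodeWorker(n, q, self.done) for n, q in self.inboxes.items()]
        for w in workers:
            w.start()
        finished, order, inflight = set(), [], 0
        try:
            while True:
                # Release every pending event whose prerequisites are all done.
                for ev in list(pending.values()):
                    if all(d in finished for d in ev.after):
                        self.inboxes[ev.node].put(pending.pop(ev.name))
                        inflight += 1
                if inflight == 0:               # nothing running and nothing releasable
                    break
                name, node, status = self.done.get(timeout=timeout)
                inflight -= 1
                if status != 0:
                    raise RuntimeError(f"{name} failed on {node} (status {status})")
                finished.add(name)
                order.append(name)
        finally:
            for q in self.inboxes.values():     # stop the workers whatever happened
                q.put(None)
        if pending:                             # missing or cyclic dependencies
            raise RuntimeError(f"unsatisfiable dependencies: {sorted(pending)}")
        return order


if __name__ == "__main__":
    # Hypothetical experiment script: sinks, then background traffic, then attack, then teardown.
    script = [
        Event("stop_all", "server", "killall iperf", after=["attack"]),
        Event("attack", "attacker", "./attack.sh", after=["bg_traffic"]),
        Event("bg_traffic", "client", "iperf -c server", after=["sinks"]),
        Event("sinks", "server", "iperf -s"),
    ]
    print(Controller(["server", "client", "attacker"]).run(script))
```

Events listed out of order in the script are still run in dependency order, and a dependency that no event satisfies is reported instead of hanging the experiment.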
7
Routing
- DeterLab experiments can use static or OSPF routing; there is no built-in support for BGP, RIP, IS-IS, etc.
- eBGP and iBGP routing can be accomplished with Quagga routing daemons.
- Initialization scripts coupled with the central control make it easy to restart all of the routers in an experiment and obtain a clean starting point.
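One way to automate the Quagga configuration this slide relies on, as an added example (not the project's own scripts): a topology description is turned into one bgpd.conf per router, with iBGP sessions between routers in the same AS and eBGP sessions across ASes, plus a check that every peering is declared on both ends, since a one-sided declaration leaves the session stuck and is easy to miss when restarting many routers. The topology, router names and addresses are constructed for illustration; the Quagga keywords used (`router bgp`, `neighbor ... remote-as`, `next-hop-self`, `network`) are standard bgpd syntax.

```python
"""Generate Quagga bgpd.conf files for every router in an experiment topology.
Added example, not the CERIAS tools.  TOPOLOGY is constructed for illustration:
r1 and r2 share AS 65001 (iBGP), r3 is a separate AS peering with r1 (eBGP)."""
import ipaddress
import os

TOPOLOGY = {
    "r1": {"asn": 65001, "router_id": "10.0.0.1", "networks": ["10.1.0.0/24"],
           "peers": {"r2": "10.0.12.2", "r3": "10.0.13.3"}},   # peer name -> peer address
    "r2": {"asn": 65001, "router_id": "10.0.0.2", "networks": ["10.2.0.0/24"],
           "peers": {"r1": "10.0.12.1"}},
    "r3": {"asn": 65002, "router_id": "10.0.0.3", "networks": ["10.3.0.0/24"],
           "peers": {"r1": "10.0.13.1"}},
}


def bgpd_conf(name, topo):
    """Return the bgpd.conf text for router `name`."""
    r = topo[name]
    lines = [f"hostname {name}-bgpd", "password zebra", "!",
             f"router bgp {r['asn']}", f" bgp router-id {r['router_id']}"]
    for net in r["networks"]:
        ipaddress.ip_network(net)                 # reject typos before they reach bgpd
        lines.append(f" network {net}")
    for peer, addr in sorted(r["peers"].items()):
        ipaddress.ip_address(addr)
        if peer not in topo:
            raise KeyError(f"{name} peers with unknown router {peer}")
        peer_asn = topo[peer]["asn"]
        internal = peer_asn == r["asn"]
        lines.append(f" neighbor {addr} remote-as {peer_asn}")
        lines.append(f" neighbor {addr} description {'iBGP' if internal else 'eBGP'} to {peer}")
        if internal:
            # Border routers re-advertise eBGP-learned routes to iBGP peers with
            # themselves as next hop, so the peer does not need the external link.
            lines.append(f" neighbor {addr} next-hop-self")
    lines += ["!", "log file /var/log/quagga/bgpd.log", "!"]
    return "\n".join(lines) + "\n"


def check_symmetry(topo):
    """Return (a, b) pairs where a declares b as a peer but b does not declare a."""
    problems = []
    for a, r in topo.items():
        for b in r["peers"]:
            if a not in topo.get(b, {}).get("peers", {}):
                problems.append((a, b))
    return problems


def write_all(topo, outdir):
    """Write <outdir>/<router>/bgpd.conf for every router; refuse asymmetric peerings."""
    bad = check_symmetry(topo)
    if bad:
        raise ValueError(f"one-sided peerings: {bad}")
    for name in topo:
        os.makedirs(os.path.join(outdir, name), exist_ok=True)
        with open(os.path.join(outdir, name, "bgpd.conf"), "w") as f:
            f.write(bgpd_conf(name, topo))


if __name__ == "__main__":
    print(bgpd_conf("r1", TOPOLOGY))
    print("asymmetric peerings:", check_symmetry(TOPOLOGY))
```

Pushing the generated files to the nodes and restarting zebra and bgpd from the central controller is what gives every run the same clean starting point; the generator is deterministic, so two runs from the same topology produce identical configurations.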
8
Measurement
- Measuring system statistics at different points in the network yields an understanding of what is happening across the entire network.
- A tool driven by a 1 s timer records CPU load, packets per second in and out, bits per second in and out, TCP RTOs (retransmission timeouts), and memory use. The collected logs can be aggregated and turned into graphs by a collection of scripts.
- Future scripts will be able to correlate events across system-measurement and routing log files.
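The core of such a 1 s sampler, as an added example rather than the CERIAS tool: two consecutive snapshots of /proc/net/dev, /proc/stat and /proc/meminfo are turned into packets and bits per second in each direction, CPU busy percentage and memory in use, in a form that can be written as one CSV line per second and plotted later. The snapshot text and its numbers are constructed by hand for illustration; the live loop reads the same files on a Linux node. RTO counting is left out of this example.

```python
"""Per-node sampler in the spirit of the 1 s timer tool: turns two consecutive
/proc snapshots into PPS/BPS in and out, CPU busy % and memory in use.
Added example, not the CERIAS tool.  SNAP_T0/SNAP_T1 are constructed samples."""
import time

_HDR = ("Inter-|   Receive                                                |  Transmit\n"
        " face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed\n")
SNAP_T0 = {
    "net": _HDR + "    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0\n"
                  "  eth0: 1000000    5000    0    0    0     0          0         0  2000000    3000    0    0    0     0       0          0\n",
    "stat": "cpu  100 0 50 800 10 0 0 0 0 0\ncpu0 100 0 50 800 10 0 0 0 0 0\n",
    "mem": "MemTotal:     1024000 kB\nMemFree:       300000 kB\nBuffers:        8000 kB\n",
}
SNAP_T1 = {  # one second later: +1000 pkts / +150 kB in, +200 pkts / +20 kB out
    "net": _HDR + "    lo:    4096      32    0    0    0     0          0         0     4096      32    0    0    0     0       0          0\n"
                  "  eth0: 1150000    6000    0    0    0     0          0         0  2020000    3200    0    0    0     0       0          0\n",
    "stat": "cpu  200 0 100 840 20 0 0 0 0 0\ncpu0 200 0 100 840 20 0 0 0 0 0\n",
    "mem": "MemTotal:     1024000 kB\nMemFree:       256000 kB\nBuffers:        8000 kB\n",
}


def parse_net_dev(text, iface):
    """Return (rx_bytes, rx_packets, tx_bytes, tx_packets) for one interface."""
    for line in text.splitlines():
        if ":" not in line:                     # the two header lines
            continue
        name, rest = line.split(":", 1)
        if name.strip() == iface:
            f = [int(x) for x in rest.split()]  # receive columns 0-7, transmit 8-15
            return f[0], f[1], f[8], f[9]
    raise KeyError(f"interface {iface} not in /proc/net/dev")


def parse_cpu(text):
    """Return (idle_jiffies, total_jiffies) from the aggregate 'cpu' line."""
    for line in text.splitlines():
        if line.startswith("cpu "):
            vals = [int(x) for x in line.split()[1:]]
            idle = vals[3] + (vals[4] if len(vals) > 4 else 0)   # idle + iowait
            return idle, sum(vals)
    raise ValueError("no aggregate cpu line in /proc/stat")


def parse_mem_used_kb(text):
    """MemTotal - MemFree in kB."""
    kv = {}
    for line in text.splitlines():
        k, _, v = line.partition(":")
        if v.strip():
            kv[k.strip()] = int(v.split()[0])
    return kv["MemTotal"] - kv["MemFree"]


def rates(prev, cur, elapsed, iface="eth0"):
    """One measurement record from two snapshots taken `elapsed` seconds apart."""
    if elapsed <= 0:
        raise ValueError("elapsed must be positive")
    rb0, rp0, tb0, tp0 = parse_net_dev(prev["net"], iface)
    rb1, rp1, tb1, tp1 = parse_net_dev(cur["net"], iface)
    i0, t0 = parse_cpu(prev["stat"])
    i1, t1 = parse_cpu(cur["stat"])

    def delta(a, b):
        return max(b - a, 0)                    # counters reset when an interface bounces

    busy = 100.0 * (1 - delta(i0, i1) / delta(t0, t1)) if t1 > t0 else 0.0
    return {"pps_in": delta(rp0, rp1) / elapsed, "pps_out": delta(tp0, tp1) / elapsed,
            "bps_in": 8 * delta(rb0, rb1) / elapsed, "bps_out": 8 * delta(tb0, tb1) / elapsed,
            "cpu_pct": round(busy, 1), "mem_used_kb": parse_mem_used_kb(cur["mem"])}


def snapshot():
    """Live snapshot of the three /proc files (Linux only; not used offline)."""
    out = {}
    for key, path in (("net", "/proc/net/dev"), ("stat", "/proc/stat"), ("mem", "/proc/meminfo")):
        with open(path) as f:
            out[key] = f.read()
    return out


def live_loop(iface="eth0", interval=1.0, samples=5):
    """Print one CSV record per interval, the shape the plotting scripts would consume."""
    prev, t_prev = snapshot(), time.time()
    print("time,pps_in,pps_out,bps_in,bps_out,cpu_pct,mem_used_kb")
    for _ in range(samples):
        time.sleep(interval)
        cur, t_cur = snapshot(), time.time()
        r = rates(prev, cur, t_cur - t_prev, iface)   # use the real elapsed time, not `interval`
        print(f"{t_cur:.0f},{r['pps_in']:.0f},{r['pps_out']:.0f},{r['bps_in']:.0f},"
              f"{r['bps_out']:.0f},{r['cpu_pct']},{r['mem_used_kb']}")
        prev, t_prev = cur, t_cur


if __name__ == "__main__":
    print(rates(SNAP_T0, SNAP_T1, 1.0))
```

Rates are computed from the measured elapsed time rather than the nominal 1 s, since a loaded node under attack will not wake its timer on schedule, and counter decreases are clamped to zero so an interface reset shows as a gap rather than a negative spike in the plots.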
9
Measurement (cont’d)
10
Challenges in Testing Third-Party Mechanisms
- ManHunt license is IP/MAC specific: requires control over machine selection in DETER
- Administration software: some products are Windows XP only (e.g., Sentivist); fortunately a command-line interface is provided in this case
- Some mechanisms require their own hardware to be installed (sensors/authentication)
- Certain features of mechanisms, such as traceback/pushback, are dependent on interaction with the network devices (routers/switches)
11
Challenges (cont'd): How to install sensors?
- Current solution: hardware bridging. Cannot install more than one sensor, a serious problem since prior research has shown the limited effectiveness of single-point sensing.
- Future solution: software bridging
12
Challenges (cont’d)
- Sentivist Sensor is distributed as a bootable CD-ROM
  - Is it possible to "boot" a machine from an ISO image? Perhaps using a FreeBSD network install (Sentivist Sensor is built on FreeBSD), but there is no administrative privilege to do so
  - Otherwise, someone has to insert the CD-ROM in the drive
- Sentivist Sensor installation requires interaction:
  - Must establish a serial console connection to the machine: COM1 or COM2, but there is no COM1 on the DETER IBM machines
  - Else someone has to use a monitor and keyboard
13
Plans
- Continue development of experiment automation and instrumentation/plotting tools and documentation
- Design increasingly high-fidelity experimental suites
- Continue investigation of TCP-targeted DDoS attacks in more depth, and compare analytical and simulation results with DETER testbed results to identify artifacts
14
Plans (cont’d)
- Investigate routing problems/attacks, and compare with DETER testbed results
- Continue to collaborate with the routing team and the McAfee team to identify experimental scenarios and build tools for routing experiments