Sonia Fahmy Ness Shroff - PowerPoint PPT Presentation


1
Experiments with DDoS and Routing
  • Sonia Fahmy, Ness Shroff
  • Students: Roman Chertov, Rupak Sanjel
  • Center for Education and Research in Information
    Assurance and Security (CERIAS)
  • Purdue University
  • October 25th, 2004

2
Objectives
  • Design, integrate, and deploy a methodology and
    tools for performing realistic and reproducible
    DDoS experiments
  • Tools to configure traffic and attacks
  • Tools for automation of experiments,
    measurements, and visualization of results
  • Integration of multiple third-party software
    components
  • Understand the testing requirements of different
    types of third party detection and defense
    mechanisms
  • Gain insight into the phenomenology of attacks
    including their first-order and their
    second-order effects, and impact on defenses

3
Accomplishments
  • Designed and implemented experimental tools
  • Scriptable event system to control and
    synchronize events at multiple nodes
  • Automated measurement tools, log processing
    tools, and plotting tools
  • Automated configuration of interactive and
    replayed background traffic, routing, attack
    parameters, and measurements
  • Generated requirements for DETER to easily
    support the testing of third party products
    (e.g., ManHunt, Sentivist)

4
Accomplishments (contd)
  • Analytical characterization, simulations, and
    experiments for low-rate TCP-targeted DDoS
    attacks
  • Preliminary analysis of BGP behavior during DDoS,
    and BGP impact on DDoS

5
TCP-Targeted Attacks
  • Varied attack burst length l and sleep period
    T-l
  • A. Kuzmanovic and E. W. Knightly. Low-rate
    targeted denial of service attacks. SIGCOMM 2003.
  • M. Guirguis et al. Exploiting the transients of
    adaptation for RoQ attacks on Internet resources.
    ICNP 2004.
  • H. Sun et al. Defending against low-rate TCP
    attacks: Dynamic detection and protection. ICNP
    2004.
  • Objective
  • Understand attack effectiveness (damage versus
    effort) in terms of application-level,
    transport-level, and network-level metrics at
    multiple nodes

[Figure: attack pattern; x-axis Time, y-axis Rate. Bursts of length l at rate R, separated by sleep periods of length T-l.]
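The slide's l / T-l / R pattern is what makes this attack cheap for the attacker and hard for a volume-based detector: the average rate is only R·l/T, while each burst is long enough to cause losses at the bottleneck. The following Python is an added illustration for this slide, not a tool from the presentation or from the DETER/CERIAS work; the rate series is constructed (no captured traffic), and the sample step, rates, thresholds and window size are assumed values rather than figures from the experiments. It shows that a sliding-window mean-rate alarm never fires on the pattern, while a simple autocorrelation scan recovers the period T, the signature a periodicity-based detector would key on.

```python
"""Why a volume threshold misses a low-rate TCP-targeted attack pattern, and a
periodicity check that does not.  Added illustration; the series is
constructed and all numeric parameters below are assumptions."""
import statistics

STEP = 0.01  # seconds per sample of the rate series (assumed)


def square_wave(period, burst, rate, duration, step=STEP):
    """Constructed rate series (Mbps per sample): `rate` for the first `burst`
    seconds of every `period`, zero for the remaining sleep time period-burst.
    This mirrors the l / T-l / R pattern on the slide."""
    per = round(period / step)
    on = round(burst / step)
    n = round(duration / step)
    return [rate if (i % per) < on else 0.0 for i in range(n)]


def average_rate(series):
    """Attacker effort: the mean rate of the series (equals R*l/T)."""
    return statistics.fmean(series)


def window_alarm(series, threshold, window, step=STEP):
    """Volume detector: alarm if any `window`-second average exceeds threshold."""
    w = round(window / step)
    for start in range(0, len(series) - w + 1, w):
        if statistics.fmean(series[start:start + w]) > threshold:
            return True
    return False


def autocorrelation(series, lag):
    """Normalised autocorrelation estimate at an integer sample lag
    (covariance over the overlapping pairs, divided by the series variance)."""
    m = statistics.fmean(series)
    var = statistics.fmean((x - m) ** 2 for x in series)
    if var == 0:
        return 0.0
    cov = statistics.fmean((a - m) * (b - m) for a, b in zip(series, series[lag:]))
    return cov / var


def dominant_period(series, max_lag_seconds, step=STEP):
    """Periodicity detector: return (period_seconds, correlation) for the lag
    with the strongest autocorrelation.  A peak near 1.0 means the traffic is
    a regular on/off pattern even though its mean rate is small."""
    best_lag, best_r = 0, -1.0
    for lag in range(1, round(max_lag_seconds / step)):
        r = autocorrelation(series, lag)
        if r > best_r:
            best_lag, best_r = lag, r
    return best_lag * step, best_r


if __name__ == "__main__":
    # Assumed parameters: T = 1 s (close to the 1 s minimum RTO of RFC 2988),
    # l = 100 ms bursts at R = 10 Mbps, observed for 10 s.
    s = square_wave(period=1.0, burst=0.1, rate=10.0, duration=10.0)
    print("average rate (Mbps):", average_rate(s))          # 1.0 = R*l/T
    print("5 Mbps/1 s window alarm:", window_alarm(s, 5.0, 1.0))  # False
    print("dominant period, corr:", dominant_period(s, 1.5))      # (1.0, 1.0)
```

The mean-rate check is deliberately the naive one; the point is that any threshold above R·l/T is blind to the pattern, whereas the autocorrelation peak at T shows up regardless of how low the average is. On real traffic the peak is weaker (background traffic adds noise), so a deployed detector would compare the peak against a baseline rather than against 1.0.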
6
Topology
7
Throughput
8
Web Clients/Server
9
Attack Parameters vs. RTT
0.38 Mbps without an attack
0.75 Mbps without an attack
Client with 63 ms RTT to the server
10
Short RTT
1.00 Mbps without an attack
1.40 Mbps without an attack
Client with 12.6 ms RTT to the server
11
ttcp Experiments
Attack 100-1000; Unacked data during 5MB file
transfer (31.97 sec, 160.16 KB/sec)
12
Emulation vs. Simulation
  • Effects of attack sleep period on the average
    congestion window of a single TCP (SACK) from
    TTCP tool
  • The attack flow is multiplexed with the data flow

13
Routing
  • Need to understand magnitude of potential
    problems, causes, and defenses

14
Scenario
  • At 222 sec, nodes 8, 11, and 14 attack node 9
    (zebra router running BGP) for 400 seconds.
  • No activity for 200 seconds. Allow all nodes to
    stabilize.
  • Nodes 8, 11, and 14 attack node 9 for 400 seconds
    again. Node 36 attacks node 10 (neighbor of node
    9) for 400 seconds.

15
BGP update messages
16
Keep-alives at node 9
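Whether a router under attack keeps its BGP sessions up comes down to whether keep-alives still arrive within the peer's hold time. The following Python is an added illustration for this slide, not part of the presentation or of the zebra/DETER tooling: it parses a constructed keep-alive log in an assumed "<seconds> KEEPALIVE from <peer>" format (not zebra's real log format) and flags inter-arrival gaps that exceed the expected interval, marking those that exceed the hold time, at which point the peer would tear the session down. The 90 s hold time and 30 s keep-alive interval are the RFC 4271 suggested defaults, assumed here for the session under test.

```python
"""Keep-alive gap check over a BGP session log.  Added illustration; the log
excerpt is constructed and its format is an assumption, not zebra output."""
import re

HOLD_TIME = 90.0           # s, RFC 4271 suggested default (assumed here)
KEEPALIVE_INTERVAL = 30.0  # s, one third of the hold time (assumed here)

# Constructed log excerpt (not zebra output): "<t_seconds> KEEPALIVE from <peer>".
# Keep-alives every 30 s, then a late one and a long gap around the attack
# window of the scenario slide, then regular arrivals again.
SAMPLE_LOG = """\
0 KEEPALIVE from node10
30 KEEPALIVE from node10
60 KEEPALIVE from node10
90 KEEPALIVE from node10
120 KEEPALIVE from node10
150 KEEPALIVE from node10
180 KEEPALIVE from node10
210 KEEPALIVE from node10
255 KEEPALIVE from node10
350 KEEPALIVE from node10
380 KEEPALIVE from node10
"""

LINE_RE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+KEEPALIVE\s+from\s+(?P<peer>\S+)$")


def parse_keepalives(text):
    """Return {peer: [arrival times in seconds]} from the assumed log format."""
    by_peer = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # lines that are not keep-alive records are ignored
        by_peer.setdefault(m["peer"], []).append(float(m["t"]))
    return by_peer


def keepalive_gaps(times, expected=KEEPALIVE_INTERVAL, hold=HOLD_TIME):
    """Flag inter-arrival gaps longer than the expected interval.  Each entry is
    (start, end, gap_seconds, expired); expired is True when the gap exceeded
    the hold time, i.e. the peer would have dropped the session."""
    out = []
    for a, b in zip(times, times[1:]):
        gap = b - a
        if gap > expected:
            out.append((a, b, gap, gap > hold))
    return out


def report(text):
    """Gap report per peer for a whole log."""
    return {peer: keepalive_gaps(sorted(ts))
            for peer, ts in parse_keepalives(text).items()}


if __name__ == "__main__":
    for peer, gaps in report(SAMPLE_LOG).items():
        for start, end, gap, expired in gaps:
            state = "hold timer expired" if expired else "late"
            print(f"{peer}: gap {gap:.0f}s between {start:.0f}s and {end:.0f}s ({state})")
```

On the constructed log the check reports one late keep-alive (45 s) and one gap of 95 s that crosses the hold time. Applied to the node 9 trace, the same check separates a router that is merely slowed by the attack from one whose sessions would actually flap, which is the distinction the BGP update and keep-alive plots are meant to show.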
17
(No Transcript)
18
Lessons Learned
  • Insights into sensitivity to emulation
    environment
  • Some effects we observe may not be observed on
    actual routers and vice versa (architecture and
    buffer sizes)
  • Emulab and DETER results significantly differ for
    the same test scenario (CPU speed)
  • Priority for routing packets in Cisco routers
  • Limit on the degree of router nodes, delays,
    bandwidths
  • Difficulties in testing third party products
  • Products (hardware or software) connect to hubs,
    switches, or routers
  • Layer 2/layer 3 emulation and automatic
    discovery/allocation can simplify DETER use for
    testing third party mechanisms
  • Due to licenses, we need to control machine
    selection in DETER
  • Windows XP is required to test some products,
    e.g., Sentivist administration interface
  • Difficult to evaluate performance when mechanism
    is a black box; e.g., cannot mark attack traffic
    and must solely rely on knowledge of attack

19
Plans
  • Continue development of experiment automation and
    instrumentation/plotting tools and documentation
  • Design increasingly high fidelity experimental
    suites
  • Continue investigation of TCP-targeted DDoS
    attacks in more depth, and compare analytical and
    simulation results with DETER testbed results to
    identify artifacts

20
Plans (contd)
  • Investigate routing problems/attacks, and compare
    with DETER testbed results
  • Continue to collaborate with routing team and
    McAfee team to identify experimental scenarios
    and build tools for routing experiments