DISTRIBUTED tcpdump CAPABILITY FOR LINUX - PowerPoint PPT Presentation

1 / 10
About This Presentation
Title:

DISTRIBUTED tcpdump CAPABILITY FOR LINUX

Description:

Project Goals PROBLEM DEFINITION & SCOPE A network-based intrusion detection system (IDS) might be able to detect an attack instance ... – PowerPoint PPT presentation

Number of Views:100
Avg rating:3.0/5.0
Slides: 11
Provided by: labu424
Category:

less

Transcript and Presenter's Notes

Title: DISTRIBUTED tcpdump CAPABILITY FOR LINUX


1
Research Paper
DISTRIBUTED tcpdump CAPABILITY FOR LINUX
EJAZ AHMED SYEDDr. JIM MARTIN
Internet Research Group. Department Of Computer
Science Clemson University.
2
Project Goals
  • Design and implement a tool that does distributed
    tcpdump capability for Linux.
  • Basic Operation Description
  • A client sends a command to a server instructing
    the server to do particular tcpdump commands. At
    the server, there needs to be a way for the
    tcpdump data to be sent back to the client.
  • Significance
  • A generic building block that can be deployed
    in a highly distributed manner for Distributed
    Denial Of Service (DDoS) and Intrusion Detection
    (ID).
  • Work is closely related to the frame work
    developed for
    intrusion detection.

3
PROBLEM DEFINITION SCOPE
  • Distributed Denial of Service and Intrusion
    Detection System (IDS)
  • A denial-of-service attack is
    characterized by an explicit attempt by attackers
    to prevent legitimate users of a service from
    using that service.Examples include
  • attempts to flood a network, thereby preventing
    legitimate network traffic.
  • attempts to disrupt connections between two
    machines, thereby preventing access to a service.
  • attempts to disrupt service to a specific system
    or person.
  • Note Other types of attacks may include a denial
    of service as a component, but the
    denial of service may be part of a larger attack.


  • ... contd

4

PROBLEM DEFINITION SCOPE
A network-based intrusion detection system (IDS)
might be able to detect an attack instance
(either an attack packet or a sequence of attack
packets) by automatically extracting and
analyzing the attack signatures from a collection
of incoming and outgoing data packets. However,
because of the Source accountability problem of
todays Internet, an IDS generally cannot tell
where the attack packets were originated. Recent
attention Many DDoS (Distributed Denial Of
Service) attacks have affected web sites such as
Yahoo! E-Bay, CNN among many others, utilizing IP
source address spoofing.
5

Nomenclature The Plain DDoS Model
DDoS Attack Infrastructure Hackers from their
own community and they share resources among
themselves. When one Internet host is
compromised (a resource for the hackers), the
host identity and the key to access this host is
announced to all the hackers. Gradually,
compromised hosts are organized and connected
together as a DDoS attack infrastructure. In this
host infrastructure, some hosts play the role of
masters, while others are slaves. Attacker A
15-YEAR-OLD MONTREAL boy with the alleged
Internet codename of Mafia boy was the attacker
who launched the attacks that briefly immobilized
and brought down Internet giants eBay,
Amazon.com, Yahoo.com, and ETrade back in
February through the plain DDoS attack
infrastructure. www.itworld.com
community. Must be a Gryffindor wizard !!
6
The plain DDOS Model 1999-2000
Ref On Design and Evaluation of
Intention-Driven ICMP Traceback. UCLA
7
Tool Functionality
  • How to detect the distributed attack ??
  • Signatures represent the attacks in a generic
    way.
  • A signature is a distributed event pattern that
    represents a distributed attack.
  • Generate log files required for further
    processing.
  • Specify what information is needed.
  • Identify the attack from specific signature
    flow.
  • Trace bandwidth consumed by the following flow
    description xxx the data sent back is simple
    byte count per second. Alert the client when
    data specific to flow xxx is observed send back
    an alert message.Alert the client when you see
    this particular flow signature.

8
IMPLEMENTATION ARCHITECTURE
  • Pseudo Signatures
  • Generate specific command oriented tcpdump log
    files for processing. CMD tcpdump_command,
    param_String, START, STOP, probing_frequency,
    file log_file
  • CMD any tcpdump command . File log
    file generated with the resultant tcpdump data.
  • Generate list of offending flows
  • CMD ID_Non_tcp_friendly_flows, START, STOP,
    probing_frequency, file list_file
  • Identify specific offending flows
  • CMD search_for_this_flow, reporting_mode,
    probing_frequency, file search_stats
  • Search_for_this_flow based on for example ,
    address, port, protocol Reporting_mode
    First occurrence of specific flow, Bandwidth gt
    TCP_Friendly.

9
CARDS Architecture
Fig The CARDS architecture
Ref Design and Implementation of A
Decentralized Prototype System for Detecting
Distributed Attacks. Dr. Ning, Dr. Sushil, Dr.
Sean, North Carolina State University.
10
Extensions
  • Provide hooks for some other extended tcpdump
    commands.
  • Provide a Interactive Java GUI interface for the
    Client.
  • Think !!!!
  • NOTE Cpsc881 Students - Fall03 May
    Implement security feature to this application.
    !??!
Write a Comment
User Comments (0)
About PowerShow.com