SCE11-0315
- 1. Final Year Project Oral Presentation
- 4. Latest Trends - Increasing Botnet Activity Increase 57% - Attack bandwidth (from 70 to 110 Mbps) 1800% - Packet-per-second volume Decrease 20.9% - Attack duration (from 43 to 34 hours) http://www.techspot.com/news/47582-kaspersky-ddos-attacks-57-more-powerful-in-h2-2011-russia-tops-list.html http://www.theregister.co.uk/2012/02/08/ddos_attack_trends/
- 5. Latest Trends - Sectors 26% 21% 15% 15% 6% 6% 3% 2% 2% 4% Online shopping Trading sites Gaming sites Banks Other business-related sites Blogs and forums Adult content sites Mass media Government sites Other
- 6. Create an efficient solution compared to bandwidth-overprovisioning Motivation
- 7. Initial Ideas, Design Plan, Main Implementation
- 8. Mitigation Initial Ideas – Three-pronged approach (1) Neutralization Attack Absorbs the impact of the attack (Intelligent Swarm layer)
- 9. Mitigation Initial Ideas – Three-pronged approach (1) Neutralization Attack Absorbs the impact of the attack (Intelligent Swarm layer) Detection and ban suspected attacks (CAPTCHA, firewall, detection methods)
- 10. Mitigation Initial Ideas – Three-pronged approach (1) Neutralization Attack Shut down source of attack (Counter-DDoS) Absorbs the impact of the attack (Intelligent Swarm layer) Detection and ban suspected attacks (CAPTCHA, firewall, detection methods)
- 11. Mitigation Initial Ideas – Three-pronged approach (1) Neutralization Attack Absorbs the impact of the attack (Intelligent Swarm layer) Detection and ban suspected attacks (CAPTCHA, firewall, detection methods) Shut down source of attack (Counter-DDoS)
- 12. Initial Ideas – Three-pronged approach (1) Attack Shut down source of attack (Counter-DDoS) 1) Need to reorganize swarm layer to create ‘flanking team’ for counter-DDoS 2) Tracing Command & Control server IP with fast-fluxing technology 3) Retaliation by attacker 1) Need to reorganize swarm layer to create ‘flanking team’ for counter-DDoS 2) Tracing Command & Control server IP with fast-fluxing technology
- 13. Initial Ideas – Three-pronged approach (2) Attack Shut down source of attack (Counter-DDoS)(Detect anomalous traffic and send reports to relevant authorities) 1) Assume node within swarm layer is compromised and sending out packet flood 2) Classify probability of suspected IP as C&C server using algorithms 3) Suspect list sent to authorities
- 14. Initial Ideas – Three-pronged approach (2) 5 LOIC x IRC / Twitter
- 15. Initial Ideas – Three-pronged approach (2) Demo Collection
- 16. Initial Ideas – Three-pronged approach (2) LOIC with Hivemind mode (IRC)
- 17. Initial Ideas – Three-pronged approach (2) LOIC with Hivemind mode (Twitter)
- 18. Design Plan – Bandwidth Threshold Detection QuantityCommunication Compromised Internal Node Other internal or external nodes Threshold = 250%
- 19. Estimated Net Traffic Graph 0 5 10 15 20 25 8:00 9:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00 19:00 20:00 21:00 22:00 23:00 0:00 1:00 2:00 3:00 4:00 5:00 6:00 7:00 Upper Threshold Normal Traffic (thousands) (Time of day) Design Plan – Bandwidth Threshold Detection
- 20. Main Implementation – Bandwidth Threshold Detection Detection using Wireshark: 1) HTTP floods 2) SYN floods 3) UDP floods 4) ICMP floods HTTP GET - HTTP Response SYN ACK - SYN Percentage difference between nominal and current log file
- 21. Main Implementation – Bandwidth Threshold Detection Filters: HTTP GET Response - (ip.src == 192.168.0.0/16 and http.request) HTTP Response - (ip.dst== 192.168.0.0/16 and http.response) SYN ACK- (tcp.flags.syn == 1 and tcp.flags.ack == 1 and ip.dst == 192.168.0.0/16) SYN - (tcp.flags.syn == 1 and tcp.flags.ack == 0 and ip.src == 192.168.0.0/16) UDP - (udp) ICMP - (icmp)
- 22. Main Implementation – Bandwidth Threshold Detection 1) Wireshark > Statistics > IO Graphs After logging:
- 23. Main Implementation – Bandwidth Threshold Detection Note: - HTTP and SYN •Contains 2 rules •‘HTTP GET Request’ exactly before ‘HTTP Response’, etc. 2) Input rules
- 24. Main Implementation – Bandwidth Threshold Detection 3) ‘Copy’ 4) Open text editor 5) ‘Paste’ and save as a .csv file
- 25. Main Implementation – Bandwidth Threshold Detection Outflow.java basic flowchart Read in arguments Check argument validity Read in nominal and current log files Compare data Output results
- 26. Main Implementation – Bandwidth Threshold Detection Sample output
- 27. Functionality Testing, Result Summary, Analysis, Limitations
- 28. 1) FileNotFound Exception 2) ArrayIndexOutOfBounds Exception 3) Invalid Arguments Functionality Testing Change to invalid filename Remove column of data Entered invalid arguments
- 29. •18 normal traffic logs •2 malicious traffic logs •88.89% accuracy Result Summary
- 30. 88.89% accuracy relatively effective in detecting anomalous traffic Suitable to integrate with: 1) Intelligent Swarm Network 2) Firewall 3) CAPTCHA 4) Other detection algorithms Analysis
- 31. 1) Compromised node 2) Perfect Nominal traffic log file Limitations – Assumptions
- 32. 1) Manual log collection 2) Analysis after logging Limitations – Response Time
- 33. 1) Irregular sample and capture time size 2) Small pulses of DDoS attacks may not be captured with high threshold Limitations – Logic Limitations
- 35. Integration of: 1) Intelligent Swarm Network 2) Firewall 3) CAPTCHA 4) ‘Outflow.java’ Allows efficient three-pronged approach in detecting and mitigating botnets Three-pronged approach