1

Flooding 攻擊訊務的監測與阻絕

中央大學 電算中心 楊素秋

center7@cc.ncu.edu.tw

2

大 綱

•1. 研究動機•2. 網路訊務量測•3.Flooding 攻擊訊務的監測•4. 攻擊訊務的自動阻絕與通告•5. 結論

3

1.研究動機•頻仍的網路攻擊事件

– Internet wide open 傳輸協定•Forged IP address•Forged application port•Forged protocol id.

4

• ICMP/UDP Flooding – Attackers can markedly increase the volume of attack traffic •congest regional networks•jam the network links throughout the transmission path

5

• TCP Attack– Denial of Service (DoS)

•attack on well-known services•providing the attacker with full remote access to the servers.

– Distributed Flooding Attack– overwhelm the transport routing resources.

6

2 網路訊務量測•攻擊訊務特徵

– Intensive traffic volume•ICMP Flooding (host-to-host)•PING Storm (N * host-to-host)

– Intensive connection•SYN Flooding

– host-to-M_hosts•DoS/DDoS

– N * (host-to- M_hosts)

7

– Forged transportation attributes•Spoofed Source IP address

– Smurf, DRDoS•採動態的 src_port, dst_port

– 躲避 firewall 及管理人員的過濾•動態的攻擊 /休眠時間

– Group Flooding Traffic•DDoS•DRDoS

8

• 網路轉送訊務 log – Tcpdump

•Snoop Broadcast packet header•LAN segment•Packet-based

– NetFlow•WAN Router 暫存 /加總過境封包 header 資訊 •Transport traffic log•Flow-based

9

– Tcpdump•典型區域網段廣播封包的監聽應用程式

– 網路用戶透過 tcpdump 監聽 LAN 傳送的封包 log•網管人員得以依據監聽封包紀錄

– end-to-end IP addresses, packet length, 及 socket ports

– 統計與分析連網的確切運務量與訊務特性 . •協助確認與排除網路問題

10

– Related works•Kushida T.

– 透過 Tcpdump 監聽 FDDI 網段 packet log– 量測網路的 TCP,UDP 訊務量與傳訊特性 .

•Thompson K.– 監聽與量測單一 ATM 連線承載– TCP 與 UDP 訊務– 熱門應用訊務

» FTP, WWW, DNS» RealPlayer

11

– Router NetFlow 轉送訊務紀錄•Source_IP.source port & destination_IP. destination port

•source & destination interface•protocol identifier•packet count / byte count

12

•常見的訊務監測– Top-N 傳訊 host Traffic

•Source IP : 輸出訊務 list•Dest. IP : 輸入訊務 list

– Top-N 傳訊 host Traffic•www, eDonkey/eMule,

–篩選 /追蹤網路訊務特質•Source/Dest IP address•Application port

13

• This work – measures the top-N traffic volume of ICMP/UDP communication partners• by accumulating the flow count, packet count and byte count

• with the index of the source and destination IP addresses.

– Monitoring/Detecting the extremely abnormal Flooding Traffic

– Automatically block the extremely attack traffic

14

3. Flooding 攻擊訊務的監測

• Flooding Attack 攻擊–採動態 source and dest. port 傳送鉅量封包

•耗損資料傳送沿徑網段 processing 資源•沿徑網段連線頻寬•Computing resource of the destination hosts

• Flooding Attack 訊務特質–快速耗損網路資源

•Intensive packet volume•Intensive flow count

15

•攻擊訊務量測 indexing– IP Communication Partners

•Source_IP > Destination_IP :: 1-to-1•Source_IP > A.B.#.#.(dest_port) :: 1-to-N

•讀取 Netflow log 檔– Indexing with Host pair

• (Not flow, Not session) –比對 protocol id. 累計各 IP pair 訊務

– icmp_flows[pairi], udp_flows[pairi]– icmp_packets[pairi], udp_packets[pairi] – icmp_bytes[pairi], udp_bytes[pairi]

16

–超高的 X-Attack 攻擊訊務數據•Monitoring ICMP/UDP Flooding Traffic

– 排序 /篩選 /顯示單日各小時的超高傳訊數據» netflow log 數» Packet_Size,» Packet 封包數 ,Bytes 總量

•超高攻擊訊務值– Obviously distinct from general traffic – icmp_packet[pairi] / hour– udp_packet[pairi] / hour

» Dozens of million packet (107)

17

•透過 Hypertext Preprocessor (PHP) scripting 網頁程式 –提供用戶隨時監測 X-Attack 攻擊訊務

•用戶輸入查詢日期 ,invoke PHP 程式讀取擊訊務數據顯示於網頁 .

–超量 ICMP/UDP 攻擊訊務數據 •Fig.1, Fig.2

18

19

20

21

• Streaming/Game UDP 訊務– 163.13.10.141<->61.171.38.242

•Counter_Strike servers – (27015/UDP service port) 的訊務

•平均封包大小約為 70 ~200 Bytes/Packet

– 218.146.254.203, 64.95.80.9 •MediaPlayer 　 servers•每小時送出的數十 Mbytes 訊務•平均封包大小約為 1500 Bytes/Packet

22

– 203.242.146.143>203.72.179.12 TFtp flow•感染主機持續送出的 TFtp 封包 ,

– mean packet size 約為 544 Byte/Packet.•依據主機 IP位址篩選 netflow logs,

– 該主機同時對數部主機發出頻仍 SYN request» 的 httpd service port ( 80/TCP)» (packet size 為 48 Bytes),

•傳訊行為吻合 Nimda virus 攻擊特徵

23

24

25

4 Flooding Attack 訊務的自動阻絕與通告

• Attack host pair 間傳送的超量攻擊– packet 數與訊務量異常高於一般網路應用

• General udp_packet[pairi] – Little than 105 pkt per hour

• Attack traffic– Higher than 107 pkt per hour

• 群集式 Attack 攻擊– 結合數部具高連接頻寬的 IP 主機– 同時傳送超量無用封包往同一 victim 主機

26

•實作攻擊訊務的自動阻絕與通告–篩選高於 threshold 值之訊務紀錄

– icmp_packet[pairi]/ hour > 10,000,000– udp_packet[pairi]/ hour > 10,000,000

–自動連接區網 router•讀取每小時的 Top-N ICMP/UDP traffic records•自動設定 Access Control Lists (ACLs)

–限制檢測的攻擊主機傳訊

27

•攻擊事件的自動通告–自動連接 RWhois IP 管理資訊查詢伺服主機

•查詢攻擊 source IP 主機的管理 /用戶 mail address–將檢測的攻擊訊務數據 ,發信通知管理員 /用戶

•加速感染系統的修復 ,根本排除 X-Attack 攻擊起源•統計 UDP訊務的 Packet/Byte標準差

• X-Attack 攻擊 packet 數與訊務量異常高於一般網路應用

•累計的 ICMP/UDP host pairs 訊務標準差 list – 提供攻擊訊務的監測指標

28

npktudpmean

i

n

i

)pkt(pair_udp___ 1

, i = 0, 1, 2, ... , n

1

)__ktpair_udp_p()__(

21

n

pktudpmeanpktudpstd

n

ii

i

nbyteudpmean

i

n

i

)byte(pair_udp___ 1

, i = 0, 1, 2, ... , n

1

)__ytepair_udp_b()__(

21

n

byteudpmeanbyteudpstd

n

ii

i

29

30

31

32

Traffic Volume of ICMP/UDP X-Attack

0

200000

400000

600000

800000

Apr May Jun Jul Aug Sep

Month

Traff

. Vol

ume

(GBy

tes)

ICMP Flooding

UDP Flooding

Fig. 4 Traffic Volume of X-Attack ICMP/UDP Flooding

33

5. 結論• 依據攻擊訊務特徵實作監測網頁

– 提供用戶監測 /修護感染主機漏洞– 自動阻絕明顯的超量攻擊

• Attack 攻擊主機的通告 /回饋經驗• Windows 2000 without patch (dominant)• Linux web server• FreeBSD web server

• Blaster 攻擊主機的通告 /回饋經驗• Windows 2000 /XP•需完成 MS patches, Fix_Blast.exe, Fix_Welch.exe

34

•持續 well-know service 攻擊訊務監測– Abnormal SMTP Traffic (Spam)– Abormal P2P Attack Traffic

•透過務變量的 stochastic modeling–檢測更廣泛的 TCP 攻擊訊務特徵–協助辨識與阻絕 P2P 攻擊

• Reference Site– http://lisa.tyc.edu.tw

35

Thank You !