Monitoring and Blocking of Flooding Attack Traffic
Computing Center, National Central University (中央大學 電算中心)
楊素秋 [email protected]
Post on 19-Dec-2015
Outline
• 1. Motivation
• 2. Network traffic measurement
• 3. Monitoring flooding attack traffic
• 4. Automatic blocking and notification of attack traffic
• 5. Conclusion
1. Motivation
• Frequent network attack incidents
  – Internet transport protocols are wide open
    • Forged IP address
    • Forged application port
    • Forged protocol id.
• ICMP/UDP Flooding
  – Attackers can markedly increase the volume of attack traffic
    • congest regional networks
    • jam the network links throughout the transmission path
• TCP attack
  – Denial of Service (DoS)
    • attacks on well-known services
    • providing the attacker with full remote access to the servers
  – Distributed flooding attack
    • overwhelms the transport and routing resources
2. Network traffic measurement
• Attack traffic characteristics
  – Intensive traffic volume
    • ICMP flooding (host-to-host)
    • PING storm (N * host-to-host)
  – Intensive connection counts
    • SYN flooding
      – host-to-M_hosts
    • DoS/DDoS
      – N * (host-to-M_hosts)
  – Forged transport attributes
    • Spoofed source IP address
      – Smurf, DRDoS
    • Dynamic src_port and dst_port
      – to evade filtering by firewalls and administrators
    • Dynamic attack / dormant periods
  – Group flooding traffic
    • DDoS
    • DRDoS
• Logs of forwarded network traffic
  – Tcpdump
    • Snoops broadcast packet headers
    • LAN segment
    • Packet-based
  – NetFlow
    • WAN router caches and aggregates the header information of transit packets
    • Transport traffic log
    • Flow-based
  – Tcpdump
    • Typical application for sniffing broadcast packets on a LAN segment
      – Network users can obtain a log of the packets transmitted on the LAN through tcpdump
    • Administrators can use the captured packet records
      – end-to-end IP addresses, packet length, and socket ports
      – to compute statistics and analyse the actual traffic volume and traffic characteristics of the network
    • Helps confirm and troubleshoot network problems
  – Related works
    • Kushida T.
      – Captured packet logs of an FDDI segment with Tcpdump
      – Measured the TCP and UDP traffic volume and transmission characteristics of the network
    • Thompson K.
      – Monitored and measured the load carried by a single ATM link
      – TCP and UDP traffic
      – Popular application traffic
        » FTP, WWW, DNS
        » RealPlayer
  – Router NetFlow forwarding traffic records
    • Source_IP.source port & destination_IP.destination port
    • source & destination interface
    • protocol identifier
    • packet count / byte count
• Common traffic monitoring
  – Top-N host traffic
    • Source IP: outbound traffic list
    • Dest. IP: inbound traffic list
  – Top-N traffic by application
    • www, eDonkey/eMule, ...
  – Filtering / tracing traffic characteristics
    • Source/Dest IP address
    • Application port
• This work
  – measures the top-N traffic volume of ICMP/UDP communication partners
    • by accumulating the flow count, packet count and byte count
    • with the index of the source and destination IP addresses
  – Monitors/detects extremely abnormal flooding traffic
  – Automatically blocks extreme attack traffic
3. Monitoring flooding attack traffic
• Flooding attack
  – Sends huge volumes of packets using dynamic source and dest. ports
    • exhausts the processing resources of the network segments along the transmission path
    • exhausts the link bandwidth of the segments along the path
    • exhausts the computing resources of the destination hosts
• Characteristics of flooding attack traffic
  – rapidly exhausts network resources
    • Intensive packet volume
    • Intensive flow count
• Indexing of attack traffic measurements
  – IP communication partners
    • Source_IP > Destination_IP :: 1-to-1
    • Source_IP > A.B.#.#.(dest_port) :: 1-to-N
  – Read the NetFlow log files
    • Index by host pair (not by flow, not by session)
    • Compare the protocol id. and accumulate the traffic of each IP pair
      – icmp_flows[pair_i], udp_flows[pair_i]
      – icmp_packets[pair_i], udp_packets[pair_i]
      – icmp_bytes[pair_i], udp_bytes[pair_i]
  – Extremely high X-Attack traffic figures
    • Monitoring ICMP/UDP flooding traffic
      – Sort / filter / display the extremely high hourly transmission figures for each day
        » number of netflow log entries
        » Packet_Size
        » packet count, total bytes
    • Extremely high attack traffic values
      – Obviously distinct from general traffic
      – icmp_packet[pair_i] / hour
      – udp_packet[pair_i] / hour
        » Tens of millions of packets (10^7)
• Web page written with Hypertext Preprocessor (PHP) scripting
  – Lets users monitor X-Attack traffic at any time
    • The user enters a query date; the PHP script is invoked to read the attack traffic figures and display them on the page.
  – Excessive ICMP/UDP attack traffic figures
    • Fig. 1, Fig. 2
• Streaming/game UDP traffic
  – 163.13.10.141 <-> 61.171.38.242
    • Traffic of Counter-Strike servers (27015/UDP service port)
    • Average packet size about 70 to 200 bytes/packet
  – 218.146.254.203, 64.95.80.9
    • MediaPlayer servers
    • Send out tens of Mbytes of traffic per hour
    • Average packet size about 1500 bytes/packet
  – 203.242.146.143 > 203.72.179.12 TFTP flow
    • The infected host continuously sends TFTP packets,
      – mean packet size about 544 bytes/packet.
    • Filtering the netflow logs by that host's IP address,
      – the host simultaneously issues frequent SYN requests to several hosts
        » to the httpd service port (80/TCP)
        » (packet size 48 bytes),
    • The transmission behaviour matches the attack signature of the Nimda virus
4. Automatic blocking and notification of flooding attack traffic
• Excessive attack traffic sent between an attack host pair
  – packet counts and traffic volume are abnormally higher than those of general network applications
  – General udp_packet[pair_i]: less than 10^5 pkt per hour
  – Attack traffic: higher than 10^7 pkt per hour
• Clustered attack
  – combines several IP hosts with high access bandwidth
  – simultaneously sends excessive useless packets toward the same victim host
• Implementation of automatic blocking and notification of attack traffic
  – Filter the traffic records above the threshold
    – icmp_packet[pair_i] / hour > 10,000,000
    – udp_packet[pair_i] / hour > 10,000,000
  – Automatically connect to the campus network router
    • read the hourly Top-N ICMP/UDP traffic records
    • automatically configure Access Control Lists (ACLs)
  – Restrict transmission from the detected attack hosts
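The host-pair indexing described in Section 3 (accumulating icmp/udp flows, packets and bytes per source/destination IP pair, ignoring ports) and the threshold-then-ACL procedure above can be demonstrated together. The following is an added example, not code from the presentation or the lisa.tyc.edu.tw site; it is written in Python rather than the PHP and router tooling the talk used. The flow records are constructed, the field order and the Cisco extended-ACL syntax are assumptions, and the 10,000,000 packets/hour threshold is the value from the slides.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of one hour of NetFlow-style records (not data from the
# presentation). Field order is an assumption that mirrors the attributes the
# slides list for router NetFlow records:
#   src_ip,src_port,dst_ip,dst_port,proto,packets,bytes
SAMPLE_FLOWS = """\
10.0.0.5,0,192.0.2.9,0,1,6000000,360000000
10.0.0.5,0,192.0.2.9,0,1,5000000,300000000
10.0.0.7,53,192.0.2.20,53,17,120,9600
10.0.0.9,27015,192.0.2.30,27015,17,90000,9000000
10.0.0.11,4444,192.0.2.9,1234,17,11000000,5500000000
10.0.0.11,4445,192.0.2.9,1235,17,2000000,1000000000
"""

PROTO_ICMP, PROTO_UDP = 1, 17
THRESHOLD_PKTS_PER_HOUR = 10_000_000   # threshold stated on the slides


@dataclass
class PairStats:
    flows: int = 0
    packets: int = 0
    bytes: int = 0


def aggregate_by_pair(flow_text):
    """Accumulate flow/packet/byte counts per (src_ip, dst_ip) host pair.

    Ports are deliberately ignored: a flooder that rotates src/dst ports
    spreads its traffic over many flows, but the host pair stays constant,
    so the per-pair sum is what exceeds the threshold.
    """
    icmp = defaultdict(PairStats)
    udp = defaultdict(PairStats)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, _sport, dst, _dport, proto, pkts, nbytes = line.split(",")
        proto = int(proto)
        if proto == PROTO_ICMP:
            table = icmp
        elif proto == PROTO_UDP:
            table = udp
        else:
            continue   # TCP and other protocols are out of scope here
        stats = table[(src, dst)]
        stats.flows += 1
        stats.packets += int(pkts)
        stats.bytes += int(nbytes)
    return icmp, udp


def top_n(table, n=5):
    """Top-N host pairs by packet count, as (pair, PairStats) tuples."""
    return sorted(table.items(), key=lambda kv: kv[1].packets, reverse=True)[:n]


def flag_flooding(table, threshold=THRESHOLD_PKTS_PER_HOUR):
    """Host pairs whose hourly packet count exceeds the threshold."""
    return [(pair, stats.packets) for pair, stats in top_n(table, len(table))
            if stats.packets > threshold]


def acl_lines(flagged, proto_name, acl_number=101):
    """Render deny entries in Cisco extended-ACL syntax (assumed router type).

    Only the flagged src->dst pair is denied, so the source host keeps its
    other connectivity until the administrator has been notified.
    """
    return [f"access-list {acl_number} deny {proto_name} host {src} host {dst}"
            for (src, dst), _pkts in flagged]


if __name__ == "__main__":
    icmp, udp = aggregate_by_pair(SAMPLE_FLOWS)
    for name, table in (("icmp", icmp), ("udp", udp)):
        for line in acl_lines(flag_flooding(table), name):
            print(line)
```

In the sample, the ICMP pair 10.0.0.5 -> 192.0.2.9 is below the threshold in each individual flow (6M and 5M packets) but exceeds it once indexed by host pair, which is exactly why the slides index by pair rather than by flow or session.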
• Automatic notification of attack incidents
  – Automatically connect to the RWhois IP management information query server
    • look up the administrator / user mail address of the attacking source IP host
  – Mail the detected attack traffic figures to the administrator / user
    • speeds up repair of the infected systems and removes the X-Attack source at its root
• Compute the standard deviation of UDP traffic packets / bytes
  – X-Attack packet counts and traffic volume are abnormally higher than those of general network applications
  – The accumulated standard deviation list of ICMP/UDP host pair traffic
    • provides a monitoring indicator for attack traffic
$$\text{mean\_udp\_pkt} = \frac{1}{n}\sum_{i} \text{udp\_pair\_pkt}(\text{pair}_i), \quad i = 0, 1, 2, \ldots, n$$

$$\text{std\_udp\_pkt} = \sqrt{\frac{1}{n-1}\sum_{i}\bigl(\text{udp\_pair\_pkt}(\text{pair}_i) - \text{mean\_udp\_pkt}\bigr)^2}$$

$$\text{mean\_udp\_byte} = \frac{1}{n}\sum_{i} \text{udp\_pair\_byte}(\text{pair}_i), \quad i = 0, 1, 2, \ldots, n$$

$$\text{std\_udp\_byte} = \sqrt{\frac{1}{n-1}\sum_{i}\bigl(\text{udp\_pair\_byte}(\text{pair}_i) - \text{mean\_udp\_byte}\bigr)^2}$$
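The mean and standard deviation of the per-pair udp_packet counts, used on the slides as a monitoring indicator alongside the fixed threshold, can be computed and turned into a ranked deviation list as follows. This is an added example, not code from the presentation; the per-pair packet counts are constructed, the sample (1/(n-1)) normalisation follows the formulas above, and the cut-off of two standard deviations above the mean is an assumption.

```python
import math

# Constructed hourly udp_packet[pair_i] counts for 13 host pairs (not figures
# from the presentation): twelve ordinary pairs plus one flooding pair.
SAMPLE_UDP_PACKETS = {
    (f"10.0.0.{i}", f"192.0.2.{20 + i}"): 30_000 + 5_000 * i for i in range(12)
}
SAMPLE_UDP_PACKETS[("10.0.0.11", "192.0.2.9")] = 13_000_000


def mean_udp_pkt(counts):
    """mean_udp_pkt = (1/n) * sum_i udp_pair_pkt(pair_i)."""
    values = list(counts)
    return sum(values) / len(values)


def std_udp_pkt(counts):
    """Sample standard deviation, 1/(n-1) normalisation as in the formula."""
    values = list(counts)
    n = len(values)
    if n < 2:
        raise ValueError("need at least two host pairs to form a deviation")
    m = mean_udp_pkt(values)
    return math.sqrt(sum((v - m) ** 2 for v in values) / (n - 1))


def deviation_list(per_pair):
    """Rank host pairs by standard deviations above the mean, descending.

    Returns [(pair, z)] where z = (udp_pair_pkt - mean) / std. Note that
    with n pairs no z can exceed (n-1)/sqrt(n), so the indicator needs a
    reasonably large population of pairs to separate a flooder clearly.
    """
    m = mean_udp_pkt(per_pair.values())
    s = std_udp_pkt(per_pair.values())
    if s == 0:
        return [(pair, 0.0) for pair in per_pair]   # all pairs identical
    return sorted(((pair, (v - m) / s) for pair, v in per_pair.items()),
                  key=lambda kv: kv[1], reverse=True)


def flagged_pairs(per_pair, k=2.0):
    """Host pairs more than k standard deviations above the mean (k assumed)."""
    return [pair for pair, z in deviation_list(per_pair) if z > k]


if __name__ == "__main__":
    for pair, z in deviation_list(SAMPLE_UDP_PACKETS):
        print(f"{pair[0]:>10} -> {pair[1]:<12} z = {z:+.2f}")
    print("flagged:", flagged_pairs(SAMPLE_UDP_PACKETS))
```

Because one flooding pair inflates both the mean and the standard deviation, the deviation list is a ranking indicator rather than a replacement for the absolute 10^7 packets/hour threshold; the slides use the two together.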
Fig. 4 Traffic Volume of X-Attack ICMP/UDP Flooding (chart: monthly traffic volume in GBytes, Apr to Sep, y-axis 0 to 800000; two series, ICMP Flooding and UDP Flooding)
5. Conclusion
• Implemented a monitoring web page based on the characteristics of attack traffic
  – lets users monitor / repair the vulnerabilities of infected hosts
  – automatically blocks obviously excessive attacks
• Experience and feedback from notifying attack hosts
  – Windows 2000 without patches (dominant)
  – Linux web server
  – FreeBSD web server
• Experience and feedback from notifying Blaster attack hosts
  – Windows 2000 / XP
  – need to complete the MS patches, Fix_Blast.exe, Fix_Welch.exe
• Continue monitoring attack traffic on well-known services
  – Abnormal SMTP traffic (spam)
  – Abnormal P2P attack traffic
• Through stochastic modeling of traffic variables
  – detect a broader range of TCP attack traffic characteristics
  – help identify and block P2P attacks
• Reference site
  – http://lisa.tyc.edu.tw
Thank You !