The Detection of DDOS Flooding Attack using Hybrid Analysis in IPv6 Networks G.B. Satrya, R.L. Chandra, and F.A. Yulianto Forensics and Security Laboratory, Telkom School of Computing, Telkom University, Bandung. Indonesia.
Outline
i. Introduction
ii. Related Works
iii. DOS & IDS Overview
iv. Proposed Scheme
v. Implementation & Evaluation
vi. Conclusion
Introduction
▪ IPv6 is intended to replace IPv4, whose address space is exhausted.
▪ Several security problems of IPv4 still exist in IPv6.
▪ Security issues in IPv6 include reconnaissance attacks, routing header abuse, fragment header DOS (Denial of Service) attacks, ICMPv6 spoofing, tunneling, and dual-stack weaknesses.
▪ One of the attacks to be concerned about is DDOS (Distributed Denial of Service).
Related Works
1) Misuse of ICMPv6 and multicast: IPv6 multicast uses only a simple authentication scheme, so it is difficult to restrict which hosts may use it.
2) Network reconnaissance: an attacker can attack all DHCP servers at the same time by sending a single packet to the address
3) Fragmentation attack: IPv6's minimum MTU (Maximum Transmission Unit) is 1280 bytes, and fragments smaller than 1280 bytes are dropped.
DOS Overview
Denial of Service attack classes (from the slide's taxonomy figure): Network Device Level, OS Level, Application Level, Data Flood, Protocol Feature Attack.
▪ DOS (Denial of Service) and DDOS (Distributed Denial of Service) are flooding attacks that are often used to take a network down.
▪ The difference between them is only the number of attacking sources.
DDOS (Defense Mechanism Architectures)
1) Victim-end defense mechanism: a detection engine is used to detect network intrusions, both online and offline.
2) Source-end defense mechanism: it has a throttling component that rate-limits outgoing connections.
3) Intermediate-network defense mechanism: it includes additional modules, such as observations from other routers, which are used to compare local traffic with that of neighbouring routers.
IDS on IPv6 (Overview)
▪ An IDS (Intrusion Detection System) monitors the events that occur on a network and is responsible for the security of that network [12].
▪ An IDS has three main functions: a) collecting information from the existing network traffic, b) analysing the collected information, and c) responding to the events flagged by that analysis.
▪ However, only a few IDSs support DDOS detection across IPv6 as a whole [7]; the two approaches used are source address analysis and network flow analysis.
Proposed Scheme
▪ During a DDOS attack the system receives millions of packets, so matching every packet against every attack signature is too slow.
▪ To speed up detection, the count of each detected signature is compared against a threshold, and a signature is reported only when its count exceeds that threshold.
▪ In the prototype, packets are counted per client and compared against a threshold of 3200 packets per client per detection cycle to decide whether the network is in a crowded state.
▪ The threshold was calibrated by having a client access a content-heavy website on the server at high intensity, which produced about 3200 packets every 30 seconds.
Proposed Scheme (Decision Algorithm)

Boolean BigPacket  <- checkSumPacketperClient()
Boolean IcmpPacket <- cekIcmpv6()
Boolean SynAtk     <- cekSynFlood()
Boolean AdvAtk     <- cekAdvAttack()

If BigPacket = True
    If IcmpPacket = False and SynAtk = False and AdvAtk = False
        Output "Big Traffic"
    Else if IcmpPacket = True and SynAtk = False and AdvAtk = False
        Output "Big Traffic"
    Else if IcmpPacket = True and SynAtk = False and AdvAtk = True
        Output "Router Advertisement Attack"
    Else if IcmpPacket = False and SynAtk = True and AdvAtk = False
        Output "SYN Flood Attack"
    Else if IcmpPacket = True and SynAtk = True and AdvAtk = True
        Output "SYN Flood and Router Advertisement Attack"
Else
    Output "Normal"
DDOS Hybrid Detection Algorithm (flowchart of the proposed system)
START -> Capture & read packet -> Database -> Detection engine (number of packets per client, number of ICMPv6 packets, TCP SYN flow, Router Advertisement flow) -> Decision engine -> DDOS?
  yes: record the details of the attack (starting time, attacker IP, number of packets) and blacklist the IP
  no:  record the detailed state of the network (client IP, number of packets)
-> Record the log -> END

The detection engine proceeds as follows:
1) Count the packets per client and compare the count against a threshold that was predetermined by simulating a busy network. If the count exceeds the threshold, the network traffic is in the crowded state.
2) Check the signatures of DDOS attacks, such as the SYN flood and the router advertisement attack. If a signature count breaks its limit, the traffic is concluded to be a DDOS attack.
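As an added example (not the authors' prototype code), the following Python script implements the two engine steps and the decision algorithm above over constructed packet records: per-client packet counting for one 30-second detection cycle against the 3200-packet threshold from the slides, ICMPv6 counting, a SYN-flood signature, a Router-Advertisement-flood signature, the decision, and the two log outputs (attack details plus blacklist, or network state). The ICMPv6, SYN and RA thresholds, the packet-record format and the traffic sample are assumptions of this example. The decision function also generalises the slide's branch table so that every combination of the four flags gets an explicit outcome: once the packets-per-client flag is set, the SYN and RA signatures are checked independently.

```python
"""Hybrid DDoS flooding detector for IPv6 (added example, not the paper's prototype).

Packet records are constructed tuples (timestamp_s, src_ip, proto, flag), where
proto is "tcp", "icmpv6" or "udp", and flag is "SYN" for a TCP SYN, "RA" for an
ICMPv6 Router Advertisement, or "" otherwise.
"""
from collections import Counter, defaultdict

WINDOW_S = 30                 # detection cycle from the slides
BIG_PACKET_THRESHOLD = 3200   # packets per client per cycle (from the slides)
ICMPV6_THRESHOLD = 1000       # assumption for this example
SYN_THRESHOLD = 1000          # assumption: SYNs per client per cycle
RA_THRESHOLD = 200            # assumption: RAs per source per cycle


def analyse_window(packets, window_start):
    """Step 1 and signature counting: per-client totals, ICMPv6, SYN and RA counts
    for the packets that fall inside one detection cycle."""
    stats = defaultdict(Counter)
    for ts, src, proto, flag in packets:
        if not (window_start <= ts < window_start + WINDOW_S):
            continue
        c = stats[src]
        c["total"] += 1
        if proto == "icmpv6":
            c["icmpv6"] += 1
            if flag == "RA":
                c["ra"] += 1
        elif proto == "tcp" and flag == "SYN":
            c["syn"] += 1
    return stats


def decide(counts):
    """Decision engine for one client. Any verdict other than 'normal' requires
    the packets-per-client threshold to be exceeded (BigPacket in the slides);
    an RA attack additionally requires the ICMPv6 count to be over threshold,
    because an RA flood is an ICMPv6 flood."""
    big = counts.get("total", 0) > BIG_PACKET_THRESHOLD
    icmp = counts.get("icmpv6", 0) > ICMPV6_THRESHOLD
    syn = counts.get("syn", 0) > SYN_THRESHOLD
    ra = icmp and counts.get("ra", 0) > RA_THRESHOLD
    if not big:
        return "normal"
    if syn and ra:
        return "SYN flood and Router Advertisement attack"
    if syn:
        return "SYN flood attack"
    if ra:
        return "Router Advertisement attack"
    return "big traffic"


def run_cycle(packets, window_start):
    """One pass of the flowchart: returns (attack log, network-state log, blacklist)."""
    attacks, state, blacklist = [], [], set()
    for src, counts in analyse_window(packets, window_start).items():
        verdict = decide(counts)
        if verdict in ("normal", "big traffic"):
            state.append({"ip": src, "packets": counts["total"], "status": verdict})
        else:
            attacks.append({"start": window_start, "ip": src,
                            "packets": counts["total"], "attack": verdict})
            blacklist.add(src)
    return attacks, state, sorted(blacklist)


def sample_traffic():
    """Constructed traffic for one cycle: a busy legitimate client, a SYN flooder,
    an RA flooder and a quiet client (addresses are documentation/link-local)."""
    pkts = []
    for i in range(4000):   # heavy but legitimate: mostly data, an occasional SYN
        pkts.append((i * WINDOW_S / 4000, "2001:db8::10", "tcp", "SYN" if i % 100 == 0 else ""))
    for i in range(5000):   # SYN flooder
        pkts.append((i * WINDOW_S / 5000, "2001:db8::bad1", "tcp", "SYN"))
    for i in range(3500):   # RA flooder on the local link
        pkts.append((i * WINDOW_S / 3500, "fe80::bad2", "icmpv6", "RA"))
    for i in range(50):     # quiet client
        pkts.append((i * 0.5, "2001:db8::20", "udp", ""))
    return pkts


if __name__ == "__main__":
    attacks, state, blacklist = run_cycle(sample_traffic(), 0)
    for entry in attacks:
        print("ATTACK", entry)
    for entry in state:
        print("STATE ", entry)
    print("blacklist:", blacklist)
```

On the sample the heavy legitimate client is reported as "big traffic" rather than as an attack, the SYN and RA flooders are logged and blacklisted, and the quiet client stays "normal"; a real deployment would feed `analyse_window` from a capture and advance `window_start` every 30 seconds.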
Scenario (Probabilities on Decision)

Inputs to the decision engine (1 = threshold exceeded or signature present), enumerated over all 16 combinations:
  Number of packets / client:  0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1
  Number of ICMPv6 packets:    0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1
  SYN flood signature:         0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1
  RA flood signature:          0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
Decision: Normal whenever the packets-per-client threshold is not exceeded; otherwise one of Big packet, RA flood, SYN flood, or SYN and RA flood, according to the decision algorithm.
Scenario (Examination)

No  Type       Scenario
1   Normal     Low access
2   Normal     High access
3   Attacking  SYN flood
4   Attacking  IPv6 Router Advertisement attack
5   Attacking  SYN & RA attack
6   Random     Legitimate user & attacker

Each scenario runs for 180 s (data dumping followed by data analysis) with a detection cycle of 30 s.
Result of All Scenarios

Scenario                            1        2         3        4        5        6
False alarms (times)                0        0         1        1        0        3
Detection accuracy (%)              100      100       95       95       100      85
Average detection speed (s)         32.882   166.664   53.974   38.097   49.371   97.377
When the network is in a normal state (scenarios 1 and 2), the prototype determined the network status with 100% accuracy; however, in the crowded state (scenario 2) detection slowed to an average of 2 minutes 46 seconds. When the whole network is under DDOS attack (scenarios 3, 4 and 5), accuracy drops slightly to 95%, while detection takes less than one minute. When the network carries both legitimate packets and DDOS attacks (scenario 6), accuracy drops to 85% and detection takes about 1 minute 37 seconds.
Conclusion & Future Works
▪ The two methods, source address analysis and network flow analysis, can be applied appropriately to the detection of DDOS flooding attacks in IPv6.
▪ The DDOS detection prototype can be employed on networks in a variety of conditions: normal operation with low or high traffic, flooding attacks (SYN and RA), and a mix of both.
▪ Even in the most complicated case, the test results show that the detection prototype works well.
▪ Future work: enrich the attack signatures by testing a wider variety of DDOS attacks, in order to increase detection accuracy.
Thank You