Threshold Based HTTP Filter

Transcript
  • 1. “THRESHOLD BASED KERNEL LEVEL HTTP FILTER (TBHF)” for DDoS Mitigation
    by MOHAMED IBRAHIM AK (82008132041) and LIJO GEORGE (82008132515), Dept. of CSE, TEC, Trichy
    Internal guide: Mr. A. NARENTHIRA KUMAR, Asst. Professor, Dept. of CSE, TEC, Trichy
    External guide: Dr. S. SELVAKUMAR, Professor, Dept. of CSE, NIT, Trichy
  • 2. OUTLINE
    - Abstract
    - Insight into DDoS attack
    - Existing and Proposed system
    - Algorithm
    - Modules
    - TBHF Driver
    - Technology
    - Conclusion
    - References
    Dept. of CSE, TEC. 3 April 2012
  • 3. Abstract
    - Application layer attack
    - Client side scripting
    - High rate flooding attack
    - No manifestation on the compromised host
    - Data-on-the-flow analysis (packets are inspected inline as they leave the host)
    - Threshold based Decision Support System
    - Vulnerability status: effective, real time
  • 5. DDoS attack - Actors
    - Individuals: Julian Assange - Wikileaks
    - Blackhat underground community: ‘Anonymous’, ‘Lords of Dharmaraja’
    - Government sponsored: China - GhostNet; Israel - Stuxnet
    Note: GhostNet was an espionage network and Stuxnet a sabotage worm; the slide lists them as examples of state-sponsored operations, not of DDoS attacks.
  • 6. DDoS attack - Scenario
    - Coordinated attack on a given target system through many compromised systems.
    [Diagram: Attacker → Medium (M1, M2, M3, …, Mn) → Compromised Systems (C, C, C, …, C) → Target]
  • 7. DDoS attack - Analysis (figure only)
  • 8. DDoS attack - Timeline
    - July 2011: LiveJournal hit by massive cyber attack
    - March 2011 (Korean websites): 40 websites under DDoS attack
    - February 2011 (Total Choice Hosting network): 700,000 packets per second, 600 Mbps
    - January 2011: FBI executed 40 search warrants for DDoS attacks carried out with the Low Orbit Ion Cannon (LOIC) tool
  • 10. Existing System
    - Predominantly server side
    - Page access behaviour
    - Captcha
    - Black list
    - Signature based detection
  • 11. Proposed System
    - Client side
    - Threshold based
    - Real time: monitoring, detection, prevention
    - No attack signatures needed, so previously unseen (zero-day) flooding tools are covered as long as they exceed the threshold
  • 13. Algorithm
    1. Capture traffic:
       a. Filter outbound TCP packets
       b. Filter HTTP packets
       c. if (packet type == "GET") Action = inspect;
       d. else Action = allow;
    2. Extract parameters:
       a. remote IP
       b. Time
  • 14. Algorithm Contd…
    // r.addr1, r.addr2, …, r.addri -> remote IP of each GET
    // T1, T2, …, Ti -> arrival time of each GET
    // ∆t -> length of the time window
    3. Inspect:
       a. if (r.addri not in array) { addr[i] = r.addri; t[i] = Ti; r.count[i] = 1; }
       b. else if (r.addri in array && (T(i+1) - t[i]) <= ∆t) r.count[i]++;
       c. else { t[i] = T(i+1); r.count[i] = 1; }   // window expired: restart the count for that host
  • 15. Algorithm Contd…
    // N -> Threshold value
    4. Decision Making:
       a. if (r.count[i] >= N) Action = drop packet;   // N GETs to one host within ∆t is treated as flooding
       b. else Action = allow packet;
  • 16. Software Requirements
    - Attacker end: PHP (front end), MySQL (back end), WampServer 2.2a
    - Analysis: Wireshark
    - Prevention: Windows Filtering Platform (WFP)
  • 18. Modules
    - Capture Traffic: filter outbound TCP packets, HTTP packets, HTTP ‘GET’ packets
    - Extract Parameters: remote IP, time of packet arrival
    - Inspect: TBHF policy
    - Decision Making: dropped or allowed
  • 19. Modules – Capture Traffic
    - Filter: outbound packets → TCP packets → HTTP packets → HTTP GET packets
  • 20. Modules – Extract Parameters
    - Scan HTTP GET packets
    - Extract remote IP and arrival time
    - Store in a UINT32 array
  • 21. Modules – Inspect, Decision Making
    - Inspect: time stamp, remote IP, per-IP count
    - Decision Making: threshold
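The four steps of the algorithm slides (13–15) and the four modules above (18–21) describe one procedure: classify an outbound packet as an HTTP GET, key it by remote IP and arrival time, count GETs per host inside a window ∆t, and drop once the count reaches N. The following is an added example written for this page, not the authors' TBHF driver: a user-space C model of that policy. The threshold N = 20, the window ∆t = 1000 ms, the 64-entry host table and the IPv4 addresses in the traces are all assumed, constructed values, and the kernel/WFP plumbing of the real driver is left out so the decision logic can be run on its own.

```c
/*
 * Added example, not the TBHF authors' driver: a user-space C model of the
 * threshold policy. Outbound HTTP GETs are counted per remote IPv4 address;
 * once TBHF_N GETs to one host fall inside a window of TBHF_DT_MS ms, further
 * GETs in that window are dropped. All constants below are assumed values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TBHF_MAX_HOSTS 64    /* remote hosts tracked at once (assumed) */
#define TBHF_N         20    /* threshold N: GETs per window (assumed) */
#define TBHF_DT_MS     1000  /* window length delta-t in ms (assumed) */

enum tbhf_action { TBHF_ALLOW = 0, TBHF_DROP = 1 };

struct tbhf_entry {
    bool     used;
    uint32_t addr;     /* remote IPv4 address, host byte order */
    uint64_t t_start;  /* start of the current window, ms */
    uint32_t count;    /* GETs seen since t_start */
};

struct tbhf_state { struct tbhf_entry tab[TBHF_MAX_HOSTS]; };

void tbhf_init(struct tbhf_state *s) { memset(s, 0, sizeof *s); }

/* Step 1c: only HTTP GET requests are inspected. A minimal check on the first
 * bytes of a TCP payload; anything else passes untouched. */
bool tbhf_is_http_get(const uint8_t *payload, size_t len)
{
    return len >= 5 && memcmp(payload, "GET /", 5) == 0;
}

/* Find the entry for addr; otherwise hand back a free slot or, when the table
 * is full, recycle the entry whose window started longest ago. */
static struct tbhf_entry *tbhf_lookup(struct tbhf_state *s, uint32_t addr)
{
    struct tbhf_entry *victim = &s->tab[0];
    for (int i = 0; i < TBHF_MAX_HOSTS; i++) {
        struct tbhf_entry *e = &s->tab[i];
        if (e->used && e->addr == addr) return e;
        if (!e->used && victim->used) victim = e;             /* free slot wins */
        else if (e->used && victim->used && e->t_start < victim->t_start) victim = e;
    }
    victim->used = false;  /* new or recycled slot; tbhf_decide fills it in */
    return victim;
}

/* Steps 3 and 4: update the per-host window counter, then decide. */
enum tbhf_action tbhf_decide(struct tbhf_state *s, uint32_t addr, uint64_t t_ms)
{
    struct tbhf_entry *e = tbhf_lookup(s, addr);
    if (!e->used) {                          /* 3a: first GET to this host */
        e->used = true; e->addr = addr; e->t_start = t_ms; e->count = 1;
        return TBHF_ALLOW;
    }
    if (t_ms - e->t_start <= TBHF_DT_MS) {   /* 3b: still inside the window */
        e->count++;
    } else {                                 /* 3c: window over, start a new one */
        e->t_start = t_ms; e->count = 1;
    }
    /* 4: N GETs to one host within the window is treated as flooding: drop. */
    return e->count >= TBHF_N ? TBHF_DROP : TBHF_ALLOW;
}

/* Constructed trace of ordinary browsing: two hosts, a few GETs each,
 * hundreds of ms apart. Returns the number of dropped GETs (expected 0). */
int tbhf_browsing_drops(void)
{
    static const uint32_t addrs[] = { 0x0A000001u, 0x0A000002u, 0x0A000001u,
                                      0x0A000002u, 0x0A000001u, 0x0A000001u };
    static const uint64_t times[] = { 0, 50, 300, 350, 900, 1500 };
    struct tbhf_state s;
    int dropped = 0;
    tbhf_init(&s);
    for (size_t i = 0; i < sizeof times / sizeof times[0]; i++)
        if (tbhf_decide(&s, addrs[i], times[i]) == TBHF_DROP) dropped++;
    return dropped;
}

/* Constructed flood: n GETs to one host, one every gap_ms. Returns drops. */
int tbhf_flood_drops(uint32_t addr, int n, uint64_t gap_ms)
{
    struct tbhf_state s;
    int dropped = 0;
    tbhf_init(&s);
    for (int i = 0; i < n; i++)
        if (tbhf_decide(&s, addr, (uint64_t)i * gap_ms) == TBHF_DROP) dropped++;
    return dropped;
}

int main(void)
{
    const uint32_t target = 0xC0A80105u;   /* 192.168.1.5, constructed */
    printf("browsing: %d dropped\n", tbhf_browsing_drops());
    printf("100 GETs at 10 ms: %d dropped\n", tbhf_flood_drops(target, 100, 10));
    printf("100 GETs at 200 ms: %d dropped\n", tbhf_flood_drops(target, 100, 200));
    return 0;
}
```

With these constants a bot issuing 100 GETs to one host 10 ms apart has its 20th and every later request in that second dropped (81 of 100), while the browsing trace passes untouched. The third run shows the caveat of any fixed threshold: the same 100 GETs paced 200 ms apart never reach N inside one window and are all allowed, so N and ∆t have to be tuned against the request rate a legitimate browser produces for the sites the host actually visits, and a slow-rate flood remains out of reach of this policy.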
  • 23. Positioning of TBHF in kernel space (figure only)
  • 24. Implementation (figure only)
  • 25. Life Cycle
    [Diagram: Capturing (outbound packet → TCP packets → HTTP packet → ‘GET’ packet) → Filtering (TBHF filtering driver: extract time of packet, extract ‘IP’ info) → Inference (inspection)]
  • 26. Filter performance (figure only)
  • 28. Technology
    - Windows Filtering Platform (WFP)
    - Available since Windows Vista (codename Longhorn)
    - Lets a kernel-mode callout driver inspect and modify packets at several layers of the network stack
  • 29. Conclusion
    - Deployed at kernel level
    - As a kernel-mode filter it has priority to block or rewrite packets before they leave the host
    - Real time prevention
    - The host's participation in a DDoS attack is prevented
    - Future enhancement: mobile platforms
  • 30. References
    - Ying Xuan, Incheol Shin, My T. Thai, and Taieb Znati, “Detecting Application Denial-of-Service Attacks: A Group-Testing-Based Approach”, IEEE Transactions on Parallel and Distributed Systems, Vol. 21, No. 8, pp. 1203-1216, August 2010.
    - Takeshi Yatagai, Takamasa Isohara, and Iwao Sasase, “Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behaviour”, IEEE Conference on Communications, Computers and Signal Processing, August 2007.
    - Windows Filtering Platform, MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx
  • 31. Thank You!!!