Your SlideShare is downloading. ×
Mitigating Active Attacks Towards Client Networks Using the Bitmap Filter
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Saving this for later?

Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime - even offline.

Text the download link to your phone

Standard text messaging rates apply

Mitigating Active Attacks Towards Client Networks Using the Bitmap Filter

417
views

Published on

With the emergence of active worms, the targets of attacks have been moved from well-known Internet servers to generic Internet hosts, and since the rate at which patches can be applied is always much …

With the emergence of active worms, the targets of attacks have been moved from well-known Internet servers to generic Internet hosts, and since the rate at which patches can be applied is always much slower than the spread of a worm, an Internet worm can usually attack or infect millions of hosts in a short time. It is difficult to eliminate Internet attacks globally; thus, protecting client networks from being attacked or infected is a relatively critical issue.

In this paper, we propose a method that protects client networks from being attacked by people who try to scan, attack, or infect hosts in local networks via unpatched vulnerabilities. Based on the symmetry of network traffic in both temporal and spatial domains, a bitmap filter is installed at the entry point of a client network to filter out possible attack traffic. Our evaluation shows that with a small amount of memory (less than 1 megabyte), more than 95% of attack traffic can be filtered out in a small- or medium-scale client network.

Published in: Technology, News & Politics

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
417
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Mitigating Active Attacks Towards Client Networks Using the Bitmap Filter Chun-Ying Huang Kuan-Ta Chen Chin-Laung Lei Distributed Computing and Network Security Lab Department of Electrical Engineering National Taiwan University June 26, 2006 C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 1/31
  • 2. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 2/31
  • 3. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 3/31
  • 4. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
  • 5. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. Motivations The popularity of Internet worms moves the victims. Most defense mechanisms are required to deploy globally. How does an ISP prevent customers/clients from attacks? C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
  • 6. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Active Attacks Definition An active attack is behavior that deliberately scans, probes, or intrudes on certain hosts or networks with malicious intent. Motivations The popularity of Internet worms moves the victims. Most defense mechanisms are required to deploy globally. How does an ISP prevent customers/clients from attacks? Construct an efficient stateful packet inspection (SPI) filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
  • 7. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection Attacker A Client C SPI Filter Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 8. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 .... .... .... .... Attacker A Request: C:1234 S:80 Client C SPI Filter Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 9. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 .... .... .... .... Attacker A Request: C:1234 S:80 Client C SPI Filter R e s S:80 p on s e : C :1 23 4 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 10. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection State Table Src Src-Port Dst Dst-Port .. .. .. .. C 1234 S 80 C : 1: 67 .... .... .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p on s e : C :1 23 4 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
  • 11. Outline Introduction The Bitmap Filter Definitions and Motivations Evaluations Stateful Packet Inspection Discussions Conclusion Stateful Packet Inspection (cont’d) The Problem The linearly increased costs on both storage spaces and computations. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 6/31
  • 12. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 7/31
  • 13. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Client Network Traffic Characteristics Observations 1 Connection/Session lifetime 2 Out-In packet delay C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
  • 14. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Client Network Traffic Characteristics Observations 1 Connection/Session lifetime 2 Out-In packet delay Data source: aggregated six class-C campus client networks A 6-hour TCP and UDP packet trace. Collected between 10AM and 4PM in a weekday. 96.25% are TCP packets; and 3.75% are UDP packets. Average packet rate: 24.63K packets per second. Average bandwidth utilization: 138.55 Mbps. Average packet size: 720 bytes. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
  • 15. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Connection/Session Lifetime Definition Given a TCP connection, measure the time between the last TCP-SYN and the first TCP-FIN packet. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
  • 16. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Connection/Session Lifetime Definition a. Connection Lifetime Given a TCP connection, measure the time between the last TCP-SYN 1e+06 319 99% connections are shorter than and the first TCP-FIN packet. 515 seconds Number of connections 1e+04 Result summary 1e+02 90%: < 76 seconds. 95%: < 6 minutes. 1e+00 99%: < 515 seconds. 76 515 0 2000 4000 6000 8000 10000 Lifetime is short. Lifetime (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
  • 17. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Out-In Packet Delay Definition of the Out-In Packet Delay A connection contains several outgoing and incoming packets. We measure the elapsed time between the outgoing packet and the successive incoming packets in each connection. Outgoing Packets A B C D Incoming Packets 1 2 3 4 5 6 LAN A-1 A-2 B-4 B-5 D-6 WAN A-3 C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 10/31
  • 18. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Out-In Packet Delay (cont’d) Result summary Observed port-reuse effect. 99% < 2.8 seconds, implies that Internet traffic is bi-directional and has high locality in the temporal domain. b. Out−In Packet Delay c. Out−In Packet Delay (CDF) 1.00 1e+08 99% out−in packet delays are shorter than 2.8 seconds 1e+06 0.95 Packet Count 60 95% out−in packet delays Peaks are interleaved with are shorter than 30 CDF 1e+04 120 intervals of roughly 30 or 60 seconds 0.8 seconds 100 160 220 290 350 420 480 540 0.90 150 190 1e+02 1e+00 0.85 0 100 200 300 400 500 600 0 5 10 15 20 Delay (in seconds) Delay (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 11/31
  • 19. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Construct the Bitmap Filter With the previous observations: 1 Connection/Session lifetime is short. 2 Out-in packet delays are short. 3 Internet traffic is bi-directional. A stateful packet inspection (SPI) filter can be modified. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 12/31
  • 20. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion A Na¨ Method to Modify an SPI Filter ıve Expire connection state information with timers. State Table Connection Info. Timer .. .. C:1234 S:80 10 C : 1: 67 .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p o n s e : C :1 234 Server S C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
  • 21. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion A Na¨ Method to Modify an SPI Filter ıve Expire connection state information with timers. State Table Connection Info. Timer .. .. C:1234 S:80 10 C : 1: 67 .... .... # 45 k Attacker A 8 0 ta c A : A t 2 : 7 8 k# :5 6 ta c C Request: A t 4 3 C:1234 S:80 X :1 2 Client C SPI Filter R e s S:80 p o n s e : C :1 234 Server S However: Still linear complexities on storages and computations. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
  • 22. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
  • 23. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. Definition A bitmap filter is a composition of k bloom filters of equal size N (=2n -bit), denoted as a {k × N}-bitmap filter. The i th bloom filter is denoted as bit-vector [i] in the algorithms. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
  • 24. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Improved Performance: Using the Bitmap Filter Reduce storages/computations complexities to constant. 1 2 3 ... k Definition H1(t) 1 1 1 ... 1 A bitmap filter is a composition of k H2(t) bloom filters of equal size N ... (=2n -bit), denoted as a Hm(t) 2n bits {k × N}-bitmap filter. n-bit 1 1 1 ... 1 The i th bloom filter is denoted as 1 1 1 ... 1 bit-vector [i] in the algorithms. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
  • 25. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms Initialization A {k × N}-bitmap filter is initialized to all bits zero. All the k bloom filters are configured to share the same m hash functions. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 26. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms Initialization A {k × N}-bitmap filter is initialized to all bits zero. All the k bloom filters are configured to share the same m hash functions. The concept: Time-rotated bloom filters C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 27. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 1 2 3 ... K ... ... ... current eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 28. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 At time = t0 + ∆t 1 2 3 ... K 1 2 3 ... K ... ... ... ... ... ... current current eldest eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 29. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms The concept: Time-rotated bloom filters At time = t0 At time = t0 + ∆t At time = t0 + 2∆t 1 2 3 ... K 1 2 3 ... K 1 2 3 ... K ... ... ... ... ... ... ... ... ... current current current eldest eldest eldest C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
  • 30. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms (cont’d) Algorithm I: Periodically reset the eldest bloom filter Rotate one time unit, then reset the eldest bloom filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
  • 31. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms (cont’d) Algorithm I: Periodically reset the eldest bloom filter Rotate one time unit, then reset the eldest bloom filter. Algorithm II: Test and set the bloom filters Outgoing packets: Mark all corresponding bits on all bloom filters. Incoming packets: Reject if not all corresponding bits are marked on the current bloom filter. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
  • 32. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk, a snapshot of the current bitmap status. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 33. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+∆t, all columns are reduced by 1. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 34. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+2∆t, all columns are reduced by 1, again. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 35. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion The Algorithms: Illustrated The two algorithms implement the same concept as the modified SPI filter presented before. At time = tk+2∆t, with an occurrence of a new connection. 8 7 6 5 4 ... 3 2 1 2n bits C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
  • 36. Outline Introduction Client Network Traffic Characteristics The Bitmap Filter Construct the Bitmap Filter Evaluations Parameter Decisions Discussions Conclusion Parameter Decisions Parameter List Name Meaning Te The expired time of a state. ∆t The time unit to rotate the bitmap. k The number of used bloom filters. N The size of each bloom filter. The real size is 2n -bit. m The number of used hash functions for the bloom filters. Guidelines 1 Recall the observed port-reuse effect. Te should not be too large. 2 ∆t should be set properly. Small ∆t increases system loads; large ∆t reduces system granularity (and precision). 3 Te k is roughly ∆t . 4 N and m depends on the scale of the network and the required precision. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 18/31
  • 37. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 19/31
  • 38. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Positives and False Negatives Definition False positive: Normal behavior is rejected. False negative: Attacks are accepted. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
  • 39. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Positives and False Negatives Definition False positive: Normal behavior is rejected. False negative: Attacks are accepted. False positives Since the lifetime of a state is Te seconds, a false positive occurs only when the out-in packet delay is longer than Te seconds. As the statistics show, when Te is greater than 2.8 seconds, the false positive rates should be lower than 1%. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
  • 40. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion False Negatives Estimating on False Negative Rates 1 Given the expected max number of active connections c in Te and the bitmap size N, the false negative rate can be estimated by N p ≤ exp(− ). (1) e·c 2 In contrast, given N and a tolerable maximum value of p, the expected max number of active connections c should satisfy N c≤− . (2) e ln p C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 21/31
  • 41. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Examples For a small- or medium-scale network A bitmap filter is constructed using the following configuration Parameters: k = 4, ∆t = 5, (Te = 20), m = 3 k×2n Required memory space: 8 = 512 K bytes. Given the tolerable penetration probability of 10%, 5%, and 1%, the bitmap filter provides capacity of 167K, 125K, and 83K active connections in Te , respectively. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
  • 42. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Examples For a small- or medium-scale network A bitmap filter is constructed using the following configuration Parameters: k = 4, ∆t = 5, (Te = 20), m = 3 k×2n Required memory space: 8 = 512 K bytes. Given the tolerable penetration probability of 10%, 5%, and 1%, the bitmap filter provides capacity of 167K, 125K, and 83K active connections in Te , respectively. Compare with the campus network traffic Only 15K active connections within a Te of 20 seconds. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
  • 43. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Performance Summary Packet Processing: For an outgoing packet: O(m) hashes +O(m × k) marks. For an incoming packet: O(m) hashes +O(m) checks. Bitmap Rotation: Reset a bit vector: constant according to the given bitmap size. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
  • 44. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Performance Summary Packet Processing: For an outgoing packet: O(m) hashes +O(m × k) marks. For an incoming packet: O(m) hashes +O(m) checks. Bitmap Rotation: Reset a bit vector: constant according to the given bitmap size. Since the bitmap is designed to have fixed size and continuous memory space and the components used in the algorithms are easy to implement as hardware, these algorithms can be completely implemented as a hardware easily. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
  • 45. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Compare with Similar Implementations Hash + link-list AVL-tree Bitmap filter (Linux) Storage space - Complexity O(n) O(n) O(c) Storage space - Handle 2.55M active 77M bytes 77M bytes 8M bytes connections Computation Complexity - Insert a new state O(1) O(log n) O(1) Computation Complexity - Search for a state O(n) O(log n) O(1) Computation Complexity - Garbage collection O(n) O(n) O(c) Hardware acceleration Possible Expensive Cheap C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 24/31
  • 46. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation I: Drop Rate Comparison Compare the drop rate of BF and SPI-filter Environments Implement an SPI filter (expire idle state after 240 seconds). The bitmap filter: n = 20, k = 4, ∆t = 5, Te = 20 (512K bytes). Drop rates measure in a 5-second time unit. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
  • 47. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation I: Drop Rate Comparison Compare the drop rate of BF and SPI-filter Environments 3.5 Implement an SPI filter (expire idle Drop rate of the bitmap filter (%) 3.0 state after 240 seconds). 2.5 The bitmap filter: n = 20, k = 4, 2.0 ∆t = 5, Te = 20 (512K bytes). 1.5 Drop rates measure in a 5-second time unit. 1.0 1.0 1.5 2.0 2.5 3.0 Drop rate of the SPI filter (%) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
  • 48. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation II: Filter Rate Environments The same bitmap filter used in simulation I. Attack rate: spoofed addresses, 500K packets per second. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
  • 49. Outline Introduction False Positives and False Negatives The Bitmap Filter Performance Evaluations Simulation Discussions Conclusion Simulation II: Filter Rate Environments The same bitmap filter used in simulation I. Attack rate: spoofed addresses, 500K packets per second. a. Filter Performance b. Attack Filtering Rate 100.01 4e+05 Filtering rate (%) Packet Count 99.99 2e+05 99.97 0e+00 99.95 0 5000 10000 15000 20000 12000 14000 16000 18000 20000 22000 Time (in seconds) Time (in seconds) C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
  • 50. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 27/31
  • 51. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
  • 52. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. 2 Attack from Insiders An inside attacker may quickly increase the bitmap utilization when attacking outsiders. It hence increase the false negative rate. An administrator may increase n or Te to tolerate such attacks. However, it would be better to identify and eliminate inside attackers. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
  • 53. Outline Introduction The Bitmap Filter Summary Evaluations Discussions Conclusion Summary of Discussions 1 The Compatibility The bitmap filter is compatible with all single connection applications. For multiple connection applications, the bitmap filter is also compatible with hole-punching like NAT-traversal solutions. 2 Attack from Insiders An inside attacker may quickly increase the bitmap utilization when attacking outsiders. It hence increase the false negative rate. An administrator may increase n or Te to tolerate such attacks. However, it would be better to identify and eliminate inside attackers. 3 Adaptive Packet Dropping For bandwidth attacks only, the bitmap filter may consider to adopt adaptive packet dropping to increase the compatibility. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
  • 54. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Outline 1 Introduction 2 The Bitmap Filter 3 Evaluations 4 Discussions 5 Conclusion C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 29/31
  • 55. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Conclusion We propose the bitmap filter, an alternative implementation to replace the stateful packet inspection (SPI) filter, to stop malicious traffic for client networks. The bitmap filter successful reduces the complexities of both storage and computation to constants. Analyses and simulations show that with limited resources, the bitmap filter can filter 90% even 99% attack traffic. C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 30/31
  • 56. Outline Introduction The Bitmap Filter Evaluations Discussions Conclusion Thanks for your attention. Comments or questions? C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 31/31