[Table of contents: DoS; DDoS; Anti-DoS]
[Figure: components of spoofing/DoS detection: IDS and DB]

A traffic pattern observed at a measurement point is represented as a vector $A = (a_1, a_2, \ldots, a_n)$, where $a_i$ is the number of packets counted in the $i$-th time slot of width $\delta$. Two patterns $A$ and $B$ are regarded as correlated (the detection threshold used throughout) when $r(A, B) > 0.9$, with the correlation coefficient

$$ r(A, B) = \frac{\sum_{i=1}^{n} (a_i - \bar{a})(b_i - \bar{b})}{\sqrt{\sum_{i=1}^{n} (a_i - \bar{a})^2}\;\sqrt{\sum_{i=1}^{n} (b_i - \bar{b})^2}} $$

where $\bar{a}$ and $\bar{b}$ are the per-slot means of $A$ and $B$.

The amplifier rate $\alpha_{AB}$ of network B with respect to network A is derived from the per-slot packet counts $N_A(k)$ and $N_B(k)$, taken over the slots $k$ with $N_A(k) > 0$.

[Figure: components of scan detection: NIDS, NMS, IDS and DB]
[Figure: detection architecture: NIDS in Network A, NMS in Network B collecting ACK/RST reaction data, scanner in Network X; Anti-DoS components]
2.
[Figure: experimental network topology. Networks: TAINS, TOPIC and SINET. Switches sw1 and sw2 (Cisco 3500); Snort & Router hosts sr1, sr2, sr3, sr4, sr5 on segment24, segment34 and segment35; tg (traffic generator), dc (data collector), dsm (IDS manager), vc1 and vc2 (victims), atk (attacker), eh (end host); FreeBSD host, Windows hosts; Remote Lab and Other Lab segments. Host address suffixes: sr1 201, sr2 202, sr3 203, sr4 204, sr5 205.]
[Table: IP address assignment by segment]
[Figure 4: DoS and DDoS attack traffic generated at 100 pps and 1000 pps]
[Figure 5: DoS experiment topology: attacker atk, Snort & Router hosts sr1, sr2, sr3, sr4, sr5, switch sw1, victim vc1]

In the DoS experiment the traffic patterns observed at the two measurement points were compared with the correlation coefficient defined above. The two measurements gave

$$ r(A, B) = 0.74832858977637 \qquad\text{and}\qquad r(A, B) = 0.950635563445436, $$

and the amplifier rate $\alpha_{AB}$ was evaluated from the same per-slot counts $N_A(k)$ and $N_B(k)$.

[Figure 6: DoS traffic patterns]

[Figure 7: DDoS experiment topology: attacker atk, Snort & Router hosts sr1, sr2, sr3, sr4, sr5, switch sw1, victim vc1]
In the DDoS experiment two source networks A and B send attack traffic to the victim network C. Table 3 lists the correlation coefficients between each source pattern, the slot-wise sum A+B, and the pattern observed at C:

Table 3: Correlation coefficients in the DDoS experiment
    Patterns compared    r
    A - C                0.7640243709723
    B - C                0.76436936962
    (A+B) - C            0.9450977062854

Taken alone, neither source reaches the 0.9 threshold; the summed pattern A+B does. A DDoS flow is therefore recognized only when the candidate sources are combined before the correlation is computed.

[Figure 8: DDoS traffic patterns]
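The correlation test above, carried through on constructed per-slot packet counts, as an added example that is not code from the original report. It implements $r(A,B)$ as defined above, then generalizes the DDoS table: every candidate source and every pair of sources is summed slot-wise and tested against the victim's inbound pattern, so a flow that no single source explains is still attributed. The pattern values, network names and the 0.9 threshold are constructed for the example.

```python
"""Correlation-based attribution of DoS / DDoS traffic from per-slot packet counts.

Added example; not code from the original report.  Traffic patterns are
vectors of packet counts per time slot of width delta, as defined above;
the pattern values below are constructed, not measured.
"""
from itertools import combinations
from math import sqrt


def pearson(a, b):
    """Correlation coefficient r(A, B) of two equally long packet-count vectors."""
    n = len(a)
    if n != len(b) or n < 2:
        raise ValueError("patterns must have the same length n >= 2")
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0          # a flat pattern carries no shape to correlate
    return cov / sqrt(var_a * var_b)


def vector_sum(*patterns):
    """Slot-wise sum of several patterns (the 'A+B' of the DDoS table)."""
    return [sum(slot) for slot in zip(*patterns)]


def attribute_sources(outbound, inbound, threshold=0.9, max_group=2):
    """Find which candidate source networks, alone or combined, produced the
    pattern seen at the victim.

    outbound: {network_name: pattern} of outbound counts per candidate source
    inbound:  pattern observed at the victim
    Returns {tuple_of_names: r} for every group of up to max_group sources
    whose summed pattern correlates with the victim's above the threshold.
    """
    hits = {}
    names = sorted(outbound)
    for size in range(1, max_group + 1):
        for group in combinations(names, size):
            r = pearson(vector_sum(*(outbound[name] for name in group)), inbound)
            if r > threshold:
                hits[group] = r
    return hits


# Constructed DDoS sample: two sources with unrelated on/off rhythms; the
# victim's inbound count is their sum plus a constant background of 5.
OUTBOUND = {
    "A": [10, 20, 10, 20, 10, 20, 10, 20],
    "B": [10, 10, 20, 20, 10, 10, 20, 20],
}
INBOUND_C = [25, 35, 35, 45, 25, 35, 35, 45]

# Constructed single-source DoS sample: attacker bursts, victim sees them on
# top of a little background traffic.
SINGLE_ATTACKER_OUT = [10, 50, 48, 52, 9, 51, 49, 11]
SINGLE_VICTIM_IN = [13, 52, 52, 55, 11, 54, 53, 13]


if __name__ == "__main__":
    print("single-source DoS r =", round(pearson(SINGLE_ATTACKER_OUT, SINGLE_VICTIM_IN), 4))
    for name, pattern in OUTBOUND.items():
        print(f"r({name}, C) =", round(pearson(pattern, INBOUND_C), 4))
    print("r(A+B, C) =", round(pearson(vector_sum(*OUTBOUND.values()), INBOUND_C), 4))
    print("groups over threshold:", attribute_sources(OUTBOUND, INBOUND_C))
```

With these inputs each source alone correlates at about 0.71 with the victim (two equal-variance, uncorrelated components each explain half of the victim's variance), while A+B correlates at 1.0, which is the situation Table 3 describes. The pairwise search grows combinatorially in the number of candidate networks, so in practice the candidate set is first narrowed (for instance by the amplifier rate) before groups are tested.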
[Figure 9: security agents reporting to the NMS / security manager]

[Figure 10: intranet backbone]

Table 1: HTTP service scan with a TCP SYN probe
Scanner -> Target (probe packet)
    Protocol   Flag   Destination port   [Hosts]
    TCP        SYN    80                 589
Target -> Scanner (reaction packet)
    Protocol   Flag      [Packets]   [Hosts]
    TCP        SYN/ACK   596         34
    TCP        ACK/RST   596         92
    No response                      26
    ICMP  Type  Code  Name                      [Packets]
          3     1     Host unreachable          53
          3     2     Protocol unreachable      -
          3     3     Port unreachable          2
          3     13    Prohibited by filtering   4
    Number of alive hosts: 52

Table 2: DNS service scan with a UDP probe
Scanner -> Target (probe packet)
    Protocol                 Destination port   [Hosts]
    UDP (with ICMP ECHO)     53                 550
Target -> Scanner (reaction packet)
    ICMP  Type  Code  Name                      [Packets]
          3     1     Host unreachable          50
          3     2     Protocol unreachable      -
          3     3     Port unreachable          08
          3     13    Prohibited by filtering   4
    No response: 36 [Hosts]
    Number of alive hosts: 49

[Figure 11: ACK/RST and ICMP reaction packets collected by the NMS / manager and the IDS]
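The reaction-packet view used in Tables 1 and 2, turned into detection logic, as an added example that is not code from the original report. The NMS never needs to see the probes: it classifies the replies (SYN/ACK, ACK/RST, ICMP type 3 with the codes named above), groups them by the external address they are addressed to, and flags an address that has drawn reactions from many distinct hosts. The packet records, addresses and the `min_hosts` threshold are constructed for the example.

```python
"""Scan detection from reaction packets observed by an NMS.

Added example; not code from the original report.  A scanner that probes
many hosts leaves a trail of replies (SYN/ACK, ACK/RST, ICMP unreachable)
all addressed to the same external source; the NMS can spot the scan from
those reactions alone.  Packet records and addresses below are constructed.
"""
from collections import defaultdict

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

# ICMP type 3 (destination unreachable) codes named in the tables above
ICMP_UNREACHABLE = {
    1: "Host unreachable",
    2: "Protocol unreachable",
    3: "Port unreachable",
    13: "Prohibited by filtering",
}


def classify_reaction(pkt):
    """Return the reaction category of one observed packet, or None."""
    if pkt["proto"] == "tcp":
        flags = pkt["flags"]
        if flags & TCP_SYN and flags & TCP_ACK:
            return "SYN/ACK"          # open port on a live host answered a SYN
        if flags & TCP_RST and flags & TCP_ACK:
            return "ACK/RST"          # closed port on a live host refused a SYN
        return None                   # ordinary data / ACK traffic
    if pkt["proto"] == "icmp" and pkt["type"] == 3:
        return ICMP_UNREACHABLE.get(pkt["code"], f"Unreachable code {pkt['code']}")
    return None


def probed_host(pkt):
    """The host the probe was aimed at: the TCP replier itself, or the
    destination quoted inside an ICMP error sent by a router."""
    return pkt["orig_dst"] if pkt["proto"] == "icmp" else pkt["src"]


def tally_reactions(packets):
    """Group reactions by the external address they are sent to.

    Returns {external_addr: ({category: packet count}, set of probed hosts)}.
    """
    counts = defaultdict(lambda: defaultdict(int))
    probed = defaultdict(set)
    for pkt in packets:
        category = classify_reaction(pkt)
        if category is None:
            continue
        counts[pkt["dst"]][category] += 1
        probed[pkt["dst"]].add(probed_host(pkt))
    return {addr: (dict(counts[addr]), probed[addr]) for addr in counts}


def detect_scanners(packets, min_hosts=10):
    """External addresses that drew reactions from at least min_hosts distinct hosts."""
    return {addr: cats for addr, (cats, hosts) in tally_reactions(packets).items()
            if len(hosts) >= min_hosts}


def alive_hosts(packets, scanner):
    """Hosts shown to be alive by a TCP reply (SYN/ACK or ACK/RST) to the scanner."""
    return {pkt["src"] for pkt in packets
            if pkt["dst"] == scanner and classify_reaction(pkt) in ("SYN/ACK", "ACK/RST")}


def tcp(src, dst, flags):
    return {"proto": "tcp", "src": src, "dst": dst, "flags": flags}


def icmp(src, dst, code, orig_dst):
    return {"proto": "icmp", "src": src, "dst": dst, "type": 3, "code": code, "orig_dst": orig_dst}


SCANNER = "203.0.113.9"
# Constructed sample: the scanner SYN-probes port 80 on 10.0.0.1 - 10.0.0.20.
SAMPLE_PACKETS = (
    [tcp(f"10.0.0.{i}", SCANNER, TCP_SYN | TCP_ACK) for i in range(1, 4)]      # 3 open
    + [tcp(f"10.0.0.{i}", SCANNER, TCP_RST | TCP_ACK) for i in range(4, 16)]   # 12 closed
    + [icmp("10.0.0.254", SCANNER, 1, f"10.0.0.{i}") for i in range(16, 19)]   # 3 no such host
    + [icmp("10.0.0.254", SCANNER, 13, "10.0.0.19")]                          # 1 filtered
    # 10.0.0.20 never answers.  Unrelated normal traffic to a real client:
    + [tcp("10.0.0.2", "198.51.100.5", TCP_SYN | TCP_ACK),
       tcp("10.0.0.2", "198.51.100.5", TCP_ACK)]
)

if __name__ == "__main__":
    for addr, cats in detect_scanners(SAMPLE_PACKETS).items():
        print(addr, cats, "alive hosts:", len(alive_hosts(SAMPLE_PACKETS, addr)))
```

The "number of alive hosts" row of the tables corresponds to `alive_hosts`: only TCP replies prove a live host, since the ICMP errors come from a router speaking on behalf of hosts that did not answer. A single SYN/ACK to an ordinary client stays below `min_hosts`, so normal connection setup is not reported.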
[Figure: time needed to detect a scan, NIDS versus NMS; x-axis: scan duration (sec); values printed on the plot: 09 sec for the NIDS and 43623 sec for the NMS]
2.4.2. Anti-DoS experiment

The Anti-DoS filter was evaluated on a 100 Mbps Ethernet with two PCs and two workstations (WS) in the roles of attacker, valid user, filter and target.

2.4.2.1. Hardware (Table 3)
    Role         Machine
    Attacker     Sun Microsystems Ultra 4, 296 MHz, 2 CPUs, main memory 2.5 GB, HDD 250 GB
    Valid user   Sun Microsystems Ultra 4, 296 MHz, 1 CPU, main memory 1 GB, HDD 100 GB
    Filter       Intel Pentium III (Coppermine) 852 MHz, main memory 256 MB, HDD 30 GB
    Target       Intel Pentium III 500 MHz, main memory 256 MB, HDD 10 GB

2.4.2.2. Software (Table 4)
    Role         OS / software
    Attacker     Solaris 2.6
    Valid user   Solaris 2.6
    Filter       OpenBSD 2.6 with IP Filter 3.3.3
    Target       Linux (Debian)

2.4.2.3. Setup

The four machines share one 100 Mbps Ethernet segment. The attacker directs DoS traffic at the target while the valid user issues ordinary HTTP requests to it; both paths cross the filter host running IP Filter.

[Figure: Anti-DoS experiment setup]
2.4.2.4. Measurement

The data collector counts, with tcpdump, the packets that satisfy all of the following:
1. HTTP (port 80);
2. not a later IP fragment (fragment offset 0);
3. an HTTP response with status 200 to the valid user's GET request.

The tcpdump filter used (byte offsets assume 20-byte IP and TCP headers without options, so ip[40] is the first byte of the TCP payload; 0x48545450 is "HTTP", 0x2f30..0x2f39 is "/0".."/9", 0x2e30..0x2e39 is ".0"..".9", and 0x32303020 is "200 "):

    tcpdump 'tcp and (ip[6:2] & 0x1fff = 0) and (ip[40:4] = 0x48545450) \
        and (ip[44:2] >= 0x2f30) and (ip[44:2] <= 0x2f39) \
        and (ip[46:2] >= 0x2e30) and (ip[46:2] <= 0x2e39) \
        and (ip[49:4] = 0x32303020)'

The version-number comparisons are inclusive ranges, so replies from both HTTP/1.0 and HTTP/1.1 servers are counted.

The filter host was loaded with rule sets of 100, 500, 1000 and 1600 rules. Each set is a default `block all` followed by one `pass quick` rule per valid client address, in this form (addresses as printed):

    block all
    pass quick proto tcp from 6.33.34.85/32 to any port 80
    pass quick proto tcp from 6.34..227/32 to any port 80
    pass quick proto tcp from 62.40.65.50/32 to any port 80
    pass quick proto tcp from 62.226.3.205/32 to any port 80
    pass quick proto tcp from 63.2.53.48/32 to any port 80
    pass quick proto tcp from 63.2.90.2/32 to any port 80

2.4.2.5. Attack rates (Table 5)

The attacker generates DoS traffic at 1k, 2k, 3k, 5k, 10k, 20k and 30k packets per second (PPS). Each DoS packet is 60 bytes long; a timing parameter of 10 msec is also specified.
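The tcpdump expression above replicated in Python, offset for offset, as an added example that is not code from the original report. It shows what the byte-offset filter actually matches and one way it undercounts: the offsets hard-wire a 20-byte TCP header, so a 200 reply whose TCP header carries options (timestamps, for instance) starts its payload at ip[52] and is silently missed. The packets are constructed with `struct`; the addresses and ports in them are placeholders.

```python
"""Replicate the tcpdump byte-offset filter in Python, to show exactly what
it matches and where it is blind.

Added example; not code from the original report.  Packets are constructed
with struct (20-byte IPv4 header, TCP header, payload); addresses are
placeholders.
"""
import struct

# The filter as used in the measurement, kept as one string for reference.
BPF_FILTER = (
    "tcp and (ip[6:2] & 0x1fff = 0) and (ip[40:4] = 0x48545450) "
    "and (ip[44:2] >= 0x2f30) and (ip[44:2] <= 0x2f39) "
    "and (ip[46:2] >= 0x2e30) and (ip[46:2] <= 0x2e39) "
    "and (ip[49:4] = 0x32303020)"
)


def matches_http_200(pkt: bytes) -> bool:
    """Same test as BPF_FILTER, offset for offset, on a raw IPv4 packet."""
    if len(pkt) < 53:                       # ip[49:4] needs bytes 49..52
        return False
    if pkt[9] != 6:                         # 'tcp': IP protocol number 6
        return False
    frag = struct.unpack("!H", pkt[6:8])[0]
    if frag & 0x1FFF != 0:                  # ip[6:2] & 0x1fff = 0: first fragment only
        return False
    if pkt[40:44] != b"HTTP":               # ip[40:4] = 0x48545450 ("HTTP")
        return False
    if not (b"/0" <= pkt[44:46] <= b"/9"):  # ip[44:2] in 0x2f30..0x2f39 ("/0".."/9")
        return False
    if not (b".0" <= pkt[46:48] <= b".9"):  # ip[46:2] in 0x2e30..0x2e39 (".0"..".9")
        return False
    return pkt[49:53] == b"200 "            # ip[49:4] = 0x32303020 ("200 ")


def count_http_200(packets) -> int:
    """Number of packets the data collector would count."""
    return sum(1 for p in packets if matches_http_200(p))


def build_packet(payload: bytes, frag_offset: int = 0, tcp_options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet from 10.0.0.1:80 to 10.0.0.2 (checksums left 0)."""
    tcp_hdr_len = 20 + len(tcp_options)            # options must pad to 4 bytes
    total_len = 20 + tcp_hdr_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234,
                         frag_offset & 0x1FFF, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", 80, 40000, 1, 1,
                          (tcp_hdr_len // 4) << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + tcp_options + payload


# Constructed samples
RESP_200 = build_packet(b"HTTP/1.0 200 OK\r\nContent-Length: 5\r\n\r\nhello")
RESP_404 = build_packet(b"HTTP/1.1 404 Not Found\r\n\r\n")
REQUEST = build_packet(b"GET / HTTP/1.1\r\nHost: x\r\n\r\n")
FRAG2 = build_packet(b"HTTP/1.0 200 OK\r\n", frag_offset=185)          # non-first fragment
# Same 200 reply, but the TCP header carries 12 bytes of options (NOP, NOP,
# timestamp): the payload now starts at ip[52], so the filter never sees "HTTP".
RESP_200_TCP_OPTS = build_packet(b"HTTP/1.1 200 OK\r\n",
                                 tcp_options=b"\x01\x01\x08\x0a" + b"\x00" * 8)
SAMPLE_PACKETS = [RESP_200, RESP_404, REQUEST, FRAG2, RESP_200_TCP_OPTS]

if __name__ == "__main__":
    print("counted:", count_http_200(SAMPLE_PACKETS), "of", len(SAMPLE_PACKETS))
```

Before reusing a filter of this kind, check the TCP header length actually on the wire (`tcp[12] >> 4` in BPF) for the client stack being measured; if it sends options, the payload offsets shift and every reply is missed, which would look like a 0% response rate rather than a measurement error.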
2.4.3. Results

[Table: Anti-DoS results for rule sets of 100, 500, 1000 and 1600 rules under DoS loads up to 30 Kpps (14.4 Mbps); values printed: 5.22%, 100%]

2.4.3.1. 100 rules: the valid user's HTTP responses are still counted at the highest rate tested, 30 Kpps (14.4 Mbps).

2.4.3.2. 500 rules: the DoS rates recorded for the change in response rate are 10 Kpps and 20 Kpps.

2.4.3.3. 1000 rules: the DoS rate recorded is 3 Kpps.

2.4.3.4. 1600 rules: the DoS rate recorded is 2 Kpps.

The DoS packet rate associated with each rule set falls as the rule count grows: a longer rule list costs the filter host more per packet, and attack packets, which match no pass rule, are charged the full list.
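A model of why the tolerable DoS rate drops with the rule count, as an added example that is not IP Filter's code. It parses only the two rule forms used above (`block all` and `pass quick proto tcp from X/32 to any port 80`), walks the list with IP Filter's last-match/quick semantics, and reports how many rules each packet touches: a valid client stops at its own rule, while an attack packet from an unknown source is tested against every rule before `block all` applies. The same policy kept in a hash set is shown alongside for contrast. Addresses and the rule counts are constructed; in/out direction, state tables and fragments are ignored.

```python
"""Cost of a first-match walk over an address allow-list, per packet.

Added example; not IP Filter's code.  Models the 'block all' + per-address
'pass quick' ruleset used above with a tiny parser for exactly those two
rule forms; addresses are constructed.  Real ipf/pf evaluation has more
cases (in/out, states, fragments) that this model leaves out.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Rule = namedtuple("Rule", "action quick proto src dst dport")
Packet = namedtuple("Packet", "src dst proto dport")


def parse_rule(line: str) -> Rule:
    """Parse 'block all' or 'pass [quick] proto tcp from X to Y [port N]'."""
    tok = line.split()
    action, quick = tok[0], "quick" in tok
    if "all" in tok:
        return Rule(action, quick, None, None, None, None)
    proto = tok[tok.index("proto") + 1] if "proto" in tok else None
    src = tok[tok.index("from") + 1]
    dst = tok[tok.index("to") + 1]
    dport = int(tok[tok.index("port") + 1]) if "port" in tok else None
    return Rule(action, quick, proto,
                None if src == "any" else ip_network(src),
                None if dst == "any" else ip_network(dst), dport)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.src is None or pkt.src in rule.src)
            and (rule.dst is None or pkt.dst in rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules, pkt: Packet):
    """IP Filter semantics: the last matching rule wins, except that a
    matching 'quick' rule ends the walk.  Returns (decision, rules examined)."""
    decision, examined = "pass", 0          # ipf passes when nothing matches
    for rule in rules:
        examined += 1
        if rule_matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision, examined


def client_address(i: int) -> str:
    """i-th constructed valid-client address."""
    return f"10.1.{i // 256}.{i % 256}"


def allowlist_ruleset(n: int):
    """'block all' followed by n 'pass quick' rules, one valid client each."""
    lines = ["block all"] + [
        f"pass quick proto tcp from {client_address(i)}/32 to any port 80"
        for i in range(1, n + 1)]
    return [parse_rule(line) for line in lines]


def allowlist_table(n: int) -> set:
    """The same n clients as a hash set."""
    return {ip_address(client_address(i)) for i in range(1, n + 1)}


def evaluate_table(allowed: set, pkt: Packet) -> str:
    """Same policy with the client list in a set: one lookup per packet."""
    if pkt.proto == "tcp" and pkt.dport == 80 and pkt.src in allowed:
        return "pass"
    return "block"


WEB = ip_address("10.2.0.80")
VALID_USER = Packet(ip_address(client_address(50)), WEB, "tcp", 80)
ATTACK = Packet(ip_address("192.0.2.7"), WEB, "tcp", 80)    # unknown / spoofed source

if __name__ == "__main__":
    for n in (100, 500, 1000, 1600):
        rules = allowlist_ruleset(n)
        print(n, "rules: valid user", evaluate(rules, VALID_USER),
              "attack packet", evaluate(rules, ATTACK))
```

Under a flood every packet is the expensive kind, so the per-packet cost of the filter host scales with the rule count while its CPU budget does not; that is the shape of the 30K / 10K / 3K / 2K progression above. Packet filters that hold address lists in a table structure rather than a linear rule list (pf's tables are the usual example) remove the dependence on the number of clients.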
3.
[Figure: Smurf attack topology: AS-1 and AS-2 joined through the exchange point X at the IX; networks A, B, C and D; links a-x, x-a, b-x, x-b, c-x, x-c, d-x, x-d, as2-x, x-as2]
In 2000 a total of 3,540,695 SCAN packets were recorded (Table 6). Breakdown by signature:

    Signature                                              [Packets]
    IDS04  - SCAN-NULL Scan                                6
    IDS05  - SCAN-Possible NMAP Fingerprint attempt        05
    IDS144 - SCAN-FullXMASScan                             32
    IDS146 - SCAN-Cybercop OS Probe sf12                   6
    IDS27  - SCAN-FIN                                      47
    IDS277 - NAMED Iquery Probe                            935
    IDS278 - SCAN-named Version probe                      756
    IDS29  - SCAN-Possible Queso Fingerprint attempt       544
    IDS30  - SCAN-L3retriever HTTP Probe                   69
    IDS330 - SCAN-SAINT-FTPcheck                           2
    SCAN - Whisker Stealth - Mall log order access attempt 2
    SCAN - Whisker Stealth Mode 4 - HEAD                   56
    SCAN - Whisker Stealth - BigConf access attempt        3
    SCAN - Whisker Stealth - IIS search97 access attempt   46
    SCAN - Whisker Stealth - Order log access attempt      2
    SCAN - Whisker Stealth - Shopping cart access attempt  2
    SCAN - Whisker Stealth - Start Stop Web access attempt 4
    SCAN - Whisker Stealth - WS_FTP.INI access attempt     2
    SCAN - Whisker Stealth - cfappman access attempt       2
    SCAN - Whisker Stealth - mlog access attempt           2
    SCAN - Whisker Stealth - mylog access attempt          2
    SCAN - SYN FIN                                         348646
    Tiny Fragments - Possible Hostile Activity             4479
[Table: top 10 scan destination ports, with WWW (80) and WWW proxy among them; values printed: 287, 4, 10, 4]
[Figure 16: TCP ack/reset packets per source address SRC1 to SRC9; y-axis runs to 2500 packets]
[Figure 17: DoS traffic at 1000 pps; value printed: 340]