Network attack detection at flow level
Aleksey A. Galtsev (corresponding author) and Andrei M. Sukhov
Samara State Aerospace University, Moskovskoe sh., 34, Samara, 443086, Russia; e-mails: [email protected], [email protected]

Abstract.
In this paper, we propose a new method for detecting unauthorized network intrusions, based on a traffic flow model and the application of the Cisco NetFlow protocol. The method developed allows us not only to detect the most common types of network attack (DDoS and port scanning), but also to make a list of trespassers' IP addresses. Therefore, this method can be applied in intrusion detection systems, and in those systems which lock these IP addresses.
Keywords: DDoS attack, flow traffic model, Cisco NetFlow
Currently, Internet information resources are actively growing, penetrating many spheres of social life. Information technologies are being introduced not only into private enterprises, but also in the provision of public services. With each passing day, more and more confidential transactions are carried out via the Internet. In connection with these trends, the question of computer network security is starkly raised. Attackers have developed and actively use many types of network intrusion [1,2,3,4], most of which can be prevented by standard methods of protection.

This article focuses on detecting and preventing network attacks of two types that are impossible to prevent by the standard settings of information resource software. These are "Distributed Denial of Service" attacks (DDoS attacks) [4,5] and port scanning, which is used to find bottlenecks in network information systems. In recent years the rate of end-user connections to the Internet has increased sharply, which has given rise to an increase in the number and intensity of attacks such as DDoS. These attacks are highly damaging to the information service, and at the same time simple in their execution. Port scanning is used by hackers to conduct "network intelligence". In this article we would like to propose a new method of detecting DDoS attacks and port scanning, based on the Cisco NetFlow protocol [7,8].

NetFlow is a network protocol developed by Cisco Systems for collecting IP traffic information. NetFlow has become an industry standard for traffic monitoring and is supported by platforms other than Cisco IOS (Internetwork Operating System) and NX-OS (Nexus Operating System) [9].
A network flow has been defined in many ways. The traditional Cisco definition is to use a 7-tuple key, where a flow is defined as a unidirectional sequence of packets sharing all of the following 7 values:
– Source IP address
– Destination IP address
– Source port for UDP or TCP, 0 for other protocols
– Destination port for UDP or TCP, type and code for ICMP, or 0 for other protocols
– IP protocol
– Ingress interface (SNMP ifIndex)
– IP Type of Service

The proposed method for detecting network attacks based on the traffic flow model is described in [10]. The traffic model shows that two parameters, the load of the channel and the number of active flows in it, must be used for a full representation of the network state. In this paper, the criteria of abnormal network conditions, which can determine the start of the attack, were formulated. A more detailed model is described in Section 2. The values of these parameters can be measured using the NetFlow protocol, implemented on Cisco routers.

In [11] and [12], the authors suggested that the traffic flow model can be used for network security problems, in particular to detect network attacks such as DDoS, port scanning and network worms. Also in [13] and [14], an attempt was made to use the NetFlow protocol to detect DoS attacks such as Smurf and the worms W32.Blaster Worm and Red Worm.

The aim of this work is to show that the NetFlow protocol can be used for the detection of DDoS attacks and port scanning, and to formulate an algorithm to identify the IP addresses from which the attack is carried out. This algorithm enables the creation of "black lists" of addresses that should be blocked to prevent the attack.
This article is organised as follows:
– Section 2 describes the flow traffic model, on which a method for detecting network attacks has been built
– Section 3 describes the experiment to study the various attacks
– Section 4 gives the definition of the detection algorithm under consideration
– Section 5 describes the Research Center of DDoS attacks at the Samara State Aerospace University
In this paper, we would like to propose a method of diagnosing the backbone links and testing it on existing networks. This method is based on a traffic model [10], according to which the number of active flows can be considered an important characteristic of the real network state. Two variables, the number of active flows and the utilisation of the channel, best describe the current network state. Analysis of all data on the network, represented by individual points on the plane whose axes are the number of active flows and the utilisation of the network, allows the definition of three areas that correspond to qualitatively different states of the network.

It has been previously shown [10] that the first part of the curve formed from the average values of the data produces a straight line, which ends with an inflection point. The straight line corresponds to the part of the network that is characterised by a minimal loss of IP packets, less than half of one percent. The bent part of the curve corresponds to an overloaded network, and is characterised by a significant packet loss of up to 5%, which reduces the effective size of the transferred TCP/IP segment. The third, nearly horizontal, portion of the curve corresponds to a completely unusable network with a significant packet loss of over 5%.

The distribution of the total load tends to a normal (Gaussian) distribution, since the total load of the studied channel is the result of multiplexing a large number of flows that are independent of each other. The theoretical model allows us to estimate the confidence interval for the working area of the curve:

$$B(t) = b\,\bigl(N + k\,A(\varepsilon)\sqrt{N}\bigr) \qquad (1)$$

Here $A(\varepsilon)$ is the normal quantile function.
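As an added illustration of equation (1) and of the model's criterion that several consecutive five-minute measurements outside the band signal a problem (example code written here, not the authors' Perl script): the band is fitted from constructed normal-state samples and a run of out-of-band observations is flagged. How b and k are estimated, and the two-sided reading of A(ε), are our assumptions; the paper does not state them.

```python
from math import sqrt
from statistics import NormalDist, mean, stdev

# Constructed 5-minute samples (active flows N, channel load B in Mbps) taken
# from the linear, loss-free part of the curve; not the paper's measurements.
HISTORY = [(25000, 50.4), (30000, 59.5), (35000, 70.6),
           (40000, 79.3), (45000, 90.5), (50000, 99.6)]

def fit_band(samples, eps=0.05):
    """Estimate b and k of equation (1) from normal-state samples and return
    (b, k, band), where band(N) gives the load limits b(N -+ k A(eps) sqrt(N)).
    Assumptions not stated in the paper: b is the mean load per flow, k is
    the standard deviation of the normalised residual (B - bN) / (b sqrt(N)),
    and A(eps) is the two-sided normal quantile, so that a fraction eps of
    normal samples falls outside the band."""
    b = mean([B / N for N, B in samples])
    k = stdev([(B - b * N) / (b * sqrt(N)) for N, B in samples])
    a_eps = NormalDist().inv_cdf(1 - eps / 2)

    def band(N):
        half = b * k * a_eps * sqrt(N)
        return b * N - half, b * N + half

    return b, k, band

def classify(band, N, B):
    """'normal' inside the band, 'low' below it (many flows carrying little
    data, the port-scanning signature), 'high' above it."""
    lo, hi = band(N)
    if B < lo:
        return "low"
    if B > hi:
        return "high"
    return "normal"

def first_alarm(band, observations, run=3):
    """Index of the observation that completes `run` consecutive out-of-band
    measurements, or None.  The paper asks for several consecutive
    excursions before declaring a problem; the value of `run` is our choice."""
    streak = 0
    for i, (N, B) in enumerate(observations):
        streak = streak + 1 if classify(band, N, B) != "normal" else 0
        if streak >= run:
            return i
    return None
```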
Equation 1 indicates that the real state of the network, described by the number of active flows $N$ and the flow data rate $B(t)$, will be outside these limits in only $100\% \times \varepsilon$ of the total observation time.

The traffic model presented here allows the formulation of a simple criterion for finding anomalous network states: if several consecutive measurements go beyond the confidence interval for $\varepsilon = 0.05$, we can confidently consider that there are problems on the network. If we collect the data every 5 minutes, then the statistics of a few hours will make it possible to determine all the parameters of equation 1 with reasonable accuracy.

Presumably, the network state will be out of the confidence interval during the progress of a network attack. During port scanning, the number of active flows will increase with a nearly constant load, as the data transmitted is limited to establishing the connection and closing it. The channel load as well as the flow number should sharply increase during the progress of DDoS attacks. In order to prove these hypotheses it was decided to conduct two experiments, one with network scanning and one with a DDoS attack.

In order to clarify the details of unauthorized intrusion, it was decided to perform experiments that emulated attempted attacks. Experiments were carried out on the network of the Samara State Aerospace University (SSAU). Remote machines located in an external network were used as the source of the attack. The utility Nmap was applied for port scanning, and was ordered to carry out a full scan of all hosts on the network.
A Web server was selected as the target during the progress of the DDoS attack. A few computers located in the external network were the sources of the attack. In the first part of the experiment the attacking computers sent ping requests simultaneously for half an hour. In the second part of the experiment the target computers were attacked (DDoS attack) with the help of a specialised program, LOIC. The Web server was attacked with the use of different types of traffic (HTTP, UDP, TCP) over an hour. Data were collected from all experiments and then analysed to identify the patterns of the different types of attacks.
Fig. 1. The experimental scheme
Flow data, which are the basis for the analysis, were collected from the boundary router of the SSAU network, a Cisco 6509. The NetFlow collector nfdump [15] was used to gather data from the router. NetFlow export data are taken for analysis at regular intervals of five minutes. A file with the parameters of all the flows recorded on the router is formed every five minutes. The parameters are listed in the introduction, and include the beginning of the flow, the duration of the flow, the data transfer protocol, source address and port, destination address and port, the number of transmitted packets, and the amount of transferred data in bytes.

The analysis of data collected during network scanning has revealed a sharp increase in the number of active flows for almost the same amount of traffic transferred (see Figure 2). Each scanning computer generated on the order of 10-20 thousand very short flows (up to 50 bytes) within 5 minutes. In the testing period the total number of active flows on the router generated by all sources is about 50-60 thousand.

Figure 2 shows a graph of the network states: the X-axis displays the number of completed flows N, and the Y-axis displays the total load in Megabits per second (Mbps). Each point on the graph reflects the network state of the preceding five-minute interval, showing the dependence of the average channel load on the number of active flows. The points correspond to the normal network state and the triangles describe the state of the network registered during a port scan. Segments parallel to the vertical axis show the confidence intervals for the average load calculated for five flow intervals (20000-30000, 30000-40000, 40000-50000, 50000-60000, 60000-70000).
Fig. 2. Port scanning
As a result of the experiment with the ping requests, it was found that every attacking computer accounts for a single very long flow of ICMP traffic if it sends requests through a single port. The data are written into an nfdump file only after the attack is finished, making it difficult to detect. It should be noted that one active ICMP flow is clearly inadequate to cause a failure in the information system; the number must extend to tens of thousands of requests.
Fig. 3. DDoS attack
The analysis of modelling the DDoS attack with the LOIC utility also showed a sharp increase in the number of active flows, along with an increase in the traffic. The utility sends data in parallel to different ports of the target, thereby creating a large number of short flows lasting up to a minute (see Figure 3). The triangles show the network states recorded during the attack.

Thus, it becomes apparent that the NetFlow protocol may not only reveal the start of the attack, but also determine its type. A detailed description of the attack detection algorithms and of the work to create a secure hosting service may be found in the following sections.
Our studies have revealed patterns in the NetFlow data that allow the IP addresses of the computers from which DDoS attacks and port scans were conducted to be determined. Based on these patterns we developed an algorithm for attack detection. Before formulating the algorithm we will specify the format for recording flow data:
– Date and time of flow
– Duration of flow (in seconds, up to thousandths)
– Transfer protocol
– IP address and source port
– IP address and destination port
– The number of transmitted packets
– The number of bytes transferred

The algorithm developed for the detection of attacks such as DDoS and port scanning is:
1. Find IP addresses of sources that generate a large number of flows.
   (a) If these flows are very short, up to 50 bytes, it is most likely port scanning.
   (b) If the duration of the flows is greater, then this IP address might be carrying out a DoS attack.
2. Find IP addresses of sources that generate very long flows (lasting more than 5 minutes). Such an IP address may be carrying out a DoS attack.
If many IP addresses from which a potential DoS attack is carried out are found, we may classify this attack as DDoS.

In order to prevent any network attack, early detection is important to enable steps to be taken to neutralise it. NetFlow data come from the router from time to time, depending on the settings. At the same time, a balance between the frequency of collection of flow statistics and the time needed for processing is also needed. Therefore it was decided to set the frequency of querying the NetFlow data to once a minute.

It should be noted that the NetFlow statistics provide information on flows that are already completed. Since a flow is considered active for a certain time after its completion, completed flows also need to be considered active.
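The algorithm above, worked through in Python as an added example (not the authors' Perl implementation): flow records are in a constructed whitespace-separated layout carrying the fields listed, the flow-count threshold and the minimum number of DoS sources for a DDoS verdict are our chosen parameters, and the 50-byte and 5-minute limits are the paper's.

```python
from collections import defaultdict, namedtuple

# One flow record with the fields the paper lists (a constructed layout, not nfdump's own).
Flow = namedtuple("Flow", "start duration proto src sport dst dport packets bytes")

def parse_flow(line):
    """Parse 'start duration proto src:port dst:port packets bytes'."""
    start, dur, proto, src, dst, pk, by = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Flow(start, float(dur), proto, sip, int(sport), dip, int(dport), int(pk), int(by))

def constructed_flows():
    """Synthetic one-minute export (documentation IP ranges): a scanner,
    three flooders, one long ICMP flow and a benign client."""
    lines = [f"2012-04-10T12:00:01 0.001 TCP 198.51.100.7:{40000 + p} 192.0.2.10:{p} 1 40"
             for p in range(1, 301)]                      # 300 one-packet, 40-byte flows
    for i in range(3):                                    # 150 twenty-second UDP flows each
        lines += [f"2012-04-10T12:00:02 20.0 UDP 203.0.113.{10 + i}:{50000 + p} "
                  f"192.0.2.10:{80 + p % 10} 30 1200" for p in range(150)]
    lines.append("2012-04-10T11:53:00 410.5 ICMP 203.0.113.99:0 192.0.2.10:0 8200 492000")
    lines.append("2012-04-10T12:00:05 1.2 TCP 192.0.2.55:51234 192.0.2.10:80 12 8400")
    return [parse_flow(l) for l in lines]

def detect(flows, many=100, tiny_bytes=50, long_s=300, ddos_min_sources=2):
    """Return {source IP: verdict} using steps 1(a), 1(b) and 2 of the paper's
    algorithm; `many` and `ddos_min_sources` are our thresholds, while the
    50-byte and 5-minute (300 s) limits are the paper's."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    verdict = {}
    for src, fl in by_src.items():
        if len(fl) >= many:                               # step 1: many flows
            avg = sum(f.bytes for f in fl) / len(fl)
            verdict[src] = "port scan" if avg <= tiny_bytes else "dos"
        elif any(f.duration > long_s for f in fl):        # step 2: very long flow
            verdict[src] = "dos"
    dos_sources = [s for s, v in verdict.items() if v == "dos"]
    if len(dos_sources) >= ddos_min_sources:              # many DoS sources -> DDoS
        for s in dos_sources:
            verdict[s] = "ddos"
    return verdict
```

The returned dictionary is the "black list" the paper feeds to the firewall; a real deployment would read the collector's export instead of `constructed_flows()`.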
We have developed practical algorithms that are implemented as a script in Perl. The script has been installed on the protected server. NetFlow data come to the server running the nfdump NetFlow collector from the boundary (BGP) router of the SSAU network every minute. The script receives a file with data on incoming flows. These data are processed by the script in accordance with the attack detection algorithm described in the previous section. A list of suspicious IP addresses, from which an attack may be carried out, is produced as the output of the script. The processing time of the NetFlow data is very small (tens of milliseconds), whereas the time to detect the attacking addresses will be equal to the period of the data export from the router, i.e. one minute.

Suspicious IP addresses are entered into the database and all traffic from those addresses is blocked by an iptables firewall [16] for 5 minutes. Iptables is installed on the protected server, i.e. only the server is protected, not the whole network. If necessary, the protection can be extended to the whole SSAU network by blocking suspicious IP addresses on the boundary router. In the coming year we plan to explore the possibilities of using the NetFlow protocol for the detection of DDoS attacks that combine several basic types of attack.

The problems of preventing DDoS attacks and other unauthorized network intrusions have not lost their urgency, so SSAU created the Centre for the Study of Network Attacks. The main purpose of the new centre is to develop new techniques to detect and prevent various types of unauthorized network intrusion. Hosting that is protected from DDoS attacks has been created inside one segment of the university network. The method of protection is based on the method presented in this article. The server that is running the NetFlow collector receives NetFlow data from the boundary router of the university network. These data are then processed to produce a "black list" of addresses that are blocked by an iptables firewall.
In this paper, the detection of attacks such as DDoS and port scans using a flow traffic model was proposed, based on receiving data according to the Cisco NetFlow protocol from the border routers. An experiment to test this model and create prevention algorithms has been described. The experimental results have confirmed that the proposed flow traffic model can be used effectively to detect these attacks.

An algorithm for detecting suspicious IP addresses from which an attack may be carried out was suggested. These addresses can be used in intrusion prevention systems in order to block them. Also, the algorithm for the detection of suspicious addresses was implemented as a script that works in conjunction with an iptables firewall. This system for detecting and preventing attacks such as DDoS and port scanning was installed on the SSAU host network. In the future we plan to continue studying the possibility of using the NetFlow protocol to detect various types of unauthorized network intrusion. It is also planned to create a network protection system directly on the SSAU network boundary router using Cisco IOS features.