Detection of Denial of Service attacks using AGURI

Ryo Kaizaki, Keio Univ., kaizaki@sfc.wide.ad.jp
Kenjiro Cho, Sony CSL, kjc@csl.sony.co.jp
Osamu Nakamura, Keio Univ., osamu@wide.ad.jp

Abstract

Denial of Service attacks are divided into two types: logic attacks and flooding attacks. A logic attack exploits a security hole in software, such as operating system or web server bugs, and causes a system crash or degraded performance. Logic attacks can be defended against by upgrading software and/or filtering particular packet sequences. Comparing each packet of a flooding attack with other normal communication traffic, the only difference is the number of packets: a flooding attack creates an enormous amount of packets. Therefore, the same method used against logic attacks cannot protect systems from flooding attacks. During network operations, flooding attacks are usually detected using traffic monitoring tools such as MRTG. However, those tools do not detect the attack automatically. In this paper, a method for automatic detection of flooding attacks is described. AGURI, a monitoring tool that we have developed, is used. Using its traffic pattern aggregation method, AGURI can monitor traffic over the long term and detect flooding attacks.

1 Introduction

The Internet is a packet switching network in which every resource, such as the bandwidth of the links and the processing units of the routers, is shared. Resource management should be done by every end node; for example, congestion control can be done only by end nodes. Denial of Service attacks, especially flooding attacks, are ill behaviour on the end node. However, the current Internet does not have any mechanism to control this ill behaviour. During network operations, it is very important to detect flooding attacks as soon as possible. After detecting a flooding attack, operators can take several actions, such as filtering the packets from ill-behaving hosts and discovering the attacker. Denial of Service attacks are divided into two types [1]: logic attacks and flooding attacks.
A logic attack exploits a security hole in software, such as operating system or web server bugs, and causes a system crash or degraded performance. Logic attacks can be defended against by upgrading software and/or filtering particular packet sequences. Comparing each packet of a flooding attack with other normal communication traffic, the only difference is the number of packets: a flooding attack creates an enormous amount of packets. Therefore, the same method as for logic attacks cannot be used to protect systems from flooding attacks. During network operations, flooding attacks are usually detected using traffic monitoring tools such as MRTG [2]. However, those tools do not detect the attack automatically. In this paper, a method for automatically detecting flooding attacks is described. AGURI [3], which we have developed, is used as the monitoring tool. Using its traffic pattern aggregation method, AGURI can monitor traffic over the long term and detect flooding attacks.

2 Traffic monitoring for flooding attacks

There are several types of flooding attacks:

1. a large number of bytes
2. a large number of packets
3. packets with ill-behaving protocols, such as a SYN attack

Traffic with a large number of bytes for a single destination degrades the performance of the end system and of the routers switching this traffic. Recent routers incur more damage from receiving a large number of packets than from a large number of bytes. Such traffic can be monitored using SNMP [4]. MRTG is a good graphical interface for detecting unusual traffic, but it is not sufficient for detecting flooding attacks, because there is a limitation on the information that can be gathered using SNMP: the number of bytes and packets for each interface on the routers can be collected, but the number of bytes and packets to a single host cannot. If the bandwidth of the link is already occupied under normal conditions, a particular attack could not be detected by SNMP/MRTG monitoring, because the total bandwidth of the link does not change.

For detecting flooding attacks, we should know the normal conditions of the network, which requires a large amount of traffic data. SNMP is a simple mechanism for collecting data from routers and switches; an aggregation mechanism is needed for storing the data. NeTraMet and FlowScan, which are flow-based monitoring tools, can monitor specific types of traffic, such as the number of bytes and packets over the long term for HTTP, FTP, IPv6, etc. However, these tools require fixed rule sets, so they cannot detect unexpected traffic patterns.

3 AGURI

AGURI is an aggregation-based traffic profiler targeted at long-term measurement. AGURI adapts itself to the spatial traffic distribution by aggregating small-volume flows into their root. AGURI does not need a pre-defined rule set and is capable of detecting an unexpected increase of unknown packet patterns or flooding attacks. Figure 1 shows the concept of aggregation: small entries are aggregated into their root. The basic algorithm of AGURI's aggregation is to monitor every packet and, at the end, aggregate the entries whose counter value is less than an aggregation threshold.

[Figure 1: Aggregation concept. Nodes shown: 0.0.0.0, 10.0/16, 10.1.1/24, 10.1.2/21, 192.168/16, 192.168.4.24.]

In Figure 1, each circle shows an entry and its counter value is indicated by its size. Each filled dot shows a set of aggregated entries whose counter value is less than an aggregation threshold. For example, the filled dot 10.1.2/21 shows a set of aggregated entries whose counter value is less than an aggregation threshold and whose IP addresses are included in the address block 10.1.2/21.

Figure 2 shows an example of AGURI's summary output. A summary consists of a header part and a body part. The header part describes the version, the start time of profiling, the end time of profiling and the average rate of all traffic; header lines start with %. The body part contains 4 profile types:

1. source IP address
2. destination IP address
3. source protocol
4. destination protocol

    %%!AGURI-1.0
    %%StartTime: Thu Mar 01 00:00:00 2001 (2001/03/01 00:00:00)
    %%EndTime: Sun Apr 01 00:00:00 2001 (2001/04/01 00:00:00)
    %AvgRate: 14.91Mbps
    [src address] 4992392109177 (100.00%)
    0.0.0.0/0 87902964189 (1.76%/100.00%)
     0.0.0.0/1 206637364377 (4.14%/14.78%)
      0.0.0.0/2 205796877844 (4.12%/7.12%)
       60.0.0.0/6 97928228974 (1.96%/3.00%)
        62.52.0.0/16 51875058871 (1.04%/1.04%)
      64.0.0.0/8 100831910967 (2.02%/3.51%)
       64.0.0.0/9 74610984109 (1.49%/1.49%)
     128.0.0.0/2 142349668983 (2.85%/13.33%)
      128.0.0.0/3 197067746696 (3.95%/10.48%)
       128.0.0.0/5 202911635757 (4.06%/5.45%)
        133.0.0.0/8 69142535628 (1.38%/1.38%)
       150.65.136.91 54123094932 (1.08%)
     192.0.0.0/4 212653628837 (4.26%/38.41%)
      192.0.0.0/6 88855538654 (1.78%/1.78%)
      202.0.0.0/7 235853368912 (4.72%/14.70%)
       202.0.0.0/9 117196493427 (2.35%/6.77%)
        202.12.27.33 160473669718 (3.21%)
        202.30.143.128/25 60239291958 (1.21%/1.21%)
       203.178.143.127 94031811680 (1.88%)
      204.0.0.0/6 228960094456 (4.59%/17.68%)
       204.0.0.0/8 125458765333 (2.51%/7.58%)
        204.123.7.2 87103414877 (1.74%)
        204.152.184.75 165733431144 (3.32%)
       206.0.0.0/7 164036959478 (3.29%/5.51%)
        206.128.0.0/9 53526598302 (1.07%/1.07%)
        207.0.0.0/8 57628266965 (1.15%/1.15%)
     208.0.0.0/4 282590640975 (5.66%/31.72%)
      208.0.0.0/6 116047154301 (2.32%/22.20%)
       209.0.0.0/8 140888988219 (2.82%/11.78%)
        209.1.225.217 238192306019 (4.77%)
        209.1.225.218 209160635530 (4.19%)
       210.0.0.0/7 154008321340 (3.08%/3.08%)
      216.0.0.0/9 192899750315 (3.86%/3.86%)
    %LRU hits: 86.82% (1021/1176)

Figure 2: Example of AGURI summary output (source address profile only)

In the address profile, each row shows an address entry and is indented by the prefix length. The first column shows the address and the prefix length of the entry. The second column shows the cumulative byte count.
The third column shows the percentages of the entry itself and of its subtree. Using AGURI's script, we can archive summaries with minimal disk space, which enables long-term measurements. Thus, AGURI achieves long-term traffic monitoring and detects characteristic flows without a pre-defined rule set.

4 Design

For the detection of flooding attacks, this paper defines an original parameter, Deviation (D), between the characteristics of the packet pattern in the long term and the current characteristics. If the parameter D is high, we can guess that the current packet pattern is unusual. Based on this idea, the following 2 schemes are needed: long-term traffic archiving together with current traffic monitoring, and a method of calculating Deviation (D).

4.1 Long-term traffic monitoring

We use AGURI to archive the characteristics of traffic in the long term. AGURI uses a traffic profiling technique in which records are maintained in a prefix-based tree, and a compact summary is produced by aggregating entries. Figure 3 shows the tree structure for archiving summaries. In Figure 3, AGURI generates hourly summary A by aggregating minute summaries 1 to 12. We can see various summaries at different time-scale granularities.

[Figure 3: Archiving structure of AGURI (year, month, day, hour A, minute summaries 1 to 12).]

4.2 Calculation of Deviation

This paper defines an original parameter, Deviation (D), between the characteristics of the packet pattern in the long term and the current characteristics. Figure 4 shows a basic example of the calculation of Deviation. In Figure 4, T1 is the traffic summary tree in the long term and T2 is the current traffic summary tree. Distance is the difference in node depth in the tree structure, and a, b and c denote nodes in the tree structure. In this basic model, all nodes are located at the same position and have different values, so Deviation (D) can be calculated by the following formula:

$$D = (T_1[a] - T_2[a])^2 + (T_1[b] - T_2[b])^2 + (T_1[c] - T_2[c])^2$$

In this formula, T1[a] is the average throughput rate of node a in T1. Defining nodes a, b, c, ..., i, ..., this leads to the following formula:

$$D = \sum_i (T_1[i] - T_2[i])^2$$

[Figure 4: Basic model (T1, T2, distance).]

However, in real traffic patterns produced by AGURI, few nodes are located at the same position. We have to consider the sameness of nodes that are aggregated at different depths. Figure 5 shows an example in which nodes are aggregated in the tree structure at different depths.

[Figure 5: Tree structure of real traffic (T1, T2, distance).]

If we forced the basic model onto this tree structure, there would be no relation between a node of T1 and the nodes of T2 aggregated at a different depth in the same address block.
However, it is naturally expected that an aggregated node in one tree contains the finer nodes of the other tree below it, and that a finer node is an element of the aggregated node above it. Thus, we have to consider these relations between the nodes of T1 and T2. Figure 6 shows the virtual breakdown idea for comparing nodes aggregated at different depths.

[Figure 6: Virtual breakdown of an aggregated node (T1, T2).]
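The virtual breakdown and the two-phase Deviation of Section 4.2, worked through in code as an added example (not code from the paper or from the AGURI distribution): two constructed summaries in the Figure 2 layout are parsed into per-node average rates, one breakdown phase is run in each direction, and the squared differences are summed. How the rate of a node missing from the other tree is distributed during a breakdown is my assumption, since the paper does not define it: equal split over the finer nodes it hides, or folding into the nearest ancestor when the node is the finer one.

```python
import ipaddress
from datetime import datetime
# Constructed toy summaries in the Figure 2 layout (not real WIDE data); in the
# second one a single host, 10.1.1.7, suddenly sends most of the bytes.
LONG_TERM = """%%StartTime: Thu Mar 01 00:00:00 2001 (2001/03/01 00:00:00)
%%EndTime: Thu Mar 01 01:00:00 2001 (2001/03/01 01:00:00)
0.0.0.0/0 3600 (25.00%/100.00%)
 10.0.0.0/8 7200 (50.00%/75.00%)
  10.1.0.0/16 3600 (25.00%/25.00%)
"""
CURRENT = """%%StartTime: Thu Mar 01 01:00:00 2001 (2001/03/01 01:00:00)
%%EndTime: Thu Mar 01 01:02:00 2001 (2001/03/01 01:02:00)
0.0.0.0/0 120 (12.50%/100.00%)
 10.0.0.0/8 240 (25.00%/87.50%)
  10.1.1.7 600 (62.50%)
"""

def parse_summary(text):
    """Map each address entry to its average rate (bytes/s) over the period."""
    times, tree = {}, {}
    for line in text.splitlines():
        f = line.split()
        if line.startswith("%%") and "Time:" in f[0]:   # %%StartTime / %%EndTime
            times[f[0][2:-5]] = datetime.strptime(line[line.index("(") + 1:-1], "%Y/%m/%d %H:%M:%S")
        elif f and f[0][0].isdigit():                    # address row: addr bytes (pct)
            tree[ipaddress.ip_network(f[0])] = int(f[1])
    secs = (times["End"] - times["Start"]).total_seconds()
    return {net: b / secs for net, b in tree.items()}

def nearest(tree, net):  # longest prefix in tree strictly containing net, else None
    anc = [p for p in tree if p != net and net.subnet_of(p)]
    return max(anc, key=lambda p: p.prefixlen) if anc else None

def breakdown(src, ref):
    """One phase ([d1]/[d2]): express src on ref's node set.  Assumption, not from the
    paper: a missing node is split equally over the finer ref nodes it hides, or folded up."""
    out = {r: 0.0 for r in ref}
    for s, rate in src.items():
        hidden = [x for x in ref if x not in src and nearest(src, x) == s]
        if s in ref:                                     # same node in both trees
            out[s] += rate
        elif hidden:                                     # src coarser: break down
            for x in hidden:
                out[x] += rate / len(hidden)
        elif (anc := nearest(ref, s)) is not None:       # src finer: fold upward
            out[anc] += rate
    return out

def deviation(t1, t2):
    """D = (sum_i (T1[i]-T2_d1[i])^2 + sum_i (T1_d2[i]-T2[i])^2) / 2, Section 4.2."""
    d1, d2 = breakdown(t2, t1), breakdown(t1, t2)        # phase d1, then phase d2
    return (sum((t1[i] - d1[i]) ** 2 for i in t1) + sum((d2[i] - t2[i]) ** 2 for i in t2)) / 2
```

With these inputs the flooding host 10.1.1.7 is folded into 10.1.0.0/16 in phase d1 and 10.1.0.0/16 is broken down onto 10.1.1.7 in phase d2, so both phases contribute (5 - 1)^2 and D = 16.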
Based on the virtual breakdown method, breaking down both T1 to T2 and T2 to T1 at the same time would become a recursive breakdown. Therefore, we go through 2 phases. In the first phase, T2 is broken down based on T1's tree structure [d1]. The second phase is the other direction [d2]. Deviation (D) can then be calculated by the following formula, where T2^{d1} denotes T2 after the first phase and T1^{d2} denotes T1 after the second phase:

$$D = \frac{\sum_i (T_1[i] - T_2^{d1}[i])^2 + \sum_i (T_1^{d2}[i] - T_2[i])^2}{2}$$

With the virtual breakdown of aggregated nodes, we can calculate Deviation (D) from nodes aggregated at different depths of the tree structure.

5 Evaluation

5.1 Information of sample data

We have done a sample evaluation using 1 month of traffic data from the WIDE Internet [5] backbone. This traffic data is taken from a trans-Pacific link and contains flooding attacks. Figure 7 shows the monthly traffic pattern. This monthly sample data contains some flooding attacks; in this evaluation we focused on 14th October.

[Figure 7: Characteristics of sample traffic in a month.]

Figure 8 shows the 24-hour traffic pattern on 14th October. This figure shows that there was a flooding attack against router1 and router2. Figure 9 shows the 2-hour traffic pattern at 13:00-15:00 on 14th October. In Figure 9, router1 and router2 denote the interfaces of the respective routers. These figures show in detail what is caused by flooding attacks. We can see that the flooding attack toward router1 and router2 starts at 13:16 and ends at 14:36.

[Figure 8: Characteristics of sample traffic on 14th Oct.]

[Figure 9: Characteristics of sample traffic at 13:00-15:00 on 14th Oct.]

5.2 Time granularity

Evaluating flooding attack detection with Deviation, we prepared 4 types of parameters:

1) Deviation compared with the current 30 days
2) Deviation compared with the current 24 hours
3) Deviation compared with the current 1 hour
4) Deviation compared with the current 5 minutes

We have calculated the Deviation of the current 2 minutes with these 4 types of parameters. In the following 4 figures, Deviations are calculated between the current 2 minutes of traffic data and each length of term.

1) Time series plot of Deviation between the current 2 minutes and the current 30 days (Figure 10)
Figure 10: Compared with 30 days of data
Figure 10 shows that Deviation is strongly related to the traffic patterns that consist of packets toward router1 and router2.

2) Time series plot of Deviation between the current 2 minutes and the current 24 hours (Figure 11)

Figure 11: Compared with 24 hours of data

Figure 11 shows that Deviation is related to the traffic patterns that consist of packets toward router1 and router2. However, the relation gradually weakens as the flooding attack continues.

3) Time series plot of Deviation between the current 2 minutes and the current 1 hour (Figure 12)

Figure 12: Compared with 1 hour of data

Figure 12 shows that a long-lasting flooding attack causes Deviation to decrease, because the flooding attack traffic becomes contained in the 1-hour traffic.

4) Time series plot of Deviation between the current 2 minutes and the current 5 minutes (Figure 13)

Figure 13: Compared with 5 minutes of data

Figure 13 shows that a long-lasting flooding attack causes Deviation to decrease and that the level of Deviation is very low during a long-lasting flooding attack. Moreover, when the flooding attack ends, Deviation increases rapidly, because the traffic data for the current 5 minutes was full of flooding-attack packets.

In Figures 10, 11, 12 and 13, when the characteristics of the current 2 minutes of data appear similar to the characteristics of the long-term data, the level of Deviation is low. Conversely, while the characteristics of the current 2 minutes of data are not similar to those of the long-term data, the level of Deviation is high. As shown above, the Deviation method can clearly detect the start point of a flooding attack at any time scale. However, in the case of flooding attacks that continue for a long time, the level of Deviation depends on the length of the term against which the traffic data is compared.

6 Conclusion

An automatic detection method for flooding attacks without fixed rules is proposed. The basic concept is to detect unusual traffic patterns by the deviation between usual patterns and recent ones. The traffic monitoring tool AGURI, which has been developed by our project, is very useful for capturing the characteristics of the traffic pattern, because AGURI can aggregate traffic data without discarding the traffic characteristics.
The algorithm of virtual breakdown of aggregated nodes in the tree is very powerful for calculating the deviation of traffic. In this paper, we provided a simple evaluation of our method using real traffic data taken from the WIDE Internet backbone. Flooding attacks can be detected by a large deviation value. More detailed evaluation, such as the probability of wrong detection, should be done in future research.

References

[1] R. Needham, Denial of Service: An Example, Communications of the ACM, volume 37, November 1994
[2] Oetiker, Tobias, MRTG - The Multi Router Traffic Grapher, USENIX System Administration Conference, December 1998
[3] Kenjiro Cho, Ryo Kaizaki, Akira Kato, AGURI: An Aggregation-Based Traffic Profiler, QofIS2001, September 2001
[4] J. Case, M. Fedor, M. Schoffstall, K. Davin, A Simple Network Management Protocol (SNMP), RFC 1157, May 1990
[5] WIDE Project, http://www.wide.ad.jp