DISTRIBUTED tcpdump CAPABILITY FOR LINUX Research Paper EJAZ AHMED SYED Dr. JIM MARTIN Internet Research Group. Department Of Computer Science – Clemson University.
Page 1:

DISTRIBUTED tcpdump CAPABILITY FOR LINUX

Research Paper

EJAZ AHMED SYED, Dr. JIM MARTIN

Internet Research Group. Department Of Computer Science – Clemson University.

Page 2:

Project Goals

Design and implement a tool that provides distributed tcpdump capability for Linux.

Basic Operation Description:

A client sends a command to a server instructing the server to run particular tcpdump commands. At the server, there needs to be a way for the tcpdump data to be sent back to the client.

Significance:

• A generic building block that can be deployed in a highly distributed manner for Distributed Denial of Service (DDoS) and Intrusion Detection (ID).

• The work is closely related to the framework developed for intrusion detection.

Page 3:

PROBLEM DEFINITION & SCOPE

Distributed Denial of Service and Intrusion Detection System (IDS)

A “denial-of-service” attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:

• attempts to “flood” a network, thereby preventing legitimate network traffic.

• attempts to disrupt connections between two machines, thereby preventing access to a service.

• attempts to disrupt service to a specific system or person.

Note: Other types of attacks may include a denial of service as a component, but the denial of service may be part of a larger attack.

... contd

Page 4:

PROBLEM DEFINITION & SCOPE

A network-based intrusion detection system (IDS) might be able to detect an attack instance (either an attack packet or a sequence of attack packets) by automatically extracting and analyzing the attack signatures from a collection of incoming and outgoing data packets. However, because of the source accountability problem of today’s Internet, an IDS generally cannot tell where the attack packets originated.

Recent attention: Many DDoS (Distributed Denial of Service) attacks have affected web sites such as Yahoo!, eBay and CNN, among many others, utilizing IP source address spoofing.

Page 5:

Nomenclature – The Plain DDoS Model

DDoS Attack Infrastructure: Hackers form their own community and share resources among themselves. When one Internet host is compromised (a resource for the hackers), the host identity and the key to access this host are announced to all the hackers. Gradually, compromised hosts are organized and connected together as a DDoS attack infrastructure. In this host infrastructure, some hosts play the role of masters, while others are slaves.

Attacker: A 15-year-old Montreal boy with the alleged Internet codename of Mafiaboy was the attacker who launched the attacks that briefly immobilized and brought down Internet giants eBay, Amazon.com, Yahoo.com, and ETrade back in February through the plain DDoS attack infrastructure. [ www.itworld.com ] Must be a “Gryffindor wizard” !!

Page 6:

The plain DDoS Model [1999-2000]

Ref : On Design and Evaluation of “Intention-Driven” ICMP Traceback. UCLA

Page 7:

Tool Functionality

How to detect a distributed attack?

Signatures represent the attacks in a generic way.

A signature is a distributed event pattern that represents a distributed attack.

• Generate log files required for further processing.

• Specify what information is needed.

• Identify the attack from specific signature flow.

• Trace bandwidth consumed by the following flow description xxx: the data sent back is a simple byte count per second.

• Alert the client when data specific to flow xxx is observed: send back an alert message. Alert the client when you see this particular flow signature.

Page 8:

IMPLEMENTATION ARCHITECTURE

Pseudo Signatures:

• Generate specific command-oriented tcpdump log files for processing. [ CMD : tcpdump_command, param_String, START, STOP, probing_frequency, file *log_file ]

CMD : any tcpdump command. File : log file generated with the resultant tcpdump data.

• Generate a list of offending flows. [ CMD : ID_Non_tcp_friendly_flows, START, STOP, probing_frequency, file *list_file ]

• Identify specific offending flows. [ CMD : search_for_this_flow, reporting_mode, probing_frequency, file *search_stats ]

Search_for_this_flow : based on, for example, { address, port, protocol }.

Reporting_mode : First occurrence of the specific flow, or Bandwidth > TCP_Friendly.
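The server-side handling of the two flow-oriented commands above (the byte-count-per-second trace from the Tool Functionality slide and search_for_this_flow with its two reporting modes), written here as an added example; it is not code from the paper. It assumes tcpdump output has already been parsed into records, uses a constructed capture, and takes the TCP_Friendly threshold as a caller-supplied number because the slides name it without defining it.

```python
import math

# Constructed records standing in for parsed tcpdump output (not a real capture):
# (seconds since capture start, source address, source port, protocol, bytes on the wire)
CAPTURE = [
    (0.10, "10.0.0.5", 40000, "udp", 1400),
    (0.40, "10.0.0.5", 40000, "udp", 1400),
    (0.90, "10.0.0.7", 443, "tcp", 60),
    (1.20, "10.0.0.5", 40000, "udp", 1400),
    (1.70, "10.0.0.5", 40000, "udp", 1400),
    (1.95, "10.0.0.5", 40000, "udp", 1400),
    (2.30, "10.0.0.7", 443, "tcp", 60),
]

def matches(rec, flow):
    """A flow description is the { address, port, protocol } triple from the slide."""
    return (rec[1], rec[2], rec[3]) == flow

def trace_bandwidth(records, flow, start, stop, probing_frequency=1.0):
    """Byte count per probing interval for one flow between START and STOP:
    the 'simple byte count per second' the server sends back to the client."""
    n = math.ceil((stop - start) / probing_frequency)
    buckets = [0] * n
    for rec in records:
        ts, length = rec[0], rec[4]
        if start <= ts < stop and matches(rec, flow):
            buckets[int((ts - start) / probing_frequency)] += length
    return buckets

def search_for_this_flow(records, flow, reporting_mode, probing_frequency=1.0,
                         tcp_friendly_rate=None):
    """Reporting modes named on the slide. 'first_occurrence' returns an alert
    carrying the time the flow was first seen (None if never seen). 'bandwidth'
    returns the intervals whose rate exceeded tcp_friendly_rate in bytes/s; that
    threshold is an assumption supplied by the caller, not defined by the paper."""
    if reporting_mode == "first_occurrence":
        hits = [rec[0] for rec in records if matches(rec, flow)]
        return None if not hits else {"alert": "flow seen", "flow": flow, "at": min(hits)}
    if reporting_mode == "bandwidth":
        stop = max(rec[0] for rec in records) + probing_frequency
        counts = trace_bandwidth(records, flow, 0.0, stop, probing_frequency)
        return [i for i, b in enumerate(counts) if b / probing_frequency > tcp_friendly_rate]
    raise ValueError(f"unknown reporting_mode {reporting_mode!r}")

if __name__ == "__main__":
    udp_flow = ("10.0.0.5", 40000, "udp")
    print(trace_bandwidth(CAPTURE, udp_flow, 0.0, 3.0))  # [2800, 4200, 0]
    print(search_for_this_flow(CAPTURE, udp_flow, "first_occurrence"))
    print(search_for_this_flow(CAPTURE, udp_flow, "bandwidth", tcp_friendly_rate=3000))  # [1]
```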

Page 9:

CARDS Architecture

Fig : The CARDS architecture

Ref : Design and Implementation of A Decentralized Prototype System for Detecting Distributed Attacks. [Dr. Ning, Dr. Sushil, Dr. Sean, North Carolina State University. ]

Page 10:

Extensions

• Provide hooks for some other extended tcpdump commands.

• Provide an interactive Java GUI for the client.

• Think !!!!

NOTE : [ Cpsc881 Students - Fall’03 ] may implement a security feature for this application. !??!