architecture/docs/workshop/1-passsive-ddos/d4-passive-ddos.tex


% Full instructions available at:
% https://github.com/elauksap/focus-beamertheme
\documentclass{beamer}
\usetheme[numbering=progressbar]{focus}
\usepackage{tikz}
\usetikzlibrary{positioning}
\usetikzlibrary{shapes,arrows}
\usepackage{transparent}
\usepackage{fancyvrb}
\usepackage{listings}
\definecolor{main}{RGB}{47, 161, 219}
%\definecolor{textcolor}{RGB}{128, 128, 128}
\definecolor{background}{RGB}{240, 247, 255}
\definecolor{textcolor}{RGB}{85, 87, 83}
\title{D4 Project}
\subtitle{Passive DDoS identification techniques}
\author{Team CIRCL}
\titlegraphic{\includegraphics[scale=0.20]{d4-logo.pdf}}
\institute{Team CIRCL \\ \url{https://www.d4-project.org/}}
\date{20190923}
\begin{document}
\begin{frame}
\maketitle
\end{frame}
\begin{frame}
\frametitle{Observing SYN flood attacks in backscatter traffic}
Attack description
\begin{tikzpicture}[scale=0.4]
\node[rectangle,draw,fill=red!80] (a) at (0,0) {Attacker};
\node[anchor=west] at (0.93,0.25) {Spoofed requests $H_{0},H_{1},H_{2},H_{3},\dots$};
\node [rectangle,draw,fill=blue!25,anchor=east] at (8,0) (v) {Victim};
\draw [->](a) --(v);
\foreach \x in {0,1,2,3} {
\node [rectangle,draw,fill=green!25,anchor=east] at (\x*2+1,-2) {$H_{\x}$};
%Horizontal lines
\draw (\x*2+1, -\x*0.25-0.5)--(7.0+\x*.25,-\x*0.25-0.5);
%Links to the victim
\draw (7.0+\x*.25,-\x*0.25-0.5) -- (7.0+\x*.25,-0.25);
%Links to hosts
\draw[->] (\x*2+1, -\x*0.25-0.5)--(\x*2+1,-1.70);
}
\end{tikzpicture}
\begin{center}
\begin{tabular}{|l|}
\hline
Connections\\
\hline
$H_{0}$\\
\hline
$H_{1}$\\
\hline
$H_{2}$\\
\hline
$H_{3}$\\
\hline
\end{tabular}
\end{center}
\begin{center}
Fill up the connection state table of the victim
\end{center}
\end{frame}
\begin{frame}
\frametitle{What does backscatter look like?}
\input{tcpout.tex}
\begin{center}
\alert{What are the typical characteristics?}
\end{center}
\end{frame}
\begin{frame}
\frametitle{What can be derived from backscatter traffic?}
\begin{itemize}
\item External point of view on ongoing denial-of-service attacks
\item Confirm if there is a DDoS attack
\item Recover the timeline of attacked targets
\item Confirm which services are targeted (DNS, web server, \dots)
\item Infrastructure changes
\item Assess the state of an infrastructure under denial-of-service attack
\begin{itemize}
\item Detect failure or addition of intermediate network equipment, firewalls, proxy servers, etc.
\item Detect DDoS mitigation devices
\end{itemize}
\item Create probabilistic models of denial-of-service attacks
\end{itemize}
\end{frame}
\begin{frame}
\frametitle{Confirm if there is a DDoS attack}
\begin{block}{Problem}
\begin{itemize}
\item Distinguish between compromised infrastructure and backscatter
\item Look at TCP flags $\to$ filter out packets carrying only a SYN flag
\item Focus on ACK, SYN/ACK, \dots
\item Do not limit to SYN/ACK or ACK $\to$ also consider ECE (ECN Echo)\footnote{\url{https://tools.ietf.org/html/rfc3168}}
\end{itemize}
\end{block}
\input{flags.tex}
\end{frame}
\begin{frame}
\frametitle{Backscatter traffic evolution}
\begin{center}
\scalebox{0.9}{\input{bsvol.tex}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{IP distribution sending backscatter traffic}
\begin{center}
\scalebox{0.9}{\input{uips.tex}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Observing SYN flood attacks in backscatter traffic}
Plotting TCP acknowledgement numbers
\begin{center}
\scalebox{0.7}{\input{backscatter.tex}}
\end{center}
\end{frame}
\begin{frame}
\frametitle{Get in touch if you want to join the project, host a sensor or contribute}
\begin{itemize}
\item Collaboration can include research partnership, sharing of collected streams or improving the software.
\item Contact: \href{mailto:info@circl.lu}{info@circl.lu}
\item \url{https://github.com/D4-Project} --- \url{https://twitter.com/d4_project}
\end{itemize}
\end{frame}
\end{document}