Security-1

M171. Implementing an Application for Detecting and Preventing Traffic Anomalies

1. Project topic

Detecting and blocking flood-type Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks.

2. Objectives

Implementing an interface through which the user specifies the detection rules.
Implementing the application as a kernel module that detects DoS attacks.
Integrating an adaptive detection mechanism driven by the historical data the application collects.

3. Bibliography

[1] Robert Love, Linux Kernel Development, 2nd edition, Novell Press, 2005.
[2] Klaus Wehrle, Frank Pahlke, Hartmut Ritter, Daniel Muller, The Linux Networking Architecture, Prentice Hall, 2004.
[3] Alessandro Rubini, Jonathan Corbet, Linux Device Drivers, 3rd edition, O'Reilly, 2005.

4. Organizational details
  • project coordinator: conf. dr. ing. Răzvan Rughinis
  • team: TENEA Bogdan
  • prerequisites: C programming, networking
  • room: EG106b
  • schedule: 6 hours per week, two semesters

5. Results of the first semester

InXpect: Application for Detecting and Preventing Network Traffic Anomalies

The damage that DoS and DDoS attacks can inflict on an organization is beyond dispute, especially on the IPv4 infrastructure that is the Internet. The protocol does not authenticate source addresses, so the origin of a flood attack can be spoofed and cannot be established with certainty. As a result, attackers have little fear of being caught, and even when an attacker is identified, legislation in this area is poorly developed. Network-based IDPS solutions that rely on signatures and stateful protocol analysis can to some extent be replaced by installing anti-virus software (which is essentially a host-based IDPS) on every computer in an organization; IDPS solutions based on network behavior analysis have no such substitute and are crucial to every organization.

InXpect offers very good performance because it is implemented in the kernel: inspecting a packet requires neither a switch to process context nor a system call. On SMP systems, throughput scales almost linearly with the number of processing cores, with minimal overhead, because all locks protecting concurrently accessed data are spinlocks which, in most cases, are acquired uncontended and therefore without busy-waiting.

Cost is another strong point of InXpect: it runs on Linux, which is free software, and requires no dedicated hardware. The application can run on any system with a network card, at the distribution layer as well as at the core of the Internet. A system with five 10 Gigabit Ethernet cards and enough processing power to analyze traffic at full line rate would cost around $5000, far less than any dedicated appliance from companies specializing in network security products, where comparable inspection throughput costs over half a million dollars.

A clear distinction must, however, be drawn between InXpect and most solutions from major vendors: the proposed solution blocks an attack by denying all access to the victim, effectively completing the Denial of Service against that host, whereas the vendor solutions claim to filter out malicious traffic while letting legitimate traffic reach its destination. The solution presented here is nonetheless very useful to Internet Service Providers, since it lets them protect their entire infrastructure, their links with other providers, and the clients that share the infrastructure with a client that is, at some point, the victim of a DoS flood attack.
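The behavior described in the two paragraphs above (per-packet inspection in the kernel without context switches, and blocking an attack by dropping all traffic to the victim), together with the user-specified and adaptive rules listed under the objectives, is illustrated by the following added example. It is not InXpect's code and is not taken from the project: it is a portable user-space C rendition of the same data path, so it compiles and runs without a kernel tree. The rule fields, the 1 s counting window, the EWMA weight, the table size and the two constructed traffic scenarios are assumptions made for the example; in a kernel module the inspect() function would be called from a Netfilter hook and the table would be guarded by a spinlock, both also assumptions about how such a module would be wired.

```c
/* Added example, not InXpect's code: a flood detector of the kind the page
 * describes, in portable user-space C. In a kernel module inspect() would sit
 * behind a Netfilter hook (assumption) and the table under a spinlock. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DST   64             /* toy table size (assumption) */
#define WINDOW_NS 1000000000ULL  /* 1 s counting window (assumption) */
#define ALPHA     0.2            /* EWMA weight of the newest window (assumption) */
enum verdict { ACCEPT = 0, DROP = 1 };

struct rules {                   /* what the user-facing rule interface would set */
    uint32_t pps_threshold;      /* static rule: packets/window, 0 = disabled */
    double   k;                  /* adaptive rule: count > mean + k*stddev */
    uint32_t min_history;        /* completed windows before the adaptive rule arms */
    uint32_t min_adaptive;       /* floor below which the adaptive rule never fires */
    uint64_t block_ns;           /* how long all traffic to the victim is dropped */
};

struct dst_state {
    uint32_t ip;                 /* destination IPv4 address, host byte order */
    uint64_t win_start;          /* start of the current window (ns, monotonic) */
    uint32_t count, windows;     /* packets this window; windows folded into history */
    double   mean, var;          /* EWMA mean and variance of per-window counts */
    uint64_t blocked_until;      /* ns timestamp, 0 = not blocked */
};

static struct dst_state table[MAX_DST]; static int ntable;
void reset_table(void) { ntable = 0; }
/* Linear lookup suffices for a toy table; a kernel module would hash on ip. */
static struct dst_state *lookup(uint32_t ip, uint64_t now)
{
    for (int i = 0; i < ntable; i++)
        if (table[i].ip == ip) return &table[i];
    if (ntable == MAX_DST) return NULL;   /* table full: caller fails open */
    struct dst_state *d = &table[ntable++]; memset(d, 0, sizeof *d);
    d->ip = ip; d->win_start = now;
    return d;
}

/* Fold every elapsed window into the history. Idle windows are folded as
 * zeros, so a destination's baseline decays once traffic stops. */
static void rotate_windows(struct dst_state *d, uint64_t now)
{
    while (now - d->win_start >= WINDOW_NS) {
        double diff = (double)d->count - d->mean;
        d->mean += ALPHA * diff;
        d->var   = (1.0 - ALPHA) * (d->var + ALPHA * diff * diff);
        d->windows++; d->count = 0; d->win_start += WINDOW_NS;
    }
}

/* Per-packet verdict; only the destination address and a timestamp are needed. */
int inspect(const struct rules *r, uint32_t dst_ip, uint64_t now)
{
    struct dst_state *d = lookup(dst_ip, now);
    if (!d) return ACCEPT;
    if (d->blocked_until && now < d->blocked_until) return DROP;  /* still blocked */
    d->blocked_until = 0; rotate_windows(d, now); d->count++;
    int flood = r->pps_threshold && d->count > r->pps_threshold;
    if (!flood && d->windows >= r->min_history && d->count > r->min_adaptive) {
        /* count > mean + k*sqrt(var), squared to avoid pulling in libm */
        double diff = (double)d->count - d->mean;
        flood = diff > 0 && diff * diff > r->k * r->k * d->var;
    }
    if (flood) d->blocked_until = now + r->block_ns;
    return flood ? DROP : ACCEPT;
}

/* Constructed scenario 1: 1500 packets to 10.0.0.1 within 0.15 s, static rule
 * of 1000 packets/window. Returns the number of packets dropped. */
int demo_static_rule(void)
{
    struct rules r = { .pps_threshold = 1000, .k = 4.0, .min_history = 5,
                       .min_adaptive = 100, .block_ns = 5 * WINDOW_NS };
    int drops = 0; reset_table();
    for (uint64_t i = 0; i < 1500; i++)
        drops += inspect(&r, 0x0A000001, i * 100000ULL);
    return drops;
}

/* Constructed scenario 2: 10.0.0.2 sees 50 packets/s for ten windows, then 400
 * in the eleventh; static rule disabled, so only the adaptive rule can fire. */
int demo_adaptive_rule(void)
{
    struct rules r = { .pps_threshold = 0, .k = 4.0, .min_history = 5,
                       .min_adaptive = 100, .block_ns = 5 * WINDOW_NS };
    int drops = 0; reset_table();
    for (uint64_t w = 0; w < 10; w++)
        for (uint64_t j = 0; j < 50; j++)
            drops += inspect(&r, 0x0A000002, w * WINDOW_NS + j * 10000000ULL);
    for (uint64_t j = 0; j < 400; j++)
        drops += inspect(&r, 0x0A000002, 10 * WINDOW_NS + j * 1000000ULL);
    return drops;
}

int main(void) { printf("static %d/1500, adaptive %d/400 dropped\n",
                        demo_static_rule(), demo_adaptive_rule()); }
```

Compile with cc -std=c99 and run. Scenario 1 drops the 500 packets that arrive after the static threshold of 1000 is exceeded, and every further packet to that destination is dropped until the 5 s block expires. Scenario 2 accepts the whole 50 packets/s baseline and then drops 294 of the 400 burst packets, because from the 107th packet onward the window count exceeds the destination's historical mean by more than four standard deviations. Two design choices worth noticing: the detector fails open when its table is full, which is the safer default for a device placed inline on provider links, and idle windows are folded into the history as zeros, so a destination's baseline decays after traffic stops and the adaptive threshold tightens again.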

Further work on the project could address the stability and operational issues mentioned in the previous chapter, while further research could address the design issues.