“THRESHOLD BASED KERNEL LEVEL HTTP FILTER (TBHF)” for DDoS Mitigation

by
MOHAMED IBRAHIM AK    82008132041
LIJO GEORGE           82008132515
Dept. of CSE, TEC, Trichy

INTERNAL GUIDE: Mr. A. NARENTHIRA KUMAR, Asst. Professor, Dept. of CSE, TEC, Trichy
EXTERNAL GUIDE: Dr. S. SELVAKUMAR, Professor, Dept. of CSE, NIT, Trichy
OUTLINE
  • Abstract
  • Insight into DDoS attack
  • Existing and Proposed system
  • Algorithm
  • Modules
  • TBHF Driver
  • Technology
  • Conclusion
  • References

Slide 2                   Dept. of CSE, TEC.   3 April 2012
Abstract
  • Application layer attack
  • Client Side Scripting
  • High rate flooding attack
  • No manifestation
  • Data on the flow analysis
  • Threshold based Decision Support System
  • Vulnerability Status: Effective – Real time

DDoS attack - Actors
  • Individuals
      • Julian Assange - Wikileaks
  • Blackhat underground community
      • ‘Anonymous’, ‘Lords of Dharmaraja’
  • Government sponsored
      • China - GhostNet
      • Israel - Stuxnet

DDoS attack - Scenario
  • Coordinated attack on a given target system through many compromised systems.
  (Diagram: Attacker → Medium M1, M2, M3, …, Mn → Compromised Systems C, C, …, C → Target)

DDoS attack - Analysis
  (chart only; not reproduced in the transcript)

DDoS attack - Timeline
  • July 2011
      • Live Journal Hit by Massive Cyber Attack
  • March 2011 (Korean Websites)
      • 40 websites under DDoS attack
  • February 2011 (Total Choice Hosting Network)
      • 700,000 packets per second
      • 600 Mbps
  • January 2011
      • FBI executed 40 search warrants for DDoS attacks
          • Low Orbit Ion Cannon tool

Existing System
  • Predominantly on the server side
  • Page access behaviour
  • Captcha
  • Black list
  • Signature based detection

Proposed System
  • Client side
  • Threshold based
  • Real time
      • Monitoring
      • Detection
      • Prevention
  • Detects zero-day vulnerability

Algorithm
  1. Capture traffic:
     a. Filter outbound TCP packets
     b. Filter HTTP packets
     c. if (packet type == “GET”)
            Action = inspect;
     d. else
            Action = allow;
  2. Extract parameters:
     a. remote IP
     b. Time

Algorithm Contd…
  // r.addr1, r.addr2, …, r.addri -> remote IP of each GET
  // T1, T2, …, Ti -> arrival time of each GET
  // ∆t -> time window: maximum gap between two GETs that counts as one burst
  3. Inspect:
     a. if (r.addri not in array)
            addr[i] = r.addri;
            t[i] = Ti;
     b. else if (r.addri in array && (T(i+1) – Ti) <= ∆t)
            r.count[i]++;
     c. else
            reset r.count[];

Algorithm Contd…
  // N -> threshold value
  4. Decision Making:
     a. if (r.count[i] >= N)
            Action = drop packet;    // N GETs to r.addri inside ∆t: this host is flooding, stop its participation
     b. else
            Action = allow packet;
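As an added example (not code from the deck or its WFP driver), the following Python models steps 1 to 4 as a per-remote-IP counter and runs it over a constructed packet trace. Assumptions: Packet, TbhfPolicy, the sample trace and the values N = 5 and ∆t = 1 s are invented here; “Reset r.count[]” is taken to reset the counter of the remote IP in question; and reaching the threshold drops the GET, which is the prevention behaviour the Decision Making and Conclusion slides describe.

```python
from typing import Dict, List, NamedTuple


class Packet(NamedTuple):
    time: float        # arrival time in seconds (the deck's Ti)
    direction: str     # "out" or "in"
    proto: str         # "tcp", "udp", ...
    remote_ip: str     # the deck's r.addri (destination of an outbound packet)
    payload: bytes     # TCP payload, possibly empty


def is_http_get(payload: bytes) -> bool:
    """Step 1c: true only for a segment whose first line is an HTTP GET request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    return request_line.startswith(b"GET ") and request_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))


class TbhfPolicy:
    """Steps 3 and 4: one (last_time, count) pair per remote IP, the deck's addr[] / t[] / count[]."""

    def __init__(self, threshold: int, window: float) -> None:
        self.threshold = threshold            # N
        self.window = window                  # delta t, in seconds (assumed value, see lead-in)
        self.last_time: Dict[str, float] = {}
        self.count: Dict[str, int] = {}

    def inspect(self, remote_ip: str, t: float) -> str:
        if remote_ip not in self.last_time:                   # 3a: first GET seen for this IP
            self.count[remote_ip] = 1
        elif t - self.last_time[remote_ip] <= self.window:    # 3b: within delta t of the previous GET
            self.count[remote_ip] += 1
        else:                                                 # 3c: gap exceeded delta t, burst is over
            self.count[remote_ip] = 1
        self.last_time[remote_ip] = t
        # 4: N GETs inside the window means this host is flooding remote_ip; drop, else allow
        return "drop" if self.count[remote_ip] >= self.threshold else "allow"


def filter_packet(pkt: Packet, policy: TbhfPolicy) -> str:
    """Steps 1 and 2: only outbound TCP segments carrying an HTTP GET are inspected."""
    if pkt.direction != "out" or pkt.proto != "tcp" or not is_http_get(pkt.payload):
        return "allow"
    return policy.inspect(pkt.remote_ip, pkt.time)


def _get(path: bytes, host: bytes) -> bytes:
    return b"GET " + path + b" HTTP/1.1\r\nHost: " + host + b"\r\n\r\n"


# Constructed sample trace (not captured traffic): normal browsing, then a burst of GETs to one host
SAMPLE_TRACE: List[Packet] = [
    Packet(0.0, "out", "tcp", "198.51.100.10", _get(b"/index.html", b"example.test")),
    Packet(0.2, "in", "tcp", "198.51.100.10", b"HTTP/1.1 200 OK\r\n\r\n"),   # inbound: never inspected
    Packet(2.5, "out", "tcp", "198.51.100.10", _get(b"/style.css", b"example.test")),
    Packet(2.6, "out", "tcp", "198.51.100.10", b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet(3.0, "out", "udp", "192.0.2.53", b"\x12\x34\x01\x00"),            # DNS query: not TCP
] + [
    Packet(10.0 + 0.05 * i, "out", "tcp", "203.0.113.7", _get(b"/", b"victim.test")) for i in range(8)
] + [
    Packet(20.0, "out", "tcp", "203.0.113.7", _get(b"/", b"victim.test")),   # quiet for ~10 s: counter resets
]


def run_trace(trace: List[Packet], threshold: int = 5, window: float = 1.0) -> List[str]:
    """Apply the filter to every packet in order and return one verdict per packet."""
    policy = TbhfPolicy(threshold, window)
    return [filter_packet(p, policy) for p in trace]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_trace(SAMPLE_TRACE)):
        print(f"{pkt.time:6.2f}s {pkt.direction:3s} {pkt.proto:3s} {pkt.remote_ip:15s} {verdict}")
```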




Software Requirements
  • Attacker end
      • PHP (Front end)
      • MySQL (Back end)
      • WampServer 2.2a
  • Analysis
      • Wireshark
  • Prevention
      • Windows Filtering Platform (WFP)

Modules
  • Capture Traffic
      • Filter
          • Outbound
              • TCP Packet
                  • HTTP Packet
                      • HTTP ‘GET’ Packet
  • Extract Parameters
      • IP
      • Time of packet arrival
  • Inspect
      • TBHF policy
  • Decision Making
      • Dropped or Allowed

Modules – Capture Traffic
  • Filter
      • Outbound packets
      • TCP packets
      • HTTP packets
      • HTTP GET packets

Modules – Extract Parameters
  • Scan
      • HTTP GET packets
  • Extract
      • Remote IP
      • Arrival time
  • Store
      • UINT32 array

Modules – Inspect, Decision Making
  • Inspect
      • Time stamp
      • Remote IP
      • IP count
  • Decision Making
      • Threshold

Positioning of TBHF in kernel space
  (figure only; not reproduced in the transcript)

Implementation
  (figure only; not reproduced in the transcript)

Life Cycle
  (Diagram of the stages arranged around the TBHF Driver:)
  Capturing Packet → Filtering Outbound Packet → Filtering TCP Packets → Filtering HTTP ‘GET’ Packet → Extract ‘IP’ Info → Extract Time of Packet → Inspection → Inference

Filter performance
  (chart only; not reproduced in the transcript)

Technology
  • Windows Filtering Platform (WFP)
      • Supported from Longhorn onwards
      • Manipulates packets at the OSI layers

Conclusion
  • Deployed at kernel level
  • Priority to overwrite packets
  • Real time prevention
  • DDoS participation is prevented
  • Future Enhancement
      • Mobile platforms

Thank You!!!