Attacks on the Internet are becoming a bigger problem as more users, companies and even entire societies rely on the correct functioning of the Internet. Examples of such attacks are Denial of Service attacks and port scans. Most network operators deploy Network Intrusion Detection Systems to identify attacks and protect themselves against them. Existing packet-based inspection and monitoring systems do not scale well to Gbps network technology. To overcome this problem, it is possible to use aggregated traffic information such as flow data, as is done in this thesis. A tool based on packet symmetry was developed to detect attacks in UDP traffic and was validated against a reference set. With the validated tool, we were able to find three DoS attacks and numerous scans and other background noise in the data sets. In this thesis, we show that, even for large Gbps networks, the symmetry of UDP packets computed from flow data is a good metric for detecting attacks that use UDP. Flooding attacks in particular are easily detected. The analysis of two real high-speed networks with Gbps links, the University of Twente and SURFnet, supports this statement.
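The abstract describes packet symmetry over flow data as the detection metric but does not show how it is computed. The following Python script is an added example written for this page; it is not the thesis's own tool and does not reproduce its exact metric or thresholds. It assumes NetFlow-style unidirectional records (source, destination, protocol, ports, packet count), defines the symmetry score as (sent - received) / (sent + received) per host pair, and uses constructed sample flows: one balanced DNS conversation, one unanswered UDP flood, and one host probing twenty peers on one port without any reply. The packet and target thresholds are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

UDP = 17


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, the fields a NetFlow-style export provides."""
    src: str
    dst: str
    proto: int
    src_port: int
    dst_port: int
    packets: int


def pair_packet_counts(flows, proto=UDP):
    """Aggregate unidirectional flows into per-host-pair packet counts.

    Returns {(a, b): (packets a->b, packets b->a)} with a < b, so both
    directions of one conversation land in the same bucket.
    """
    counts = defaultdict(lambda: [0, 0])
    for f in flows:
        if f.proto != proto:
            continue
        a, b = sorted((f.src, f.dst))
        counts[(a, b)][0 if f.src == a else 1] += f.packets
    return {pair: tuple(c) for pair, c in counts.items()}


def symmetry_score(sent, received):
    """Symmetry in [-1, 1] (assumed definition): 0 is balanced, +1 all outbound, -1 all inbound."""
    total = sent + received
    return 0.0 if total == 0 else (sent - received) / total


def detect_floods(flows, min_packets=100, threshold=0.9):
    """Flag host pairs whose UDP traffic is both voluminous and one-sided (flood-like)."""
    alerts = []
    for (a, b), (ab, ba) in pair_packet_counts(flows).items():
        total = ab + ba
        if total < min_packets:          # ignore small conversations; symmetry is noisy there
            continue
        score = symmetry_score(ab, ba)
        if abs(score) >= threshold:
            sender, receiver = (a, b) if score > 0 else (b, a)
            alerts.append({"sender": sender, "receiver": receiver,
                           "packets": total, "score": abs(score)})
    return sorted(alerts, key=lambda x: -x["packets"])


def detect_scanners(flows, min_targets=10):
    """Flag hosts that sent UDP to many peers and received nothing back from any of them."""
    unanswered = defaultdict(set)
    for (a, b), (ab, ba) in pair_packet_counts(flows).items():
        if ab > 0 and ba == 0:
            unanswered[a].add(b)
        elif ba > 0 and ab == 0:
            unanswered[b].add(a)
    return {host: len(targets) for host, targets in unanswered.items() if len(targets) >= min_targets}


def make_sample_flows():
    """Constructed sample data using documentation address ranges (not real traffic)."""
    flows = [
        # Balanced DNS conversation: queries and answers roughly match.
        Flow("192.0.2.20", "192.0.2.53", UDP, 40123, 53, 60),
        Flow("192.0.2.53", "192.0.2.20", UDP, 53, 40123, 58),
        # Flood: 5000 packets at the victim, no reply flow at all.
        Flow("203.0.113.66", "192.0.2.10", UDP, 1234, 53, 5000),
    ]
    # Scan: one packet to each of 20 hosts on the same port, nothing back.
    flows += [Flow("203.0.113.9", f"198.51.100.{i}", UDP, 50000, 161, 1) for i in range(1, 21)]
    return flows


SAMPLE_FLOWS = make_sample_flows()

if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_FLOWS):
        print("flood-like:", alert)
    for host, n in detect_scanners(SAMPLE_FLOWS).items():
        print(f"scan-like: {host} probed {n} hosts without reply")
```

The two detectors look at the same aggregate from different angles: a flood shows up as one pair with a large, one-sided packet count, while a scan shows up as one source with many small, unanswered pairs. The DNS exchange scores near zero and is left alone.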