Real-time DDoS attack detection for Cisco IOS using NetFlow

Daniël van der Steeg, R.J. Hofstede, Anna Sperotto, Aiko Pras

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

    8 Citations (Scopus)
    75 Downloads (Pure)

    Abstract

    Flow-based DDoS attack detection is typically performed by analysis applications that are installed on or close to a flow collector. Although this approach allows for easy deployment, it makes detection far from real-time and susceptible to DDoS attacks for the following reasons. First, the fact that the flow export process is timeout-based and that flow collectors typically provide data to analysis applications in chunks can result in detection delays in the order of several minutes. Second, by the nature of flow export, attack traffic may be amplified by the flow export process if the original packets are small enough and are part of small flows. We have shown in a previous work how to perform DDoS attack detection on a flow exporter instead of a flow collector, i.e., close to the data source and in a real-time fashion, which however required access to a fully extendible flow monitoring infrastructure. In this work, we investigate whether it is possible to operate the same detection system on a widely deployed networking platform: Cisco IOS. Since our ultimate goal is to identify not only the presence of an attack but also the attackers and targets, we rely on NetFlow. In this context, we present our DDoS attack detection prototype, which has been shown to generate a constant load on the underlying platform, even under attack, underlining that DDoS attack detection can be performed on a Cisco Catalyst 6500 in production networks if enough spare capacity is available.
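The two effects the abstract attributes to collector-side detection (timeout- and chunk-induced delay, and amplification of small-packet, small-flow attack traffic by the export process) can be quantified. The Python below is an added example written for this page, not the authors' prototype or its detection algorithm. It uses the fixed NetFlow v5 wire layout (24-byte packet header, 48-byte flow records, at most 30 records per export packet), and assumes Cisco IOS's default inactive flow timeout of 15 s and a collector that hands data to analysis applications in 300 s chunks (nfcapd's default rotation interval). The flow stream, the attack and benign traffic profiles, and the exporter-side rate check with its threshold are constructed for illustration.

```python
# Added worked example (not the paper's prototype). It quantifies the two
# problems the abstract attributes to collector-side detection and contrasts
# them with a minimal exporter-side check run over a constructed flow stream.
from collections import Counter
from dataclasses import dataclass

# NetFlow v5 wire format (fixed): 24-byte packet header, 48-byte flow
# records, at most 30 records per export packet.
NF5_HEADER_BYTES = 24
NF5_RECORD_BYTES = 48
NF5_MAX_RECORDS = 30

# Assumed defaults: Cisco IOS inactive flow timeout (15 s) and the
# 5-minute file rotation of a typical collector (nfcapd, 300 s).
INACTIVE_TIMEOUT_S = 15
COLLECTOR_CHUNK_S = 300


@dataclass(frozen=True)
class TrafficStats:
    packets: int
    bytes: int
    flows: int


def export_bytes(flows: int) -> int:
    """Bytes needed to export `flows` NetFlow v5 records (headers included)."""
    export_packets = -(-flows // NF5_MAX_RECORDS)  # ceiling division
    return export_packets * NF5_HEADER_BYTES + flows * NF5_RECORD_BYTES


def amplification(stats: TrafficStats) -> float:
    """Exported bytes divided by the bytes of the traffic being described.
    A value above 1.0 means the export stream is larger than the traffic itself."""
    return export_bytes(stats.flows) / stats.bytes


def syn_flood(n_packets: int, pkt_bytes: int = 40) -> TrafficStats:
    """Constructed attack: every SYN carries a spoofed source, so each packet
    becomes its own single-packet flow in the exporter's cache."""
    return TrafficStats(packets=n_packets, bytes=n_packets * pkt_bytes, flows=n_packets)


def bulk_transfer(n_packets: int, pkt_bytes: int = 1000) -> TrafficStats:
    """Constructed benign traffic: one long-lived flow of large packets."""
    return TrafficStats(packets=n_packets, bytes=n_packets * pkt_bytes, flows=1)


def collector_delay_bounds(inactive_timeout_s=INACTIVE_TIMEOUT_S, chunk_s=COLLECTOR_CHUNK_S):
    """Seconds between the first attack packet and the earliest moment a
    collector-side analyser can see it: a single-packet flow stays in the cache
    until the inactive timeout fires, then sits in the collector's current chunk
    until that chunk is handed over (best case: rotation right after export;
    worst case: a full chunk interval later)."""
    return (inactive_timeout_s, inactive_timeout_s + chunk_s)


def build_flow_stream():
    """Constructed exporter view: (start_time_s, src, dst) for each new
    flow-cache entry. 10 new flows/s for 10 s, then 200 new flows/s."""
    stream = []
    for sec in range(20):
        rate = 10 if sec < 10 else 200
        for i in range(rate):
            stream.append((sec + i / rate, f"198.51.100.{i % 254 + 1}", "192.0.2.10"))
    return stream


def detect_on_exporter(flow_stream, threshold):
    """Exporter-side check over the live cache: bucket new flows into 1 s
    windows and return the first second in which the count exceeds
    `threshold`, or None. Detection lags the attack by at most one window."""
    per_second = Counter(int(start) for start, _src, _dst in flow_stream)
    for sec in sorted(per_second):
        if per_second[sec] > threshold:
            return sec
    return None


if __name__ == "__main__":
    print(f"SYN flood amplification: {amplification(syn_flood(1000)):.3f}")
    print(f"bulk transfer amplification: {amplification(bulk_transfer(1000)):.6f}")
    print(f"collector path delay (s), best/worst: {collector_delay_bounds()}")
    print(f"exporter path detects at t = {detect_on_exporter(build_flow_stream(), 100)} s")
```

With these assumptions a 1000-packet SYN flood of 40-byte packets is described by 48,816 bytes of NetFlow v5 export (ratio 1.22), whereas a 1 MB single-flow transfer costs 72 bytes; the collector path cannot see the flood sooner than 15 s and may take 315 s, while the cache-side check flags it within the attack's first second. Sampled NetFlow, NetFlow v9/IPFIX templates, and active-timeout behaviour for long flows all change these numbers, so treat them as a model of the mechanism rather than as measurements.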
    Original language: Undefined
    Title of host publication: Proceedings of the 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)
    Place of Publication: USA
    Publisher: IEEE Communications Society
    Pages: 972-977
    Number of pages: 6
    ISBN (Print): 978-3-901882-76-0
    DOI: 10.1109/INM.2015.7140420
    Publication status: Published - May 2015
    Event: IFIP/IEEE International Symposium on Integrated Network Management 2015: Integrated Management in the Age of Big Data - Ottawa, Canada
    Duration: 11 May 2015 to 15 May 2015
    Event website: http://im2015.ieee-im.org/

    Publication series

    Publisher: IEEE Communications Society

    Conference

    Conference: IFIP/IEEE International Symposium on Integrated Network Management 2015
    Abbreviated title: IM 2015
    Country: Canada
    City: Ottawa
    Period: 11/05/15 to 15/05/15
    Internet address: http://im2015.ieee-im.org/

    Keywords

    • EWI-26122
    • METIS-312659
    • IR-96981

    Cite this

    van der Steeg, D., Hofstede, R. J., Sperotto, A., & Pras, A. (2015). Real-time DDoS attack detection for Cisco IOS using NetFlow. In Proceedings of the 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM 2015) (pp. 972-977). USA: IEEE Communications Society. https://doi.org/10.1109/INM.2015.7140420
    @inproceedings{91a89abdeee849c1aedc332b0bfd5af7,
    title = "Real-time DDoS attack detection for Cisco IOS using NetFlow",
    keywords = "EWI-26122, METIS-312659, IR-96981",
    author = "{van der Steeg}, Dani{\"e}l and R.J. Hofstede and Anna Sperotto and Aiko Pras",
    note = "10.1109/INM.2015.7140420",
    year = "2015",
    month = "5",
    doi = "10.1109/INM.2015.7140420",
    language = "Undefined",
    isbn = "978-3-901882-76-0",
    publisher = "IEEE Communications Society",
    pages = "972--977",
    booktitle = "Proceedings of the 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM 2015)",
    address = "United States",

    }
