From jonkman at jonkmans.com Tue Jul 28 16:52:10 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 28 Jul 2009 16:52:10 -0400
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
Message-ID: <4A6F64FA.8070504@jonkmans.com>

Thanks to all for joining this working group. Your ideas and help are critical to this engine being a success!!

This group has wiki space here for free use of all:
http://doc.emergingthreats.net/bin/view/Main/PorstcanDDoSWG

The goal of this working group is to make recommendations regarding two major subjects:

* Is traditional portscan detection functionality useful enough to be reimplemented in the OISF engine?
* If the above is true, what methods might make this more effective than what is currently available?

* Is a DDoS detection module feasible and necessary? (i.e. to detect both incoming and outgoing DDoS traffic using statistical and behavioral analysis)
* If so, how?

This group should come to recommendations on these subjects by August 12 2009.

Breno Silva (breno.silva at gmail.com) is the group lead. He will be responsible for sparking and steering the discussion as well as summarizing the recommendations of the group.

Thanks!

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc


From jules at visionintel.com Tue Jul 28 17:51:52 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Tue, 28 Jul 2009 22:51:52 +0100
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
In-Reply-To: <4A6F64FA.8070504@jonkmans.com>
References: <4A6F64FA.8070504@jonkmans.com>
Message-ID: <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com>

Hi,

Regarding:

> * Is a DDoS detection module feasible and necessary? (i.e. to detect both incoming and outgoing DDoS traffic using statistical and behavioral analysis)

I would think that the first step is to have a common definition of what needs to be protected (the difficult cases of DDoS). Going point by point, we can then evaluate whether the solution proposed would be good enough for a solid DDoS attack.

My first view on that is that a DDoS engine is possible, but it would certainly go far beyond the keyword match.

Jules


From jonkman at jonkmans.com Tue Jul 28 17:57:16 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Tue, 28 Jul 2009 17:57:16 -0400
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
In-Reply-To: <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com>
References: <4A6F64FA.8070504@jonkmans.com> <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com>
Message-ID: <4A6F743C.4090602@jonkmans.com>

Jules Pagna Disso wrote:
> * Is a DDoS detection module feasible and necessary? (i.e. to detect both incoming and outgoing DDoS traffic using statistical and behavioral analysis)
>
> I would think that the first step is to have a common definition of what needs to be protected (the difficult cases of DDoS). Going point by point, we can then evaluate whether the solution proposed would be good enough for a solid DDoS attack.

Good question. I should elaborate some. The proposal that brought this up was to have a statistical based approach to detecting:

1. When you are under DDoS attack. For example HTTP inbound attacks, or ICMP/UDP saturation attacks. Statistically, if the module could learn a baseline over 24 hours, I'd guess it would be pretty easy to see a huge spike. But we'd want some way, I think, to compare and say we have a spike of exactly similar traffic.

2. Detect outbound DDoS traffic. Similar, but for nets that are less under control, like a university. So similar statistics, but from one source to one destination.

Matt


From jules at visionintel.com Tue Jul 28 18:42:30 2009
From: jules at visionintel.com (Jules Pagna Disso)
Date: Tue, 28 Jul 2009 23:42:30 +0100
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
In-Reply-To: <4A6F743C.4090602@jonkmans.com>
References: <4A6F64FA.8070504@jonkmans.com> <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com> <4A6F743C.4090602@jonkmans.com>
Message-ID: <69544300907281542v46bd221cgebe783d3b690c9c8@mail.gmail.com>

One of the problems that I see here is, for example:

The environment has been fairly quiet, then suddenly a few people start downloading/uploading at 2 Mbps. Usually it's a few kbps when the network is quiet for individual PCs. How to differentiate that heavy sudden download from a DDoS attack?

Jules


From breno.silva at gmail.com Tue Jul 28 21:23:06 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Tue, 28 Jul 2009 22:23:06 -0300
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
In-Reply-To: <65f41b5a0907281817uc5c448cr38ae2106655777d1@mail.gmail.com>
References: <4A6F64FA.8070504@jonkmans.com> <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com> <4A6F743C.4090602@jonkmans.com> <65f41b5a0907281817uc5c448cr38ae2106655777d1@mail.gmail.com>
Message-ID: <65f41b5a0907281823l27dd25cavc6727f7c9028ac8f@mail.gmail.com>

> Hi Guys,
>
> Thanks Matt for your attention. We know that DDoS is a critical point for many companies and this is a big challenge for us.
>
> In my point of view we can start studying methods like a volume-based algorithm:
>
>     for_period_of_time
>         for_each_/32_or_/24_dest_addr
>             for_each_port_number_or_icmp_code_etc
>                 baseline = t0_curr_pkts*W1 + t1_pkts*W2
>
>     where W1+W2 = 100%
>
> With this method we can create a curve to describe the normal traffic and we can define an attack if:
>
>     pkts_traffic > baseline*tolerance
>
>     where tolerance is [1...inf]
>
> We can work with another idea... entropy-based algorithms using the packet payload... however this method will just detect L7 DDoS attacks.
>
> We can use Kolmogorov entropy based methods or one of my algorithms called ma-rmse.
>
> I can send you my paper for discussion.
>
> Welcome aboard :)
>
> Cheers
>
> Breno


From breno.silva at gmail.com Tue Jul 28 21:17:46 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Tue, 28 Jul 2009 22:17:46 -0300
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
In-Reply-To: <4A6F743C.4090602@jonkmans.com>
References: <4A6F64FA.8070504@jonkmans.com> <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com> <4A6F743C.4090602@jonkmans.com>
Message-ID: <65f41b5a0907281817uc5c448cr38ae2106655777d1@mail.gmail.com>

Hi Guys,

Thanks Matt for your attention. We know that DDoS is a critical point for many companies and this is a big challenge for us.

In my point of view we can start studying methods like a volume-based algorithm:

    for_period_of_time
        for_each_/32_or_/24_dest_addr
            for_each_port_number_or_icmp_code_etc
                baseline = t0_curr_pkts*W1 + t1_pkts*W2

    where W1+W2 = 100%

With this method we can create a curve to describe the normal traffic and we can define an attack if:

    pkts_traffic > baseline*tolerance

    where tolerance is [1...inf]

We can work with another idea... entropy-based algorithms using the packet payload... however this method will just detect L7 DDoS attacks.

We can use Kolmogorov entropy based methods or one of my algorithms called ma-rmse.

I can send you my paper for discussion.

Welcome aboard :)

Cheers

Breno


From jonkman at jonkmans.com Wed Jul 29 13:39:25 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Wed, 29 Jul 2009 13:39:25 -0400
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
In-Reply-To: <69544300907281542v46bd221cgebe783d3b690c9c8@mail.gmail.com>
References: <4A6F64FA.8070504@jonkmans.com> <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com> <4A6F743C.4090602@jonkmans.com> <69544300907281542v46bd221cgebe783d3b690c9c8@mail.gmail.com>
Message-ID: <4A70894D.4090303@jonkmans.com>

Jules Pagna Disso wrote:
> One of the problems that I see here is, for example:
>
> The environment has been fairly quiet, then suddenly a few people start downloading/uploading at 2 Mbps. Usually it's a few kbps when the network is quiet for individual PCs. How to differentiate that heavy sudden download from a DDoS attack?

True. We, I think, have to base the analysis not on bandwidth consumption but more on the frequency and size of connections, and on the variety of the sources of those connections.

The most common forms of DDoS that I am aware of (and have been subjected to over the years at Emerging Threats) are HTTP GET, UDP, and ICMP attacks.

HTTP GETs are just a GET for / very frequently from a group of a few hundred sources. The goal here is to overwhelm the webserver, not necessarily bandwidth saturation. These are very effective against non-load-balanced stuff.

UDP is bandwidth saturation. Max-size UDP packets to random or set ports from a lot of sources, but the source IPs are spoofed (hence why they use UDP). These are a killer if the attacker has more bandwidth than you.

ICMP, same thing as the UDP. Max-size packets, spoofed sources, bandwidth saturation.

So for HTTP GETs the statistical analysis can take into account the number of sources and the frequency of the same sources asking for the same page. That's a very clear indicator of a DDoS. Something like 20 or 30 requests a second for / for minutes straight is pretty clear.

For the others it's a bit more challenging; we have to profile all traffic and look for change. Any statisticians that can speak to that?

Matt


From breno.silva at gmail.com Thu Jul 30 14:02:14 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Thu, 30 Jul 2009 15:02:14 -0300
Subject: [Oisf-wg-portscan] OISF Portscan/DDoS Working Group Kickoff
In-Reply-To: <4A70894D.4090303@jonkmans.com>
References: <4A6F64FA.8070504@jonkmans.com> <69544300907281451k20cc8e68u7a9d577cf8ee29c@mail.gmail.com> <4A6F743C.4090602@jonkmans.com> <69544300907281542v46bd221cgebe783d3b690c9c8@mail.gmail.com> <4A70894D.4090303@jonkmans.com>
Message-ID: <65f41b5a0907301102p8e3ce3albb52572a7d8ff9df@mail.gmail.com>

Hi all,

Sending a paper. Could be an idea for us:
http://www.ucmss.com/cr/main/papersNew/papersAll/SAM4405.pdf

Cheers

Breno


From breno.silva at gmail.com Thu Jul 30 16:02:32 2009
From: breno.silva at gmail.com (Breno Silva)
Date: Thu, 30 Jul 2009 17:02:32 -0300
Subject: [Oisf-wg-portscan] Idea for ddos engine
Message-ID: <65f41b5a0907301302x5089fd7atf7d9c3bb8a6f954a@mail.gmail.com>

Hi all,

Sending an idea for the DDoS engine.
http://www.ucmss.com/cr/main/papersNew/papersAll/SAM4405.pdf

Thanks

Breno
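The two detection approaches sketched in this thread, Breno's volume-based baseline (baseline = t0_curr_pkts*W1 + t1_pkts*W2, attack when pkts_traffic > baseline*tolerance) and Matt's HTTP GET indicators (the same page requested at a sustained rate by many sources), worked into one runnable Python example over a constructed 60-second capture. This is added here for illustration; it is not code from the OISF engine or from any of the posters. The packet record, the sample traffic, the reading of t0/t1 as the just-completed period and the running baseline, the 70/30 weights, the tolerance of 3 and the 20 requests/second threshold are all assumptions made for the demonstration.

```python
"""Two DDoS indicators from the list discussion, run over constructed traffic.

Added example, not code from the OISF engine or from any poster:
  volume_alerts()   - Breno's per-(dst, proto, port) weighted baseline + tolerance
  http_get_alerts() - Matt's HTTP GET flood indicators: sustained request rate
                      for one page and the number of distinct sources behind it
Pkt, the sample capture and every threshold are assumptions for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    t: int                      # seconds since capture start
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: int                  # destination port, or ICMP type for icmp
    uri: Optional[str] = None   # request-URI when the packet carries an HTTP GET


def volume_alerts(pkts, period=10, w1=0.7, w2=0.3, tolerance=3.0, min_pkts=50):
    """baseline = W1*t0_pkts + W2*t1_pkts with W1+W2 = 1, per (dst, proto, port).

    Assumed reading: t0 is the period just completed, t1 the baseline built from
    the periods before it (an exponentially weighted average). A period is an
    attack when pkts > baseline*tolerance. Flagged periods are NOT folded into
    the baseline, so a running flood does not become "normal"; min_pkts stops
    near-zero baselines from alerting on a handful of packets. Known gap: a key
    first seen during a flood seeds its own baseline (new-key floods are missed).
    Returns [(key, period_index, pkts, baseline)].
    """
    assert abs(w1 + w2 - 1.0) < 1e-9
    per_key = defaultdict(Counter)                  # key -> {period: packets}
    for p in pkts:
        per_key[(p.dst, p.proto, p.dport)][p.t // period] += 1
    alerts = []
    for key, counts in per_key.items():
        baseline = None
        for n in range(min(counts), max(counts) + 1):
            c = counts.get(n, 0)
            if baseline is None:                    # first period seen: seed only
                baseline = float(c)
                continue
            if c > baseline * tolerance and c >= min_pkts:
                alerts.append((key, n, c, round(baseline, 1)))
                continue                            # keep baseline untouched
            baseline = w1 * c + w2 * baseline
    return alerts


def http_get_alerts(pkts, min_rps=20, min_sustained=5, min_sources=10):
    """Matt's GET flood indicators per (dst, request-URI): a run of at least
    min_sustained consecutive seconds with >= min_rps requests for the same page,
    from >= min_sources distinct sources. Requests are counted, not bytes or data
    packets, so a few clients pulling one large file never trip this.
    Returns [(dst, uri, first_second, last_second, peak_rps, distinct_sources)].
    """
    per_page = defaultdict(lambda: defaultdict(list))   # (dst, uri) -> sec -> [src]
    for p in pkts:
        if p.uri is not None:
            per_page[(p.dst, p.uri)][p.t].append(p.src)
    alerts = []
    for (dst, uri), secs in per_page.items():
        run = []                                        # consecutive hot seconds
        for s in range(min(secs), max(secs) + 2):       # +2 closes a trailing run
            if len(secs.get(s, [])) >= min_rps:
                run.append(s)
                continue
            if len(run) >= min_sustained:
                srcs = {src for r in run for src in secs[r]}
                if len(srcs) >= min_sources:
                    peak = max(len(secs[r]) for r in run)
                    alerts.append((dst, uri, run[0], run[-1], peak, len(srcs)))
            run = []
    return alerts


def sample_traffic():
    """Constructed 60 s capture (not real data): steady web/DNS/ping traffic, one
    large legitimate download (Jules's case), an ICMP flood from spoofed
    sources, and an HTTP GET flood for / from 50 bots."""
    server, pages = "203.0.113.10", ["/", "/about", "/news"]
    pkts = []
    for t in range(60):
        for k in range(5):                              # ~5 GET/s from regular clients
            pkts.append(Pkt(t, f"198.51.100.{k + 1}", server, "tcp", 80, pages[(t + k) % 3]))
        pkts.append(Pkt(t, "198.51.100.1", server, "icmp", 8))       # one ping/s
        for k in range(2):
            pkts.append(Pkt(t, f"198.51.100.{k + 1}", "203.0.113.53", "udp", 53))
    pkts.append(Pkt(20, "198.51.100.9", server, "tcp", 80, "/big.iso"))   # 1 request...
    for t in range(20, 40):                             # ...then ~170 data pkt/s back
        pkts += [Pkt(t, server, "198.51.100.9", "tcp", 51234)] * 170
    for t in range(30, 60):                             # ICMP flood, spoofed sources
        for k in range(40):
            pkts.append(Pkt(t, f"10.{k}.{t % 256}.{k}", server, "icmp", 8))
    for t in range(40, 60):                             # 50 bots, GET / once per second
        for k in range(50):
            pkts.append(Pkt(t, f"192.0.2.{k + 1}", server, "tcp", 80, "/"))
    return pkts


if __name__ == "__main__":
    traffic = sample_traffic()
    for a in volume_alerts(traffic):
        print("volume  ", a)
    for a in http_get_alerts(traffic):
        print("http-get", a)
```

Run as-is, the volume check fires on the ICMP key from its fourth period and on tcp/80 from the fifth, while the GET check fires once for / with 55 distinct sources and a peak of 52 requests/second. The download that Jules describes appears only as a single request plus a new packet key, so neither indicator flags it; the flip side, visible in `volume_alerts`, is that a flood to a key with no history seeds its own baseline and is missed, which is why a 24-hour learned baseline, as Matt suggests, matters more than the weights.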