With attacks on the Internet becoming increasingly diverse, the development of countermeasures is an important issue. Distributed denial of service (DDoS) attacks have been known to bring down servers by flooding them with a huge volume of invalid packets. Other examples include the cache poisoning attack, which tampers with the content of a domain name system (DNS) cache by providing it with a bogus IP address pointing to a phishing site, and the route hijacking attack, which disables access to a server by supplying bogus routing information. NTT Information Sharing Platform Laboratories is researching and developing network security technologies for monitoring and analyzing traffic in a multifaceted manner to defend against such a diversified array of attacks. In this article, we introduce technologies for countermeasures to DDoS attacks, DNS attacks, and unexpected border gateway protocol (BGP) route changes and describe trends in the development of flow quality monitoring technologies.

The SAMURAI traffic analysis system is an example of NTT Group technology for defending against DDoS attacks. It uses sampled flow information to analyze specific attack patterns using a signature function and to analyze anomalous increases in traffic using a baseline detection function. These analyses enable the source of an attack on specific servers to be identified and attack traffic to be filtered through the use of a router's access control list (ACL) or a Cisco Guard DDoS mitigation appliance. This technology has been put to actual use by NTT Communications.

In some cases, however, there are many DDoS attack sources, which makes it difficult to set an ACL with the IP addresses of the packet-sending sources. In such a situation, the DELTAA anomalous traffic identification system can be used. The DELTAA system recognizes hosts with sharp increases in traffic as attack sources and aggregates them into subnetworks. This process involves precise calculations to avoid including legitimate users (Fig. ). In this way, a very large number of attack sources can be identified in terms of a small number of subnetworks, enabling attack traffic to be easily filtered by a router's ACL. This system is also equipped with functions for visualizing the attack traffic volume for each aggregated attack source, attack start time, etc. These functions enable an operator to understand the nature of a DDoS attack clearly and quickly.

Fig. Anomalous traffic identification by DELTAA.

Our aim at present is to implement DELTAA in a form that links up with SAMURAI (Fig. ).

One type of DNS attack is the DNS cache poisoning attack, which inserts a DNS record pointing to a phishing site. Such an attack can be detected using the KOROKU DNS-attack monitoring and analysis tool, which monitors and analyzes flow information exhaustively sampled from the traffic addressed to a certain DNS server. In the case of a DNS cache poisoning attack, a large number of name-resolution response packets that do not match any queries arrive at the targeted DNS server. Such an attack can therefore be detected by monitoring and exhaustively analyzing the sampled flow information (Fig. ). The KOROKU tool is currently undergoing prototype testing and demonstrations using actual equipment.

Technology to counter unexpected BGP route changes

Unexpected or invalid BGP route changes, such as BGP route hijacking or misconfiguration, suddenly lead to traffic diversions. Moreover, they might lead to traffic disruption or congestion on other backbone links. The SASUKE BGP route traffic analysis system is used to detect traffic changes caused by unexpected BGP route changes. It collects BGP route information by direct BGP peering with BGP routers and detects unexpected or invalid BGP route changes and route fluctuations that affect traffic by monitoring for and analyzing correlations among the flow information collected from different routers. Since the number of BGP routes in the Internet is huge, testing each and every route for legitimacy is unrealistic. For this reason, when SASUKE detects fluctuations in BGP routes, it focuses on traffic changes for the top-N routes by traffic volume and then analyzes the correlation between a traffic change and the BGP route change involved. When a traffic change caused by an invalid or unexpected route change occurs, SASUKE issues an alert and prompts the operator to investigate the cause of the route fluctuation (Fig. ).

Fig. BGP route traffic analysis system (SASUKE).

The SASUKE system is currently undergoing prototype testing and demonstrations in the field with an eye toward implementation in a form that links up with DELTAA and SAMURAI.
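One way to realize the DELTAA aggregation step described above (flagging hosts with sharp traffic increases, then aggregating them into subnetworks without sweeping in legitimate users), as an added Python example that is not NTT's code: the traffic table, the ratio, purity and minimum-member thresholds, and the /24 aggregation cap are constructed assumptions, not values from the article.

```python
from collections import defaultdict
import ipaddress

# Constructed sample: per-source-host packet counts (baseline window, current window).
# A real deployment would derive these from sampled flow records; the values are invented.
TRAFFIC = {}
for i in range(1, 31):                       # 10.0.1.1-30: bots, 50x jump
    TRAFFIC[f"10.0.1.{i}"] = (20, 1000)
TRAFFIC["10.0.1.200"] = (20, 25)             # legitimate host sharing that /24
for i in range(1, 9):                        # 10.0.2.1-8: bots
    TRAFFIC[f"10.0.2.{i}"] = (10, 800)
for i in range(50, 60):                      # 10.0.2.50-59: legitimate users
    TRAFFIC[f"10.0.2.{i}"] = (30, 35)
TRAFFIC["192.0.2.77"] = (5, 900)             # isolated bot

def flag_attackers(traffic, ratio=10.0, min_pkts=500):
    """Hosts whose current volume jumped sharply over their own baseline."""
    return {h for h, (base, cur) in traffic.items()
            if cur >= min_pkts and cur >= ratio * max(base, 1)}

def aggregate(traffic, attackers, purity=0.9, min_members=2, coarsest=24):
    """Greedy coarse-to-fine aggregation of attack hosts into ACL prefixes.
    A supernet is accepted only if at least `purity` of the hosts observed
    inside it are attackers (limits collateral damage) and it covers at
    least `min_members` attackers (a lone bot must not earn a wide block)."""
    observed = {ipaddress.ip_address(h): (h in attackers) for h in traffic}
    remaining = {ipaddress.ip_address(h) for h in attackers}
    prefixes = []
    for plen in range(coarsest, 33):
        groups = defaultdict(set)
        for addr in remaining:
            groups[ipaddress.ip_network(f"{addr}/{plen}", strict=False)].add(addr)
        for net, members in groups.items():
            if len(members) < min_members and plen != 32:
                continue
            inside = [a for a in observed if a in net]
            if sum(observed[a] for a in inside) / len(inside) >= purity:
                prefixes.append(str(net))
                remaining -= members
    return sorted(prefixes)

def collateral(traffic, attackers, prefixes):
    """Legitimate hosts that the chosen prefixes would also block."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return sorted(h for h in traffic if h not in attackers
                  and any(ipaddress.ip_address(h) in n for n in nets))

if __name__ == "__main__":
    bots = flag_attackers(TRAFFIC)
    acl = aggregate(TRAFFIC, bots)
    print(len(bots), "attack hosts ->", acl, "collateral:", collateral(TRAFFIC, bots, acl))
```

With the sample data the 38 bots in 10.0.0.0/16 collapse to two prefixes while the ten legitimate users in 10.0.2.32/27 stay unblocked; the one host in 10.0.1.0/24 that is still swept in is reported by `collateral` so the operator can weigh it before installing the ACL.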