Real-time DDoS attack detection for Cisco IOS using NetFlow

Steeg, Daniel van der; Hofstede, Rick; Sperotto, Anna; Pras, Aiko

doi:10.1109/inm.2015.7140420

Cited by 10 publications

(5 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Flow-based network monitoring is today the most widespread technology, and Net-Flow [11][12][13] is a widely used tool in network measurement and analysis. It is now gradually evolving into one of the most important means of ensuring network cybersecurity.…”

Section: Introductionmentioning

confidence: 99%

Comparison of Hash Functions for Network Traffic Acquisition Using a Hardware-Accelerated Probe

et al. 2022

View full text Add to dashboard Cite

In this article we address the problem of efficient and secure monitoring of computer network traffic. We proposed, implemented, and tested a hardware-accelerated implementation of a network probe, using the DE5-Net FPGA development platform. We showed that even when using a cryptographic SHA-3 hash function, the probe uses less than 17% of the available FPGA resources, offering a throughput of over 20 Gbit/s. We have also researched the problem of choosing an optimal hash function to be used in a network probe for addressing network flows in a flow cache. In our work we compared five 32-bit hash functions, including two cryptographic ones: SHA-1 and SHA-3. We ran a series of experiments with various hash functions, using traffic replayed from the CICIDS 2017 dataset. We showed that SHA-1 and SHA-3 provide flow distributions as uniform as the ones offered by the modified Vermont hash function proposed in 2008 (i.e., with low means and standard deviations of the bucket occupation), yet assuring higher security against potential attacks on a network probe.

show abstract

Section: Introductionmentioning

confidence: 99%

Comparison of Hash Functions for Network Traffic Acquisition Using a Hardware-Accelerated Probe

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Operators often also collect statistics about the tra c itself, usually using NetFlow/ [38,67,75]. These provide more detailed information about the ows crossing the network (e.g., layer-4 5-tuples, volumes in bytes and packet), and enable various management applications [52] (e.g., identifying major source/destination pairs [83], heavy-hitters [31], or detecting DDoS attacks [69,79]). Finally, operators monitor key performance metrics which are important for many end-to-end * O. Tilmans is supported by a grant from F.R.S.-FNRS FRIA applications, such as delays, packet losses, and retransmissions.…”

Section: Introductionmentioning

confidence: 99%

COP2: Continuously Observing Protocol Performance

Tilmans,

Bonaventure

2019

Preprint

View full text Add to dashboard Cite

As enterprises move to a cloud-rst approach, their network becomes crucial to their daily operations and has to be continuously monitored. Although passive monitoring can be convenient from a deployment viewpoint, inferring the state of each connection can cause them to miss important information (e.g., starvation). Furthermore, the increasing usage of fully encrypted protocols (e.g., encrypts headers), possibly over multiple paths (e.g.,), keeps diminishing the applicability of such techniques to future networks.We propose a new monitoring framework, Flowcorder, which leverages information already maintained by the endhosts and records Key Performance Indicators ( s) from their transport protocols. More speci cally, we present a generic approach which inserts lightweight e probes at runtime in the protocol implementations. These probes extract s from the per-connection states, and eventually export them over for analysis. We present an application of this technique to the Linux kernel stack and demonstrate its generality by extending it to support . Our performance evaluation con rms that its overhead is negligible. Finally, we present live measurements collected with Flowcorder in a campus network, highlighting some insights provided by our framework.Problem statement How can we support the legitimate need of ne grained performance information from enterprise network operators in presence of encrypted, multipath protocols? Key challenges Designing a monitoring framework that answers this question raises at least four challenges. First, this framework must accurately depict the performance experienced by the end-hosts. This limits the applicability of active measurements, as this might hide issues speci c to 1

show abstract

“…In a real network environment, Daniël van der Steeg and colleagues presented a prototype to detect these DDoS botnet attacks using NetFlow. 9 In addition to the aforementioned concerns, the large number of 5G subscribers' UEs with high mobility skills will require researchers //or who?// to adapt the existing detection and reaction algorithms to face botnets. 10 When bots move, the detection and reaction capabilities also have to be moved, "following" the bots, to continue performing their procedures accordingly.…”

mentioning

confidence: 99%

Dynamic Reconfiguration in 5G Mobile Networks to Proactively Detect and Mitigate Botnets

Pérez

Celdrán

Ippoliti

et al. 2017

IEEE Internet Comput.

View full text Add to dashboard Cite

Botnets are one of the most powerful cyberthreats affecting continuity and delivery of existing network services. Detecting and mitigating attacks promoted by botnets become a greater challenge with the advent of 5G networks, as the number of connected devices with high mobility capabilities, the volume of exchange data, and the transmission rates increase significantly. Here, a 5G-oriented solution is proposed for proactively detecting and mitigating botnets in a highly dynamic 5G network. 5G subscribers' mobility requires dynamic network reconfiguration, which is handled by combining software-defined network and network function virtualization techniques.

show abstract

Real-time DDoS attack detection for Cisco IOS using NetFlow

Cited by 10 publications

References 6 publications

Comparison of Hash Functions for Network Traffic Acquisition Using a Hardware-Accelerated Probe

Comparison of Hash Functions for Network Traffic Acquisition Using a Hardware-Accelerated Probe

COP2: Continuously Observing Protocol Performance

Dynamic Reconfiguration in 5G Mobile Networks to Proactively Detect and Mitigate Botnets

Contact Info

Product

Resources

About