Transcript
Page 1: Performance Evaluation in High-Speed Networks by the Example of IDS

Thomas Lukaseder, Jessika Fiedler, Frank Kargl

June 27th, 2018

Performance Evaluation in High-Speed Networks by the Example of IDS

Page 2

bwNET100G+

Page 3

bwNET100G+ – Ulm: Security Concepts

Security of and through SDN
Security issues of SDN networks – how can SDN networks be attacked?
How can SDN be used to secure a network?

Mitigation of DDoS Attacks
Detection of attacks within the network through traffic analysis and potential victim surveillance.
DDoS attack vs. flash crowd effect.
Identification of attackers – how can attackers be differentiated from benign clients?

Intrusion Detection Systems in high-throughput Networks.


Page 5

Motivation

Ever increasing bandwidth requirements while computational power increases slower.

IDS necessary to detect attackers in the network. Perimeter security in form of firewalls can only protect against some attacks.

Budget constraints: is a cheap solution viable?

Page 6

Motivation – Cheap solution?

No licensing costs: Open Source IDS.

Affordable Hardware.

Page 7

Setup – Hardware

[Diagram: Sender, IDS, Receiver; home network and external network]

Page 8

Setup – Hardware

Page 9

Setup – Hardware

4 CPU cores with 3.1 GHz, 6 GB of memory

10 Gbps SFP+ connection

Page 10

Setup – Software

Snort, Suricata

Page 11

Snort

First introduced 1998 by Martin Roesch.

Developed by Sourcefire.

Sourcefire was bought by Cisco in 2013.

3 modes: sniffer, packet logger, IDS.

Current stable version is single-threaded.

Page 12

Suricata

Developed by the Open Information Security Foundation.

First Beta in 2009.

First stable release in 2010.

Multi-threaded.

Features GPU-Acceleration.

Page 13

Setup – Software: Attacks

Benign traffic: iperf3

Attack type                   Tool used
successful SSH brute force    Metasploit framework
unsuccessful SSH brute force  Metasploit framework
TCP connect flood             nping
TCP SYN flood                 hping3
UDP flood                     hping3
SYN scan                      nmap -sS
SYN OS-scan                   nmap -sS -O
UDP scan                      nmap -sU
User enumeration              nmap

Page 14

Attack Traffic Generation Scheme

Page 15

Setup – Software: Rule Selection

Suricata accepts rule sets written in Snort’s config file format.

The Snort community offers a community rule set.

Small changes to ensure detection of our attacks.

Identical rule sets for both IDS.

Page 16

Evaluation

Tests at different bandwidths (1, 2, 3, 4, 5, 6, and 7 Gbps).

Tests at different attack strengths per attack (between 10 and 35 attacks per minute per attack).

Page 17

Evaluation

Value      Meaning                               Arithmetic
TP         Correct logged messages               sample sum
FP         Logged but not expected               sample sum
FN         Expected but not logged               sample sum
TPR        Attack detection rate (Sensitivity)   TP/(TP + FN)
Precision  Rate of correct alerts among alerts   TP/(TP + FP)
CPU        CPU usage of IDS                      sample average
Memory     Memory usage of IDS                   sample average
RP         Packets analyzed by IDS               average over time
DR         Packets dropped by the IDS            average over time
SP         Actual sent packets                   average over time
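As an added illustration (not code from the talk), the Python below computes the metrics of this table for one constructed test run: IDS alerts are matched to the injected attacks by label and time window to obtain TP, FP and FN, then TPR and precision follow from the formulas above. The sample events, the matching tolerance and the drop-rate ratio DR/SP are assumptions.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class Event:
    label: str      # attack type, e.g. "syn_scan"
    minute: float   # minute of the test run the event occurred in

def match_alerts(expected, alerts, tolerance=1.0):
    """Count TP, FP, FN as in the evaluation table: an alert is a TP when an
    unmatched expected attack with the same label lies within `tolerance`
    minutes; other alerts are FP; expected attacks never matched are FN."""
    unmatched = list(expected)
    tp = fp = 0
    for alert in alerts:
        hit = next((e for e in unmatched if e.label == alert.label
                    and abs(e.minute - alert.minute) <= tolerance), None)
        if hit is None:
            fp += 1
        else:
            unmatched.remove(hit)
            tp += 1
    return tp, fp, len(unmatched)

def sensitivity(tp, fn):
    """TPR = TP / (TP + FN); 0.0 if no attacks were expected."""
    return tp / (tp + fn) if tp + fn else 0.0

def precision(tp, fp):
    """Precision = TP / (TP + FP); 0.0 if the IDS logged nothing."""
    return tp / (tp + fp) if tp + fp else 0.0

def drop_rate_percent(dropped, sent):
    """Drop rate in % (assumed here as DR / SP * 100; the slides give no ratio)."""
    return 100.0 * dropped / sent if sent else 0.0

# Constructed sample run (not measurement data from the talk): injected attacks,
# alerts the IDS logged, CPU samples and packet counters.
EXPECTED = [Event("syn_flood", 1), Event("syn_scan", 3), Event("udp_scan", 5),
            Event("ssh_brute", 7)]
ALERTS = [Event("syn_flood", 1), Event("syn_scan", 3), Event("udp_scan", 6),
          Event("benign", 4), Event("syn_scan", 20)]
CPU_SAMPLES = [41.0, 44.5, 39.5]
DROPPED, SENT = 12_000, 400_000

def summarize_run():
    tp, fp, fn = match_alerts(EXPECTED, ALERTS)
    return {"TP": tp, "FP": fp, "FN": fn, "TPR": sensitivity(tp, fn),
            "precision": precision(tp, fp), "CPU": mean(CPU_SAMPLES),
            "drop_rate": drop_rate_percent(DROPPED, SENT)}
```

The late `syn_scan` alert at minute 20 counts as a false positive because the only expected SYN scan was already matched, which is why precision ends below sensitivity for this run.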

Page 18

Results – Snort CPU Utilization (in %)

Page 19

Results – Suricata CPU Utilization (in %)

Page 20

Results – Snort Drop Rate (in %)

Page 21

Results – Suricata Drop Rate (in %)

Page 22

Results – Snort Precision (TP/(TP + FP))

Page 23

Results – Suricata Precision (TP/(TP + FP))

Page 24

Results – Snort Sensitivity (TP/(TP + FN))

Page 25

Results – Suricata Sensitivity (TP/(TP + FN))

Page 26

Results

Memory usage is fixed; bandwidth and number of attacks have no influence.

CPU utilization depends on bandwidth (Snort) or settings (Suricata); no correlation with number of attacks in the network.

Even with a higher drop rate, Suricata achieves higher precision and sensitivity than Snort.

Page 27

Future Work

Current stable release of Snort is single threaded, beta version (Snort 3) is multi-threaded. Evaluation of this is planned.

Suricata offers GPU acceleration. How does this perform compared to CPU only?

Experimental integration of GPU acceleration was done for Snort ten years ago. We are currently working on integrating this again in Snort 3.

Publish the test attack traffic combined with a network testing environment.

Page 28

Thank you

Page 29

Results – Droprate Snort

Page 30

Results – Droprate Suricata

Page 31

Results – False alarms @ 7 Gbps

Page 32

Results – Sensitivity @ 7 Gbps
