Thomas Lukaseder, Jessika Fiedler, Frank Kargl
June 27th, 2018
Performance Evaluation in High-Speed Networks by the Example of IDS
2 Performance Evaluation in High-Speed Networks by the Example of IDS
bwNET100G+
bwNET100G+ – Ulm: Security Concepts
Security of and through SDN
Security issues of SDN networks – how can SDN networks be attacked?
How can SDN be used to secure a network?
Mitigation of DDoS Attacks
Detection of attacks within the network through traffic analysis and potential victim surveillance.
DDoS attack vs. flash crowd effect.
Identification of attackers – how can attackers be differentiated from benign clients?
Intrusion Detection Systems in high-throughput Networks.
Motivation
Ever increasing bandwidth requirements while computational power increases more slowly.
IDS necessary to detect attackers in the network. Perimeter security in the form of firewalls can only protect against some attacks.
Budget constraints: is a cheap solution viable?
Motivation – Cheap solution?
No licensing costs: Open Source IDS.
Affordable Hardware.
Setup – Hardware
Diagram labels: Sender, IDS, Receiver; home network, external network.
Setup – Hardware
4 CPU cores with 3.1 GHz, 6 GB of memory
10 Gbps SFP+ connection
Setup – Software
Snort Suricata
Snort
First introduced 1998 by Martin Roesch.
Developed by Sourcefire.
Sourcefire was bought by Cisco in 2013.
3 modes: sniffer, packet logger, IDS.
Current stable version is single-threaded.
Suricata
Developed by the Open Information Security Foundation.
First Beta in 2009.
First stable release in 2010.
Multi-threaded.
Features GPU-Acceleration.
Setup – Software: Attacks
Benign traffic: iperf3
| Attack type | Tool used |
|---|---|
| successful SSH brute force | Metasploit framework |
| unsuccessful SSH brute force | Metasploit framework |
| TCP connect flood | nping |
| TCP SYN flood | hping3 |
| UDP flood | hping3 |
| SYN scan | nmap -sS |
| SYN OS-scan | nmap -sS -O |
| UDP scan | nmap -sU |
| User enumeration | nmap |
Attack Traffic Generation Scheme
Setup – Software: Rule Selection
Suricata accepts rule sets written in Snort’s config file format.
The Snort community offers a community rule set.
Small changes to ensure detection of our attacks.
Identical rule sets for both IDS.
Evaluation
Tests at different bandwidths (1,2,3,4,5,6, and 7 Gbps).
Tests at different attack strengths per attack (between 10 and 35 attacks per minute per attack).
Evaluation
| Value | Meaning | Arithmetic |
|---|---|---|
| TP | Correct logged messages | sample sum |
| FP | Logged but not expected | sample sum |
| FN | Expected but not logged | sample sum |
| TPR | Attack detection rate (Sensitivity) | TP/(TP + FN) |
| Precision | Rate of correct alerts among alerts | TP/(TP + FP) |
| CPU | CPU usage of IDS | sample average |
| Memory | Memory usage of IDS | sample average |
| RP | Packets analyzed by IDS | average over time |
| DR | Packets dropped by the IDS | average over time |
| SP | Actual sent packets | average over time |
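The following scoring code is an added example, not part of the slides or the authors' evaluation harness. It applies the metric definitions above to a constructed alert log: an expected attack counts as TP when at least one alert of its type falls inside its time window, otherwise FN; alerts that confirm no expected attack are FP. The `Expected`/`Alert` types, the time-window matching rule and the drop-rate denominator are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, Sequence, Tuple


@dataclass(frozen=True)
class Expected:
    attack: str     # attack type launched by the traffic generator
    t_start: float  # window in seconds into the run
    t_end: float


@dataclass(frozen=True)
class Alert:
    attack: str     # attack type the firing rule was mapped to
    t: float        # alert timestamp, seconds into the run


def score(expected: Sequence[Expected], alerts: Sequence[Alert]) -> Dict[str, float]:
    """TP: expected attack with at least one matching alert in its window.
    FN: expected attack with no such alert.  FP: alert confirming no expected
    attack (sample sums, as in the metric table); TPR and precision follow."""
    matched = set()
    tp = fn = 0
    for e in expected:
        hits = [i for i, a in enumerate(alerts)
                if a.attack == e.attack and e.t_start <= a.t <= e.t_end]
        if hits:
            tp += 1
            matched.update(hits)   # several alerts may confirm one attack
        else:
            fn += 1
    fp = len(alerts) - len(matched)
    tpr = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return {"TP": tp, "FP": fp, "FN": fn, "TPR": tpr, "Precision": precision}


def drop_rate_percent(counters: Sequence[Tuple[int, int]]) -> float:
    """Average over time of dropped/(analyzed + dropped) in percent from
    per-interval (RP, DR) samples.  Using RP + DR as denominator is an
    assumption; the slides only define RP, DR and SP as averages over time."""
    rates = [100.0 * dr / (rp + dr) for rp, dr in counters if rp + dr]
    return sum(rates) / len(rates) if rates else 0.0


# Constructed sample data (not from the evaluation): three attacks launched,
# five alerts logged.  Two alerts confirm the SYN scan, one the UDP flood,
# the SSH brute force is missed, and two alerts match nothing expected.
SAMPLE_EXPECTED = [Expected("syn_scan", 10, 20), Expected("udp_flood", 30, 40),
                   Expected("ssh_bruteforce", 50, 60)]
SAMPLE_ALERTS = [Alert("syn_scan", 12), Alert("syn_scan", 15),
                 Alert("udp_flood", 35), Alert("ssh_bruteforce", 70),
                 Alert("tcp_syn_flood", 80)]
SAMPLE_COUNTERS = [(1000, 0), (900, 100), (800, 200)]  # (RP, DR) per interval

if __name__ == "__main__":
    print(score(SAMPLE_EXPECTED, SAMPLE_ALERTS))   # TP 2, FP 2, FN 1
    print(drop_rate_percent(SAMPLE_COUNTERS))      # 10.0
```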
Results – Snort CPU Utilization (in %)
Results – Suricata CPU Utilization (in %)
Results – Snort Drop Rate (in %)
Results – Suricata Drop Rate (in %)
Results – Snort Precision (TP/(TP + FP))
Results – Suricata Precision (TP/(TP + FP))
Results – Snort Sensitivity (TP/(TP + FN))
Results – Suricata Sensitivity (TP/(TP + FN))
Results
Memory usage is fixed; bandwidth and number of attacks have no influence.
CPU utilization depends on bandwidth (Snort) or settings (Suricata); no correlation with number of attacks in the network.
Even with a higher drop rate, Suricata achieves higher precision and sensitivity than Snort.
Future Work
Current stable release of Snort is single threaded, beta version (Snort 3) is multi-threaded. Evaluation of this is planned.
Suricata offers GPU acceleration. How does this perform compared to CPU only?
Experimental integration of GPU acceleration was done for Snort ten years ago. We are currently working on integrating this again in Snort 3.
Publish the test attack traffic combined with a network testing environment.
Thank you
Results – Drop Rate Snort
Results – Drop Rate Suricata
Results – False alarms @ 7 Gbps
Results – Sensitivity @ 7 Gbps