Today, network security relies largely on systems techniques like secure protocols and rule/pattern-based methods.
We are applying statistical, decision theoretic, pattern recognition, and machine learning techniques to the automated and adaptive analysis of network traffic. We focus on
DDoS attacks are one of the most threatening assaults on the Internet today. Servers are flooded with a tremendous number of nonsense requests from thousands of clients in order to cause a server overload or even a crash. Usually, a single attacker controls a powerful (bot) network of trojan horse infected PCs and let them attack a web service simultaneously without the knowledge of the PC owner. DDoS attacks seriously harm e-businesses such as web shops, online auctions, online banking or simply cause an image loss of a company. Massive DDoS attacks may also harm the IP network as well, for example congesting links of an Internet Service Provider (ISP).
The fact, that the requests origin from computers all over the world and might even look like legitimate request messages makes it very hard to filter them or firewall them in a classical way.
Nevertheless, the requests are machine generated and not initiated by a human. Our new approach to detect and prevent DDoS attacks claims to detect anomaly patterns which are a result of these machine generated packets. Therefore, we use pattern recognition methods to determine and filter the non-legitimate packets based on multiple parameters, such as routing information, origin networks, coherences on document structures and many others.
Our remediation research is part of the Deutsche Telekom Laboratories project NetCentric Security. For network monitoring as a basis of this project we are also in a close cooperation with the Fraunhofer FOKUS institute using their OpenIMP software.
A demo video and further information can be found on our detailed NetCentric Security project page.
A web demo to generate firewall filter rules against DDoS attacks can be found on the IP Density Estimation demo page.
Simulating DDoS Traffic from bot networks is fairly easy as long as source IP addresses can be spoofed (SYN, UDP or ICMP floods). Simulating a TCP based botnet requires to implement a very fast TCP stack. BoNeSi, our botnet simulator is able to simulate a TCP based HTTP-GET flood on a victim. Since non spoofed IP connections require correct routing setup, this tool can only be used in closed testbed setups. We are able to establish several thousands of HTTP connections from different IP addresses from just a single host running BoNeSi making this tool perfect to simulate advanced bot networks. It can be used to test firewall systems, routing hardware, DDoS Mitigation Systems or webservers directly.
BoNeSi is Open Source. Further information and downloads can be found on the BoNeSi project homepage.
Repache replays Apache logfiles in a network. Repache take a previously recorded apache logfile and generates the TCP packets including handshake, request and connection teardown with the recorded IP address. The advantage of repache is that it preseves the original IP and therefore it can be used to test IP geolocation services, intrusion detection systems and webservers under realistic conditions.
Repache and further documentation can be found on the repache project homepage.
nf-HiShape is a kernel module for traffic shaping according to source IP address. It limits the bandwidth usage of user-defined IP address ranges and was implemented by the constraint of high-performance operation as well as easy usage.The kernel module hooks into the netfilter (nf) code of Linux kernel and can be used on any standard PC. The focus of nf-HiShape is that it can be used to define thousands of rules (IP-ranges) with multiple bandwidth settings, which is not possible with Linux tc for example. This provides new application scenarios such as traffic shaping of countries or flexible DDoS mitigation.
The nf-HiShape software consits of the kernel module itself and a user-land tool for its configuration. Further information can be found on the nf-HiShape project homepage.
Today, geo location services (identifying in which country an IP address is located) are used widely, e.g. for determining the closest download mirror server or restricting online TV applications due to national copyright contracts. There are several commercial providers offering this data but since this information is available in the Regional Internet Registraries databases (RIR) for free, we decided to start an open source project ip-countryside to get this information for free and updated.
If you have any questions, please feel free to contact Markus Goldstein.
Our recent publications in this area are listed below.
Anomaly Detection in Large Datasets
PhD-Thesis, Dr. Hut, Technische Universität Kaiserslautern, München, 2/2014
Server-side Prediction of Source IP Addresses using Density Estimation
Availability, Reliability and Security, 2009. ARES 09. Fourth International Conference on,
Anomaly Detection by Combining Decision Trees and Parametric Densities
Pattern Recognition, 2008. ICPR 2008., Tampa, FL, USA, IEEE, 12/2008
High Performance Traffic Shaping for DDoS Mitigation
Proceedings of the 2008 ACM CoNEXT conference, Madrid, Spain, ACM, SIGCOMM, 12/2008
Bayes Optimal DDoS Mitigation by Adaptive History-Based IP Filtering
Seventh International Conference on Networking,