With the emergence of active worms, the targets of attacks have been moved from well-known Internet servers to generic Internet hosts, and since the rate at which patches can be applied is always much slower than the spread of a worm, an Internet worm can usually attack or infect millions of hosts in a short time. It is difficult to eliminate Internet attacks globally; thus, protecting client networks from being attacked or infected is a relatively critical issue.
In this paper, we propose a method that protects client networks from being attacked by people who try to scan, attack, or infect hosts in local networks via unpatched vulnerabilities. Based on the symmetry of network traffic in both temporal and spatial domains, a bitmap filter is installed at the entry point of a client network to filter out possible attack traffic. Our evaluation shows that with a small amount of memory (less than 1 megabyte), more than 95% of attack traffic can be filtered out in a small- or medium-scale client network.
Presentation on how to chat with PDF using ChatGPT code interpreter
Mitigating Active Attacks Using Bitmap Filter
1. Outline
Introduction
The Bitmap Filter
Evaluations
Discussions
Conclusion
Mitigating Active Attacks Towards
Client Networks Using the Bitmap Filter
Chun-Ying Huang Kuan-Ta Chen Chin-Laung Lei
Distributed Computing and Network Security Lab
Department of Electrical Engineering
National Taiwan University
June 26, 2006
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 1/31
2. Outline
Introduction
The Bitmap Filter
Evaluations
Discussions
Conclusion
Outline
1 Introduction
2 The Bitmap Filter
3 Evaluations
4 Discussions
5 Conclusion
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 2/31
3. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Outline
1 Introduction
2 The Bitmap Filter
3 Evaluations
4 Discussions
5 Conclusion
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 3/31
4. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Active Attacks
Definition
An active attack is behavior that deliberately scans, probes, or
intrudes on certain hosts or networks with malicious intent.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
5. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Active Attacks
Definition
An active attack is behavior that deliberately scans, probes, or
intrudes on certain hosts or networks with malicious intent.
Motivations
The popularity of Internet worms moves the victims.
Most defense mechanisms are required to deploy globally.
How does an ISP prevent customers/clients from attacks?
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
6. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Active Attacks
Definition
An active attack is behavior that deliberately scans, probes, or
intrudes on certain hosts or networks with malicious intent.
Motivations
The popularity of Internet worms moves the victims.
Most defense mechanisms are required to deploy globally.
How does an ISP prevent customers/clients from attacks?
Construct an efficient stateful packet inspection (SPI) filter.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 4/31
7. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Stateful Packet Inspection
Attacker A
Client C SPI Filter
Server S
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
8. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Stateful Packet Inspection
State Table
Src Src-Port Dst Dst-Port
..
..
..
..
C 1234 S 80
....
....
....
....
Attacker A
Request:
C:1234 S:80
Client C SPI Filter
Server S
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
9. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Stateful Packet Inspection
State Table
Src Src-Port Dst Dst-Port
..
..
..
..
C 1234 S 80
....
....
....
....
Attacker A
Request:
C:1234 S:80
Client C SPI Filter R e s
S:80 p on s e :
C :1
23 4
Server S
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
10. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Stateful Packet Inspection
State Table
Src Src-Port Dst Dst-Port
..
..
..
..
C 1234 S 80
C : 1:
67
....
....
....
....
#
45
k
Attacker A
8 0 ta c
A : A t
2 : 7 8
k# :5 6
ta c C
Request: A t 4
3
C:1234 S:80
X :1 2
Client C SPI Filter R e s
S:80 p on s e :
C :1
23 4
Server S
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 5/31
11. Outline
Introduction
The Bitmap Filter Definitions and Motivations
Evaluations Stateful Packet Inspection
Discussions
Conclusion
Stateful Packet Inspection (cont’d)
The Problem
The linearly increased costs on both
storage spaces and computations.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 6/31
12. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Outline
1 Introduction
2 The Bitmap Filter
3 Evaluations
4 Discussions
5 Conclusion
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 7/31
13. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Client Network Traffic Characteristics
Observations
1 Connection/Session lifetime
2 Out-In packet delay
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
14. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Client Network Traffic Characteristics
Observations
1 Connection/Session lifetime
2 Out-In packet delay
Data source: aggregated six class-C campus client networks
A 6-hour TCP and UDP packet trace.
Collected between 10AM and 4PM in a weekday.
96.25% are TCP packets; and 3.75% are UDP packets.
Average packet rate: 24.63K packets per second.
Average bandwidth utilization: 138.55 Mbps.
Average packet size: 720 bytes.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 8/31
15. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Connection/Session Lifetime
Definition
Given a TCP connection, measure
the time between the last TCP-SYN
and the first TCP-FIN packet.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
16. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Connection/Session Lifetime
Definition
a. Connection Lifetime
Given a TCP connection, measure
the time between the last TCP-SYN
1e+06
319
99% connections
are shorter than
and the first TCP-FIN packet. 515 seconds
Number of connections
1e+04
Result summary
1e+02
90%: < 76 seconds.
95%: < 6 minutes. 1e+00
99%: < 515 seconds. 76 515
0 2000 4000 6000 8000 10000
Lifetime is short.
Lifetime (in seconds)
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 9/31
17. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Out-In Packet Delay
Definition of the Out-In Packet Delay
A connection contains several outgoing and incoming packets.
We measure the elapsed time between the outgoing packet and the
successive incoming packets in each connection.
Outgoing Packets
A B C D
Incoming Packets
1 2 3 4 5 6
LAN A-1
A-2
B-4
B-5
D-6 WAN
A-3
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 10/31
18. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Out-In Packet Delay (cont’d)
Result summary
Observed port-reuse effect.
99% < 2.8 seconds, implies that Internet traffic is bi-directional and
has high locality in the temporal domain.
b. Out−In Packet Delay c. Out−In Packet Delay (CDF)
1.00
1e+08
99% out−in packet delays
are shorter than
2.8 seconds
1e+06
0.95
Packet Count
60
95% out−in packet delays
Peaks are interleaved with are shorter than
30 CDF
1e+04
120 intervals of roughly 30 or 60 seconds 0.8 seconds
100
160 220 290 350 420 480 540 0.90
150
190
1e+02
1e+00
0.85
0 100 200 300 400 500 600 0 5 10 15 20
Delay (in seconds) Delay (in seconds)
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 11/31
19. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Construct the Bitmap Filter
With the previous observations:
1 Connection/Session lifetime is short.
2 Out-in packet delays are short.
3 Internet traffic is bi-directional.
A stateful packet inspection (SPI) filter can be modified.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 12/31
20. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
A Na¨ Method to Modify an SPI Filter
ıve
Expire connection state information with timers.
State Table
Connection Info. Timer
..
..
C:1234 S:80 10
C : 1:
67
....
....
#
45
k
Attacker A
8 0 ta c
A : A t
2 : 7 8
k# :5 6
ta c C
Request: A t 4
3
C:1234 S:80
X :1 2
Client C SPI Filter R e s
S:80 p o n s e :
C :1
234
Server S
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
21. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
A Na¨ Method to Modify an SPI Filter
ıve
Expire connection state information with timers.
State Table
Connection Info. Timer
..
..
C:1234 S:80 10
C : 1:
67
....
....
#
45
k
Attacker A
8 0 ta c
A : A t
2 : 7 8
k# :5 6
ta c C
Request: A t 4
3
C:1234 S:80
X :1 2
Client C SPI Filter R e s
S:80 p o n s e :
C :1
234
Server S
However: Still linear complexities on storages and computations.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 13/31
22. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Improved Performance: Using the Bitmap Filter
Reduce storages/computations complexities to constant.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
23. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Improved Performance: Using the Bitmap Filter
Reduce storages/computations complexities to constant.
Definition
A bitmap filter is a composition of k
bloom filters of equal size N
(=2n -bit), denoted as a
{k × N}-bitmap filter.
The i th bloom filter is denoted as
bit-vector [i] in the algorithms.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
24. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Improved Performance: Using the Bitmap Filter
Reduce storages/computations complexities to constant.
1 2 3 ... k
Definition H1(t)
1 1 1 ... 1
A bitmap filter is a composition of k H2(t)
bloom filters of equal size N
...
(=2n -bit), denoted as a Hm(t)
2n
bits
{k × N}-bitmap filter. n-bit
1 1 1 ... 1
The i th bloom filter is denoted as
1 1 1 ... 1
bit-vector [i] in the algorithms.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 14/31
25. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms
Initialization
A {k × N}-bitmap filter is initialized to all bits zero.
All the k bloom filters are configured to share the same m hash functions.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
26. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms
Initialization
A {k × N}-bitmap filter is initialized to all bits zero.
All the k bloom filters are configured to share the same m hash functions.
The concept: Time-rotated bloom filters
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
27. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms
The concept: Time-rotated bloom filters
At time = t0
1 2 3 ... K
...
...
...
current
eldest
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
28. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms
The concept: Time-rotated bloom filters
At time = t0 At time = t0 + ∆t
1 2 3 ... K 1 2 3 ... K
... ...
... ...
... ...
current current
eldest eldest
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
29. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms
The concept: Time-rotated bloom filters
At time = t0 At time = t0 + ∆t At time = t0 + 2∆t
1 2 3 ... K 1 2 3 ... K 1 2 3 ... K
... ... ...
... ... ...
... ... ...
current current current
eldest eldest eldest
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 15/31
30. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms (cont’d)
Algorithm I: Periodically reset the eldest bloom filter
Rotate one time unit, then reset the eldest bloom filter.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
31. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms (cont’d)
Algorithm I: Periodically reset the eldest bloom filter
Rotate one time unit, then reset the eldest bloom filter.
Algorithm II: Test and set the bloom filters
Outgoing packets: Mark all corresponding bits on all bloom filters.
Incoming packets: Reject if not all corresponding bits are marked on the current
bloom filter.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 16/31
32. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms: Illustrated
The two algorithms implement the same concept as the modified
SPI filter presented before.
At time = tk,
a snapshot of the current bitmap status.
8
7
6
5
4
...
3
2
1
2n bits
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
33. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms: Illustrated
The two algorithms implement the same concept as the modified
SPI filter presented before.
At time = tk+∆t,
all columns are reduced by 1.
8
7
6
5
4
...
3
2
1
2n bits
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
34. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms: Illustrated
The two algorithms implement the same concept as the modified
SPI filter presented before.
At time = tk+2∆t,
all columns are reduced by 1, again.
8
7
6
5
4
...
3
2
1
2n bits
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
35. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
The Algorithms: Illustrated
The two algorithms implement the same concept as the modified
SPI filter presented before.
At time = tk+2∆t,
with an occurrence of a new connection.
8
7
6
5
4
...
3
2
1
2n bits
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 17/31
36. Outline
Introduction
Client Network Traffic Characteristics
The Bitmap Filter
Construct the Bitmap Filter
Evaluations
Parameter Decisions
Discussions
Conclusion
Parameter Decisions
Parameter List
Name Meaning
Te The expired time of a state.
∆t The time unit to rotate the bitmap.
k The number of used bloom filters.
N The size of each bloom filter. The real size is 2n -bit.
m The number of used hash functions for the bloom filters.
Guidelines
1 Recall the observed port-reuse effect. Te should not be too large.
2 ∆t should be set properly. Small ∆t increases system loads; large ∆t reduces
system granularity (and precision).
3 Te
k is roughly ∆t
.
4 N and m depends on the scale of the network and the required precision.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 18/31
37. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Outline
1 Introduction
2 The Bitmap Filter
3 Evaluations
4 Discussions
5 Conclusion
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 19/31
38. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
False Positives and False Negatives
Definition
False positive: Normal behavior is rejected.
False negative: Attacks are accepted.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
39. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
False Positives and False Negatives
Definition
False positive: Normal behavior is rejected.
False negative: Attacks are accepted.
False positives
Since the lifetime of a state is Te seconds, a false positive occurs
only when the out-in packet delay is longer than Te seconds.
As the statistics show, when Te is greater than 2.8 seconds, the
false positive rates should be lower than 1%.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 20/31
40. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
False Negatives
Estimating on False Negative Rates
1 Given the expected max number of active connections c in Te and the bitmap
size N, the false negative rate can be estimated by
N
p ≤ exp(− ). (1)
e·c
2 In contrast, given N and a tolerable maximum value of p, the expected max
number of active connections c should satisfy
N
c≤− . (2)
e ln p
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 21/31
41. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Examples
For a small- or medium-scale network
A bitmap filter is constructed using the following configuration
Parameters: k = 4, ∆t = 5, (Te = 20), m = 3
k×2n
Required memory space: 8 = 512 K bytes.
Given the tolerable penetration probability of 10%, 5%, and 1%,
the bitmap filter provides capacity of 167K, 125K, and 83K active
connections in Te , respectively.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
42. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Examples
For a small- or medium-scale network
A bitmap filter is constructed using the following configuration
Parameters: k = 4, ∆t = 5, (Te = 20), m = 3
k×2n
Required memory space: 8 = 512 K bytes.
Given the tolerable penetration probability of 10%, 5%, and 1%,
the bitmap filter provides capacity of 167K, 125K, and 83K active
connections in Te , respectively.
Compare with the campus network traffic
Only 15K active connections within a Te of 20 seconds.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 22/31
43. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Performance
Summary
Packet Processing:
For an outgoing packet: O(m) hashes +O(m × k) marks.
For an incoming packet: O(m) hashes +O(m) checks.
Bitmap Rotation:
Reset a bit vector: constant according to the given bitmap size.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
44. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Performance
Summary
Packet Processing:
For an outgoing packet: O(m) hashes +O(m × k) marks.
For an incoming packet: O(m) hashes +O(m) checks.
Bitmap Rotation:
Reset a bit vector: constant according to the given bitmap size.
Since the bitmap is designed to have fixed size and continuous memory
space and the components used in the algorithms are easy to implement
as hardware, these algorithms can be completely implemented as a
hardware easily.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 23/31
45. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Compare with Similar Implementations
Hash + link-list
AVL-tree Bitmap filter
(Linux)
Storage space -
Complexity
O(n) O(n) O(c)
Storage space -
Handle 2.55M active 77M bytes 77M bytes 8M bytes
connections
Computation Complexity -
Insert a new state
O(1) O(log n) O(1)
Computation Complexity -
Search for a state
O(n) O(log n) O(1)
Computation Complexity -
Garbage collection
O(n) O(n) O(c)
Hardware acceleration Possible Expensive Cheap
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 24/31
46. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Simulation I: Drop Rate Comparison
Compare the drop rate of BF and SPI-filter
Environments
Implement an SPI filter (expire idle
state after 240 seconds).
The bitmap filter: n = 20, k = 4,
∆t = 5, Te = 20 (512K bytes).
Drop rates measure in a 5-second
time unit.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
47. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Simulation I: Drop Rate Comparison
Compare the drop rate of BF and SPI-filter
Environments
3.5
Implement an SPI filter (expire idle
Drop rate of the bitmap filter (%)
3.0
state after 240 seconds).
2.5
The bitmap filter: n = 20, k = 4,
2.0
∆t = 5, Te = 20 (512K bytes).
1.5
Drop rates measure in a 5-second
time unit.
1.0
1.0 1.5 2.0 2.5 3.0
Drop rate of the SPI filter (%)
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 25/31
48. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Simulation II: Filter Rate
Environments
The same bitmap filter used in simulation I.
Attack rate: spoofed addresses, 500K packets per second.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
49. Outline
Introduction
False Positives and False Negatives
The Bitmap Filter
Performance
Evaluations
Simulation
Discussions
Conclusion
Simulation II: Filter Rate
Environments
The same bitmap filter used in simulation I.
Attack rate: spoofed addresses, 500K packets per second.
a. Filter Performance b. Attack Filtering Rate
100.01
4e+05
Filtering rate (%)
Packet Count
99.99
2e+05
99.97
0e+00
99.95
0 5000 10000 15000 20000 12000 14000 16000 18000 20000 22000
Time (in seconds) Time (in seconds)
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 26/31
50. Outline
Introduction
The Bitmap Filter
Summary
Evaluations
Discussions
Conclusion
Outline
1 Introduction
2 The Bitmap Filter
3 Evaluations
4 Discussions
5 Conclusion
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 27/31
51. Outline
Introduction
The Bitmap Filter
Summary
Evaluations
Discussions
Conclusion
Summary of Discussions
1 The Compatibility
The bitmap filter is compatible with all single connection applications.
For multiple connection applications, the bitmap filter is also compatible
with hole-punching like NAT-traversal solutions.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
52. Outline
Introduction
The Bitmap Filter
Summary
Evaluations
Discussions
Conclusion
Summary of Discussions
1 The Compatibility
The bitmap filter is compatible with all single connection applications.
For multiple connection applications, the bitmap filter is also compatible
with hole-punching like NAT-traversal solutions.
2 Attack from Insiders
An inside attacker may quickly increase the bitmap utilization when
attacking outsiders. It hence increase the false negative rate.
An administrator may increase n or Te to tolerate such attacks. However,
it would be better to identify and eliminate inside attackers.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
53. Outline
Introduction
The Bitmap Filter
Summary
Evaluations
Discussions
Conclusion
Summary of Discussions
1 The Compatibility
The bitmap filter is compatible with all single connection applications.
For multiple connection applications, the bitmap filter is also compatible
with hole-punching like NAT-traversal solutions.
2 Attack from Insiders
An inside attacker may quickly increase the bitmap utilization when
attacking outsiders. It hence increase the false negative rate.
An administrator may increase n or Te to tolerate such attacks. However,
it would be better to identify and eliminate inside attackers.
3 Adaptive Packet Dropping
For bandwidth attacks only, the bitmap filter may consider to adopt
adaptive packet dropping to increase the compatibility.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 28/31
54. Outline
Introduction
The Bitmap Filter
Evaluations
Discussions
Conclusion
Outline
1 Introduction
2 The Bitmap Filter
3 Evaluations
4 Discussions
5 Conclusion
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 29/31
55. Outline
Introduction
The Bitmap Filter
Evaluations
Discussions
Conclusion
Conclusion
We propose the bitmap filter, an alternative implementation
to replace the stateful packet inspection (SPI) filter, to stop
malicious traffic for client networks.
The bitmap filter successful reduces the complexities of both
storage and computation to constants.
Analyses and simulations show that with limited resources,
the bitmap filter can filter 90% even 99% attack traffic.
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 30/31
56. Outline
Introduction
The Bitmap Filter
Evaluations
Discussions
Conclusion
Thanks for your attention.
Comments or questions?
C.-Y. Huang, K.-T. Chen, C.-L. Lei Mitigating Active Attacks Towards Client Networks 31/31