Dr. David Eckhoff

I am a Principal Scientist and the Director of the MoVES Lab at TUMCREATE, Singapore. My research focuses on future transportation technologies, simulation, the smart city, and privacy.

David Eckhoff, "Analysis of Attack Vectors and Suitable Defense Mechanisms for Flow Monitors," Master's Thesis, Department of Computer Science, University of Erlangen-Nuremberg, June 2009. (Advisors: Tobias Limmer and Falko Dressler)


Flow monitoring is an approach to efficiently manage and monitor large scale networks. A flow monitor can also be installed to cope with rising security risks and detect ongoing attacks or anomalies. However, these monitors can be attacked themselves which becomes critical if the security solution of the whole network relies on this device. To identify possible attack vectors we analyze aggregation modules within flow-based network monitoring tools, which usually make use of fast look-up methods to be able to quickly assign received packets to their corresponding flows. In software-based aggregators, hash tables are usually used for this task. If attackers are able to create collisions by exploiting the used hash function, the hash table degenerates to linked lists with worst-case look-up times of O(n) and greatly reduce the performance of the aggregation modules. In this thesis, we analyze the aggregation modules of software-based flow meters Vermont and nProbe. We evaluate the resilience strength of used hash functions by theoretical analysis and confirm the results by performing real attacks. Lastly we present a hash function which we believe has none of the weaknesses we have discovered. The second part of this thesis examines DoS attacks against monitored networks or the monitor itself. These attacks can lead to extensive memory usage and increased export volume at the monitor. In a worst-case scenario every attack packet is represented by a single flow. We analyze the effects of TCP DDoS attacks on a flow monitor and present two approaches to minimize the damage caused by such an attack. The first detects TCP SYN attacks via the SYN/FIN ratio, the second observes the amount of newly created flows within the hash table of the monitor to detect attacks and identifies victim and attacker through TCP packet symmetry.

Quick access

BibTeX BibTeX


David Eckhoff

BibTeX reference

    author = {Eckhoff, David},
    school = {University of Erlangen-Nuremberg},
    title = {{Analysis of Attack Vectors and Suitable Defense Mechanisms for Flow Monitors}},
    year = {2009},
    month = {June},
    type = {Master's Thesis},
    advisor = {Limmer, Tobias and Dressler, Falko},
    institution = {Department of Computer Science},
    location = {Erlangen, Germany},

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceeedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or permissions@acm.org.

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at www.springerlink.com.

This page was automatically generated using BibDB and bib2web.