A Framework for Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos
Reviewed by Dave Lim
What this paper DOES NOT do
- It DOES NOT say how to prevent DoS attacks from happening
- It DOES NOT say how to stop a DoS attack once it has been detected
- It DOES NOT even say how to detect a DoS attack
- It DOES propose a way to classify a DoS attack as either a single- or multi-source attack once it has been detected
What is a Denial of Service (DoS) attack?
A malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site
Types of DoS attacks
Two types of DoS attack:
- software exploits
- flooding attacks
Flooding attacks: single source or multi-source
Multi-source attacks: zombie host attack or reflector attack
Proposed framework
Classify attacks using:
1. header contents
2. transient ramp-up behavior
3. spectral characteristics
1. Header analysis
The source address is easily spoofed, so use other header fields:
- Fragment identification field (ID)
- Time-to-live field (TTL)
The OS usually sequentially increments the ID field for each successive packet.
Assuming routes remain relatively stable, the TTL value will remain constant.
1. Header analysis (continued)
Method: estimate the number of attackers by counting the number of distinct ID sequences present in the attack.
Packets are considered to belong to the same ID sequence if:
- their ID values are separated by less than idgap (= 16)
- their TTL values are the same
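The ID-sequence counting rule from the two header-analysis slides, as an added example (not code from the paper or the slides); packet input is constructed as (ip_id, ttl) tuples, and the 16-bit wrap-around handling and the new-sequence ratio are this example's own additions.

```python
# Added example (not the paper's code): estimate the number of attack sources
# by counting distinct IP-ID sequences, applying the rule from the slides
# (same TTL, IDs less than idgap=16 apart). Packets are constructed
# (ip_id, ttl) tuples in arrival order.
IDGAP = 16           # maximum forward ID distance inside one sequence (from the slides)
ID_MODULO = 1 << 16  # the IP identification field is 16 bits, so it wraps around

def id_distance(prev_id, new_id):
    """Forward distance from prev_id to new_id, tolerating 16-bit wrap-around."""
    return (new_id - prev_id) % ID_MODULO

def count_id_sequences(packets, idgap=IDGAP):
    """Group packets into ID sequences; the number of sequences estimates attackers.

    A packet joins the first existing sequence with the same TTL whose last ID is
    less than `idgap` behind it (sequential OS counters produce small gaps);
    otherwise it starts a new sequence. Returns (estimate, sequences).
    """
    sequences = []  # each entry: {"ttl": int, "last_id": int, "ids": [int, ...]}
    for ip_id, ttl in packets:
        for seq in sequences:
            if seq["ttl"] == ttl and id_distance(seq["last_id"], ip_id) < idgap:
                seq["last_id"] = ip_id
                seq["ids"].append(ip_id)
                break
        else:
            sequences.append({"ttl": ttl, "last_id": ip_id, "ids": [ip_id]})
    return len(sequences), sequences

def new_sequence_ratio(packets, idgap=IDGAP):
    """Fraction of packets that opened a new sequence.

    Near 1.0 means almost every packet broke the sequential-ID assumption, the
    randomised-field behaviour the slides report for most zombie attacks; the
    attacker estimate from count_id_sequences is then not meaningful.
    """
    estimate, _ = count_id_sequences(packets, idgap)
    return estimate / len(packets) if packets else 0.0

# Constructed trace: two hosts (TTL 54 and TTL 61) interleaved, each with a
# sequentially incrementing ID counter.
SAMPLE_PACKETS = [(1000, 54), (500, 61), (1003, 54), (501, 61),
                  (1005, 54), (507, 61), (1010, 54), (1020, 54)]

if __name__ == "__main__":
    n, seqs = count_id_sequences(SAMPLE_PACKETS)
    print("estimated sources:", n, [s["ids"] for s in seqs])
    print("new-sequence ratio:", new_sequence_ratio(SAMPLE_PACKETS))
```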
2. Ramp-up behaviour
No ramp-up usually indicates single source
Presence of ramp-up (200 ms to 14 s) usually indicates multiple sources
3. Spectral characteristics
Attack streams have markedly different spectral content that varies depending on the number of attackers.
Use the quantile, F(p), as a numerical method of comparing power spectral graphs.
Compare the F(60%) values of attacks:
- 240-296 Hz: single source
- 142-210 Hz: multiple sources
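How the spectral quantile F(p) is computed from a packet trace, as an added example (not code from the paper); it assumes 1 ms arrival bins and a plain-Python DFT, and the band-naming helper and the constructed periodic trace are this example's own assumptions.

```python
# Added example (not the paper's code): compute the spectral quantile F(p) of a
# packet-arrival time series, the statistic the slides compare at p = 60%.
# Assumptions: 1 ms bins (1 kHz sampling, so the spectrum spans 0-500 Hz); pure-Python DFT.
import cmath
import math

BIN_WIDTH = 0.001  # seconds per bin

def arrival_series(arrival_times, duration, bin_width=BIN_WIDTH):
    """Packets-per-bin count over [0, duration); small epsilon absorbs float error."""
    n_bins = int(round(duration / bin_width))
    counts = [0] * n_bins
    for t in arrival_times:
        i = int(t / bin_width + 1e-9)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts

def power_spectrum(counts, bin_width=BIN_WIDTH):
    """One-sided (frequency_hz, power) list of the mean-removed series, DC excluded."""
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]
    spectrum = []
    for k in range(1, n // 2 + 1):  # bins 1 .. Nyquist
        xk = sum(x[j] * cmath.exp(-2j * math.pi * k * j / n) for j in range(n))
        spectrum.append((k / (n * bin_width), abs(xk) ** 2))
    return spectrum

def spectral_quantile(spectrum, p):
    """F(p): lowest frequency at which cumulative power reaches fraction p of the total."""
    total = sum(power for _, power in spectrum)
    acc = 0.0
    for freq, power in spectrum:
        acc += power
        if acc >= p * total:
            return freq
    return spectrum[-1][0]

def f60_band(f60):
    """Name the F(60%) band from the slides that a value falls in (ranges quoted above)."""
    if 240 <= f60 <= 296:
        return "single-source band"
    if 142 <= f60 <= 210:
        return "multi-source band"
    return "outside the reported bands"

# Constructed trace: one source sending a packet every 5 ms for 0.5 s. Power sits
# at the 200 Hz fundamental and its 400 Hz harmonic, so F(60%) lands at 400 Hz.
SAMPLE_ARRIVALS = [0.005 * i for i in range(100)]
```

A perfectly periodic source concentrates power at its harmonics; real traces spread it across the spectrum, which is why the paper compares F(60%) rather than peak frequencies.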
Proposed framework in action (Attack detection)
Capture packet headers using tcpdump.
Flag packets as a potential attack if:
- the number of sources that connect to the same destination within one second exceeds 60
- the traffic rate exceeds 40 Kpackets/s
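The two flagging rules above applied per destination and per one-second bucket, as an added example (not the paper's detection code); the (timestamp, src_ip, dst_ip) input format and the constructed trace using documentation address ranges are this example's own assumptions.

```python
# Added example (not the paper's code): the two flagging rules quoted on the
# slide, applied per destination and per one-second bucket to a constructed
# header list of (timestamp_seconds, src_ip, dst_ip) tuples.
from collections import defaultdict

MAX_SOURCES_PER_SEC = 60      # distinct sources to one destination in a second
MAX_PACKETS_PER_SEC = 40_000  # packets per second (40 Kpackets/s)

def flag_windows(packets, max_sources=MAX_SOURCES_PER_SEC, max_pps=MAX_PACKETS_PER_SEC):
    """Return {(second, dst_ip): reason} for every window that trips a rule."""
    sources = defaultdict(set)  # (second, dst) -> distinct source addresses
    counts = defaultdict(int)   # (second, dst) -> packet count
    for ts, src, dst in packets:
        key = (int(ts), dst)
        sources[key].add(src)
        counts[key] += 1
    flagged = {}
    for key, count in counts.items():
        reasons = []
        if len(sources[key]) > max_sources:
            reasons.append("sources>%d" % max_sources)
        if count > max_pps:
            reasons.append("pps>%d" % max_pps)
        if reasons:
            flagged[key] = ", ".join(reasons)
    return flagged

def sample_trace():
    """Constructed trace against victim 192.0.2.10 (documentation addresses).

    Second 0: ten packets from three clients (benign).
    Second 1: 61 distinct sources, each sending once (trips the source rule).
    Second 2: one source sending 40,001 packets (trips the rate rule).
    """
    pkts = [(0.1 * i, "10.0.0.%d" % (i % 3 + 1), "192.0.2.10") for i in range(10)]
    pkts += [(1.0 + 0.001 * i, "198.51.100.%d" % i, "192.0.2.10") for i in range(61)]
    pkts += [(2.0 + 0.00001 * i, "203.0.113.5", "192.0.2.10") for i in range(40001)]
    return pkts

if __name__ == "__main__":
    for (second, dst), reason in sorted(flag_windows(sample_trace()).items()):
        print("t=%ds dst=%s flagged: %s" % (second, dst, reason))
```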
Proposed framework in action (Packet header analysis)
Observations:
- 87% of zombie attacks use illegal packet formats or randomize fields, indicating root access on the zombies
- TCP was the most commonly used protocol
- ICMP was the next favorite protocol
Proposed framework in action (Ramp-up behavior)
Ramp-up duration: 3 s
Ramp-up duration: 14 s
Proposed framework in action (Spectral Analysis)
Spectral analysis with synthetic data (clustered topology)
Spectral analysis with synthetic data (distributed topology)
Understanding the frequency shift in F(60%)
Three hypotheses:
1. Aggregation of multiple sources at either slightly or very different rates
2. Bunching of traffic due to queuing behavior
3. Aggregation of multiple sources with different phase
1. Different rates
Scale the traffic rate by a scaling factor s varying from 0.5 to 2 (i.e. attackers with rates from twice to half the original attack rate). Result: F(60%) does not decrease.
2. Bunching of traffic
Queue p attack packets before sending all of them out at once (p varies from 5 to 15). Result: F(60%) does not decrease.
3. Different phases
Shift the traffic by one phase: F(60%) does not decrease.
Shift multiple copies of the traffic by multiple phases and aggregate them: F(60%) does decrease.
Conclusion
Spectral analysis is a good way of classifying a DoS attack as either a single or multi-source attack