![Page 1: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/1.jpg)
Inferring Internet Denial-of-Service Activity
David Moore, Geoffrey M Voelker, Stefan Savage
Presented by Yuemin Yu – CS290F – Winter 2005
![Page 2: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/2.jpg)
Outline
Motivation
Attack types
Backscatter analysis
Results
Conclusion
![Page 3: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/3.jpg)
Motivation
“How prevalent are DoS attacks today on the Internet?”
Nature of the current threats
Longer-term analysis of trends and recurring patterns of attacks
Publish quantitative data about attacks
![Page 4: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/4.jpg)
Attack Types
Logic attacks: exploit software vulnerabilities; countered by software patches
Flooding attacks: distributed DoS; source IP address spoofed at random; exhaust system resources
![Page 5: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/5.jpg)
Backscatter
Attacker uses randomly selected source IP addresses
Victim replies to the spoofed source IP
Results in unsolicited responses from the victim to third-party IP addresses
![Page 6: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/6.jpg)
Backscatter
![Page 7: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/7.jpg)
Backscatter Analysis
m attack packets sent, n distinct IP addresses monitored
Expectation of observing an attack:
R’: actual (observed) rate of attack; R: extrapolated attack rate
![Page 8: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/8.jpg)
Analysis Assumptions
Address uniformity: source addresses are spoofed at random and uniformly distributed
Reliable delivery: attack and backscatter traffic are delivered reliably
Backscatter hypothesis: the unsolicited packets observed represent backscatter
![Page 9: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/9.jpg)
Attack classifications
Flow-based: based on target IP address and protocol; fixed time frame (within 5 minutes of the most recent packet)
Event-based: based on target IP address only; fixed time frame
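As an added example (not the paper's or the presenter's code), the flow-based and event-based grouping above together with the rate extrapolation from the Backscatter Analysis slide (R ≥ R’ · 2^32 / n), run over a constructed set of telescope packets; the sample addresses, the record layout and the function names are assumptions.

```python
# Monitored telescope: a /8 as in the paper, i.e. n = 2^24 of the 2^32 addresses
MONITORED_ADDRS = 2 ** 24
FLOW_TIMEOUT = 5 * 60  # seconds; a group ends 5 minutes after its most recent packet

# Constructed sample of unsolicited packets arriving at the telescope.
# Record: (unix time, source = apparent victim, protocol, TCP flags / ICMP type)
SAMPLE = [
    (1000, "198.51.100.7", "tcp", "SA"),
    (1030, "198.51.100.7", "tcp", "SA"),
    (1100, "198.51.100.7", "tcp", "RA"),
    (1120, "198.51.100.7", "icmp", "unreach"),
    (1500, "198.51.100.7", "tcp", "SA"),      # 400 s of silence: a new flow
    (1010, "203.0.113.9", "icmp", "unreach"),
    (1020, "203.0.113.9", "icmp", "unreach"),
]


def extrapolate_rate(observed_rate, monitored=MONITORED_ADDRS):
    """Paper's estimate R >= R' * 2^32 / n, assuming uniformly random spoofing."""
    return observed_rate * (2 ** 32) / monitored


def classify(records, by_protocol=True, timeout=FLOW_TIMEOUT):
    """Flow-based (victim, protocol) or event-based (victim only) grouping.
    A packet joins the open group for its key unless more than `timeout`
    seconds passed since that group's last packet, which starts a new group."""
    groups, open_idx = [], {}
    for t, victim, proto, _ in sorted(records):
        key = (victim, proto) if by_protocol else victim
        idx = open_idx.get(key)
        if idx is not None and t - groups[idx]["end"] <= timeout:
            groups[idx]["end"] = t
            groups[idx]["packets"] += 1
        else:
            open_idx[key] = len(groups)
            groups.append({"victim": victim, "proto": proto if by_protocol else None,
                           "start": t, "end": t, "packets": 1})
    return groups


def estimated_attack_rate(group):
    """Observed backscatter rate R' (packets/s) scaled up to the victim's load R."""
    duration = max(group["end"] - group["start"], 1)
    return extrapolate_rate(group["packets"] / duration)


if __name__ == "__main__":
    for g in classify(SAMPLE):
        print(g["victim"], g["proto"], g["packets"], "pkts,",
              f"{estimated_attack_rate(g):.2f} pps at victim")
```

The same sample yields four flows but only three events, since the victim's TCP and ICMP backscatter collapse into one event when protocol is ignored.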
![Page 10: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/10.jpg)
Data collection
/8 network: 2^24 IP addresses, 1/256 of the Internet address space
![Page 11: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/11.jpg)
Data collection
Collect data and extract the following information: TCP flags, ICMP payload, address uniformity, port settings, DNS information, routing information
![Page 12: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/12.jpg)
Response/Used Protocols
![Page 13: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/13.jpg)
Rate of attack
![Page 14: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/14.jpg)
Victims by ports
![Page 15: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/15.jpg)
Attack Duration: Cumulative Probability
Cumulative probability density
![Page 16: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/16.jpg)
Top level domain
![Page 17: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/17.jpg)
Victims by Hostnames
![Page 18: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/18.jpg)
Autonomous System
![Page 19: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/19.jpg)
Repeated Attacks
![Page 20: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/20.jpg)
Conclusion
Observed 12,000 attacks against more than 5,000 distinct targets.
Distributed over many different domains and ISPs
A small number of long attacks account for a large percentage of the attack volume
An unexpected number of attacks target home, foreign, and specific-ISP hosts
![Page 21: Inferring Internet Denial-of-Service Activity](https://reader036.vdocuments.us/reader036/viewer/2022070500/5681683b550346895dde07a3/html5/thumbnails/21.jpg)
Thanks
Questions?