A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann,
Download
Report
Transcript A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann,
A Framework for Classifying
Denial of Service Attacks
Alefiya Hussain, John Heidemann,
Christos Papadopoulos
Reviewed by Dave Lim
What this paper DOES NOT do
It DOES NOT say how to prevent DoS attacks
from happening
It DOES NOT say how to stop a DoS attack
once it has been detected
It DOES NOT even say how to detect a DoS
attack
It DOES propose a way to classify a DoS
attack as either a single or multi- source
attack once it has been detected
What is a Denial of Service
(DoS) attack?
A malicious user exploits the
connectivity of the Internet to cripple
the services offered by a victim site
Types of DoS attacks
2 types of DoS:
Flooding attacks:
software exploits
flooding attacks
single source
multi-source
Multi-source attacks:
zombie host attack
reflector attack
Proposed framework
Classify attacks using:
1. header contents
2. transient ramp-up behavior
3. spectral characteristics
1. Header analysis
Source address is easily spoofed
Use other header fields:
Fragment identification field (ID)
Time-to-live field (TTL)
OS usually sequentially increments ID
field for each successive packet
Assuming routes remain relatively
stable, TTL value will remain constant
1. Header analysis (continued)
Method: estimate the number of
attackers by counting the number of
distinct ID sequences present in attack
Packets are considered to belong to the
same ID sequence if :
ID values are separated by less than an
idgap (=16)
TTL are the same
2. Ramp-up behaviour
No ramp-up usually indicates single
source
Presence of ramp-up (200ms-14s)
usually indicates multiple sources
Spectral Characteristics
Attack streams have markedly different
spectral content that varies depending on
number of attackers
Use quantile, F(p), as a numerical method of
comparing power spectral graphs.
Compare the F(60%) values of attacks:
240-296Hz single source
142-210Hz multiple source
Proposed framework in action
(Attack Detection)
Capture packet headers using tcpdump
Flag packet as potential attack if:
Number of sources that connect to the
same destination within one second
exceeds 60
The traffic rate exceeds 40Kpackets/s
Proposed framework in action
(Packet header analysis)
Proposed framework in action
(Packet header analysis)
Observations
87% of zombie attacks use illegal packet
formats or randomize fields, indicating root
access on zombies
TCP protocol was most commonly used
ICMP next favorite protocol
Proposed framework in action
(Ramp-up behavior)
Ramp-up duration : 3s
Proposed framework in action
(Ramp-up behavior)
Ramp-up duration : 14s
Proposed framework in action
(Spectral Analysis)
Proposed framework in action
(Spectral Analysis)
Proposed framework in action
(Spectral Analysis)
Spectral analysis with synthetic
data (clustered topology)
Spectral analysis with synthetic
data (clustered topology)
Spectral analysis with synthetic
data (distributed topology)
Spectral analysis with synthetic
data (distributed topology)
Understanding frequency shift
in F(60%)
3 hypothesis:
1. Agregation of multiple sources at either
slightly or very different rates
2. Bunching of traffic due to queuing
behavior
3. Aggregation of multiple sources with
different phase
1. Different rates
Scale traffic rate by scaling factor s,
varying from 0.5 to 2 (i.e. attackers
with rates varying from twice to half the
original attack rate)
F(60%) does not decrease
2. Bunching of traffic
Queue p attack packets before sending
all of them out at once (p varies from 515)
F(60%) does not decrease
3. Different phases
Shift traffic by one phase
F(60%) does not decrease
Shift multiple copies of traffic by
multiple phases, and aggregate them
F(60%) does decrease
Conclusion
Spectral analysis is a good way of
classifying a DoS attack as either a
single or multi-source attack