A Framework for Classifying Denial of Service Attacks - PowerPoint PPT Presentation
1
A Framework for Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos
Reviewed by Dave Lim
2
What this paper DOES NOT do
  • It DOES NOT say how to prevent DoS attacks from happening
  • It DOES NOT say how to stop a DoS attack once it has been detected
  • It DOES NOT even say how to detect a DoS attack
  • It DOES propose a way to classify a DoS attack as either a single-source or multi-source attack once it has been detected

3
What is a Denial of Service (DoS) attack?
  • A malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site

4
Types of DoS attacks
  • 2 types of DoS
    • software exploits
    • flooding attacks
  • Flooding attacks
    • single source
    • multi-source
  • Multi-source attacks
    • zombie host attack
    • reflector attack

5
Proposed framework
  • Classify attacks using
    • header contents
    • transient ramp-up behavior
    • spectral characteristics

6
1. Header analysis
  • Source address is easily spoofed
  • Use other header fields
    • Fragment identification field (ID)
    • Time-to-live field (TTL)
  • OS usually sequentially increments the ID field for each successive packet
  • Assuming routes remain relatively stable, the TTL value will remain constant

7
1. Header analysis (continued)
  • Method: estimate the number of attackers by counting the number of distinct ID sequences present in the attack
  • Packets are considered to belong to the same ID sequence if
    • ID values are separated by less than an idgap (16)
    • TTL values are the same
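
An added example (not code from the slides or the paper) that applies the counting rule on slides 6-7 to constructed packet records: the idgap of 16 and the same-TTL test are the slides' own, while the 16-bit wraparound handling, the sample data and the function names are assumptions. It also goes one step beyond the slides by showing how a host that randomizes its ID field (the slide-12 observation) inflates the estimate.

```python
# Added example (not from the slides or the paper): estimate the number of
# attacking hosts from IP header fields, using the rule on slides 6-7.
# Packets are (ip_id, ttl) pairs in arrival order; all samples are constructed.

IDGAP = 16        # slide 7: IDs closer than this (same TTL) share a sequence
ID_SPACE = 65536  # the IP identification field is 16 bits wide, so it wraps


def id_distance(a, b):
    """Circular distance between two 16-bit ID values (handles wraparound)."""
    d = (a - b) % ID_SPACE
    return min(d, ID_SPACE - d)


def count_id_sequences(packets, idgap=IDGAP):
    """Count distinct ID sequences, the paper's estimate of attacker count.
    A packet joins the first sequence with the same TTL whose last ID is
    less than idgap away; otherwise it starts a new sequence."""
    sequences = []  # each entry is [ttl, last_id]
    for ip_id, ttl in packets:
        for seq in sequences:
            if seq[0] == ttl and id_distance(ip_id, seq[1]) < idgap:
                seq[1] = ip_id
                break
        else:  # no matching sequence: this looks like a new host
            sequences.append([ttl, ip_id])
    return len(sequences)

def classify(packets):
    """Slide 2's outcome: single- or multi-source, from the sequence count."""
    return "single-source" if count_id_sequences(packets) == 1 else "multi-source"

# Constructed sample 1: one host, sequential IDs, constant TTL.
SINGLE_SOURCE = [(1000 + i, 53) for i in range(8)]

# Constructed sample 2: three hosts interleaved. Host C reuses host A's ID
# range but arrives with a different TTL, so it is still counted separately.
_host_a = [(1000 + i, 53) for i in range(6)]
_host_b = [(40000 + 3 * i, 61) for i in range(6)]
_host_c = [(1002 + i, 48) for i in range(6)]
MULTI_SOURCE = [p for trio in zip(_host_a, _host_b, _host_c) for p in trio]

# Constructed sample 3: one host whose ID field is randomized (slide 12).
# Every packet starts a new sequence, so the count overstates the host total.
RANDOMIZED_IDS = [(5000, 53), (17, 53), (60000, 53), (31000, 53)]

if __name__ == "__main__":
    for name, pkts in [("single", SINGLE_SOURCE), ("multi", MULTI_SOURCE)]:
        print(name, count_id_sequences(pkts), classify(pkts))
```

The randomized sample shows the limit of this estimator on its own: it reports four sources for one host, which is why the slides pair header analysis with ramp-up and spectral evidence.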

8
2. Ramp-up behaviour
  • No ramp-up usually indicates a single source
  • Presence of ramp-up (200 ms-14 s) usually indicates multiple sources

9
3. Spectral characteristics
  • Attack streams have markedly different spectral content that varies depending on the number of attackers
  • Use the quantile, F(p), as a numerical method of comparing power spectral graphs
  • Compare the F(60) values of attacks
    • 240-296 Hz → single source
    • 142-210 Hz → multiple sources

10
Proposed framework in action (Attack Detection)
  • Capture packet headers using tcpdump
  • Flag packets as a potential attack if
    • the number of sources that connect to the same destination within one second exceeds 60
    • the traffic rate exceeds 40K packets/s

11
Proposed framework in action (Packet header analysis)
12
Proposed framework in action (Packet header analysis)
  • Observations
    • 87 of zombie attacks use illegal packet formats or randomize fields, indicating root access on zombies
    • TCP protocol was most commonly used
    • ICMP was the next favorite protocol

13
Proposed framework in action (Ramp-up behavior)
  • Ramp-up duration: 3 s

14
Proposed framework in action (Ramp-up behavior)
  • Ramp-up duration: 14 s

15
Proposed framework in action (Spectral Analysis)
16
Proposed framework in action (Spectral Analysis)
17
Proposed framework in action (Spectral Analysis)
18
Spectral analysis with synthetic data (clustered topology)
19
Spectral analysis with synthetic data (clustered topology)
20
Spectral analysis with synthetic data (distributed topology)
21
Spectral analysis with synthetic data (distributed topology)
22
Understanding frequency shift in F(60)
  • 3 hypotheses
    • Aggregation of multiple sources at either slightly or very different rates
    • Bunching of traffic due to queuing behavior
    • Aggregation of multiple sources with different phase

23
1. Different rates
  • Scale traffic rate by a scaling factor s, varying from 0.5 to 2 (i.e. attackers with rates varying from twice to half the original attack rate)
  • F(60) does not decrease

24
2. Bunching of traffic
  • Queue p attack packets before sending all of them out at once (p varies from 5-15)
  • F(60) does not decrease

25
3. Different phases
  • Shift traffic by one phase
    • F(60) does not decrease
  • Shift multiple copies of traffic by multiple phases, and aggregate them
    • F(60) does decrease

26
Conclusion
  • Spectral analysis is a good way of classifying a DoS attack as either a single-source or multi-source attack