Title: A Framework for Classifying Denial of Service Attacks
A Framework for Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos
Reviewed by Dave Lim
What this paper DOES NOT do
- It DOES NOT say how to prevent DoS attacks from happening
- It DOES NOT say how to stop a DoS attack once it has been detected
- It DOES NOT even say how to detect a DoS attack
- It DOES propose a way to classify a DoS attack as either a single- or multi-source attack once it has been detected
What is a Denial of Service (DoS) attack?
- A malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site
Types of DoS attacks
- 2 types of DoS
  - software exploits
  - flooding attacks
- Flooding attacks
  - single source
  - multi-source
- Multi-source attacks
  - zombie host attack
  - reflector attack
Proposed framework
- Classify attacks using
  - header contents
  - transient ramp-up behavior
  - spectral characteristics
1. Header analysis
- Source address is easily spoofed
- Use other header fields
  - Fragment identification field (ID)
  - Time-to-live field (TTL)
- The OS usually sequentially increments the ID field for each successive packet
- Assuming routes remain relatively stable, the TTL value will remain constant
1. Header analysis (continued)
- Method: estimate the number of attackers by counting the number of distinct ID sequences present in the attack
- Packets are considered to belong to the same ID sequence if
  - ID values are separated by less than an idgap (16)
  - TTL values are the same
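The ID-sequence rule above, implemented as an added example (this is not the paper's code or the reviewer's): packets are grouped into sequences when their TTLs match and the forward distance between consecutive ID values is below the idgap of 16, and the number of sequences is the attacker estimate. The `(ip_id, ttl)` tuple layout, the 16-bit wraparound handling, the function names and the constructed sample stream are assumptions made for this illustration.

```python
"""Estimate attacker count from IP ID / TTL sequences (added example)."""

IDGAP = 16              # maximum ID distance within one sequence (from the slide)
ID_MODULUS = 1 << 16    # the IP identification field is 16 bits wide


def id_distance(prev_id, next_id):
    """Forward distance from prev_id to next_id, allowing 16-bit wraparound."""
    return (next_id - prev_id) % ID_MODULUS


def group_id_sequences(packets, idgap=IDGAP):
    """Group (ip_id, ttl) packets into ID sequences and return them.

    Packets are processed in capture order. A packet joins the most recently
    extended sequence with the same TTL whose last ID is fewer than `idgap`
    below the packet's ID; otherwise it starts a new sequence. A packet whose
    ID is below a sequence's last ID (reordering) wraps to a large distance
    and therefore starts a new sequence in this simplified implementation.
    """
    sequences = []  # each entry: {"ttl": int, "ids": [int, ...]}
    for ip_id, ttl in packets:
        for seq in reversed(sequences):
            if seq["ttl"] == ttl and id_distance(seq["ids"][-1], ip_id) < idgap:
                seq["ids"].append(ip_id)
                break
        else:
            sequences.append({"ttl": ttl, "ids": [ip_id]})
    return sequences


def estimate_attackers(packets, idgap=IDGAP):
    """Attacker estimate = number of distinct ID sequences in the trace."""
    return len(group_id_sequences(packets, idgap))


def constructed_stream():
    """Constructed sample: three sources interleaved in capture order.

    A and C share a TTL but occupy different ID ranges; B has another TTL and
    skips IDs (its OS also used the counter for unrelated traffic).
    """
    a = [(1000 + i, 53) for i in range(20)]        # increments by 1
    b = [(5000 + 3 * i, 47) for i in range(20)]    # increments by 3
    c = [(30000 + 2 * i, 53) for i in range(20)]   # increments by 2
    stream = []
    for pa, pb, pc in zip(a, b, c):
        stream.extend([pa, pb, pc])
    return stream


if __name__ == "__main__":
    for seq in group_id_sequences(constructed_stream()):
        print(f"TTL {seq['ttl']}: {len(seq['ids'])} packets, "
              f"IDs {seq['ids'][0]}..{seq['ids'][-1]}")
    print("estimated attackers:", estimate_attackers(constructed_stream()))
```

The estimate is only as good as the sequential-ID assumption: a source that randomizes the ID field (as the observations slide later notes many zombies do) produces one new sequence per packet and inflates the count, which is why the paper does not rely on header analysis alone.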
2. Ramp-up behaviour
- No ramp-up usually indicates a single source
- Presence of ramp-up (200 ms to 14 s) usually indicates multiple sources
3. Spectral characteristics
- Attack streams have markedly different spectral content that varies depending on the number of attackers
- Use the quantile F(p) as a numerical method of comparing power spectral graphs
- Compare the F(60) values of attacks
  - 240-296 Hz: single source
  - 142-210 Hz: multiple sources
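How F(60) is obtained from a packet trace, as an added example that is not the paper's or the reviewer's code. In the paper, F(p) is the frequency below which p% of the spectral power lies; this block bins packet arrival times into 1 ms samples, computes the power spectrum with a direct DFT (pure Python, no numpy), reads off F(p) from the cumulative spectrum and applies the F(60) ranges from the slide. The 1 ms bin width, the exclusion of the zero-frequency (DC) term, and the helper names are assumptions made here; the test inputs (a pure tone and an impulse) are constructed so the expected F(60) is known analytically.

```python
"""Quantile F(p) of a packet-arrival power spectrum (added example)."""
import math

BIN_SECONDS = 0.001                   # 1 ms sampling -> 500 Hz Nyquist frequency
SAMPLE_RATE_HZ = 1.0 / BIN_SECONDS


def arrival_series(timestamps, n_bins, bin_seconds=BIN_SECONDS):
    """Count packet arrivals per bin, producing the sampled signal x[n]."""
    series = [0] * n_bins
    t0 = min(timestamps) if timestamps else 0.0
    for t in timestamps:
        idx = int((t - t0) / bin_seconds)
        if 0 <= idx < n_bins:
            series[idx] += 1
    return series


def power_spectrum(series):
    """|X[k]|^2 for k = 0..N/2 via a direct DFT (O(N^2); fine for short traces).

    By the Wiener-Khinchin relation this equals the DFT of the signal's
    autocorrelation, so it is the same power spectrum either way.
    """
    n = len(series)
    spectrum = []
    for k in range(n // 2 + 1):
        re = im = 0.0
        for t, x in enumerate(series):
            if x == 0:
                continue
            angle = 2.0 * math.pi * k * t / n
            re += x * math.cos(angle)
            im -= x * math.sin(angle)
        spectrum.append(re * re + im * im)
    return spectrum


def quantile_frequency(spectrum, p, sample_rate_hz=SAMPLE_RATE_HZ, skip_dc=True):
    """F(p): lowest frequency at which cumulative power reaches p percent.

    The DC term (k = 0) only encodes the mean packet rate and would swamp the
    cumulative sum for any constant-rate flood, so it is excluded by default
    (an assumption of this example).
    """
    n_bins = len(spectrum)
    values = spectrum[1:] if skip_dc else spectrum
    total = sum(values)
    if total <= 0:
        return None
    freq_per_bin = sample_rate_hz / (2 * (n_bins - 1))   # Nyquist sits at the last bin
    threshold = total * p / 100.0
    cumulative = 0.0
    for offset, power in enumerate(values):
        cumulative += power
        if cumulative >= threshold:
            k = offset + (1 if skip_dc else 0)
            return k * freq_per_bin
    return (n_bins - 1) * freq_per_bin


def classify_by_f60(f60):
    """Apply the F(60) ranges reported on the slide."""
    if f60 is None:
        return "undetermined"
    if 240 <= f60 <= 296:
        return "single-source"
    if 142 <= f60 <= 210:
        return "multi-source"
    return "outside reported ranges"


if __name__ == "__main__":
    # Constructed trace: one packet every 4 ms for half a second.
    stamps = [k * 0.004 for k in range(125)]
    f60 = quantile_frequency(power_spectrum(arrival_series(stamps, 500)), 60)
    print("F(60) =", f60, "Hz ->", classify_by_f60(f60))
```

A jitter-free periodic train like the one in `__main__` puts all its power into harmonics, so its F(60) lands at the Nyquist frequency; real floods carry timing jitter that spreads power downward, which is what the paper's 240-296 Hz and 142-210 Hz bands describe.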
Proposed framework in action (Attack Detection)
- Capture packet headers using tcpdump
- Flag packets as a potential attack if
  - the number of sources that connect to the same destination within one second exceeds 60
  - the traffic rate exceeds 40K packets/s
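The two flagging heuristics from the slide, run over constructed packet records as an added example (not the paper's detection code): traffic is bucketed per destination into one-second bins, and a destination is flagged when a bin holds more than 60 distinct sources or more than 40,000 packets. Only the two thresholds come from the slide; the `(timestamp, src, dst)` record layout, the fixed-window bucketing, the function names and the sample traffic are assumptions made for this illustration.

```python
"""One-second window screen for flooding attacks (added example)."""
from collections import defaultdict

SOURCE_THRESHOLD = 60       # distinct sources per destination per second (slide)
RATE_THRESHOLD = 40_000     # packets per second toward one destination (slide)


def flag_destinations(packets, source_threshold=SOURCE_THRESHOLD,
                      rate_threshold=RATE_THRESHOLD):
    """Return {dst: set(reasons)} for destinations that trip a heuristic.

    `packets` is an iterable of (timestamp_seconds, src, dst) tuples such as
    one would parse out of a tcpdump header trace. Records are grouped into
    whole-second bins per destination (a fixed window, not a sliding one).
    """
    per_bin = defaultdict(lambda: {"count": 0, "sources": set()})
    for ts, src, dst in packets:
        bucket = per_bin[(dst, int(ts))]
        bucket["count"] += 1
        bucket["sources"].add(src)

    flagged = defaultdict(set)
    for (dst, _second), bucket in per_bin.items():
        if len(bucket["sources"]) > source_threshold:
            flagged[dst].add("many_sources")
        if bucket["count"] > rate_threshold:
            flagged[dst].add("high_rate")
    return dict(flagged)


def constructed_trace():
    """Constructed sample traffic using RFC 5737 documentation addresses:
    a victim hit by 100 sources in one second, a busy but benign server,
    and a victim flooded by one source at 45,000 packets/s."""
    packets = []
    victim = "192.0.2.10"
    for i in range(100):                 # 100 distinct sources, 5 packets each
        for j in range(5):
            packets.append((10.0 + j * 0.1, f"203.0.113.{i}", victim))
    server = "192.0.2.20"
    for i in range(30):                  # 30 sources, modest rate: no flag
        packets.append((10.5, f"198.51.100.{i}", server))
    flooded = "192.0.2.30"
    for k in range(45_000):              # one source, 45,000 packets within [20, 21)
        packets.append((20.0 + k / 45_000, "198.51.100.200", flooded))
    return packets


if __name__ == "__main__":
    for dst, reasons in sorted(flag_destinations(constructed_trace()).items()):
        print(dst, sorted(reasons))
```

Both heuristics are coarse screens rather than classifiers: the source-count rule misses a single-source flood and the rate rule misses a slow distributed one, which is why the paper feeds flagged traffic into the header, ramp-up and spectral analyses that follow.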
Proposed framework in action (Packet header analysis)
- Observations
  - 87% of zombie attacks use illegal packet formats or randomize fields, indicating root access on the zombies
  - TCP was the most commonly used protocol
  - ICMP was the next favorite protocol
Proposed framework in action (Ramp-up behavior)
[figure-only slides]
Proposed framework in action (Spectral Analysis)
[figure-only slides]
Spectral analysis with synthetic data (clustered topology)
[figure-only slides]
Spectral analysis with synthetic data (distributed topology)
[figure-only slides]
Understanding frequency shift in F(60)
- Three hypotheses
  - Aggregation of multiple sources at either slightly or very different rates
  - Bunching of traffic due to queuing behavior
  - Aggregation of multiple sources with different phase
1. Different rates
- Scale the traffic rate by a scaling factor s varying from 0.5 to 2 (i.e. attackers with rates varying from half to twice the original attack rate)
- F(60) does not decrease
2. Bunching of traffic
- Queue p attack packets before sending all of them out at once (p varies from 5 to 15)
- F(60) does not decrease
3. Different phases
- Shift traffic by one phase
  - F(60) does not decrease
- Shift multiple copies of the traffic by multiple phases and aggregate them
  - F(60) does decrease
Conclusion
- Spectral analysis is a good way of classifying a DoS attack as either a single- or multi-source attack