Inferring Internet Denial-of-Service Activity David Moore, Geoffrey M. Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005
Outline • Motivation • Attack types • Backscatter analysis • Results • Conclusion
Motivation • “How prevalent are DoS attacks on the Internet today?” • Nature of the current threats • Longer-term analysis of trends and recurring attack patterns • Publish quantitative data about attacks
Attack Types • Logic attacks • Exploit software vulnerabilities • Mitigated by software patches • Flooding attacks • Distributed DoS • Source IP addresses spoofed at random • Exhaust the victim's system or network resources
Backscatter • Attacker uses randomly selected source IP addresses • Victim replies to each spoofed source IP • Results in unsolicited responses from the victim to third-party IP addresses
Backscatter Analysis • m attack packets sent • n distinct IP addresses monitored • Expectation of observing an attack: • R’: observed (measured) backscatter rate • R: extrapolated attack rate
Analysis Assumptions • Address uniformity • Source addresses spoofed at random • Uniformly distributed over the address space • Reliable delivery • Attack and backscatter traffic are delivered reliably • Backscatter hypothesis • Unsolicited packets observed at the monitor represent backscatter
Attack Classifications • Flow-based • Keyed on target IP address and protocol • A flow ends after 5 minutes with no further packet • Event-based • Keyed on target IP address only • Fixed time window
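The two slides above describe the backscatter model and the flow-based classification in words. The following is an added example (not code from the paper or the presenter) that implements both: it groups unsolicited packets into flows keyed on (victim, protocol) with a 5-minute inactivity timeout, then extrapolates each flow's attack rate from the observed backscatter rate. It assumes the paper's model of uniform random spoofing over the 2^32 IPv4 addresses and a /8 monitor of 2^24 addresses; the packet records are constructed, and the function and field names are this example's own.

```python
"""Backscatter flow classification and rate extrapolation (added example).

Model assumed (from the paper's analysis, not restated on the slides):
an attacker spoofs source addresses uniformly at random over the 2^32
IPv4 addresses, and a monitor observing n addresses therefore sees each
backscatter packet with probability n / 2^32.
"""

ADDRESS_SPACE = 2 ** 32
MONITOR_SIZE = 2 ** 24        # a /8 telescope: 1/256 of the IPv4 space
FLOW_TIMEOUT = 5 * 60         # a flow closes after 5 minutes of silence


def expected_observed(m, n=MONITOR_SIZE):
    """Expected number of backscatter packets seen at n monitored
    addresses from an attack of m packets: n * m / 2^32."""
    return n * m / ADDRESS_SPACE


def extrapolate_rate(observed_rate, n=MONITOR_SIZE):
    """Extrapolated attack rate R from the observed rate R':
    R = R' * 2^32 / n (a lower bound if any traffic is lost)."""
    return observed_rate * ADDRESS_SPACE / n


def classify_flows(packets, timeout=FLOW_TIMEOUT):
    """Group unsolicited packets into flows keyed on (victim, protocol).

    packets: iterable of (timestamp_seconds, victim_ip, protocol).
    A flow for a key closes when more than `timeout` seconds pass with
    no new packet for that key; the next packet starts a new flow.
    Returns a list of flow dicts with count, duration and rates.
    """
    open_flows = {}
    flows = []
    for ts, victim, proto in sorted(packets):
        key = (victim, proto)
        flow = open_flows.get(key)
        if flow is not None and ts - flow["last"] > timeout:
            flows.append(flow)          # gap too long: close the old flow
            flow = None
        if flow is None:
            flow = {"victim": victim, "proto": proto,
                    "start": ts, "last": ts, "count": 0}
            open_flows[key] = flow
        flow["last"] = ts
        flow["count"] += 1
    flows.extend(open_flows.values())   # flows still open at end of trace

    for flow in flows:
        duration = flow["last"] - flow["start"]
        flow["duration"] = duration
        # A single-packet flow has zero duration; report its count as the rate.
        observed = flow["count"] / duration if duration > 0 else float(flow["count"])
        flow["observed_rate"] = observed
        flow["extrapolated_rate"] = extrapolate_rate(observed)
    return flows


# Constructed sample: (timestamp, victim, protocol) of unsolicited packets
# arriving at the monitor.  Victim A's TCP backscatter has an 880 s gap,
# so it should split into two flows; A's ICMP traffic is a separate key.
SAMPLE_PACKETS = [
    (0, "198.51.100.7", "tcp"), (30, "198.51.100.7", "tcp"),
    (60, "198.51.100.7", "tcp"), (90, "198.51.100.7", "tcp"),
    (120, "198.51.100.7", "tcp"),
    (10, "198.51.100.7", "icmp"), (40, "198.51.100.7", "icmp"),
    (500, "203.0.113.9", "icmp"),
    (1000, "198.51.100.7", "tcp"), (1030, "198.51.100.7", "tcp"),
]

if __name__ == "__main__":
    for f in classify_flows(SAMPLE_PACKETS):
        print(f"{f['victim']} {f['proto']}: {f['count']} pkts over "
              f"{f['duration']} s, observed {f['observed_rate']:.4f} pkt/s, "
              f"extrapolated {f['extrapolated_rate']:.1f} pkt/s")
```

With a /8 monitor every observed backscatter packet stands for about 256 attack packets, so an attack of 1,000 packets is expected to yield only about 3.9 observed packets; short, low-rate attacks are therefore easy to miss, which is why the paper treats its counts as lower bounds.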
Data Collection • Monitored a /8 network • 2^24 IP addresses • 1/256 of the IPv4 address space
Data Collection • From the captured packets, extract the following: • TCP flags • ICMP payload • Address uniformity • Port settings • DNS information • Routing information
Attack Duration • (Figure: cumulative probability distribution of attack duration)
Conclusion • Observed about 12,000 attacks against more than 5,000 distinct targets • Targets distributed over many different domains and ISPs • A small number of long attacks account for a large share of the attack volume • An unexpected number of attacks target home machines, foreign networks, and specific ISPs
Thanks • Questions?