This paper proposes a framework to classify DoS attacks and explains header analysis, ramp-up behavior, and spectral characteristics for attack detection.
A Framework for Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos
Reviewed by Dave Lim
What this paper DOES NOT do
• It DOES NOT say how to prevent DoS attacks from happening
• It DOES NOT say how to stop a DoS attack once it has been detected
• It DOES NOT even say how to detect a DoS attack
• It DOES propose a way to classify a DoS attack as either a single-source or multi-source attack once it has been detected
What is a Denial of Service (DoS) attack?
• A malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site
Types of DoS attacks
• 2 types of DoS:
  • software exploits
  • flooding attacks
• Flooding attacks:
  • single source
  • multi-source
• Multi-source attacks:
  • zombie host attack
  • reflector attack
Proposed framework
• Classify attacks using:
  • header contents
  • transient ramp-up behavior
  • spectral characteristics
1. Header analysis
• Source address is easily spoofed
• Use other header fields:
  • Fragment identification field (ID)
  • Time-to-live field (TTL)
• The OS usually increments the ID field sequentially for each successive packet
• Assuming routes remain relatively stable, the TTL value will remain constant

1. Header analysis (continued)
• Method: estimate the number of attackers by counting the number of distinct ID sequences present in the attack
• Packets are considered to belong to the same ID sequence if:
  • their ID values are separated by less than idgap (= 16)
  • their TTL values are the same
2. Ramp-up behavior
• No ramp-up usually indicates a single source
• Presence of a ramp-up (200 ms to 14 s) usually indicates multiple sources
3. Spectral characteristics
• Attack streams have markedly different spectral content that varies depending on the number of attackers
• Use the quantile F(p) as a numerical method of comparing power spectral graphs
• Compare the F(60%) values of attacks:
  • 240-296 Hz: single source
  • 142-210 Hz: multiple sources
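The ramp-up and spectral measures above, as one added example in Python that is not the paper's own code. Both work on the same per-bin packet-count series that bin_counts() builds from packet timestamps. ramp_up_duration() measures the time from the first attack packet until the rate reaches 90% of its steady-state level (steady state taken as the mean of the last quarter of the window; both choices are this example's, the paper only states the 200 ms to 14 s range). power_spectrum() computes the one-sided power spectrum of the mean-removed series with a plain DFT (no numpy needed), spectral_quantile() returns F(p), and classify_f60() applies the slide's 240-296 Hz and 142-210 Hz ranges, leaving anything else undecided. The synthetic series are constructed from cosines so the expected F(60%) is known exactly; on a real capture the series would be 1 ms counts from tcpdump timestamps.

```python
import cmath
import math


def bin_counts(arrival_times, duration, dt):
    """Count packet arrivals (timestamps in seconds) per bin of width dt over [0, duration)."""
    n_bins = int(round(duration / dt))
    counts = [0.0] * n_bins
    for t in arrival_times:
        idx = int(t / dt)
        if 0 <= idx < n_bins:
            counts[idx] += 1.0
    return counts


def ramp_up_duration(rates, dt, fraction=0.9):
    """Seconds from the first attack packet until the per-bin rate first reaches
    `fraction` of its steady-state level. Steady state is the mean of the last
    quarter of the window; both choices are this example's, not the paper's."""
    n = len(rates)
    tail = max(1, n // 4)
    steady = sum(rates[-tail:]) / tail
    start = next((i for i, r in enumerate(rates) if r > 0), None)
    if start is None or steady <= 0:
        return 0.0  # no traffic at all: nothing to measure
    end = next(i for i in range(start, n) if rates[i] >= fraction * steady)
    return (end - start) * dt


def power_spectrum(series, dt):
    """One-sided power spectrum [(freq_hz, power), ...] of the mean-removed series.
    O(N^2) DFT evaluated by Horner's rule so no numpy is needed; fine for a 1 s window."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    spectrum = []
    for k in range(1, n // 2 + 1):
        w = cmath.exp(-2j * math.pi * k / n)
        acc = 0j
        for v in reversed(x):  # Horner: accumulates sum_t x[t] * w^t
            acc = acc * w + v
        spectrum.append((k / (n * dt), abs(acc) ** 2))
    return spectrum


def spectral_quantile(spectrum, p):
    """F(p): the lowest frequency at which the cumulative power reaches fraction p."""
    total = sum(pw for _, pw in spectrum)
    cumulative = 0.0
    for freq, pw in spectrum:
        cumulative += pw
        if cumulative >= p * total:
            return freq
    return spectrum[-1][0]


def classify_f60(f60_hz):
    """Map F(60%) onto the ranges the slide reports; anything else stays undecided."""
    if 240 <= f60_hz <= 296:
        return "single-source"
    if 142 <= f60_hz <= 210:
        return "multi-source"
    return "indeterminate"


def synthetic_counts(components, n=1000, dt=0.001, base=40.0):
    """Constructed per-bin series: a base rate plus cosines given as (freq_hz, amplitude).
    Stands in for a real 1 ms packet-count series produced by bin_counts()."""
    return [base + sum(a * math.cos(2 * math.pi * f * i * dt) for f, a in components)
            for i in range(n)]


if __name__ == "__main__":
    dt = 0.001
    for label, comps in [("single-like", [(260, 3.0)]), ("multi-like", [(180, 3.0), (350, 1.0)])]:
        f60 = spectral_quantile(power_spectrum(synthetic_counts(comps, dt=dt), dt), 0.6)
        print(label, "F(60%%) = %.0f Hz ->" % f60, classify_f60(f60))
    # constructed 100 ms rates: attack starts in bin 2 and reaches steady state in bin 5
    rates = [0, 0, 100, 300, 600, 900] + [1000] * 6
    print("ramp-up: %.1f s" % ramp_up_duration(rates, 0.1))
```

The ramp-up measure needs a window of several seconds at coarse bins (100 ms here), while the spectral measure needs fine 1 ms bins over a shorter window, so in practice the two are computed from different binnings of the same capture.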
Proposed framework in action (Attack Detection)
• Capture packet headers using tcpdump
• Flag packets as a potential attack if:
  • the number of sources that connect to the same destination within one second exceeds 60
  • the traffic rate exceeds 40K packets/s
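As an added example (not the paper's tooling), the two flagging rules above applied to packet records in Python. Each record is a constructed (timestamp in seconds, source address, destination address) triple standing in for a parsed tcpdump header line; the addresses are documentation-range values, not from any capture. Windows are fixed one-second intervals keyed by the integer part of the timestamp, which is this example's simplification: a burst that straddles a window boundary can be split below either threshold, and a sliding window would close that gap.

```python
from collections import defaultdict

MAX_SOURCES_PER_SEC = 60      # slide threshold: distinct sources to one destination
MAX_PACKETS_PER_SEC = 40_000  # slide threshold: packets per second


def flag_suspect_windows(records, max_sources=MAX_SOURCES_PER_SEC, max_rate=MAX_PACKETS_PER_SEC):
    """Return {(second, dst): reason} for every 1 s window that trips either rule.

    `records` is an iterable of (timestamp_seconds, src, dst). Windows are fixed
    integer-second intervals (example simplification; a sliding window would
    catch bursts that straddle a boundary).
    """
    sources = defaultdict(set)  # (second, dst) -> distinct source addresses
    counts = defaultdict(int)   # (second, dst) -> packets seen
    for ts, src, dst in records:
        key = (int(ts), dst)
        sources[key].add(src)
        counts[key] += 1

    flagged = {}
    for key, count in counts.items():
        reasons = []
        if len(sources[key]) > max_sources:
            reasons.append("sources=%d" % len(sources[key]))
        if count > max_rate:
            reasons.append("rate=%d pkt/s" % count)
        if reasons:
            flagged[key] = ", ".join(reasons)
    return flagged


# Constructed records, not capture data. Five ordinary clients in second 0, then
# 70 distinct sources hitting the same destination within second 3.
VICTIM = "10.0.0.5"
NORMAL = [(0.1 * i, "192.0.2.%d" % (i + 1), VICTIM) for i in range(5)]
SOURCE_FLOOD = [(3.0 + i / 100.0, "198.51.100.%d" % i, VICTIM) for i in range(70)]
# One source sending 40,001 packets inside second 7: trips only the rate rule.
RATE_FLOOD = [(7.0, "203.0.113.9", VICTIM)] * 40_001

if __name__ == "__main__":
    for key, reason in sorted(flag_suspect_windows(NORMAL + SOURCE_FLOOD + RATE_FLOOD).items()):
        print("second %d -> %s flagged: %s" % (key[0], key[1], reason))
```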
Proposed framework in action (Packet header analysis)
• Observations
  • 87% of zombie attacks use illegal packet formats or randomize fields, indicating root access on the zombies
  • TCP was the most commonly used protocol
  • ICMP was the next favorite protocol
Proposed framework in action (Ramp-up behavior)
• Ramp-up duration: 3 s

Proposed framework in action (Ramp-up behavior)
• Ramp-up duration: 14 s
Spectral analysis with synthetic data (distributed topology)
Understanding the frequency shift in F(60%)
• 3 hypotheses:
  • Aggregation of multiple sources at either slightly or very different rates
  • Bunching of traffic due to queuing behavior
  • Aggregation of multiple sources with different phases
1. Different rates
• Scale the traffic rate by a scaling factor s, varying from 0.5 to 2 (i.e. attackers with rates varying from half to twice the original attack rate)
• F(60%) does not decrease

2. Bunching of traffic
• Queue p attack packets before sending all of them out at once (p varies from 5 to 15)
• F(60%) does not decrease

3. Different phases
• Shift the traffic by one phase
• F(60%) does not decrease
• Shift multiple copies of the traffic by multiple phases, and aggregate them
• F(60%) does decrease
Conclusion
• Spectral analysis is a good way of classifying a DoS attack as either a single-source or multi-source attack