
Inferring Internet Denial-of-Service Activity

Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego. Published: USENIX Security Symposium 2001. Presenter: Xingbo Gao.


Presentation Transcript


  1. Inferring Internet Denial-of-Service Activity
  Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego
  Published: USENIX Security Symposium 2001
  Presenter: Xingbo Gao

  2. Outline
  • Contribution
  • Motivation
  • Introduction of Denial-of-Service (DoS) Attacks
  • Basic Methodology
  • Attack Classification
  • Results
  • Strengths, Weaknesses and Improvements

  3. Contribution
  • Presented a novel technique, “backscatter analysis”, to estimate worldwide DoS activity
  • Performed a three-week-long real-world experiment on a /8 network and classified the observed DoS attacks quantitatively

  4. Motivation
  • How prevalent are DoS attacks in the Internet today?
  • How often do they occur?
  • Which attack protocols are used?
  • Attack rate?
  • Attack duration?
  • Victim names and domains?
  • And more …

  5. DoS Attack Introduction
  • Devastating
  • Feb. 2000: a “fast” and “intense” assault took down Yahoo, eBay and E*Trade
  • Yahoo's main site was unreachable for around three hours on a Monday
  • "This was so fast and so intense that we couldn't even redirect our traffic," a Yahoo spokesperson said. (CNN)
  • Jan. 2001: a manual misconfiguration of a router left Microsoft websites unreachable on Tuesday and Wednesday; they were inaccessible throughout Thursday due to a DoS attack (PC World)
  • The FBI investigated both incidents …

  6. DoS Attack Introduction - contd
  • Logic attacks: exploit software flaws
  • Ping-of-Death
  • Flooding attacks: overwhelm CPU, memory or network resources
  • SYN flood
  • TCP ACK, NUL, RST and DATA floods
  • ICMP Echo Request floods
  • And so on …

  7. DoS Attack Introduction - contd
  [Figure: SYN flood / TCP RST. Two TCP timelines. Normal handshake: A sends SYNx to D (LISTEN); D replies SYNy, ACKx+1 and enters SYN_RECVD; A answers ACKy+1 and the connection is CONNECTED. SYN flood: S sends SYNs with non-existent, spoofed source addresses to D (LISTEN); D replies SYN+ACK and stays in SYN_RECVD for each one because the final ACK never arrives; port flooding occurs.]

  8. DoS Attack Introduction - contd
  • Distributed denial-of-service attack (DDoS)
  • Control a group of “zombie” hosts to launch an assault on specific target(s)
  • A botnet can perform DDoS attacks
  • IP spoofing
  • Attackers forge IP source addresses
  • A simple technique, but very difficult to trace back
  • “Backscatter” analysis relies on IP spoofing

  9. Basic Methodology - Backscatter
  [Figure: the attacker sends packets with spoofed source addresses to the victim; the victim's replies (backscatter) go to the spoofed addresses B, D and E instead of the attacker.]

  10. Experimental Platform
  [Figure: Internet → hub → monitor, observing a /8 network]
  • n - number of distinct IP addresses monitored
  • m - number of attacking packets
  • R' - measured average arrival rate of backscatter at the monitor
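The inference behind slide 10, as an added example that is not part of the presentation or the paper's own code: if spoofed source addresses are uniform over the 2^32 IPv4 space, a monitor watching n addresses receives each backscatter packet with probability n/2^32, so m attack packets yield about nm/2^32 observations and a measured backscatter rate R' scales back to an attack rate of R' * 2^32 / n. The 10.0.0.0/8 prefix and the seeded random flood are constructed inputs.

```python
import random
from ipaddress import IPv4Address, IPv4Network

# Constructed stand-in for the monitored /8 (the real prefix is not on the page).
MONITOR_NET = IPv4Network("10.0.0.0/8")
N_MONITORED = MONITOR_NET.num_addresses   # n = 2**24 addresses
ADDRESS_SPACE = 2 ** 32                    # size of the IPv4 space


def expected_backscatter(m, n=N_MONITORED):
    """Expected number of backscatter packets the monitor sees for m attack
    packets whose spoofed sources are uniform over the address space: nm/2^32."""
    return m * n / ADDRESS_SPACE


def infer_attack_rate(backscatter_packets, duration_s, n=N_MONITORED):
    """Scale the measured backscatter rate R' (packets/s at the monitor) back
    up to the victim's attack rate R = R' * 2^32 / n. Because some responses
    are lost or rate-limited, this is a lower bound on the true rate."""
    r_prime = backscatter_packets / duration_s
    return r_prime * ADDRESS_SPACE / n


def simulate_spoofed_flood(m, seed=1, net=MONITOR_NET):
    """Constructed check of the uniformity assumption: draw m spoofed source
    addresses uniformly and count how many fall inside the monitored prefix.
    With a /8 the fraction should be close to 1/256."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(m):
        src = IPv4Address(rng.getrandbits(32))
        if src in net:
            hits += 1
    return hits


if __name__ == "__main__":
    print("expected backscatter for 1e6 attack packets:", expected_backscatter(1_000_000))
    print("inferred attack rate from 600 packets in 60 s:", infer_attack_rate(600, 60), "pkt/s")
    print("simulated hits out of 100000 spoofed packets:", simulate_spoofed_flood(100_000))
```

The scale factor for a /8 is 2^32 / 2^24 = 256, so ten backscatter packets per second at the monitor correspond to roughly 2,560 attack packets per second at the victim; the simulation shows the 1/256 hit fraction the estimate rests on.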

  11. Attack Classification
  • Flow-based classification
  • A flow is a series of consecutive packets sharing the same target IP address and IP protocol
  • Flow lifetime: fixed five-minute timeout
  • Reduce noise and misconfiguration traffic by setting thresholds
  • Extract packet information from flows
  • Event-based classification
  • Flow-based classification obscures time-domain characteristics
  • An attack event is defined by a victim emitting at least ten backscatter packets in one minute
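The two classifications from slide 11 over a handful of constructed backscatter records, as an added example that is not part of the presentation or the paper's own code. Each record is (timestamp, victim, protocol), where the victim is the source address of the unsolicited reply. Assumptions: the five-minute lifetime is treated as an idle timeout (a flow closes when no packet arrives for five minutes), and the noise thresholds (at least 100 packets and 60 seconds per flow) are constructed values, since the slide mentions thresholds without giving numbers. Victim addresses come from the 192.0.2.0/24 documentation range.

```python
from collections import defaultdict

FLOW_TIMEOUT_S = 5 * 60      # flow lifetime: fixed five-minute idle timeout
EVENT_WINDOW_S = 60          # event-based classification works in one-minute buckets
EVENT_MIN_PACKETS = 10       # >= 10 backscatter packets in a minute = attack event
# Constructed noise thresholds (assumption: the slide gives no values).
FLOW_MIN_PACKETS = 100
FLOW_MIN_DURATION_S = 60


def build_flows(packets):
    """Group backscatter packets into flows keyed by (victim, protocol).
    A flow is closed when the gap to the next packet exceeds the timeout."""
    open_flows = {}
    flows = []
    for t, victim, proto in sorted(packets):
        key = (victim, proto)
        flow = open_flows.get(key)
        if flow is not None and t - flow["end"] > FLOW_TIMEOUT_S:
            flows.append(flow)          # idle too long: close it and start anew
            flow = None
        if flow is None:
            flow = {"victim": victim, "proto": proto, "start": t, "end": t, "count": 0}
            open_flows[key] = flow
        flow["end"] = t
        flow["count"] += 1
    flows.extend(open_flows.values())   # flush flows still open at end of trace
    return flows


def filter_flows(flows):
    """Drop short or sparse flows that are more likely noise or misconfiguration
    than an attack (constructed thresholds)."""
    return [f for f in flows
            if f["count"] >= FLOW_MIN_PACKETS
            and f["end"] - f["start"] >= FLOW_MIN_DURATION_S]


def attack_events(packets):
    """Event-based view: count, per victim, the one-minute buckets in which the
    victim emitted at least EVENT_MIN_PACKETS backscatter packets."""
    buckets = defaultdict(int)
    for t, victim, _proto in packets:
        buckets[(victim, int(t // EVENT_WINDOW_S))] += 1
    active_minutes = defaultdict(int)
    for (victim, _minute), count in buckets.items():
        if count >= EVENT_MIN_PACKETS:
            active_minutes[victim] += 1
    return dict(active_minutes)


# Constructed trace (seconds since trace start, victim, protocol):
SAMPLE_PACKETS = (
    # victim A: a steady SYN+ACK stream, one packet every 2 s for 10 minutes
    [(2 * i, "192.0.2.10", "TCP") for i in range(300)]
    # victim B: three isolated ICMP replies, more than 5 minutes apart (noise)
    + [(0, "192.0.2.20", "ICMP"), (1000, "192.0.2.20", "ICMP"), (2000, "192.0.2.20", "ICMP")]
    # victim C: a 50-packet burst inside 10 s (an event, but too short to survive the flow filter)
    + [(100 + 0.2 * i, "192.0.2.30", "TCP") for i in range(50)]
)


if __name__ == "__main__":
    flows = build_flows(SAMPLE_PACKETS)
    print("flows:", len(flows), "kept after thresholds:", len(filter_flows(flows)))
    print("active attack minutes per victim:", attack_events(SAMPLE_PACKETS))
```

The same trace classified both ways shows why the slide keeps both views: the flow filter keeps only victim A, while the event view also surfaces victim C's short burst and shows that A was under attack in every one of its ten minutes.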

  12. Experimental Results
  [Figure: breakdown of attack protocols]

  13. Attack Frequency
  [Figure: estimated number of attacks per hour as a function of time (UTC)]

  14. Attack Rate and Duration
  [Figure: cumulative distribution of estimated attack rates in packets per second; probability density of attack durations]

  15. Strengths of the Paper
  • Presented a novel technique, “backscatter analysis”, to estimate worldwide DoS activity
  • Performed a three-week-long real-world experiment on a /8 network and classified the observed DoS attacks quantitatively
  • The data is still available for public research

  16. Weaknesses of the Paper
  • Analysis limitations
  • Assumes uniformity of spoofed source addresses
  • Assumes reliable delivery of backscatter
  • The backscatter hypothesis itself
  • Difficult to validate
  • Unable to explain some scenarios visible in the result graphs

  17. How to Improve the Paper?
  • Find or create a theoretical model of DoS attacks, as has been done for worm propagation?
  • Take geography into consideration
  • Conduct more research and experiments to fully explain the figures presented

  18. Questions?
