Inferring Denial of Service Attacks David Moore, Geoffrey Voelker and Stefan Savage Presented by...

Post on 21-Jan-2016


Inferring Denial of Service Attacks

David Moore, Geoffrey Voelker and Stefan Savage

Presented by Rafail Tsirbas

4/1/2015


Outline

• Denial of Service Attacks
• Motivation & Limitations
• Backscatter Analysis
• Results
• Conclusion


Denial of Service Attacks

• Logic Attacks
  o “Ping of Death”
• Flooding Attacks
  o Overflow victim’s computer


Flooding Attacks

• The attacker tries to overflow victim’s pc
  o SYN Floods
  o TCP DATA
  o TCP NULL
  o ICMP Echo Requests
  o DNS Request
  o Zero Day Attack
  o NTP “monlist”
  o …

[Figure: Attacker and Victim]

Flooding Attacks

• Distributed Denial of Service Attacks
  o A lot more power
  o Hide easier
  o More sophisticated attack
• IP spoofing
  o Change source IP address
  o Tools Shaft, TFT etc

[Figure: Attacker and Botnets]


Motivation & Limitations

• “How prevalent are Denial of Service Attacks in the Internet today?”
• Base line for long term analysis
• Limitation Factors


Backscatter effect

[Figure: Attacker, Victim, Host A, Host B, Host C]

Backscatter analysis

[Figure: Attacker, Victim, Host A, Host B, Host C]

M packets

N pc’s monitoring

E(x) =


Backscatter analysis

• Estimation of attack rate:
  o R >= * Where: average inter-arrival backscatter
• Analysis Limitations:
  o Address uniformity
  o Reliable Delivery
  o Backscatter hypothesis


Attack classification

• Flow-based
  o How many, how long, what kind
• Event-based
  o Fixed time windows


Backscatter analysis

• They monitored a /8 network

• 3 weeks long
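The flow-based classification and attack-rate estimation described on the slides above, as an added example that is not part of the original presentation. It assumes spoofed source addresses are drawn uniformly from the IPv4 space (the "address uniformity" limitation), so a /8 monitor sees 1/256 of a victim's responses; the 300-second flow timeout, the function names and the sample packets are constructed for illustration.

```python
from collections import defaultdict

IPV4_SPACE = 2 ** 32
MONITORED = 2 ** 24      # addresses covered by a /8 monitor
FLOW_TIMEOUT = 300.0     # assumed: seconds of silence that end a flow

# Constructed sample: (arrival time in seconds, victim IP) per backscatter packet.
SAMPLE = (
    [(t * 0.5, "198.51.100.7") for t in range(121)]            # first burst
    + [(1000.0 + t * 2.0, "198.51.100.7") for t in range(31)]  # later burst
    + [(10.0 + t * 1.0, "203.0.113.9") for t in range(11)]
)


def split_flows(packets, timeout=FLOW_TIMEOUT):
    """Group packets per victim; a gap longer than `timeout` starts a new flow."""
    by_victim = defaultdict(list)
    for ts, victim in sorted(packets):
        by_victim[victim].append(ts)
    flows = []
    for victim, times in by_victim.items():
        start = prev = times[0]
        count = 1
        for ts in times[1:]:
            if ts - prev > timeout:
                flows.append((victim, start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        flows.append((victim, start, prev, count))
    return flows


def estimate_attack_rate(count, duration, monitored=MONITORED):
    """Lower bound on packets/s reaching the victim, scaled from the monitor."""
    if count < 2 or duration <= 0:
        return 0.0                              # no inter-arrival time to measure
    observed_rate = (count - 1) / duration      # 1 / average inter-arrival time
    return observed_rate * IPV4_SPACE / monitored


def summarize(packets):
    """Per flow: (victim, duration in s, packets seen, estimated attack pps)."""
    return [
        (victim, end - start, count, estimate_attack_rate(count, end - start))
        for victim, start, end, count in split_flows(packets)
    ]
```

The estimate is a lower bound because it counts only responses that were generated and delivered, which is what the "reliable delivery" and "backscatter hypothesis" limitations refer to.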

[Figure: Monitor on the /8 network]


Results

Flow based
• Over 12,800 attacks
• 6,000 distinct IP addresses
• Almost 200 million backscatter packets

Event-based
• 10,000 distinct IP addresses
• Almost 200 million backscatter packets

Results


Responses Protocols


Protocols


Duration


TLDs


Conclusions

• New technique “backscatter analysis”
• DoS attacks exist


Questions?


Thank You!
