A Framework for Classifying Denial of Service Attacks
![Page 1: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/1.jpg)
A Framework for Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos
Reviewed by Dave Lim
![Page 2: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/2.jpg)
What this paper DOES NOT do
- It DOES NOT say how to prevent DoS attacks from happening
- It DOES NOT say how to stop a DoS attack once it has been detected
- It DOES NOT even say how to detect a DoS attack
- It DOES propose a way to classify a DoS attack as either a single- or multi-source attack once it has been detected
![Page 3: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/3.jpg)
What is a Denial of Service (DoS) attack?
A malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site
![Page 4: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/4.jpg)
Types of DoS attacks
- 2 types of DoS: software exploits, flooding attacks
- Flooding attacks: single source, multi-source
- Multi-source attacks: zombie host attack, reflector attack
![Page 5: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/5.jpg)
Proposed framework
Classify attacks using:
1. header contents
2. transient ramp-up behavior
3. spectral characteristics
![Page 6: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/6.jpg)
1. Header analysis
- Source address is easily spoofed
- Use other header fields: fragment identification field (ID), time-to-live field (TTL)
- OS usually sequentially increments the ID field for each successive packet
- Assuming routes remain relatively stable, the TTL value will remain constant
![Page 7: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/7.jpg)
1. Header analysis (continued)
Method: estimate the number of attackers by counting the number of distinct ID sequences present in the attack
Packets are considered to belong to the same ID sequence if:
- ID values are separated by less than idgap (= 16)
- TTLs are the same
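The sequence-counting rule above, as an added Python example (this is my illustration, not code from the paper or the reviewer). Packets are given as (IP ID, TTL) pairs in arrival order; a packet joins the first open sequence with the same TTL whose last ID lies within idgap, otherwise it opens a new sequence. Two details are my assumptions, since the slides do not state them: the 16-bit ID field wraps around, so the distance is measured circularly, and the sample streams (one host, three interleaved hosts, and a zombie that randomizes the ID field) are constructed here.

```python
import random

IDGAP = 16            # from the slides: neighbouring IDs in one sequence differ by less than idgap
ID_MODULUS = 1 << 16  # the IPv4 identification field is 16 bits wide (wraparound handling is my assumption)


def id_distance(a, b):
    """Smallest circular distance between two 16-bit ID values."""
    d = (b - a) % ID_MODULUS
    return min(d, ID_MODULUS - d)


def id_sequences(packets, idgap=IDGAP):
    """Group (ip_id, ttl) packets, in arrival order, into ID sequences.

    A packet continues the first open sequence with the same TTL whose last ID is
    less than idgap away; otherwise it starts a new sequence.
    """
    sequences = []  # each entry: {'ttl': int, 'last_id': int, 'count': int}
    for ip_id, ttl in packets:
        for seq in sequences:
            if seq['ttl'] == ttl and id_distance(seq['last_id'], ip_id) < idgap:
                seq['last_id'] = ip_id
                seq['count'] += 1
                break
        else:
            sequences.append({'ttl': ttl, 'last_id': ip_id, 'count': 1})
    return sequences


def estimate_attackers(packets, idgap=IDGAP):
    """The header-analysis estimate: number of distinct ID sequences."""
    return len(id_sequences(packets, idgap))


def classify_by_headers(packets, idgap=IDGAP):
    return 'single-source' if estimate_attackers(packets, idgap) == 1 else 'multi-source'


def constructed_attack(kind, n=300, seed=1):
    """Constructed sample streams (not captured data) for the three cases discussed on the slides."""
    rng = random.Random(seed)
    if kind == 'single':
        # one host: the ID counter climbs by one per packet, the TTL stays constant
        return [(1000 + i, 52) for i in range(n)]
    if kind == 'three-hosts':
        # three hosts interleaved; two share a TTL but their ID counters are far apart
        hosts = [(1000, 52), (40000, 117), (30000, 52)]
        return [((hosts[i % 3][0] + i // 3) % ID_MODULUS, hosts[i % 3][1]) for i in range(n)]
    if kind == 'randomized':
        # a zombie with raw-socket (root) access rewriting the ID field at random
        return [(rng.randrange(ID_MODULUS), 52) for _ in range(n)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ('single', 'three-hosts', 'randomized'):
        pkts = constructed_attack(kind)
        print(f"{kind:12s} sequences={estimate_attackers(pkts):4d} -> {classify_by_headers(pkts)}")
```

The randomized stream shows the limitation the later slides report: when a zombie randomizes the ID field, nearly every packet opens its own sequence, so the header estimate says little about the true number of attackers. That is why the framework does not rely on header analysis alone.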
![Page 8: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/8.jpg)
2. Ramp-up behaviour
No ramp-up usually indicates single source
Presence of ramp-up (200ms-14s) usually indicates multiple sources
![Page 9: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/9.jpg)
3. Spectral characteristics
- Attack streams have markedly different spectral content that varies depending on the number of attackers
- Use the quantile, F(p), as a numerical method of comparing power spectral graphs
- Compare the F(60%) values of attacks: 240-296 Hz for a single source, 142-210 Hz for multiple sources
![Page 10: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/10.jpg)
Proposed framework in action (Attack Detection)
- Capture packet headers using tcpdump
- Flag packets as a potential attack if:
  - the number of sources that connect to the same destination within one second exceeds 60, or
  - the traffic rate exceeds 40K packets/s
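The two detection triggers, plus the ramp-up measurement from the preceding slides, as an added Python example (my code, not the paper's or the reviewer's). It parses a constructed capture in the shape that `tcpdump -tt -n` prints for IPv4 (timestamp, `IP`, `src.port > dst.port:`), counts distinct sources and packets per destination in each one-second window, and applies the slides' thresholds. The ramp-up function is my operationalisation of the slides' "ramp-up duration": the time from the first attack packet until the per-bin packet count first reaches 90% of its peak; the thresholds and the sample lines are the only values taken from or constructed for this page.

```python
from collections import defaultdict

# Detection thresholds as stated on the slides (per destination, per one-second window).
MAX_SOURCES_PER_SECOND = 60
MAX_PACKETS_PER_SECOND = 40_000


def parse_tcpdump_line(line):
    """Extract (timestamp, source IP, destination IP) from one 'tcpdump -tt -n' IPv4 line:
    '<epoch secs> IP <src>.<sport> > <dst>.<dport>: ...'. Only this layout is handled (assumption)."""
    fields = line.split()
    ts, src, dst = float(fields[0]), fields[2], fields[4].rstrip(':')
    # drop the trailing '.<port>' from 'a.b.c.d.port'
    return ts, src.rsplit('.', 1)[0], dst.rsplit('.', 1)[0]


def detect_flood(packets, src_threshold=MAX_SOURCES_PER_SECOND,
                 rate_threshold=MAX_PACKETS_PER_SECOND):
    """Apply the slides' two triggers to (ts, src, dst) records, one-second window per destination.
    Returns one dict per flagged (destination, second) with the reason(s) it tripped."""
    windows = defaultdict(lambda: {'sources': set(), 'packets': 0})
    for ts, src, dst in packets:
        w = windows[(dst, int(ts))]
        w['sources'].add(src)
        w['packets'] += 1
    flagged = []
    for (dst, second), w in sorted(windows.items()):
        reasons = []
        if len(w['sources']) > src_threshold:
            reasons.append('sources')
        if w['packets'] > rate_threshold:
            reasons.append('rate')
        if reasons:
            flagged.append({'dst': dst, 'second': second, 'sources': len(w['sources']),
                            'packets': w['packets'], 'reasons': reasons})
    return flagged


def ramp_up_duration_ms(timestamps_s, bin_ms=100, steady_fraction=0.9):
    """Ramp-up: time from the first attack packet until the per-bin packet count first reaches
    steady_fraction of its peak (my operationalisation; the slides only report the durations).
    A stream that starts at full rate has no ramp-up and returns 0."""
    if not timestamps_s:
        return 0
    t0 = min(timestamps_s)
    counts = defaultdict(int)
    for t in timestamps_s:
        counts[int(round((t - t0) * 1000)) // bin_ms] += 1
    peak = max(counts.values())
    for b in sorted(counts):
        if counts[b] >= steady_fraction * peak:
            return b * bin_ms
    return 0


def constructed_capture():
    """Constructed tcpdump-style lines: a quiet second (3 sources, 5 packets) followed by a
    second in which 70 distinct sources each send one SYN to the same destination."""
    lines = [f"1000.{i:06d} IP 192.0.2.{1 + i % 3}.4000{i} > 198.51.100.5.80: Flags [S], length 0"
             for i in range(5)]
    lines += [f"1001.{i * 1000:06d} IP 203.0.113.{i}.44000 > 198.51.100.5.80: Flags [S], length 0"
              for i in range(1, 71)]
    return lines


def constructed_ramp(counts_per_bin, bin_ms=100, t0=1000.0):
    """Constructed arrival timestamps (seconds) with the given packet count in each bin."""
    return [t0 + (b * bin_ms + i) / 1000.0
            for b, c in enumerate(counts_per_bin) for i in range(c)]


if __name__ == "__main__":
    for hit in detect_flood(parse_tcpdump_line(l) for l in constructed_capture()):
        print(hit)
    print("ramp-up:", ramp_up_duration_ms(constructed_ramp((1, 2, 3, 4, 5, 10, 10, 10, 10, 10))), "ms")
```

The constructed capture trips only the source-count trigger; the rate trigger needs 40K packets in one second, which the sample deliberately does not contain, so the test lowers `rate_threshold` to show both reasons firing on the same window.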
![Page 11: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/11.jpg)
Proposed framework in action (Packet header analysis)
![Page 12: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/12.jpg)
Proposed framework in action (Packet header analysis)
Observations
- 87% of zombie attacks use illegal packet formats or randomize fields, indicating root access on the zombies
- TCP was the most commonly used protocol
- ICMP was the next favorite protocol
![Page 13: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/13.jpg)
Proposed framework in action (Ramp-up behavior)
Ramp-up duration: 3 s
![Page 14: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/14.jpg)
Proposed framework in action (Ramp-up behavior)
Ramp-up duration: 14 s
![Page 15: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/15.jpg)
Proposed framework in action (Spectral Analysis)
![Page 16: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/16.jpg)
Proposed framework in action (Spectral Analysis)
![Page 17: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/17.jpg)
Proposed framework in action (Spectral Analysis)
![Page 18: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/18.jpg)
Spectral analysis with synthetic data (clustered topology)
![Page 19: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/19.jpg)
Spectral analysis with synthetic data (clustered topology)
![Page 20: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/20.jpg)
Spectral analysis with synthetic data (distributed topology)
![Page 21: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/21.jpg)
Spectral analysis with synthetic data (distributed topology)
![Page 22: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/22.jpg)
Understanding the frequency shift in F(60%)
3 hypotheses:
1. Aggregation of multiple sources at either slightly or very different rates
2. Bunching of traffic due to queuing behavior
3. Aggregation of multiple sources with different phases
![Page 23: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/23.jpg)
1. Different rates
Scale the traffic rate by a scaling factor s, varying from 0.5 to 2 (i.e. attackers with rates varying from twice to half the original attack rate). F(60%) does not decrease.
![Page 24: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/24.jpg)
2. Bunching of traffic
Queue p attack packets before sending all of them out at once (p varies from 5 to 15). F(60%) does not decrease.
![Page 25: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/25.jpg)
3. Different phases
- Shift the traffic by one phase: F(60%) does not decrease
- Shift multiple copies of the traffic by multiple phases and aggregate them: F(60%) does decrease
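The spectral quantile F(p) introduced on the "Spectral characteristics" slide and the phase-shift experiment from hypothesis 3, as one added Python example (my code, not the paper's or the reviewer's). Packet arrival times are binned into a count series, the series is mean-removed and transformed with a plain DFT (no numpy needed), and F(p) is read off the cumulative power. Assumptions of mine: 1 ms bins (so the spectrum runs to 500 Hz, consistent with the F(60%) ranges on the slides), removal of the DC component, and the constructed attack streams, which are perfectly periodic. Perfectly periodic streams put F(60%) exactly on a harmonic rather than in the 240-296 Hz band measured on real, jittered attacks, but the direction of the shift matches the slide: aggregating phase-shifted copies of the same stream lowers F(60%).

```python
import cmath
import math

BIN_MS = 1  # 1 ms bins: 1000 Hz sampling rate, so the spectrum runs to 500 Hz (assumed bin width)


def arrival_series(timestamps_ms, duration_ms, bin_ms=BIN_MS):
    """Packet arrivals per bin: the time series whose power spectrum is examined."""
    n = duration_ms // bin_ms
    series = [0] * n
    for t in timestamps_ms:
        b = t // bin_ms
        if 0 <= b < n:
            series[b] += 1
    return series


def power_spectrum(series, bin_ms=BIN_MS):
    """One-sided periodogram of the mean-removed series as (frequency_hz, power) pairs.
    Plain O(n^2) DFT so it runs without numpy; the mean is removed so the DC spike does not
    dominate the quantile (assumption about the paper's preprocessing)."""
    n = len(series)
    mean = sum(series) / n
    centred = [v - mean for v in series]
    twiddle = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    fs = 1000.0 / bin_ms
    spectrum = []
    for k in range(n // 2 + 1):
        coeff = sum(v * twiddle[(k * t) % n] for t, v in enumerate(centred))
        spectrum.append((k * fs / n, abs(coeff) ** 2))
    return spectrum


def quantile_frequency(spectrum, p):
    """F(p): the lowest frequency at which the cumulative spectral power reaches a fraction p."""
    total = sum(power for _, power in spectrum)
    cumulative = 0.0
    for freq, power in spectrum:
        cumulative += power
        if cumulative >= p * total:
            return freq
    return spectrum[-1][0]


def f60(timestamps_ms, duration_ms):
    """F(60%) of an attack stream given its packet arrival times in ms."""
    return quantile_frequency(power_spectrum(arrival_series(timestamps_ms, duration_ms)), 0.6)


def periodic_source(period_ms, duration_ms, phase_ms=0):
    """Constructed attacker: one packet every period_ms, the first one at phase_ms."""
    return list(range(phase_ms, duration_ms, period_ms))


def aggregate(*streams):
    """Merge several attackers' arrival times into the stream seen at the victim."""
    return sorted(t for stream in streams for t in stream)


if __name__ == "__main__":
    duration = 500  # ms of constructed traffic
    single = periodic_source(5, duration)
    shifted = aggregate(periodic_source(5, duration), periodic_source(5, duration, phase_ms=1))
    print("single source      F(60%) =", f60(single, duration), "Hz")
    print("two phase-shifted  F(60%) =", f60(shifted, duration), "Hz")
```

With a 5 ms period the single stream has equal power at 200 Hz and 400 Hz, so the 60% quantile lands on 400 Hz; adding a copy shifted by 1 ms weights the 200 Hz line more heavily and pulls F(60%) down to 200 Hz, which is the effect hypothesis 3 describes. Replacing `periodic_source` with jittered timestamps reproduces the smoother spectra of real captures.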
![Page 26: A Framework for Classifying Denial of Service Attacks](https://reader035.fdocuments.us/reader035/viewer/2022062321/56813556550346895d9cbb7e/html5/thumbnails/26.jpg)
Conclusion
Spectral analysis is a good way of classifying a DoS attack as either a single or multi-source attack