Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by...
24
Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by Rafail Tsirbas 4/1/2015 1
-
Upload
britney-gregory -
Category
Documents
-
view
219 -
download
0
Transcript of Inferring Denial of Service Attacks David Moore, Geoffrey Volker and Stefan Savage Presented by...
1
Inferring Denial of Service
AttacksDavid Moore, Geoffrey Volker and Stefan
SavagePresented by Rafail Tsirbas
4/1/2015
Footer Text 2
Outline
• Denial of Service Attacks• Motivation & Limitations• Backscatter Analysis• Results• Conclusion
4/1/2015
Footer Text 3
Denial of Service Attacks
• Logic Attackso “Ping of Death”
• Flooding Attackso Overflow victim’s computer
4/1/2015
Footer Text 5
Flooding Attacks• The attacker tries to
overflow victim’s pco SYN Floodso TCP DATAo TCP NULLo ICMP Echo Requestso DNS Requesto Zero Day Attacko NTP “monlist”o …
4/1/2015
Attacker Victim
Footer Text 6
Flooding Attacks• Distributed Denial of
Service Attackso A lot more powero Hide easiero More sophisticated attack
• IP spoofingo Change source IP addresso Tools Shaft, TFT etc
4/1/2015
Attacker
Botnets
Footer Text 74/1/2015
Outline
• Denial of Service Attacks• Motivation & Limitations• Backscatter Analysis• Results• Conclusion
8
Motivation & Limitations
• “How prevalent are Denial of Service Attacks in the Internet today?”
• Base line for long term analysis• Limitation Factors
4/1/2015
94/1/2015
Outline
• Denial of Service Attacks• Motivation & Limitations• Backscatter Analysis• Results• Conclusion
Footer Text 11
Backscatter effect
4/1/2015
Attacker Victim
Host A
Host BHost C
Footer Text 12
Backscatter analysis
4/1/2015
Attacker Victim
Host A
Host BHost C
M packets
N pc’s monitoring
E(x) =
Footer Text 13
Backscatter analysis
• Estimation of attack rate:o R >= * Where: average inter-arrival backscatter
• Analysis Limitations:o Address uniformityo Reliable Deliveryo Backscatter hypothesis
4/1/2015
Footer Text 14
Attack classification
• Flow-basedo How many, how long, what kind
• Event-basedo Fixed time windows
4/1/2015
Footer Text 15
Backscatter analysis
• They monitored /8 Network
• 3 weeks long
4/1/2015
/8 Network
Monitor
Footer Text 164/1/2015
Outline
• Denial of Service Attacks• Motivation & Limitations• Backscatter Analysis• Results• Conclusion
Footer Text 17
Results
4/1/2015
Flow based•Over 12,800 attacks•6,000 distinct IP addresses•Almost 200 million backscatter packets
Event-based•10,000 distinct IP addresses•Almost 200 million backscatter packets
Footer Text 18
Results
4/1/2015
Footer Text 19
Responses Protocols
4/1/2015
Footer Text 20
Protocols
4/1/2015
Footer Text 21
Duration
4/1/2015
Footer Text 22
TLDs
4/1/2015
4/1/2015Footer Text 23
Outline
• Denial of Service Attacks• Motivation & Limitations• Backscatter Analysis• Results• Conclusion
Footer Text 24
Conclusions
• New techinque “backscatter analysis”• DoS attacks exist
4/1/2015
Footer Text 25
Questions?
4/1/2015
Footer Text 26
Thank You!
4/1/2015
