
10/21/2003 1

Framework For Classifying Denial of Service Attacks

Alefiya Hussain, John Heidemann, Christos Papadopoulos

Kavita Chada & Viji Avali

CSCE 790

10/21/2003 2

Introduction

• What is a Denial-Of-Service Attack (DOS)?

Adversary A can send a huge amount of messages to y to block m from arriving at y.

[Figure: host x sends message m to host y; adversary A floods y with traffic so that m cannot get through]

10/21/2003 3

Introduction

• DOS can be:

– Single source attack: only one host

– Multi source attack (DDOS): multiple hosts

• Launching is trivial, but detection and response are not.

10/21/2003 4

Previous techniques used

• Anomaly detection: detects ongoing attacks by the significant, disproportional difference between packet rates going from and to the victim or attacker.

• Trace back techniques: assist in tracking down attackers post-mortem.

• Signature-scan techniques: try to detect attackers by monitoring network links over which the attackers' traffic transits.

• Backscatter technique: allows detection of attacks that uniformly spoof source addresses in the complete IP address space.

10/21/2003 5

Attack taxonomy

• Software exploits

• Flooding attacks

– Single source attacks

– Multi source attacks

– Reflector attacks

10/21/2003 6

Attack Taxonomy

10/21/2003 7

Attack Taxonomy

10/21/2003 8

Attack Taxonomy

10/21/2003 9

Attack classification

• Header content

• Transient Ramp-up behavior

• Spectral Characteristics

10/21/2003 10

Attack classification

• Header content

– Using the ID field: many operating systems sequentially increment the ID field for each successive packet.

– Using the TTL value: the TTL value remains constant for the same source-destination pair.

10/21/2003 11

Attack Classification

• Using Header Contents

Pseudo code to identify the number of attackers based on header content:

– Let P = {attack packets}, Pi ⊂ P, P = ∪_{i=1}^{n} Pi

If ∀ p ∈ P: ID value increases monotonically and TTL value remains constant
then Single-source

elseif ∀ p ∈ Pi (for each i = 1..n): ID value increases monotonically and TTL value remains constant
then Multi-source with n attackers

else Unclassified
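The header-content test above, as an added Python example that is not code from the paper or the slides: packets are grouped by TTL (constant per source-destination pair) and each group is split into the fewest strictly increasing ID subsequences, each standing for one candidate Pi. The Pkt record, the min_run threshold that triggers "unclassified", and the sample traces are assumptions made here, not values from the page.

```python
import bisect
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Pkt:
    ts: float    # arrival time at the victim
    ttl: int     # IP TTL as observed at the victim
    ip_id: int   # IP identification field

def partition_monotonic(ids: List[int]) -> List[List[int]]:
    """Split an ID sequence into the fewest strictly increasing subsequences
    (patience-sorting greedy). Each subsequence is one candidate Pi."""
    piles: List[List[int]] = []   # piles[k] is strictly increasing
    tops: List[int] = []          # tops[k] == piles[k][-1], kept sorted ascending
    for x in ids:
        i = bisect.bisect_left(tops, x)       # piles[0..i-1] end below x
        if i == 0:                            # no pile can take x: start a new one
            piles.insert(0, [x]); tops.insert(0, x)
        else:                                 # extend the pile ending closest below x
            piles[i - 1].append(x); tops[i - 1] = x
    return piles

def classify(packets: List[Pkt], min_run: int = 3) -> Tuple[str, int]:
    """Single-source if all packets form one monotonic-ID, constant-TTL stream;
    multi-source with n attackers if they split into n such streams.
    Assumption (not from the paper): a stream shorter than min_run packets is
    no evidence of sequential ID assignment, so such a split is unclassified."""
    by_ttl = {}
    for p in sorted(packets, key=lambda p: p.ts):
        by_ttl.setdefault(p.ttl, []).append(p.ip_id)   # TTL is constant per source
    streams = [s for ids in by_ttl.values() for s in partition_monotonic(ids)]
    if any(len(s) < min_run for s in streams):
        return ("unclassified", 0)
    if len(streams) == 1:
        return ("single-source", 1)
    return ("multi-source", len(streams))

# Constructed sample traces (not from the paper's measurements).
SINGLE = [Pkt(t, 57, 1000 + t) for t in range(10)]
MULTI = [Pkt(t, 57, 100 + t) for t in range(0, 8, 2)] + [Pkt(t, 112, 5000 + t) for t in range(1, 8, 2)]
SAME_TTL = [Pkt(t, 60, (10 + t // 2) if t % 2 else (500 + t // 2)) for t in range(8)]
SPOOFED = [Pkt(t, 60, i) for t, i in enumerate([9000, 20, 7777, 3, 60000, 15, 4242, 1])]

if __name__ == "__main__":
    for name, trace in [("single", SINGLE), ("multi", MULTI), ("same_ttl", SAME_TTL), ("spoofed", SPOOFED)]:
        print(name, classify(trace))
```

The SAME_TTL trace shows the case the slide's Pi partition covers but the TTL test alone does not: two hosts at the same hop distance are still separated by their interleaved ID counters, while the randomly spoofed SPOOFED trace falls through to Unclassified.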

10/21/2003 12

Attack Classification

• Using Ramp-up behavior

– Single source attacks do not exhibit ramp-up behavior.

– Multi-source attacks do exhibit ramp-up.

– Cannot robustly identify single-source attacks.

10/21/2003 13

Attack Classification

10/21/2003 14

Attack Classification

• Using Spectral Analysis

– Single source attacks have a linear cumulative spectrum due to dominant frequencies spread across the spectrum.

– Multi-source attacks shift the spectrum to lower frequencies.

10/21/2003 15

Attack Classification

10/21/2003 16

Attack classification

10/21/2003 17

Attack Classification

10/21/2003 18

Attack Classification

10/21/2003 19

Evaluation

• Attack Detection

• Packet Headers Analysis

• Arrival Rate Analysis

• Ramp-up Behavior Analysis

• Spectral Content Analysis

10/21/2003 20

Evaluation

10/21/2003 21

Evaluation

10/21/2003 22

Evaluation

10/21/2003 23

Evaluation

10/21/2003 24

Evaluation

10/21/2003 25

Evaluation

10/21/2003 26

Evaluation

10/21/2003 27

Validation

• Observations from an alternate site

• Experimental Confirmation

– Clustered Topology

– Distributed Topology

• Understanding Multi-Source Effects

10/21/2003 28

Validation

10/21/2003 29

Validation

10/21/2003 30

Validation

Understanding Multi-Source Effects

1. Aggregation of multiple sources sending at either slightly or very different rates.

2. Bunching of traffic due to queuing behavior.

3. Aggregation of multiple sources, each at a different phase.

10/21/2003 31

Validation

10/21/2003 32

Validation

10/21/2003 33

Applications

• Automating Attack Detection: will be useful in selecting the appropriate response mechanism.

• Modeling Attacks: will help in attack detection and response.

• Inferring DoS Activity in the Internet: will be useful for approximating attack prevalence if we can increase the size and duration of the monitored region.

10/21/2003 34

Conclusion

• This paper presented a framework to classify DoS attacks into single-source and multi-source attacks.

• If an attacker alters the spectral characteristics of the attack traffic, this paper does not give a method to classify such DoS attacks as single- or multi-source.