Date posted: 21-Dec-2015
Inferring Internet Denial-of-Service Activity
David Moore, Geoffrey M Voelker, Stefan Savage
Presented by Yuemin Yu – CS290F – Winter 2005
Motivation
“How prevalent are DoS attacks today on the Internet?”
Nature of the current threats
Longer-term analyses of trends and recurring patterns of attacks
Publish quantitative data about attacks
Attack Types
Logic attacks
  Exploit software vulnerabilities
  Software patches
Flooding attacks
  Distributed DoS
  Spoof source IP address randomly
  Exhaust system resources
Backscatter
Attacker uses randomly selected source IP addresses
Victim replies to the spoofed source IP
Results in unsolicited responses from the victim to third-party IP addresses
Backscatter Analysis
m attack packets sent
n distinct IP addresses monitored
Expectation of observing an attack:
R’ Actual rate of attack:
R extrapolated attack rate
Analysis Assumptions
Address uniformity
  Spoof at random
  Uniformly distributed
Reliable delivery
  Attack and backscatter traffic delivered reliably
Backscatter hypothesis
  Unsolicited packets observed represent backscatter
Attack classifications
Flow-based
  Based on target IP address and protocol
  Fixed time frame (within 5 mins of most recent packet)
Event-based
  Based on target IP address only
  Fixed time frame
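The flow-based classification and the backscatter extrapolation from the slides above, as an added example that is not from the presentation or from the paper's authors. The formulas E(X) = nm/2^32 and R ≥ R'·2^32/n are taken from the Moore, Voelker and Savage paper, since the slide's equations did not survive here; the /8 monitor size, the record layout and all function names are assumptions, and the sample packets are constructed.

```python
from collections import namedtuple

ADDRESS_SPACE = 2 ** 32  # IPv4 space a uniformly random spoofer draws from
FLOW_TIMEOUT = 300       # seconds; "within 5 mins of most recent packet"
MONITORED = 2 ** 24      # assumption: the monitor covers one /8 network

Flow = namedtuple("Flow", "victim proto start end packets")

def expected_observed(m, n):
    """E(X) = n*m / 2^32: backscatter packets n monitored addresses expect from m attack packets."""
    return n * m / ADDRESS_SPACE

def extrapolate_rate(observed_pps, n):
    """R >= R' * 2^32 / n: lower bound on the rate at the victim, given rate R' at the monitor."""
    return observed_pps * ADDRESS_SPACE / n

def classify_flows(packets, timeout=FLOW_TIMEOUT):
    """Group (timestamp, victim_ip, protocol) backscatter records into flow-based attacks."""
    open_flows, done = {}, []
    for ts, victim, proto in sorted(packets):
        key = (victim, proto)  # flow-based: target IP address and protocol
        cur = open_flows.get(key)
        if cur is not None and ts - cur.end <= timeout:
            open_flows[key] = cur._replace(end=ts, packets=cur.packets + 1)
        else:
            if cur is not None:
                done.append(cur)  # idle longer than the timeout: close the old flow
            open_flows[key] = Flow(victim, proto, ts, ts, 1)
    return sorted(done + list(open_flows.values()), key=lambda f: (f.start, f.victim))

def flow_attack_rate(flow, n=MONITORED):
    """Extrapolated packets/s at the victim for one flow; None when the flow has no duration."""
    duration = flow.end - flow.start
    if duration <= 0:
        return None
    return extrapolate_rate(flow.packets / duration, n)

# Constructed sample: unsolicited responses seen at the monitor (documentation-range IPs).
SAMPLE = (
    [(t, "192.0.2.10", "tcp") for t in range(0, 101, 10)]    # 11 packets over 100 s
    + [(t, "192.0.2.10", "tcp") for t in (1000, 1020)]       # >5 min later: new flow
    + [(t, "198.51.100.7", "icmp") for t in (50, 300, 590)]  # gaps under 5 min: one flow
)

if __name__ == "__main__":
    for f in classify_flows(SAMPLE):
        print(f, flow_attack_rate(f))
```

Because the estimate depends on the address-uniformity and reliable-delivery assumptions listed on the earlier slide, the extrapolated rate is a lower bound rather than an exact figure.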
Data collections
Collect data and extract the following information:
  TCP flags
  ICMP payload
  Address uniformity
  Port settings
  DNS information
  Routing information
Conclusion
Observed 12,000 attacks against more than 5,000 distinct targets.
Distributed over many different domains and ISPs
A small number of long attacks account for a large percentage of attack volume
An unexpected number of attacks targeting home, foreign, and specific ISPs