Framework For Classifying Denial of Service Attacks (Alefiya Hussain, John Heidemann, Christos Papadopoulos): slide transcript
Posted 22-Dec-2015
10/21/2003 1
Framework For Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos
Kavita Chada & Viji Avali
CSCE 790
Introduction
• What is a Denial-of-Service (DoS) attack?
An adversary A sends a huge number of messages to y so that a legitimate message m from x cannot reach y.
[Figure: host x sends message m toward y; adversary A floods y with traffic]
Introduction
• A DoS attack can be:
  – Single-source: only one attacking host
  – Multi-source (DDoS): multiple attacking hosts
• Launching an attack is trivial; detection and response are not.
Previous techniques used
• Anomaly detection identifies an ongoing attack from the large disproportion between the packet rates flowing to and from the victim (or the attacker).
• Traceback techniques help track down attackers post-mortem.
• Signature-scan techniques try to detect attackers by monitoring the network links over which the attackers' traffic transits.
• Backscatter analysis allows detection of attacks that spoof source addresses uniformly across the complete IP address space.
Attack taxonomy
• Software exploits
• Flooding attacks
  – Single-source attacks
  – Multi-source attacks
  – Reflector attacks
Attack classification
• Header content
• Transient Ramp-up behavior
• Spectral Characteristics
Attack Classification
• Header content
  – Using the IP ID field: many operating systems increment the ID field sequentially for each successive packet, so packets from one host carry monotonically increasing IDs.
  – Using the TTL value: for a given source-destination pair the TTL seen at the victim remains constant, as long as the route (hop count) does not change.
Attack Classification
• Using header contents: pseudocode to identify the number of attackers from header content.
  Let P = {attack packets}, P_i ⊂ P, P = ⋃_{i=1}^{n} P_i
  if ∀ p ∈ P: the ID value increases monotonically and the TTL value remains constant
      then single-source
  else if ∀ i, ∀ p ∈ P_i: the ID value increases monotonically and the TTL value remains constant
      then multi-source with n attackers
  else unclassified
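The pseudocode above as runnable code, added here as an illustration (my own code, not the paper's or the slides'). It assumes the per-attacker subsets P_i are formed by grouping packets on TTL (the slides do not say how the P_i are built, so that is an assumption), and it checks monotonic ID increase with the 16-bit wraparound of the IP ID field taken into account. The packet captures at the bottom are constructed, not real traces.

```python
"""Classify DoS attack packets as single- or multi-source from IP header fields.

Added example, not from the paper or the slides.  Packets are partitioned into
per-attacker subsets P_i by TTL (an assumption: the slides do not say how the
P_i are formed); a subset looks like one host if its IP ID values increase
monotonically, allowing for the 16-bit ID field wrapping around.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

ID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


class Packet(NamedTuple):
    ip_id: int   # IP identification field as captured at the victim
    ttl: int     # TTL as captured at the victim


def ids_increase_monotonically(ids: List[int]) -> bool:
    """True if every step is a forward move of less than half the ID space.

    A small forward step means the same host kept counting; a step of zero
    or a backward step (seen modulo 2^16 as a jump of >= 32768) means a
    second host's counter is interleaved, or the IDs are not sequential.
    """
    for prev, cur in zip(ids, ids[1:]):
        step = (cur - prev) % ID_MODULUS
        if step == 0 or step >= ID_MODULUS // 2:
            return False
    return True


def partition_by_ttl(packets: List[Packet]) -> Dict[int, List[int]]:
    """Form the candidate subsets P_i: the ID sequence per distinct TTL, in arrival order."""
    groups: Dict[int, List[int]] = defaultdict(list)
    for p in packets:
        groups[p.ttl].append(p.ip_id)
    return groups


def classify(packets: List[Packet]) -> Tuple[str, int]:
    """Return (verdict, estimated number of attackers) following the slide's pseudocode."""
    if not packets:
        return ("unclassified", 0)
    groups = partition_by_ttl(packets)
    # All of P: one TTL and one monotonically increasing ID sequence -> single source.
    if len(groups) == 1 and ids_increase_monotonically([p.ip_id for p in packets]):
        return ("single-source", 1)
    # Every P_i individually monotonic with its own constant TTL -> n attackers.
    if len(groups) >= 2 and all(ids_increase_monotonically(ids) for ids in groups.values()):
        return ("multi-source", len(groups))
    # Interleaved counters at the same TTL, or randomised IDs: no verdict.
    return ("unclassified", 0)


# Constructed captures (not real traces).
SINGLE_HOST = [Packet((65530 + i) % ID_MODULUS, 52) for i in range(10)]  # IDs wrap past 65535
TWO_HOSTS = [p for i in range(5) for p in (Packet(100 + i, 52), Packet(7000 + i, 60))]
SAME_HOP_COUNT = [p for i in range(5) for p in (Packet(100 + i, 52), Packet(7000 + i, 52))]

if __name__ == "__main__":
    for name, capture in (("single host", SINGLE_HOST), ("two hosts", TWO_HOSTS),
                          ("two hosts, same TTL", SAME_HOP_COUNT)):
        print(f"{name:20s} -> {classify(capture)}")
```

The third constructed capture shows the limit of the TTL grouping assumed here: two hosts at the same hop distance interleave their counters within one TTL group, so the packets end up unclassified rather than being miscounted as one attacker. An attacker that randomizes or spoofs the ID field also lands in "unclassified", which is why the slides say "many" operating systems increment the field rather than all.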
Attack Classification
• Using ramp-up behavior
  – Single-source attacks do not exhibit ramp-up behavior.
  – Multi-source attacks do exhibit ramp-up (the attacking hosts do not all start at the same instant).
  – Ramp-up alone cannot robustly identify single-source attacks.
Attack Classification
• Using spectral analysis
  – Single-source attacks have a linear cumulative spectrum: the dominant frequencies are spread across the spectrum.
  – Multi-source attacks shift the spectrum toward lower frequencies.
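The cumulative-spectrum test as a worked example, added here (my own code, not the paper's or the slides'). The arrival series are constructed stand-ins, not captures: the single-source one is a constant rate with a ±1 per-bin jitter taken from a maximal-length LFSR sequence, whose power spectrum is exactly flat away from DC, and the multi-source one adds a slow drift of the aggregate rate. The power spectrum is estimated with a plain periodogram, and the curve is summarized by the quantile F(p) with p = 0.6; both the estimator and the 60% threshold are my assumptions, not something the slides state.

```python
"""Cumulative spectrum of a DoS packet-arrival time series.

Added example, not from the paper or the slides.  The input is the number of
attack packets arriving in each 1 ms bin.  The power spectrum is estimated
with a plain periodogram of the mean-removed series, summed into a
cumulative spectrum, and summarised by F(p): the fraction of the Nyquist
band below which a share p of the power lies.  p = 0.6 is an assumed
threshold.  Both input series are constructed stand-ins, not captures.
"""
import cmath
import math

BIN_COUNT = 255  # bins per window: one period of the 8-bit m-sequence below


def lfsr_mseq(n_bits=8, taps=(8, 6, 5, 4)):
    """One period (2^n_bits - 1 bits) of a maximal-length LFSR sequence.

    Taps 8,6,5,4 correspond to a primitive polynomial, so the +-1 version of
    the sequence has autocorrelation -1 at every non-zero lag and therefore a
    perfectly flat power spectrum away from DC: a deterministic stand-in for
    the small per-bin jitter of a constant-rate flooder.
    """
    state = 1
    bits = []
    for _ in range((1 << n_bits) - 1):
        bits.append(state & 1)
        feedback = 0
        for t in taps:
            feedback ^= (state >> (n_bits - t)) & 1
        state = (state >> 1) | (feedback << (n_bits - 1))
    return bits


def single_source_series(base_rate=5):
    """Constructed: one flooder at about base_rate packets per ms, +-1 jitter."""
    return [base_rate + b for b in lfsr_mseq()]


def multi_source_series(base_rate=5, swing=2.0, cycles=4):
    """Constructed: the same jitter plus a slow drift of the aggregate rate
    (cycles per window), standing in for sources that drift and bunch."""
    return [base_rate + b + swing * math.cos(2 * math.pi * cycles * t / BIN_COUNT)
            for t, b in enumerate(lfsr_mseq())]


def power_spectrum(series):
    """One-sided periodogram |X[k]|^2, k = 0 .. N//2, of the mean-removed series."""
    n = len(series)
    mean = sum(series) / n
    y = [v - mean for v in series]
    return [abs(sum(y[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))) ** 2
            for k in range(n // 2 + 1)]


def cumulative_spectrum(spectrum):
    """Running share of total power over the non-zero frequencies (DC is dropped)."""
    total = sum(spectrum[1:])
    running, out = 0.0, []
    for p in spectrum[1:]:
        running += p
        out.append(running / total)
    return out


def spectral_quantile(series, p=0.6):
    """F(p): position in the Nyquist band (0..1) where the cumulative spectrum reaches p."""
    cum = cumulative_spectrum(power_spectrum(series))
    for i, share in enumerate(cum, start=1):
        if share >= p:
            return i / len(cum)
    return 1.0


if __name__ == "__main__":
    for name, series in (("single-source", single_source_series()),
                         ("multi-source", multi_source_series())):
        print(f"{name:13s} F(60%) = {spectral_quantile(series):.3f}")
```

On the flat-jitter series the cumulative spectrum is an exactly straight line, k/127 at frequency bin k, so F(60%) comes out at 77/127 ≈ 0.61, which is the "linear cumulative spectrum" of the single-source slide. Adding the slow drift puts most of the power into bin 4, so F(60%) drops to 4/127 ≈ 0.03: the shift toward low frequencies that the slide attributes to multi-source attacks. Real traces will not be this clean, which is why the paper uses spectral content alongside the header and ramp-up checks rather than alone.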
Evaluation
• Attack Detection
• Packet Headers Analysis
• Arrival Rate Analysis
• Ramp-up Behavior Analysis
• Spectral Content Analysis
Validation
• Observations from an alternate site
• Experimental confirmation
  – Clustered topology
  – Distributed topology
• Understanding multi-source effects
Validation
Understanding Multi-Source Effects
1. Aggregation of multiple sources sending at either slightly or very different rates.
2. Bunching of traffic due to queuing behavior.
3. Aggregation of multiple sources, each at different phase.
Applications
• Automating attack detection
  – will be useful in selecting the appropriate response mechanism.
• Modeling attacks
  – will help in attack detection and response.
• Inferring DoS activity in the Internet
  – will be useful for approximating attack prevalence if we can increase the size and duration of the monitored region.