Framework For Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papado - PowerPoint PPT Presentation

Slides: 35
Provided by: srikant
Learn more at: https://www.cse.sc.edu
Date in slide footer: 10/21/2003

Transcript and Presenter's Notes


1
Framework For Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann, Christos Papadopoulos
  • Kavita Chada
  • Viji Avali
  • CSCE 790

2
Introduction
  • What is a Denial-of-Service (DoS) attack?
  • An adversary A can send a huge number of messages
    to y in order to block a legitimate message m
    (sent by x) from arriving at y.

[Figure: adversary A floods y, so that message m from x cannot reach y]
3
Introduction
  • A DoS attack can be:
    • Single-source attack: only one attacking host
    • Multi-source attack (DDoS): multiple attacking hosts
  • Launching an attack is trivial, but detection and
    response are not.

4
Previous techniques used
  • Anomaly detection
    • Detects ongoing attacks by the significant,
      disproportional difference between packet
      rates going from and to the victim or attacker.
  • Traceback techniques
    • Assist in tracking down attackers post-mortem.
  • Signature-scan techniques
    • Try to detect attackers by monitoring network
      links over which the attackers' traffic
      transits.
  • Backscatter technique
    • Allows detection of attacks that uniformly
      spoof source addresses across the complete IP
      address space.

5
Attack taxonomy
  • Software exploits
  • Flooding attacks
  • Single source attacks
  • Multi source attacks
  • Reflector attacks

6
Attack Taxonomy
7
Attack Taxonomy
8
Attack Taxonomy
9
Attack classification
  • Header content
  • Transient Ramp-up behavior
  • Spectral Characteristics

10
Attack classification
  • Header content
    • Using the IP ID field
      • Many operating systems increment the ID field
        by one for each successive packet they send.
    • Using the TTL value
      • The TTL value remains constant for the same
        source-destination pair, because the packets
        traverse the same number of hops.

11
Attack Classification
  • Using Header Contents
  • Pseudo code to identify the number of attackers
    based on header content.
  • Let P be the set of attack packets, with Pi ⊂ P
    the packets attributed to attacker i (n attackers)
  • If ∀ p ∈ P:
      ID value increases monotonically and
      TTL value remains constant
    then Single-source
  • elseif ∀ p ∈ Pi (for every i):
      ID value increases monotonically and
      TTL value remains constant
    then Multi-source with n attackers
  • else Unclassified

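The header-content pseudo code carried out over constructed packet samples, as an added Python example that is not part of the slides or the paper. It assumes the subsets Pi are formed by grouping on source address, and that a "monotonic" ID step is a small positive increment modulo 2^16 (the IP ID field is 16 bits and wraps).

```python
from collections import defaultdict

ID_WRAP = 1 << 16   # the IP ID field is 16 bits wide
MAX_STEP = 4096     # assumption: a monotonic step is a small positive increment (mod 2^16)


def ids_increase_monotonically(ids):
    """True if each successive IP ID is a small positive step (mod 2^16) after the previous one."""
    return all(0 < (b - a) % ID_WRAP < MAX_STEP for a, b in zip(ids, ids[1:]))


def is_single_stream(packets):
    """The slide's per-set test: ID increases monotonically AND TTL stays constant."""
    if len(packets) < 2:
        return False
    ids = [ip_id for _, ip_id, _ in packets]
    ttls = {ttl for _, _, ttl in packets}
    return ids_increase_monotonically(ids) and len(ttls) == 1


def classify(packets):
    """Return (label, attacker_count) following the slide's pseudo code."""
    if is_single_stream(packets):
        return "single-source", 1
    # Assumption: the subsets P_i are formed by grouping on source address.
    groups = defaultdict(list)
    for pkt in packets:
        groups[pkt[0]].append(pkt)
    if len(groups) > 1 and all(is_single_stream(g) for g in groups.values()):
        return "multi-source", len(groups)
    return "unclassified", 0


# Constructed samples (not real captures): (source address, IP ID, TTL)
SINGLE_SOURCE = [("192.0.2.10", (65530 + i) % ID_WRAP, 57) for i in range(12)]  # IDs wrap
MULTI_SOURCE = []
for i in range(10):  # two hosts whose packets interleave at the victim
    MULTI_SOURCE.append(("192.0.2.20", 500 + i, 49))
    MULTI_SOURCE.append(("198.51.100.7", 9000 + 3 * i, 61))
# Randomised IDs and TTLs over a few spoofed addresses: no subset passes the test
SPOOFED = [("203.0.113.%d" % (i % 5), (7919 * i) % ID_WRAP, 40 + i % 3) for i in range(20)]

if __name__ == "__main__":
    for name, sample in (("single", SINGLE_SOURCE), ("multi", MULTI_SOURCE), ("spoofed", SPOOFED)):
        print(name, classify(sample))
```

The third sample shows the method's limit that the later slides return to: once an attacker randomises the ID and TTL fields, header content alone yields "unclassified" and the ramp-up and spectral tests are needed.
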
12
Attack Classification
  • Using Ramp-up behavior
  • Single source attacks do not exhibit ramp-up
    behavior.
  • Multi-source attacks do exhibit ramp-up.
  • Cannot robustly identify single-source attacks.

13
Attack Classification
14
Attack Classification
  • Using Spectral Analysis
  • Single source attacks have a linear cumulative
    spectrum due to dominant frequencies spread
    across the spectrum.
  • Multi-source attacks shift spectrum to lower
    frequencies.

15
Attack Classification
16
Attack classification
17
Attack Classification
18
Attack Classification
19
Evaluation
  • Attack Detection
  • Packet Headers Analysis
  • Arrival Rate Analysis
  • Ramp-up Behavior Analysis
  • Spectral Content Analysis

20
Evaluation
21
Evaluation
22
Evaluation
23
Evaluation
24
Evaluation
25
Evaluation
26
Evaluation
27
Validation
  • Observations from an alternate site
  • Experimental Confirmation
  • Clustered Topology
  • Distributed Topology
  • Understanding Multi-Source Effects

28
Validation
29
Validation
30
Validation
  • Understanding Multi-Source Effects
    • 1. Aggregation of multiple sources sending at
      either slightly or very different rates.
    • 2. Bunching of traffic due to queuing
      behavior.
    • 3. Aggregation of multiple sources, each at a
      different phase.

31
Validation
32
Validation
33
Applications
  • Automating Attack Detection
    • Will be useful in selecting the appropriate
      response mechanism.
  • Modeling Attacks
    • Will help in attack detection and response.
  • Inferring DoS Activity in the Internet
    • Will be useful for approximating attack
      prevalence if the size and duration of the
      monitored region can be increased.

34
Conclusion
  • This paper presented a framework to classify DoS
    attacks into single and multi-source attacks.
  • If the spectral characteristics were altered,
    this paper does not give a method to classify
    those DoS attacks into single or multi-source
    attacks.