CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman - PowerPoint PPT Presentation
Transcript and Presenter's Notes

1
CSE715 Presentation Project, Fall 2004, by Michael Alexandrou and Rusty Coleman
2
The paper
  • A Framework for Classifying Denial of Service
    Attacks
  • Authors
  • Alefiya Hussain
  • John Heidemann
  • Christos Papadopoulos

3
Basis for classifying DoS attacks
  • Why classify the attack?
  • Helps to counter the attack
  • Attack Analysis
  • Header content
  • Ramp up behavior
  • Spectral analysis

4
Contribution of the paper
  • Automated methodology
  • A real time attack analysis
  • Use of traceback to identify the attacker is
    trivial in the single-source case
  • New techniques of ramp up and spectral analysis

5
Taxonomy of DoS attacks
  • To launch a Distributed DoS attack a malicious
    user
  • Compromises Internet hosts by exploiting security
    holes.
  • Installs attack tools on the compromised host
    also known as a zombie.

6
Taxonomy of DoS attacks
  • Software exploits
  • These attacks exploit specific bugs in the
    victim's OS or applications. These cases are not
    considered in this paper.
  • Flooding attacks

7
Flooding attacks
  • One or more attackers
  • Streams of packets aimed at overwhelming link
    bandwidth or computing resources at the victim.
  • Single source attacks
  • Multi-source attacks
  • Reflector attack

8
Taxonomy of DoS attacks
9
Flooding attacks
10
Flooding attacks
11
Flooding attacks
12
Examples
  • Ping of death
  • A modified version of a regular ping request.
  • Land attack
  • A packet with source host/port equal to
    destination host/port.

13
Attack tools
  • Several canned attack tools are available on the
    Internet, such as Stacheldraht, Trinoo, Tribal
    Flood Network 2000, and Mstream, that generate
    flooding attacks using a combination of TCP, UDP,
    and ICMP packets.

14
Attack Classification
  • Header Contents
  • Ramp up behavior
  • Spectral Analysis

15
Header Contents
  • Most attacks spoof the source IP address
  • The ID and TTL fields can give hints about the attackers
  • Difficult for attackers to coordinate the ID
    fields.

16
Header Contents
17
Header Contents
  • Some attack tools forge all header contents.
  • Impossible to distinguish between single and
    multiple sources based on header information alone
  • Need to use another technique

18
Ramp-up Behavior
  • Observation point near the victim
  • Master triggers zombies with trigger message
  • Results in a ramp-up behavior

19
Spectral analysis
  • The attack stream is treated as a discrete
    function of time x(t)
  • The autocorrelation function r(k) of x(t) is
    examined

20
Autocorrelation function
21
Discrete-time Fourier Transform
22
Spectral analysis
  • We define two functions
  • The power of the attack stream P(f)
  • The quantile of the attack stream F(p)

23
The cumulative power P(f) and C(f)
24
The quantile F(p)
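Added worked example, not from the slides or the paper: the spectral pipeline of slides 19 to 24 in pure Python. The attack stream x(t) is a packet count per time bin; r(k) is its autocorrelation, P(f) the discrete-time Fourier transform of r(k) (the power spectrum), C(f) the normalised cumulative power and F(p) the frequency bin at which C(f) reaches p. The two packet streams and the 25% threshold are constructed for illustration and are not values from the paper.

```python
import math

def autocorrelation(x):
    """Biased autocorrelation r(k) of the packet-count series x(t), mean removed."""
    n = len(x)
    mean = sum(x) / n
    d = [v - mean for v in x]
    return [sum(d[t] * d[t + k] for t in range(n - k)) / n for k in range(n)]

def power_spectrum(r):
    """P(f): discrete-time Fourier transform of r(k) at the n/2+1 non-negative
    frequency bins f = 0 .. n/2 (cycles per n samples).  r(k) is symmetric in k,
    so the transform is real: r(0) + 2 * sum_k r(k) cos(2*pi*f*k/n)."""
    n = len(r)
    return [r[0] + 2 * sum(r[k] * math.cos(2 * math.pi * f * k / n) for k in range(1, n))
            for f in range(n // 2 + 1)]

def cumulative_power(p):
    """C(f): running sum of P(f), normalised so that the last value is 1."""
    total = sum(p)
    out, acc = [], 0.0
    for v in p:
        acc += v
        out.append(acc / total)
    return out

def quantile(c, pct):
    """F(p): lowest frequency bin at which the cumulative power reaches fraction pct."""
    return next((f for f, v in enumerate(c) if v >= pct), len(c) - 1)

def analyse(stream, pct):
    """Run the whole pipeline; return (bin of the spectral peak, F(pct))."""
    p = power_spectrum(autocorrelation(stream))
    c = cumulative_power(p)
    return max(range(len(p)), key=p.__getitem__), quantile(c, pct)

# Constructed sample data (not measurements from the paper): packets per 1 ms bin, 32 bins.
# Source A bursts every 4 bins; source B is a slower zombie bursting every 8 bins.
SOURCE_A = [4, 2, 0, 2] * 8
SOURCE_B = [2, 2, 2, 2, 0, 0, 0, 0] * 4
AGGREGATE = [a + b for a, b in zip(SOURCE_A, SOURCE_B)]

if __name__ == "__main__":
    print("single source:", analyse(SOURCE_A, 0.25))   # -> (8, 8)
    print("two sources  :", analyse(AGGREGATE, 0.25))  # -> (8, 4)
```

Adding the slower second source leaves the spectral peak at bin 8 but moves a quarter of the power down to bin 4, so the low quantile F(25%) drops from 8 to 4; that shift of power toward lower frequencies is what the quantile is designed to capture.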
25
Sample Graphs Single Source
26
Sample Graph Two Sources
27
Sample Graph Three Sources
28
Sample Graph Multiple Sources
29
Conclusion
  • Possible to determine the type of DoS attack
  • Analysis can be performed on the attack to
    determine whether it is single- or multi-sourced
  • Need for an automated tool to produce these analyses