A Framework for Classifying Denial of Service Attacks

Alefiya Hussain, John Heidemann,Christos Papadopoulos

Reviewed by Dave Lim

What this paper DOES NOT do It DOES NOT say how to prevent DoS

attacks from happening It DOES NOT say how to stop a DoS

attack once it has been detected It DOES NOT even say how to detect a

DoS attack It DOES propose a way to classify a DoS

attack as either a single or multi- source attack once it has been detected

What is a Denial of Service (DoS) attack?

A malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site

Types of DoS attacks 2 types of DoS:

software exploits flooding attacks

Flooding attacks: single source multi-source

Multi-source attacks: zombie host attack reflector attack

Proposed framework

Classify attacks using:1. header contents2. transient ramp-up behavior3. spectral characteristics

1. Header analysis Source address is easily spoofed Use other header fields:

Fragment identification field (ID) Time-to-live field (TTL)

OS usually sequentially increments ID field for each successive packet

Assuming routes remain relatively stable, TTL value will remain constant

1. Header analysis (continued)

Method: estimate the number of attackers by counting the number of distinct ID sequences present in attack

Packets are considered to belong to the same ID sequence if : ID values are separated by less than an

idgap (=16) TTL are the same

2. Ramp-up behaviour

No ramp-up usually indicates single source

Presence of ramp-up (200ms-14s) usually indicates multiple sources

Spectral Characteristics Attack streams have markedly different

spectral content that varies depending on number of attackers

Use quantile, F(p), as a numerical method of comparing power spectral graphs.

Compare the F(60%) values of attacks: 240-296Hz single source 142-210Hz multiple source

Proposed framework in action (Attack Detection)

Capture packet headers using tcpdump

Flag packet as potential attack if: Number of sources that connect to

the same destination within one second exceeds 60

The traffic rate exceeds 40Kpackets/s

Proposed framework in action (Packet header analysis)

Proposed framework in action (Packet header analysis)

Observations 87% of zombie attacks use illegal

packet formats or randomize fields, indicating root access on zombies

TCP protocol was most commonly used

ICMP next favorite protocol

Proposed framework in action (Ramp-up behavior)

Ramp-up duration : 3s

Proposed framework in action (Ramp-up behavior)

Ramp-up duration : 14s

Proposed framework in action (Spectral Analysis)

Proposed framework in action (Spectral Analysis)

Proposed framework in action (Spectral Analysis)

Spectral analysis with synthetic data (clustered topology)

Spectral analysis with synthetic data (clustered topology)

Spectral analysis with synthetic data (distributed topology)

Spectral analysis with synthetic data (distributed topology)

Understanding frequency shift in F(60%)

3 hypothesis:1. Agregation of multiple sources at

either slightly or very different rates2. Bunching of traffic due to queuing

behavior3. Aggregation of multiple sources with

different phase

1. Different rates

Scale traffic rate by scaling factor s, varying from 0.5 to 2 (i.e. attackers with rates varying from twice to half the original attack rate) F(60%) does not decrease

2. Bunching of traffic

Queue p attack packets before sending all of them out at once (p varies from 5-15) F(60%) does not decrease

3. Different phases

Shift traffic by one phase F(60%) does not decrease

Shift multiple copies of traffic by multiple phases, and aggregate them F(60%) does decrease

Conclusion

Spectral analysis is a good way of classifying a DoS attack as either a single or multi-source attack