Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22."— Presentation transcript:

1 A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22 nd, 2004

2 This paper is NOT about… Detecting DoS attacks, although they suggest an application for it in the end. Responding to DoS attacks. Dealing with smart attacks which explore software bugs or protocol synchronization. (so don’t worry Mina, you can continue your plans to take over the World).

3 Problem and Motivation Problem: Need a robust and automatic way of classifying DoS attacks into these two classes: single- and multi-source. Because: Different types of attacks (single- or multi-source) are handled differently. Classification is not easy. For instance, packets can be spoofed by attacker.

4 Preliminaries Zombie x Reflectors Single- x Multi-source Direct x Reflection

5 Discussion DWE Quiz: 1)Is this problem interesting at all ? 2)What could make it a SIGCOMM paper ? 3)[Optional] What is the related work ? 4)What should be the OUTLINE of the rest of the presentation ?

6 Outline Description of traces used Four Classification Techniques Evaluation of Results Conclusion & Discussion & Validation

7 Data Collection Monitored two links at moderate size ISP. Captured packet header in both directions using tcpdump, and saved every two mins. Attack detected when: a)# of sources to the same destination > 60 in 1s, or b)Traffic rate > 40K packets/s. Manually verify detected attacks. False positive rate of 25 – 35 %. Resulting in a total of 80 attacks in 5 months.

8 T1: Packet Header Analysis Based on ID and TTL fields filled by OS. Idea: identify sequences of increasing ID number with a fixed TTL. Classified 67 / 80. Some statistics: 87% evidence of root access TCP prevalence flwd by ICMP Attack# Single37 Multi10 Reflected20 Unclassified13

9 T2: Arrival Rate Analysis Single-sourceMulti-sourceReflected Single-, multi-source and reflected attacks have different mean. Kruskal-Wallis one-way ANOVA test F=37 (>> 1) p=1.7 x 10 -11 (<< 1) 10 5 10 4 10 3 10 2 Attack rate (pkt/s)

10 T3: Ramp-Up Behavior Single-source attacks start at full throttle. All multi-source attacks presented ramp-up due to synchronization of zombies. (Left) one of the 13 unclassified attacks (Right) agree with header analysis 0 10 20 30 40 50 60 70 Time (seconds) 100 80 60 40 20 0 60 50 40 30 20 10 0 Attack rate (pkt/s)

11 T4: Spectral Content Analysis Trace as time series. Consider segments in steady-state only. Compute Power Spectral Density S(f) C(f) is the normalized cumulative power up to frequency f. F(p) = C(f) -1 0 100 200 300 400 500 Frequency (Hz) a) Single-Source 0 100 200 300 400 500 Frequency (Hz) b) Multi-Source 1600 1200 800 400 0 1.6 1.2 0.8 0.4 0 1.0 0.8 0.6 0.4 0.2 0 1.0 0.8 0.6 0.4 0.2 0 S(f) C(f) S(f) C(f)

12 The F(60%) Spectral Test Single-source F(60%)  [240-295] Hz Multi-source F(60%)  [142-210] Hz Wilcoxon rank sum test used to verify the 2 classes have different F(.) ranges.

13 Validation of F(60%) Test Observations in a smaller alternate site. Controlled experiments over the Internet with varying topology (cluster x distributed) and # of attackers (1 to 5 Iperf clients). Use of attack tools (punk, stream and synful) in testbed network.

14 Effect of Topology

15 Effect of Increasing # of Attackers Similar curve for controlled experiment and testbed attack using hacker tools.

16 Why ? Aggregation of two scaled sources? No! a 1 (t) = a(t) + a((s+  )t) Bunch of traffic (lika ACK compression)? No! a 2 (t) delay the arrival of packets until 5-15 have accumulated and send all at once Aggregation of two shifted sources? No! a 3 (t) = a(t) + a(t +  +  ) Aggregation of multiple slightly shifted sources? Yes! a 3b (t) =  a(t + i  ), 2 < i < n

17 Conclusions ‘Network security is an arms race.’ Thus the need for more robust techniques. Once detection is done, spectral analysis can be used to identify type of attack and trigger appropriate response. Contribution to model attack traffic pattern. Use of statistical tests to make inference about attack patterns.

18 Discussion How a single-source could try to foul the spectral analysis tool ? What is the spectral face of normal traffic? What other type of patterns could we identify and design statistical tests for it ? More thoughts ?

Download ppt "A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22."

Similar presentations

Internet Measurement Conference 2003 Source-Level IP Packet Bursts: Causes and Effects Hao Jiang Constantinos Dovrolis (hjiang,

Internet Measurement Conference 2003 Source-Level IP Packet Bursts: Causes and Effects Hao Jiang Constantinos Dovrolis (hjiang,
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.

1 TCP - Part I Relates to Lab 5. First module on TCP which covers packet format, data transfer, and connection management.
1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.

1 CS 4396 Computer Networks Lab Transmission Control Protocol (TCP) Part I.
Overview of Distributed Denial of Service (DDoS) Wei Zhou.

Overview of Distributed Denial of Service (DDoS) Wei Zhou.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
An Empirical Study of Real Audio Traffic A. Mena and J. Heidemann USC/Information Sciences Institute In Proceedings of IEEE Infocom Tel-Aviv, Israel March.

An Empirical Study of Real Audio Traffic A. Mena and J. Heidemann USC/Information Sciences Institute In Proceedings of IEEE Infocom Tel-Aviv, Israel March.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.

Defending Against Low-rate TCP Attack: Dynamic Detection and Protection Haibin Sun John C.S.Lui CSE Dept. CUHK David K.Y.Yau CS Dept. Purdue U.
Examining IP Header Fields

Examining IP Header Fields
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Characterizing and Defending Against DDoS Attacks Christos Papadopoulos..and many others.

Characterizing and Defending Against DDoS Attacks Christos Papadopoulos..and many others.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Similar presentations

Ads by Google