Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Reviewed by Dave Lim.

Published byMagdalene Barton Modified over 8 years ago

Similar presentations

Presentation on theme: "A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Reviewed by Dave Lim."— Presentation transcript:

1 A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Reviewed by Dave Lim

2 What this paper DOES NOT do It DOES NOT say how to prevent DoS attacks from happening It DOES NOT say how to stop a DoS attack once it has been detected It DOES NOT even say how to detect a DoS attack It DOES propose a way to classify a DoS attack as either a single or multi- source attack once it has been detected

3 What is a Denial of Service (DoS) attack? A malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site

4 Types of DoS attacks 2 types of DoS: software exploits flooding attacks Flooding attacks: single source multi-source Multi-source attacks: zombie host attack reflector attack

5 Proposed framework Classify attacks using: 1.header contents 2.transient ramp-up behavior 3.spectral characteristics

6 1. Header analysis Source address is easily spoofed Use other header fields: Fragment identification field (ID) Time-to-live field (TTL) OS usually sequentially increments ID field for each successive packet Assuming routes remain relatively stable, TTL value will remain constant

7 1. Header analysis (continued) Method: estimate the number of attackers by counting the number of distinct ID sequences present in attack Packets are considered to belong to the same ID sequence if : ID values are separated by less than an idgap (=16) TTL are the same

8 2. Ramp-up behaviour No ramp-up usually indicates single source Presence of ramp-up (200ms-14s) usually indicates multiple sources

9 Spectral Characteristics Attack streams have markedly different spectral content that varies depending on number of attackers Use quantile, F(p), as a numerical method of comparing power spectral graphs. Compare the F(60%) values of attacks: 240-296Hz  single source 142-210Hz  multiple source

10 Proposed framework in action (Attack Detection) Capture packet headers using tcpdump Flag packet as potential attack if: Number of sources that connect to the same destination within one second exceeds 60 The traffic rate exceeds 40Kpackets/s

11 Proposed framework in action (Packet header analysis)

12 Observations 87% of zombie attacks use illegal packet formats or randomize fields, indicating root access on zombies TCP protocol was most commonly used ICMP next favorite protocol

13 Proposed framework in action (Ramp-up behavior) Ramp-up duration : 3s

14 Proposed framework in action (Ramp-up behavior) Ramp-up duration : 14s

15 Proposed framework in action (Spectral Analysis)

16

17

18 Spectral analysis with synthetic data (clustered topology)

19

20 Spectral analysis with synthetic data (distributed topology)

21

22 Understanding frequency shift in F(60%) 3 hypothesis: 1.Agregation of multiple sources at either slightly or very different rates 2.Bunching of traffic due to queuing behavior 3.Aggregation of multiple sources with different phase

23 1. Different rates Scale traffic rate by scaling factor s, varying from 0.5 to 2 (i.e. attackers with rates varying from twice to half the original attack rate) F(60%) does not decrease

24 2. Bunching of traffic Queue p attack packets before sending all of them out at once (p varies from 5- 15) F(60%) does not decrease

25 3. Different phases Shift traffic by one phase F(60%) does not decrease Shift multiple copies of traffic by multiple phases, and aggregate them F(60%) does decrease

26 Conclusion Spectral analysis is a good way of classifying a DoS attack as either a single or multi-source attack

Download ppt "A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann, Christos Papadopoulos Reviewed by Dave Lim."

Similar presentations

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.

1 Intrusion Monitoring of Malicious Routing Behavior Poornima Balasubramanyam Karl Levitt Computer Security Laboratory Department of Computer Science UCDavis.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.

IP Fragmentation. MTU Maximum Transmission Unit (MTU) –Largest IP packet a network will accept –Arriving IP packet may be larger IP Packet MTU.
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
UDP & TCP Where would we be without them!. UDP User Datagram Protocol.

UDP & TCP Where would we be without them!. UDP User Datagram Protocol.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
Leon-Garcia & Widjaja: Communication Networks Copyright ©2000 The McGraw Hill Companies A Little More on Chapter 7 And Start Chapter 8 TCP/IP.

Leon-Garcia & Widjaja: Communication Networks Copyright ©2000 The McGraw Hill Companies A Little More on Chapter 7 And Start Chapter 8 TCP/IP.
Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.

Intrusion Detection and Hackers Exploits IP Spoofing Attack Yousef Yahya & Ahmed Alkhamaisa Prepared for Arab Academy for Banking and Financial Sciences.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Attacks Mark Shtern.

Network Attacks Mark Shtern.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Examining IP Header Fields

Examining IP Header Fields
1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)

1 Internet Networking Spring 2003 Tutorial 11 Explicit Congestion Notification (RFC 3168)
Characterizing and Defending Against DDoS Attacks Christos Papadopoulos..and many others.

Characterizing and Defending Against DDoS Attacks Christos Papadopoulos..and many others.
Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.

Review for Exam 4 School of Business Eastern Illinois University © Abdou Illia, Fall 2006.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Similar presentations

Ads by Google