Post on 19-Dec-2015
A Framework for Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann and Christos Papadopoulos
Presented by Nahur Fonseca, NRG, June 22nd, 2004
This paper is NOT about…
• Detecting DoS attacks, although the authors suggest an application to detection at the end.
• Responding to DoS attacks.
• Dealing with smart attacks that exploit software bugs or protocol synchronization. (So don't worry Mina, you can continue your plans to take over the World.)
Problem and Motivation
• Problem: we need a robust, automatic way of classifying DoS attacks into two classes: single-source and multi-source.
• Because: the two types of attack (single- or multi-source) call for different responses.
• Classification is not easy. For instance, the attacker can spoof packet headers.
Discussion
• DWE Quiz:
1) Is this problem interesting at all ?
2) What could make it a SIGCOMM paper ?
3) [Optional] What is the related work ?
4) What should be the OUTLINE of the rest of the presentation ?
Outline
• Description of the traces used
• Four classification techniques
• Evaluation of results & validation
• Conclusion & discussion
Data Collection
• Monitored two links at a moderate-size ISP.
• Captured packet headers in both directions using tcpdump, saving a trace every two minutes.
• An attack is detected when: a) the number of sources sending to the same destination exceeds 60 within 1 s, or b) the traffic rate exceeds 40K packets/s.
• Detected attacks were verified manually; the false positive rate was 25-35%. This yielded a total of 80 attacks in 5 months.
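The two detection rules above, run over constructed packet records. This is an added example, not code from the paper or the presentation: the slide gives the thresholds but not the windowing, so fixed one-second bins, the addresses and the traffic mix are assumptions made here.

```python
"""Added example (not the authors' code) of the two trace-level detection
rules on the slide, run over constructed packet records: flag a destination
when more than 60 distinct sources hit it within one second, or when it
receives more than 40K packets in one second.  Fixed one-second bins and the
addresses below are assumptions; the slide does not give the windowing."""
from collections import defaultdict

SOURCE_THRESHOLD = 60       # distinct sources to one destination within 1 s
RATE_THRESHOLD = 40_000     # packets to one destination within 1 s


def detect_attacks(packets, src_thresh=SOURCE_THRESHOLD, rate_thresh=RATE_THRESHOLD):
    """packets: iterable of (timestamp_s, src_ip, dst_ip).
    Returns {dst_ip: set_of_reasons} for destinations tripping a rule in any bin."""
    sources = defaultdict(set)   # (second, dst) -> distinct sources seen
    counts = defaultdict(int)    # (second, dst) -> packets seen
    for ts, src, dst in packets:
        key = (int(ts), dst)
        sources[key].add(src)
        counts[key] += 1
    flagged = defaultdict(set)
    for (_, dst), srcs in sources.items():
        if len(srcs) > src_thresh:
            flagged[dst].add("many-sources")
    for (_, dst), n in counts.items():
        if n > rate_thresh:
            flagged[dst].add("high-rate")
    return dict(flagged)


def build_sample_traffic():
    """Constructed traffic, not a real trace:
      - 10 clients at 5 pkt/s each to 198.51.100.10 for 10 s (normal, not flagged)
      - second 5: 100 distinct (spoofed) sources, one packet each, to 198.51.100.20
      - second 7: one source sending 50,000 packets to 198.51.100.30
      - second 8: 80 distinct legitimate clients to 198.51.100.40, a flash crowd that
        the source-count rule also flags; this is the kind of false positive behind
        the 25-35% rate that made manual verification necessary."""
    pkts = []
    for sec in range(10):
        for c in range(10):
            for k in range(5):
                pkts.append((sec + k / 5, f"192.0.2.{c}", "198.51.100.10"))
    for i in range(100):
        pkts.append((5.0 + i / 1000, f"203.0.113.{i}", "198.51.100.20"))
    for i in range(50_000):
        pkts.append((7.0 + i / 50_000, "203.0.113.250", "198.51.100.30"))
    for i in range(80):
        pkts.append((8.0 + i / 100, f"192.0.2.{100 + i}", "198.51.100.40"))
    return pkts


if __name__ == "__main__":
    for dst, reasons in sorted(detect_attacks(build_sample_traffic()).items()):
        print(dst, sorted(reasons))
```

The flash-crowd case shows why the rules are only a trigger for manual verification: a popular destination with many legitimate clients in one second is indistinguishable from a spoofed-source flood by source count alone.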
T1: Packet Header Analysis
• Based on the IP ID and TTL fields, which are filled in by the OS.
• Idea: identify sequences of increasing ID numbers with a fixed TTL; each such sequence corresponds to one sending host.
• Classified 67 of the 80 attacks.
• Some statistics: 87% of attacks showed evidence of root access on the attacking hosts; TCP was the most prevalent protocol, followed by ICMP.
Attack type     #
Single         37
Multi          10
Reflected      20
Unclassified   13
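The ID/TTL idea, as an added example rather than the authors' code: within one TTL value, a run of IP IDs that keeps stepping forward by a small amount is treated as one sending host whose kernel fills in the ID field. One run means single-source, several runs mean multi-source, and packets whose IDs show no run structure (a raw-socket sender choosing its own IDs) are left unclassified. The MAX_ID_GAP and RANDOM_CUTOFF thresholds and the sample packets are assumptions; reflected attacks are not separated out here.

```python
"""Added example (not the authors' code) of the T1 packet-header technique:
count runs of increasing IP ID per TTL value and classify by the number of
runs.  MAX_ID_GAP, RANDOM_CUTOFF and the sample traffic are assumptions."""
import random

MAX_ID_GAP = 64      # largest forward ID step (mod 2^16) still credited to the same host;
                     # a busy host also sends packets we do not see, hence more than 1
RANDOM_CUTOFF = 0.2  # if this fraction of packets starts a new run, the IDs look random


def id_runs(packets):
    """packets: iterable of (ip_id, ttl) in arrival order.
    Returns (number_of_runs, fraction_of_packets_that_started_a_run)."""
    tails = {}                    # ttl -> last IP ID of each run seen with that TTL
    total = 0
    for ip_id, ttl in packets:
        total += 1
        runs = tails.setdefault(ttl, [])
        for i, last in enumerate(runs):
            if 0 < (ip_id - last) % 65536 <= MAX_ID_GAP:
                runs[i] = ip_id   # small forward step: same host, extend its run
                break
        else:
            runs.append(ip_id)    # no run fits: a new host (or a random ID)
    n_runs = sum(len(r) for r in tails.values())
    return n_runs, (n_runs / total if total else 0.0)


def classify_by_headers(packets):
    n_runs, started = id_runs(packets)
    if started > RANDOM_CUTOFF:
        return "unclassified"      # attacker writes the IDs itself; header analysis is blind
    return "single-source" if n_runs == 1 else "multi-source"


# Constructed attack traffic (not captured data).
def single_source_packets(count=500):
    """One host, kernel-assigned IDs stepping by 3 (it also talks to others), TTL 64."""
    return [((1000 + 3 * i) % 65536, 64) for i in range(count)]


def multi_source_packets(zombies=5, rounds=200):
    """Zombies firing round-robin; they alternate between two TTLs, so runs
    that share a TTL interleave and must be separated by their ID values."""
    pkts = []
    for i in range(rounds):
        for z in range(zombies):
            pkts.append(((10_000 * z + 2 * i) % 65536, 64 if z % 2 == 0 else 128))
    return pkts


def random_id_packets(count=1000, seed=7):
    """Raw-socket flood with random IDs and a constant TTL."""
    rng = random.Random(seed)
    return [(int(rng.random() * 65536), 64) for _ in range(count)]


if __name__ == "__main__":
    for name, pkts in [("single", single_source_packets()),
                       ("multi", multi_source_packets()),
                       ("random", random_id_packets())]:
        print(name, id_runs(pkts), classify_by_headers(pkts))
```

The unclassified branch is the practical caveat behind the 13 unclassified attacks on the slide: an attacker with root can set the ID and TTL to anything, so header analysis only works against hosts that send through the normal stack.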
T2: Arrival Rate Analysis
[Figure: attack rate (pkt/s) on a log scale from 10^2 to 10^5 for single-source, multi-source and reflected attacks]
• Single-source, multi-source and reflected attacks have different mean arrival rates.
• Kruskal-Wallis one-way ANOVA: F = 37 (>> 1), p = 1.7 × 10^-11 (<< 1).
T3: Ramp-Up Behavior
• Single-source attacks start at full throttle.• All multi-source attacks presented ramp-up due
to synchronization of zombies.
• (Left) one of the 13 unclassified attacks (Right) agree with header analysis
0 10 20 30 40 50 60 70Time (seconds)
0 10 20 30 40 50 60 70Time (seconds)
100
80
60
40
20
0
60
50
40
30
20
10
0
Att
ack
rate
(pk
t/s)
Att
ack
rate
(pk
t/s)
T4: Spectral Content Analysis
• Treat the trace as a time series.
• Consider segments in steady state only.
• Compute the power spectral density S(f).
• C(f) is the normalized cumulative power up to frequency f.
• F(p) = C^-1(p): the frequency at which the cumulative power reaches the fraction p.
[Figure: S(f) and C(f) against frequency (Hz, 0-500) for a) a single-source attack and b) a multi-source attack]
The F(60%) Spectral Test
• Single-source: F(60%) in [240, 295] Hz
• Multi-source: F(60%) in [142, 210] Hz
• A Wilcoxon rank-sum test was used to verify that the two classes have distinct F(60%) ranges.
Validation of the F(60%) Test
• Observations at a smaller alternate site.
• Controlled experiments over the Internet with varying topology (clustered vs. distributed) and number of attackers (1 to 5 Iperf clients).
• Attack tools (punk, stream and synful) run in a testbed network.
Effect of Increasing the Number of Attackers
• Similar curves for the controlled experiment and for the testbed attacks using the attack tools.
Why?
• Aggregation of two scaled sources? No! a1(t) = a(t) + a((s+δ)t)
• Bunching of traffic (like ACK compression)? No! a2(t): delay arriving packets until 5-15 have accumulated, then send them all at once.
• Aggregation of two shifted sources? No! a3(t) = a(t) + a(t + δ)
• Aggregation of multiple slightly shifted sources? Yes! a3b(t) = Σ_{i=1..n} a(t + δ_i), n ≥ 2, with small δ_i
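The spectral test of the T4 and F(60%) slides and the mechanism of the last bullet above, as one added example that is not the authors' code: a single jittered packet train is binned at 1 ms, its mean-removed periodogram S(f), cumulative power C(f) and F(60%) are computed, and the same is done for the sum of several copies shifted 1 ms apart (the slide's a3b) and for two copies 250 ms apart (the slide's a3). The attack stream, the 1 ms sampling, the 2048-sample segment, the number of zombies and their shifts are assumptions made here, so the F(60%) values will not match the paper's measured ranges; only the direction of the shift is the point.

```python
"""Added example (not the authors' code) of the spectral test on the T4 /
F(60%) slides and of the 'Why?' slide's mechanism: summing several slightly
shifted copies of one attack stream moves spectral power to low frequencies
and lowers F(60%), while adding one copy shifted by a large delay does not.
Stream, sampling, segment length, zombie count and shifts are assumptions."""
import cmath
import math
import random

SAMPLE_HZ = 1000   # arrivals counted in 1 ms bins, so the spectrum covers 0-500 Hz
N = 2048           # samples per analysed segment (~2 s); must be a power of two


def fft(x):
    """Recursive radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    twiddled = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return ([even[k] + twiddled[k] for k in range(n // 2)]
            + [even[k] - twiddled[k] for k in range(n // 2)])


def power_spectrum(series):
    """S(f) for f = 0 .. SAMPLE_HZ/2: periodogram of the mean-removed series
    (removing the mean keeps the DC term from dominating C(f))."""
    mean = sum(series) / len(series)
    spec = fft([v - mean for v in series])
    return [abs(c) ** 2 for c in spec[: len(series) // 2 + 1]]


def cumulative_power(S):
    """C(f): normalised cumulative power, so C(f_max) = 1."""
    total = sum(S)
    acc, C = 0.0, []
    for s in S:
        acc += s
        C.append(acc / total)
    return C


def F(p, S):
    """F(p) = C^-1(p): the lowest frequency at which cumulative power reaches p."""
    hz_per_bin = SAMPLE_HZ / (2 * (len(S) - 1))
    for k, c in enumerate(cumulative_power(S)):
        if c >= p:
            return k * hz_per_bin
    return (len(S) - 1) * hz_per_bin


def single_source_stream(rng):
    """a(t): one attacker emitting a packet every 1, 2 or 3 ms (constructed jitter)."""
    series = [0] * N
    t = 0
    while t < N:
        series[t] += 1
        t += 1 + int(rng.random() * 3)
    return series


def aggregate_shifted(base, shifts_ms):
    """sum_i a(t + delta_i): copies of one stream, each circularly shifted by
    delta_i samples (1 sample = 1 ms).  The circular shift keeps the segment
    length fixed so the spectra stay directly comparable."""
    out = [0] * N
    for d in shifts_ms:
        for t in range(N):
            out[(t + d) % N] += base[t]
    return out


def f60_by_scenario(seed=1, zombies=10):
    """F(60%) for one source, for `zombies` copies started 1 ms apart (a3b),
    and for two copies 250 ms apart (a3)."""
    a = single_source_stream(random.Random(seed))
    return {
        "single": F(0.6, power_spectrum(a)),
        "multi_slightly_shifted": F(0.6, power_spectrum(aggregate_shifted(a, range(zombies)))),
        "two_far_apart": F(0.6, power_spectrum(aggregate_shifted(a, [0, 250]))),
    }


if __name__ == "__main__":
    for name, f60 in f60_by_scenario().items():
        print(f"{name:24s} F(60%) = {f60:6.1f} Hz")
```

Why the shifts matter: the spectrum of Σ_i a(t + δ_i) is S(f) multiplied by |Σ_i e^{2πi f δ_i}|². For small δ_i the phasors add coherently at low frequencies (gain n²) and incoherently at high ones (gain about n), which is the low-pass effect that pulls F(60%) down. A single large shift only multiplies S(f) by 2 + 2cos(2πfδ), which oscillates rapidly across the band and leaves C(f), and hence F(60%), essentially unchanged.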
Conclusions
• "Network security is an arms race." Hence the need for more robust techniques.
• Once an attack has been detected, spectral analysis can identify its type and trigger the appropriate response.
• Contribution: a model of attack traffic patterns.
• Use of statistical tests to make inferences about attack patterns.