
A Framework for Classifying Denial of Service Attacks

Alefiya Hussain, John Heidemann and Christos Papadopoulos

presented by Nahur Fonseca, NRG, June 22nd, 2004

This paper is NOT about…

• Detecting DoS attacks, although they suggest an application for it in the end.

• Responding to DoS attacks.

• Dealing with smart attacks which exploit software bugs or protocol synchronization. (so don’t worry Mina, you can continue your plans to take over the World).

Problem and Motivation

• Problem: we need a robust, automatic way of classifying DoS attacks into two classes: single-source and multi-source.

• Because: the two kinds of attack (single- or multi-source) call for different responses.

• Classification is not easy: for instance, the attacker can spoof source addresses, so simply counting sources is unreliable.

Preliminaries

• Zombies vs. reflectors

• Single- vs. multi-source

• Direct vs. reflection

Discussion

• DWE Quiz:

1) Is this problem interesting at all?

2) What could make it a SIGCOMM paper?

3) [Optional] What is the related work?

4) What should be the OUTLINE of the rest of the presentation?

Outline

• Description of traces used

• Four classification techniques

• Evaluation of results & validation

• Conclusion & discussion

Data Collection

• Monitored two links at a moderate-size ISP.

• Captured packet headers in both directions with tcpdump; traces saved every two minutes.

• An attack is flagged when: a) more than 60 sources send to the same destination within 1 s, or b) the traffic rate exceeds 40K packets/s.

• Detected attacks were verified manually; the heuristic's false-positive rate was 25 – 35 %. The result is a total of 80 attacks over 5 months.
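The detection heuristic above, as an added example (not code from the paper or from the presentation): it scans packet headers in 1 s windows and flags a (second, destination) pair that trips rule (a) or rule (b). Applying rule (b) per destination, and the three-second trace below, are assumptions of this example; the trace is constructed, not captured.

```python
from collections import defaultdict

# Thresholds as stated on the slide.
MAX_SOURCES_PER_SEC = 60      # rule (a): distinct sources to one destination in 1 s
MAX_PACKETS_PER_SEC = 40_000  # rule (b): packets per second (here: towards one destination)


def detect_attacks(packets, max_sources=MAX_SOURCES_PER_SEC, max_rate=MAX_PACKETS_PER_SEC):
    """Return {(second, dst): reason} for every 1 s window that trips a rule.

    packets: iterable of (timestamp_seconds, src_ip, dst_ip) header tuples, any order.
    reason is "sources", "rate" or "sources+rate".
    """
    sources = defaultdict(set)   # (second, dst) -> set of source addresses seen
    counts = defaultdict(int)    # (second, dst) -> packets in that window
    for ts, src, dst in packets:
        key = (int(ts), dst)     # 1 s bins, as on the slide
        sources[key].add(src)
        counts[key] += 1

    alerts = {}
    for key, n_packets in counts.items():
        reasons = []
        if len(sources[key]) > max_sources:
            reasons.append("sources")
        if n_packets > max_rate:
            reasons.append("rate")
        if reasons:
            alerts[key] = "+".join(reasons)
    return alerts


def sample_trace():
    """Constructed packet headers (not a real trace): three seconds towards one server."""
    pkts = []
    # second 0: benign, five clients talking to the web server -> no alert
    for i in range(5):
        pkts.append((0.1 * i, f"10.0.0.{i}", "192.0.2.10"))
    # second 1: spoofed flood from 200 distinct source addresses -> trips rule (a) only
    for i in range(200):
        pkts.append((1.0 + i / 200.0, f"198.51.100.{i % 256}", "192.0.2.10"))
    # second 2: one real host at 45k pkt/s -> trips rule (b) only
    for i in range(45_000):
        pkts.append((2.0 + i / 45_000.0, "203.0.113.7", "192.0.2.10"))
    return pkts


if __name__ == "__main__":
    for (second, dst), reason in sorted(detect_attacks(sample_trace()).items()):
        print(f"t={second}s dst={dst}: {reason}")
```

As the slide notes, the heuristic alone produced 25 – 35 % false positives in the paper, so every alert still went through manual verification; the classifier techniques that follow start from those verified attacks.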

T1: Packet Header Analysis

• Based on the IP ID and TTL fields, which are filled in by the sending host's OS.

• Idea: identify sequences of increasing ID values with a fixed TTL; each such sequence corresponds to one attacking host.

• Classified 67 of the 80 attacks.

• Some statistics: 87 % of the attacks showed evidence of root access on the attacking host; TCP was the most common protocol, followed by ICMP.

Attack type     #
Single         37
Multi          10
Reflected      20
Unclassified   13
Total          80
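An added illustration of the ID/TTL sequence idea (not the authors' implementation): packets are grouped into sequences of increasing 16-bit IP IDs with a fixed TTL, ignoring the (possibly spoofed) source address; one sequence suggests one attacking host, several sequences suggest several. The gap tolerance, the minimum sequence length and the three constructed traces are assumptions of this example, not values from the paper.

```python
from collections import defaultdict

ID_SPACE = 1 << 16   # the IP identification field is 16 bits wide


def id_distance(prev_id, cur_id):
    """Forward distance from prev_id to cur_id modulo 2^16, so a counter that
    wraps from 65535 to 0 still looks like a step of 1."""
    return (cur_id - prev_id) % ID_SPACE


def find_id_sequences(packets, max_gap=64, min_len=5):
    """Group packets into sequences of increasing IP ID with a fixed TTL.

    packets: list of (ip_id, ttl) in arrival order. The source address is
    deliberately not used because it may be spoofed. A packet joins the most
    recent open sequence with the same TTL whose last ID lies at most max_gap
    behind it (the sending host's counter also serves its other traffic, so
    small gaps are normal); otherwise it starts a new sequence. Sequences
    shorter than min_len are dropped as noise. max_gap and min_len are assumed
    tuning knobs for this example.
    """
    seqs = []                          # each: {"ttl": ttl, "ids": [...]}
    open_by_ttl = defaultdict(list)    # ttl -> indices into seqs
    for ip_id, ttl in packets:
        for idx in reversed(open_by_ttl[ttl]):
            if 0 < id_distance(seqs[idx]["ids"][-1], ip_id) <= max_gap:
                seqs[idx]["ids"].append(ip_id)
                break
        else:
            open_by_ttl[ttl].append(len(seqs))
            seqs.append({"ttl": ttl, "ids": [ip_id]})
    return [s for s in seqs if len(s["ids"]) >= min_len]


def classify_by_header(packets):
    """'single' for one ID/TTL sequence, 'multi' for several, 'unclassified'
    when no sequence is long enough to trust."""
    seqs = find_id_sequences(packets)
    if not seqs:
        return "unclassified", seqs
    return ("single" if len(seqs) == 1 else "multi"), seqs


def single_source_trace():
    """Constructed: one zombie (TTL 52) spoofing sources; its ID counter advances
    by one per packet with an extra step every ten packets."""
    return [(4000 + i + i // 10, 52) for i in range(40)]


def multi_source_trace():
    """Constructed: three zombies interleaved, each with its own TTL and ID
    counter; the third counter wraps around 65535 during the trace."""
    hosts = [(52, 4000), (117, 20000), (240, 65530)]
    pkts = []
    for i in range(40):
        ttl, base = hosts[i % 3]
        pkts.append(((base + i // 3) % ID_SPACE, ttl))
    return pkts


def random_id_trace():
    """Constructed: 40 packets from 40 different real hosts (distinct TTLs,
    unrelated IDs), so no sequence forms and the trace stays unclassified."""
    return [((i * 7919) % ID_SPACE, 30 + i % 50) for i in range(40)]


if __name__ == "__main__":
    for name, trace in [("single", single_source_trace()),
                        ("multi", multi_source_trace()),
                        ("random", random_id_trace())]:
        label, seqs = classify_by_header(trace)
        print(f"{name:7s}: {label} ({len(seqs)} sequences)")
```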

T2: Arrival Rate Analysis

• Single-source, multi-source and reflected attacks have different mean attack rates.

• Kruskal-Wallis one-way ANOVA test: F = 37 (>> 1), p = 1.7 x 10^-11 (<< 1).

[Figure: attack rate (pkt/s), log scale from 10^2 to 10^5, for single-source, multi-source and reflected attacks]
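The Kruskal-Wallis test computed by hand, as an added example (not the authors' code): the pooled rates are ranked, the tie-corrected H statistic is formed, and its p-value comes from the chi-square survival function, which has a closed form for an even number of degrees of freedom (three classes give df = 2). The three rate samples are constructed for illustration and do not reproduce the slide's F = 37.

```python
import math


def average_ranks(values):
    """Rank values 1..N, giving tied values the average of their ranks.
    Returns (ranks aligned with values, sizes of the tie groups)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    ties = []
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j + 2) / 2.0           # positions i..j hold ranks i+1..j+1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        ties.append(j - i + 1)
        i = j + 1
    return ranks, ties


def chi2_sf_even_df(x, df):
    """P(X > x) for a chi-square variable with even df:
    exp(-x/2) * sum_{j<df/2} (x/2)^j / j!  (closed form, no scipy needed)."""
    if df < 2 or df % 2 != 0:
        raise ValueError("closed form only for even df; use a gamma function otherwise")
    half = x / 2.0
    return math.exp(-half) * sum(half ** j / math.factorial(j) for j in range(df // 2))


def kruskal_wallis(groups):
    """Tie-corrected Kruskal-Wallis H and its p-value for k samples. Returns (H, p)."""
    values = [v for g in groups for v in g]
    n = len(values)
    ranks, ties = average_ranks(values)
    h, pos = 0.0, 0
    for g in groups:
        r = ranks[pos:pos + len(g)]
        h += len(g) * (sum(r) / len(g)) ** 2   # n_i * (mean rank of group i)^2
        pos += len(g)
    h = 12.0 / (n * (n + 1)) * h - 3 * (n + 1)
    correction = 1.0 - sum(t ** 3 - t for t in ties) / float(n ** 3 - n)
    h /= correction                            # no ties -> correction == 1
    return h, chi2_sf_even_df(h, len(groups) - 1)


# Constructed attack rates (pkt/s) for the three classes; illustrative only.
SAMPLE_RATES = {
    "single":    [2100, 2600, 3100, 3900],
    "multi":     [5200, 6100, 7300, 8800],
    "reflected": [11000, 14000, 16500, 21000],
}


def demo():
    return kruskal_wallis(list(SAMPLE_RATES.values()))


if __name__ == "__main__":
    h, p = demo()
    print(f"H = {h:.3f}, p = {p:.2e}")
```

With the three samples fully separated in rank, H is 635/13 - 39, about 9.85, and p is about 0.007: the classes differ at any usual significance level even on four observations each, while the slide's far smaller p reflects the 80 real attacks.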

T3: Ramp-Up Behavior

• Single-source attacks start at full throttle.

• All multi-source attacks showed a ramp-up, due to the synchronization of the zombies.

• (Left) one of the 13 unclassified attacks; (Right) an attack whose ramp-up agrees with the header analysis.

[Figure: attack rate (pkt/s) over the first 70 seconds of the attack; left panel 0-100 pkt/s, right panel 0-60 pkt/s]
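One way to turn the ramp-up observation into a number, as an added example (not from the paper): take the steady-state rate as the median of the final third of a per-second rate series and measure the time from the first attack packet until the rate first reaches 90 % of it. The 90 % level, the 2 s decision threshold and the two rate series are assumptions; the series are constructed, not traces from the paper.

```python
def steady_state_rate(rates, tail_fraction=1 / 3):
    """Median of the last third of the series, taken as the steady-state rate."""
    tail = sorted(rates[-max(1, int(len(rates) * tail_fraction)):])
    return tail[len(tail) // 2]


def ramp_up_time(rates, level=0.9, bin_seconds=1.0):
    """Seconds from the first attack packet until the rate first reaches
    `level` of the steady-state rate; 0.0 means full throttle from the start.
    Returns None if the series never carries attack traffic or never gets there."""
    start = next((i for i, r in enumerate(rates) if r > 0), None)
    if start is None:
        return None
    target = level * steady_state_rate(rates)
    for i in range(start, len(rates)):
        if rates[i] >= target:
            return (i - start) * bin_seconds
    return None


def classify_by_ramp(rates, threshold_seconds=2.0):
    """'single-like' when the attack reaches its rate almost immediately,
    'multi-like' when it ramps up (assumed 2 s threshold)."""
    t = ramp_up_time(rates)
    return "single-like" if t is not None and t <= threshold_seconds else "multi-like"


def single_source_rates():
    """Constructed per-second rates: nothing for 2 s, then 99-101 pkt/s at once."""
    return [0, 0] + [100 + (i % 3) - 1 for i in range(30)]


def multi_source_rates():
    """Constructed per-second rates: zombies join over 12 s (5, 10, ... 60 pkt/s),
    then the aggregate settles at 59-61 pkt/s."""
    ramp = [5 * k for k in range(1, 13)]
    return [0, 0] + ramp + [60 + (i % 3) - 1 for i in range(30)]


if __name__ == "__main__":
    for name, series in [("single", single_source_rates()), ("multi", multi_source_rates())]:
        print(f"{name}: ramp-up {ramp_up_time(series)} s -> {classify_by_ramp(series)}")
```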

T4: Spectral Content Analysis

• Treat the trace as a time series.

• Consider steady-state segments only.

• Compute the power spectral density S(f).

• C(f) is the normalized cumulative power up to frequency f.

• F(p) = C^-1(p): the frequency below which a fraction p of the power lies.

[Figure: S(f) and C(f) for frequencies 0-500 Hz; a) Single-Source, b) Multi-Source]

The F(60%) Spectral Test

• Single-source: F(60%) in [240, 295] Hz

• Multi-source: F(60%) in [142, 210] Hz

• A Wilcoxon rank-sum test verifies that the two classes have different F(.) ranges.

Validation of F(60%) Test

• Observations at a smaller alternate site.

• Controlled experiments over the Internet, varying the topology (clustered vs. distributed) and the number of attackers (1 to 5 Iperf clients).

• Attack tools (punk, stream and synful) run in a testbed network.

Effect of Topology

Effect of Increasing # of Attackers

• Similar curves for the controlled experiments and for the testbed attacks using hacker tools.

Why ?

• Aggregation of two scaled sources? No. a1(t) = a(t) + a((s+)t)

• Bunching of traffic (like ACK compression)? No. a2(t): delay the packets until 5-15 have accumulated, then send them all at once.

• Aggregation of two shifted sources? No. a3(t) = a(t) + a(t + shift)

• Aggregation of multiple slightly shifted sources? Yes. a3b(t) = sum over i of a(t + shift_i), 2 < i < n
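The F(60%) test from the spectral slides and the a3b(t) construction above, as one added example (not the authors' code): S(f) is a plain DFT of 1 ms packet counts with the mean removed (so the spectrum spans 0-500 Hz, as in the plots), C(f) is the normalized cumulative power and F(p) its inverse. The traces are constructed: an exactly periodic host (whose F(60%) works out to 250 Hz), a host with jittered inter-packet gaps, and the sum of 20 copies of that host's stream each shifted by a few milliseconds. Segment length, jitter, number of copies, shift range and the random seed are assumptions of this example.

```python
import cmath
import math
import random

FS = 1000   # 1 ms bins -> 1000 samples/s, so the spectrum runs from 0 to 500 Hz
N = 512     # length of the steady-state segment analysed, in bins


def power_spectral_density(counts):
    """One-sided periodogram S(f) of a packet-count series with the mean removed.
    Returns (freqs_hz, S) for k = 0..n/2. Plain O(n^2) DFT with a twiddle table,
    which is fine for a few hundred bins and needs no numpy."""
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]
    tw = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]
    freqs, s = [], []
    for k in range(n // 2 + 1):
        xk = sum(x[t] * tw[(k * t) % n] for t in range(n))
        p = abs(xk) ** 2
        if 0 < k < n / 2:
            p *= 2          # fold the mirrored negative frequency into the one-sided spectrum
        freqs.append(k * FS / n)
        s.append(p)
    return freqs, s


def cumulative_power(s):
    """C(f): normalized cumulative power, non-decreasing and ending at 1."""
    total = sum(s)
    acc, c = 0.0, []
    for p in s:
        acc += p
        c.append(acc / total)
    return c


def f_quantile(counts, p=0.6):
    """F(p) = C^-1(p): the lowest frequency at which C(f) reaches the fraction p."""
    freqs, s = power_spectral_density(counts)
    for f, cf in zip(freqs, cumulative_power(s)):
        if cf >= p:
            return f
    return freqs[-1]


def bin_arrivals(times_ms):
    """Count packet arrival times (in ms) into N one-millisecond bins."""
    counts = [0] * N
    for t in times_ms:
        b = int(math.floor(t))
        if 0 <= b < N:
            counts[b] += 1
    return counts


def periodic_source(period_ms=4.0):
    """Constructed: one host sending exactly one packet every period_ms."""
    return [k * period_ms for k in range(int(N / period_ms) + 1)]


def jittered_source(rng, mean_gap_ms=4.0, jitter_ms=3.0):
    """Constructed: one host whose inter-packet gap is uniform in mean_gap +/- jitter.
    Starts before t=0 so that shifted copies still cover the whole [0, N) window."""
    times, t = [], -10.0 * mean_gap_ms
    while t < N + 10.0 * mean_gap_ms:
        times.append(t)
        t += rng.uniform(mean_gap_ms - jitter_ms, mean_gap_ms + jitter_ms)
    return times


def shifted_aggregate(times_ms, rng, n_sources=20, max_shift_ms=5.0):
    """a3b(t): the same stream seen n_sources times, each copy shifted by a small
    random amount (n_sources and max_shift_ms are assumptions of this example)."""
    shifts = [rng.uniform(0.0, max_shift_ms) for _ in range(n_sources)]
    return [t + d for d in shifts for t in times_ms]


def demo(seed=7):
    rng = random.Random(seed)   # fixed seed: the constructed traces are reproducible
    single = jittered_source(rng)
    return {
        "periodic": f_quantile(bin_arrivals(periodic_source())),
        "single": f_quantile(bin_arrivals(single)),
        "multi": f_quantile(bin_arrivals(shifted_aggregate(single, rng))),
    }


if __name__ == "__main__":
    for name, f60 in demo().items():
        print(f"F(60%) {name:9s} = {f60:6.1f} Hz")
```

The periodic host puts all of its power into the 250 Hz line and its 500 Hz harmonic, so C(f) jumps to 2/3 at 250 Hz and F(60%) is exactly 250 Hz. For the shifted aggregate the F(60%) lands well below the single jittered host's: at low frequencies the 20 copies add in phase, so their power grows as n^2, while at frequencies whose period is comparable to the shifts the phases are scrambled and the power grows only as n. That is the low-pass effect behind the last bullet above, and it is why the multi-source spectrum in the paper sits at lower frequencies.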

Conclusions

• ‘Network security is an arms race.’ Hence the need for more robust techniques.

• Once an attack has been detected, spectral analysis can be used to identify its type and trigger the appropriate response.

• Contribution: a model of attack traffic patterns.

• Use of statistical tests to make inferences about attack patterns.

Discussion

• How could a single source try to fool the spectral analysis tool?

• What is the spectral signature of normal traffic?

• What other types of patterns could we identify and design statistical tests for?

• More thoughts?