
CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman



Page 1: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman


Page 2

The paper…

• A Framework for Classifying Denial of Service Attacks

Authors:

• Alefiya Hussain

• John Heidemann

• Christos Papadopoulos

Page 3

Basis for classifying DoS attacks

Why classify the attack?

• Helps to counter the attack

Attack Analysis:

• Header content

• Ramp-up behavior

• Spectral analysis

Page 4

Contribution of the paper

• Automated methodology

• A real-time attack analysis

• Use of a traceback to identify the attacker is trivial in the single-source case

• New techniques of ramp-up and spectral analysis

Page 5

Taxonomy of DoS attacks

To launch a Distributed DoS attack a malicious user:

• Compromises Internet hosts by exploiting security holes.

• Installs attack tools on the compromised host, also known as a zombie.

Page 6

Taxonomy of DoS attacks

• Software exploits. These attacks exploit specific bugs in the victim’s OS or applications. These cases are not considered in this paper.

• Flooding attacks

Page 7

Flooding attacks

• One or more attackers

• Streams of packets aimed at overwhelming link bandwidth or computing resources at the victim.

• Single source attacks

• Multi-source attacks

• Reflector attack

Page 8

Taxonomy of DoS attacks

Page 9

Flooding attacks

Page 10

Flooding attacks

Page 11

Flooding attacks

Page 12

Examples

• Ping of death

A modified version of a regular ping request.

• Land attack

A packet with source host/port equal to destination host/port.

Page 13

Attack tools

• Several canned attack tools are available on the Internet, such as Stacheldraht, Trinoo, Tribal Flood Network 2000, and Mstream, that generate flooding attacks using a combination of TCP, UDP, and ICMP packets.

Page 14

Attack Classification

• Header Contents

• Ramp-up behavior

• Spectral Analysis

Page 15

Header Contents

• Most attacks spoof the source IP address

• ID and TTL fields can give hints about the attackers

• Difficult for attackers to coordinate the ID fields.

Page 16

Header Contents

Page 17

Header Contents

• Some attack tools forge all header contents.

• Impossible to distinguish between single and multiple sources based on header information alone

• Need to use another technique
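The three Header Contents slides above, worked through as an added Python example (this code is not from the slides or from the Hussain, Heidemann and Papadopoulos paper). It applies the slides' hints, one ID counter and one hop distance behind spoofed addresses versus several interleaved counters and TTLs, and reports "inconclusive" when every field looks randomised, which is the case the last slide says header analysis cannot resolve. The thresholds FORGED_TTL_LIMIT and SEQ_ID_MAX_STEP, the verdict rules and all packet records are assumptions constructed for the example.

```python
# Added example, not the slides' or the paper's code: header-field heuristics
# for judging whether a flood comes from one host or several.
import random

FORGED_TTL_LIMIT = 8   # assumption: more distinct TTLs than this looks randomised, not real path lengths
SEQ_ID_MAX_STEP = 8    # assumption: a "sequential" IP ID advances by at most this much per packet


def analyze_headers(packets):
    """packets: arrival-ordered dicts with 'src', 'ttl' and 'ip_id'.
    Returns the evidence gathered plus a verdict string."""
    ttls = sorted({p["ttl"] for p in packets})
    ids = [p["ip_id"] for p in packets]
    # IP ID is a 16-bit counter, so measure the step modulo 65536 (handles wrap-around)
    steps = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    seq_fraction = sum(1 for s in steps if 0 < s <= SEQ_ID_MAX_STEP) / max(1, len(steps))

    if len(ttls) > FORGED_TTL_LIMIT:
        verdict = "inconclusive: header fields look forged, use ramp-up or spectral analysis"
    elif len(ttls) == 1 and seq_fraction >= 0.9:
        verdict = "single source: one ID counter and one hop distance behind the spoofed addresses"
    elif len(ttls) >= 2 and seq_fraction < 0.5:
        verdict = "multiple sources: several hop distances and interleaved ID counters"
    else:
        verdict = "inconclusive"
    return {
        "distinct_src": len({p["src"] for p in packets}),
        "ttl_values": ttls,
        "sequential_id_fraction": round(seq_fraction, 3),
        "verdict": verdict,
    }


# --- constructed sample streams -------------------------------------------

def single_source_stream(n=200, ttl=54, first_id=1000):
    """One host spoofing a fresh source address per packet; its IP stack still
    increments a single ID counter and every packet travels the same path."""
    return [{"src": f"10.{(i * 7) % 256}.{(i * 13) % 256}.{i % 256}",
             "ttl": ttl, "ip_id": (first_id + i) % 65536} for i in range(n)]


def multi_source_stream(n_per_host=70, hosts=((54, 1000), (117, 5000), (240, 20000))):
    """Three zombies at different hop distances, each with its own ID counter;
    their packets interleave at the observation point."""
    packets = []
    for i in range(n_per_host):
        for ttl, first_id in hosts:
            packets.append({"src": f"10.{ttl}.{i % 256}.1", "ttl": ttl,
                            "ip_id": (first_id + i) % 65536})
    return packets


def forged_stream(n=200, seed=7):
    """A tool that randomises every header field (seeded so the run is repeatable)."""
    rng = random.Random(seed)
    return [{"src": f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
             "ttl": rng.randrange(1, 256), "ip_id": rng.randrange(65536)} for _ in range(n)]


if __name__ == "__main__":
    for name, stream in (("single", single_source_stream()),
                         ("multi", multi_source_stream()),
                         ("forged", forged_stream())):
        print(name, analyze_headers(stream))
```

Note that the single-source stream has many distinct source addresses and still classifies as one host: it is the ID and TTL fields, not the spoofed addresses, that carry the evidence, and the forged stream shows why the slides move on to ramp-up and spectral analysis.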

Page 18

Ramp-up Behavior

• Observation point near the victim

• Master triggers zombies with trigger message

• Results in a ramp-up behavior
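The ramp-up measurement from this slide as an added Python example (not code from the slides or the paper). It bins packet arrival times at the observation point near the victim, measures how long the rate takes to reach its peak, and contrasts one host at full rate from the first packet with zombies that start one after another as the master's trigger reaches them. The 100 ms bins, the 90 % threshold, the 500 ms decision boundary and the arrival times themselves are assumptions constructed for the example.

```python
# Added example, not the slides' or the paper's code: ramp-up duration of a
# flood measured from packet arrival timestamps (microseconds).

BIN_US = 100_000         # assumption: count packets in 100 ms bins
RAMP_THRESHOLD = 0.9     # assumption: ramp-up ends when the rate first reaches 90 % of its peak
GRADUAL_RAMP_MS = 500    # assumption: a ramp longer than this suggests staggered zombies


def arrival_rate(timestamps_us, bin_us=BIN_US):
    """Packets per bin, from sorted arrival timestamps in microseconds."""
    if not timestamps_us:
        return []
    counts = [0] * (timestamps_us[-1] // bin_us + 1)
    for t in timestamps_us:
        counts[t // bin_us] += 1
    return counts


def ramp_up_ms(timestamps_us, bin_us=BIN_US, threshold=RAMP_THRESHOLD):
    """Milliseconds from the first attack packet until the per-bin rate first
    reaches `threshold` times the peak rate seen in the trace."""
    counts = arrival_rate(timestamps_us, bin_us)
    peak = max(counts)
    first = next(i for i, c in enumerate(counts) if c > 0)
    reached = next(i for i, c in enumerate(counts) if c >= threshold * peak)
    return (reached - first) * bin_us // 1000


def classify_ramp(ramp_ms, gradual_ms=GRADUAL_RAMP_MS):
    """Turn the ramp-up duration into the slide's single/multi-source reading."""
    if ramp_ms < gradual_ms:
        return "single source: full rate from the first packet"
    return "multiple sources: rate climbs as zombies join after the trigger"


# --- constructed arrival traces -------------------------------------------

def single_source(duration_us=5_000_000, interval_us=1_000):
    """One host sending 1000 packets/s from t = 0 for five seconds."""
    return list(range(0, duration_us, interval_us))


def staggered_zombies(n=10, stagger_us=200_000, interval_us=10_000, duration_us=5_000_000):
    """Ten zombies at 100 packets/s each; zombie j starts j * 200 ms after the
    first, modelling the trigger message reaching them at different times."""
    ts = []
    for j in range(n):
        ts.extend(range(j * stagger_us, duration_us, interval_us))
    return sorted(ts)


if __name__ == "__main__":
    for name, trace in (("single", single_source()), ("staggered", staggered_zombies())):
        ms = ramp_up_ms(trace)
        print(f"{name}: ramp-up {ms} ms -> {classify_ramp(ms)}")
```

With these traces the single host reaches its peak rate in the first bin (0 ms ramp-up) while the staggered zombies need 1600 ms to reach 90 % of the aggregate peak, which is the gradual ramp the slide describes.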

Page 19

Spectral analysis

• The attack stream is treated as a discrete function of time x(t)

• The autocorrelation function r(k) of x(t) is examined

Page 20

Autocorrelation function

Page 21

Discrete-time Fourier Transform

Page 22

Spectral analysis

• We define two functions

• The power of the attack stream P(f)

• The quantile of the attack stream F(p)

Page 23

The cumulative power P(f) & C(f)

Page 24

The quantile F(p)
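The spectral pipeline of slides 19 to 24, x(t) → r(k) → S(f) → P(f), C(f) → F(p), carried through as an added Python example (not the slides' or the paper's code). The slides show the formulas only as figures, so standard definitions are assumed here: x(t) counts arrivals per 1 ms bin, r(k) is the biased autocorrelation estimate of the mean-removed series, S(f) is the discrete-time Fourier transform of r(k) evaluated on the one-sided grid f_m = m·fs/N, P(f) is the running sum of S, C(f) = P(f)/P(f_max), and F(p) is the lowest frequency at which C(f) reaches p. The two traffic streams, one host sending every 3 ms against five bursting zombies with different periods, and the choice p = 0.6 are constructed for the example.

```python
# Added example, not the slides' or the paper's code: spectral analysis of a
# packet stream in pure Python (no numpy needed).
import math

FS_HZ = 1000      # assumption: x(t) counts arrivals per 1 ms bin, so the sampling rate is 1000 Hz
N_BINS = 600      # assumption: analyse 600 ms of traffic (every constructed period divides 600)


def packet_counts(timestamps_ms, n_bins=N_BINS):
    """x(t): number of packets that arrived in millisecond bin t, t = 0..n_bins-1."""
    x = [0] * n_bins
    for t in timestamps_ms:
        if 0 <= t < n_bins:
            x[t] += 1
    return x


def autocorrelation(x):
    """r(k), k = 0..N-1: biased autocorrelation estimate of the mean-removed series."""
    n = len(x)
    mean = sum(x) / n
    y = [v - mean for v in x]
    return [sum(y[t] * y[t + k] for t in range(n - k)) / n for k in range(n)]


def power_spectrum(r, fs=FS_HZ):
    """S(f): discrete-time Fourier transform of r(k) on the one-sided grid
    f_m = m*fs/N, m = 0..N/2. r is even, so S(f) = r(0) + 2*sum_k r(k)*cos(2*pi*f*k/fs)."""
    n = len(r)
    freqs, s = [], []
    for m in range(n // 2 + 1):
        val = r[0] + 2 * sum(r[k] * math.cos(2 * math.pi * m * k / n) for k in range(1, n))
        freqs.append(m * fs / n)
        s.append(abs(val))  # this S is a periodogram, so it is >= 0; abs only strips rounding noise
    return freqs, s


def cumulative_power(s):
    """P(f): power accumulated up to f; C(f) = P(f)/P(f_max), its normalised form."""
    p, running = [], 0.0
    for v in s:
        running += v
        p.append(running)
    c = [v / p[-1] for v in p]
    return p, c


def quantile(freqs, c, p):
    """F(p): the lowest frequency at which C(f) reaches the fraction p of the total power."""
    for f, cv in zip(freqs, c):
        if cv >= p:
            return f
    return freqs[-1]


def spectral_quantile(timestamps_ms, p=0.6):
    """Whole pipeline: F(p) in Hz for a list of packet arrival times in ms."""
    freqs, s = power_spectrum(autocorrelation(packet_counts(timestamps_ms)))
    _, c = cumulative_power(s)
    return quantile(freqs, c, p)


# --- constructed streams (600 ms at 1 ms resolution) -------------------------

def single_source_stream(period_ms=3):
    """One host sending a packet every 3 ms: a clean periodicity at 333 Hz."""
    return list(range(0, N_BINS, period_ms))


ZOMBIES = ((20, 5, 0), (24, 6, 7), (25, 5, 3), (30, 6, 11), (40, 8, 17))  # (period_ms, burst_len, phase_ms)


def multi_source_stream(zombies=ZOMBIES):
    """Five zombies, each sending burst_len back-to-back packets every period_ms
    starting at its own phase; the aggregate's power sits at low frequencies."""
    ts = []
    for period, burst, phase in zombies:
        for start in range(phase, N_BINS, period):
            ts.extend(range(start, start + burst))
    return ts


if __name__ == "__main__":
    print(f"single source F(60%) = {spectral_quantile(single_source_stream()):.1f} Hz")
    print(f"multi source  F(60%) = {spectral_quantile(multi_source_stream()):.1f} Hz")
```

For the single host all of the non-DC power lands at 333 Hz, so F(60%) is about 333 Hz; for the aggregated zombies most of the power sits in the first two harmonics of each zombie's period, so F(60%) falls below 100 Hz. That shift of the quantile towards lower frequencies is what the sample graphs on the following slides compare.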

Page 25

Sample Graphs Single Source

Page 26

Sample Graph Two Sources

Page 27

Sample Graph Three Sources

Page 28

Sample Graph Multiple Sources

Page 29

Conclusion

• Possible to determine type of DoS attack

• Analysis can be performed on the attack to determine if it is single- or multi-sourced

• Need for an automated tool to produce these analyses