A Framework for Classifying Denial of Service Attacks
Alefiya Hussain, John Heidemann and Christos Papadopoulos
Presented by Nahur Fonseca, NRG, June 22nd, 2004
This paper is NOT about…
Detecting DoS attacks, although the authors suggest an application for it at the end.
Responding to DoS attacks.
Dealing with smart attacks that exploit software bugs or protocol synchronization (so don't worry Mina, you can continue your plans to take over the World).
Problem and Motivation
Problem: need a robust and automatic way of classifying DoS attacks into two classes: single-source and multi-source.
Because: the two types of attack (single- or multi-source) call for different responses.
Classification is not easy. For instance, source addresses can be spoofed by the attacker.
Preliminaries
Zombies vs. reflectors
Single- vs. multi-source
Direct vs. reflection
Discussion: DWE Quiz
1) Is this problem interesting at all?
2) What could make it a SIGCOMM paper?
3) [Optional] What is the related work?
4) What should be the OUTLINE of the rest of the presentation?
Outline
Description of traces used
Four classification techniques
Evaluation of results
Conclusion, discussion and validation
Data Collection
Monitored two links at a moderate-size ISP.
Captured packet headers in both directions using tcpdump, saving a new trace file every two minutes.
An attack is detected when: a) the number of sources sending to the same destination exceeds 60 within 1 s, or b) the traffic rate exceeds 40K packets/s.
Detected attacks were verified manually; the detector's false positive rate was 25 – 35%.
Result: a total of 80 attacks in 5 months.
T1: Packet Header Analysis
Based on the IP ID and TTL fields, which are filled in by the sender's OS.
Idea: identify sequences of increasing ID numbers with a fixed TTL; each such sequence is evidence of one sending host.
Classified 67 / 80 attacks.
Some statistics: 87% of attacks show evidence of root access on the attacking host; TCP is the most common protocol, followed by ICMP.

Attack type      # of attacks
Single-source    37
Multi-source     10
Reflected        20
Unclassified     13
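The following is an added example, not code from the paper or the presentation, of the header-analysis idea on this slide: packets that carry a fixed TTL and IP ID values that advance by small steps (a single OS counter, wrapping at 65536) are counted as one sequence, and the number of such sequences is taken as the number of sending hosts. The packet records, the thresholds MAX_GAP, MIN_PACKETS and SEQ_FRACTION, and the sample traffic are all constructed for illustration; the real classifier in the paper was applied by hand to the traces.

```python
"""Count sender sequences from IP ID / TTL patterns (illustrative, assumptions marked)."""
from collections import defaultdict

MAX_GAP = 8          # assumed: largest forward jump in IP ID still attributed to one OS counter
MIN_PACKETS = 10     # assumed: TTL groups with fewer packets are too short to judge
SEQ_FRACTION = 0.9   # assumed: share of in-order steps needed to call a group one sequence


def id_delta(prev_id, cur_id):
    """Forward distance between two 16-bit IP ID values, allowing for wraparound at 65536."""
    return (cur_id - prev_id) % 65536


def sequential_fraction(ids):
    """Fraction of consecutive ID pairs (in arrival order) that advance by 1..MAX_GAP."""
    if len(ids) < 2:
        return 0.0
    steps = [id_delta(a, b) for a, b in zip(ids, ids[1:])]
    in_order = sum(1 for d in steps if 1 <= d <= MAX_GAP)
    return in_order / len(steps)


def count_sequences(packets):
    """Group packets by TTL and count groups whose IDs form one increasing sequence."""
    by_ttl = defaultdict(list)
    for pkt in packets:                      # packets must be in arrival order
        by_ttl[pkt["ttl"]].append(pkt["id"])
    return sum(
        1 for ids in by_ttl.values()
        if len(ids) >= MIN_PACKETS and sequential_fraction(ids) >= SEQ_FRACTION
    )


def classify_by_headers(packets):
    """One sequence -> single-source; several -> multi-source; none -> unclassified."""
    n = count_sequences(packets)
    if n == 0:
        return "unclassified"        # e.g. raw-socket tools that randomize the ID field
    if n == 1:
        return "single-source"
    return "multi-source"


# ---- constructed sample traffic (not from the paper's traces) ----
def make_stream(ttl, first_id, count, src_pattern):
    """One host's packets: fixed TTL, IDs advancing by one, source address possibly spoofed."""
    return [{"src": src_pattern % (i % 7), "ttl": ttl, "id": (first_id + i) % 65536}
            for i in range(count)]


def interleave(a, b):
    """Merge two streams as they would appear on the wire."""
    out = []
    for x, y in zip(a, b):
        out.extend([x, y])
    return out


# single host spoofing seven source addresses; its ID counter wraps from 65535 to 0
SINGLE_SPOOFED = make_stream(52, 65520, 30, "203.0.113.%d")
# two zombies with different path lengths (TTLs) and independent ID counters
MULTI = interleave(make_stream(52, 1000, 20, "198.51.100.%d"),
                   make_stream(117, 40000, 20, "192.0.2.%d"))
# one host whose tool writes a pseudo-random ID into every packet
RAW_RANDOM = [{"src": "203.0.113.9", "ttl": 64, "id": (i * 7919) % 65536} for i in range(40)]

if __name__ == "__main__":
    for name, pkts in [("spoofed single host", SINGLE_SPOOFED),
                       ("two zombies", MULTI), ("random IDs", RAW_RANDOM)]:
        print(f"{name}: {classify_by_headers(pkts)} ({count_sequences(pkts)} sequence(s))")
```

The spoofed source addresses in SINGLE_SPOOFED do not fool the check, which is the point of the slide: the ID counter and the TTL are set by the sending kernel, not by the address the attacker writes into the packet.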
T2: Arrival Rate Analysis
[Figure: attack rate (pkt/s) per attack, grouped as single-source, multi-source and reflected]
Single-source, multi-source and reflected attacks have different mean rates.
Kruskal-Wallis one-way ANOVA test: F = 37 (>> 1), p = 1.7 x (<< 1)
T3: Ramp-Up Behavior
Single-source attacks start at full throttle.
All multi-source attacks showed a ramp-up, due to the synchronization of zombies.
[Figure: attack rate (pkt/s) vs. time (seconds). (Left) one of the 13 unclassified attacks. (Right) an attack whose ramp-up agrees with the header analysis]
T4: Spectral Content Analysis
Treat the trace as a time series.
Consider segments in steady state only.
Compute the power spectral density S(f).
C(f) is the normalized cumulative power up to frequency f.
F(p) = C(f)
[Figure: S(f) and C(f) vs. frequency (Hz). a) Single-source. b) Multi-source]
The F(60%) Spectral Test
Single-source: F(60%) in [ ] Hz
Multi-source: F(60%) in [ ] Hz
The Wilcoxon rank sum test is used to verify that the two classes have different F(.) ranges.
Validation of the F(60%) Test
Observations at a smaller alternate site.
Controlled experiments over the Internet with varying topology (clustered vs. distributed) and number of attackers (1 to 5 Iperf clients).
Use of attack tools (punk, stream and synful) in a testbed network.
Effect of Topology
Effect of Increasing the Number of Attackers
Similar curves for the controlled experiment and for the testbed attack using hacker tools.
Why?
Aggregation of two scaled sources? No! a_1(t) = a(t) + a((s + )t)
Bunching of traffic (like ACK compression)? No! a_2(t): delay the arrival of packets until 5-15 have accumulated and send them all at once
Aggregation of two shifted sources? No! a_3(t) = a(t) + a(t + + )
Aggregation of multiple slightly shifted sources? Yes! a_3b(t) = a(t + i), 2 < i < n
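As an added example (not the authors' code) covering both the T4 spectral test and the "multiple slightly shifted sources" explanation on this slide, the block below builds a 1 ms-binned packet-count series for one periodic sender and for the sum of several copies of it shifted by a millisecond each, then computes the centered one-sided periodogram S(f), the normalized cumulative power C(f), and F(p) as the lowest frequency at which C(f) reaches p. The sampling rate, the 50 pkt/s pulse train, the five shifts and the use of a plain DFT periodogram (rather than the paper's exact estimator) are all assumptions made for this illustration.

```python
"""F(60%) on a single periodic source vs. the sum of slightly shifted copies (illustrative)."""
import cmath
import math

FS = 1000.0  # assumed: one bin per millisecond, so the spectrum spans 0..500 Hz


def pulse_train(n, period, shift=0):
    """Constructed packet-count series: one packet every `period` ms, starting at `shift`."""
    return [1 if (t - shift) % period == 0 else 0 for t in range(n)]


def aggregate(n, period, shifts):
    """a_3b(t) = sum over i of a(t + delta_i): several zombies running the same tool."""
    out = [0] * n
    for s in shifts:
        for t, v in enumerate(pulse_train(n, period, s)):
            out[t] += v
    return out


def one_sided_psd(series):
    """Periodogram S(f) of the mean-removed series on bins 0..n/2 (direct DFT, n even)."""
    n = len(series)
    mean = sum(series) / n
    x = [v - mean for v in series]
    freqs, power = [], []
    for m in range(n // 2 + 1):
        acc = sum(x[t] * cmath.exp(-2j * math.pi * m * t / n) for t in range(n))
        p = abs(acc) ** 2 / n ** 2
        if 0 < m < n // 2:
            p *= 2          # fold the negative-frequency half into the one-sided spectrum
        freqs.append(m * FS / n)
        power.append(p)
    return freqs, power


def cumulative_power(power):
    """C(f): cumulative power up to each frequency, normalized to 1 at the Nyquist frequency."""
    total = sum(power)
    out, acc = [], 0.0
    for p in power:
        acc += p
        out.append(acc / total)
    return out


def f_of_p(freqs, cum, p):
    """F(p): the lowest frequency at which C(f) reaches the fraction p."""
    for f, c in zip(freqs, cum):
        if c >= p:
            return f
    return freqs[-1]


def f60(series):
    """The F(60%) statistic used by the spectral test."""
    freqs, power = one_sided_psd(series)
    return f_of_p(freqs, cumulative_power(power), 0.6)


SINGLE = pulse_train(400, 20)                 # one host sending 50 pkt/s
MULTI = aggregate(400, 20, [0, 1, 2, 3, 4])   # five hosts, each 1 ms behind the previous one

if __name__ == "__main__":
    print("single source      F(60%) =", f60(SINGLE), "Hz")
    print("5 shifted sources  F(60%) =", f60(MULTI), "Hz")
```

For the single source the power sits evenly on the harmonics of 50 Hz, so 60% of it is only reached at 300 Hz; adding the shifted copies cancels the higher harmonics and concentrates the power at 50 and 100 Hz, which is the downward shift of F(60%) that the multi-source class shows on the previous slides.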
Conclusions
'Network security is an arms race.' Hence the need for more robust techniques.
Once detection is done, spectral analysis can be used to identify the type of attack and trigger the appropriate response.
Contribution: a model of the attack traffic pattern.
Use of statistical tests to make inferences about attack patterns.
Discussion
How could a single-source attacker try to fool the spectral analysis tool?
What is the spectral signature of normal traffic?
What other types of patterns could we identify and design statistical tests for?
More thoughts?