Presentation is loading. Please wait.

Presentation is loading. Please wait.

Inferring Internet Denial-of-Service Activity Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego Publish:

Published byEthelbert Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "Inferring Internet Denial-of-Service Activity Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego Publish:"— Presentation transcript:

1 Inferring Internet Denial-of-Service Activity Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego Publish: Usenix Security Symposium 2001 Presenter: Xingbo Gao

2 Outline Contribution Motivation Introduction of Denial-of-Service (DoS) Attacks Basic Methodology Attack Classification Results Strengths, Weakness and Improvements

3 Contribution Presented a novel technique “backscatter analysis” to estimate the worldwide DoS activity Performed three-week long real experiments on /8 network and classified the DoS attacks quantitatively

4 Motivation How prevalent are DoS attacks in the Internet today?  How often?  What attack protocols used?  Attack rate?  Attack duration?  Victim names and domains?  And more …

5 DoS Attack Introduction Devastating  Feb. 2000 “fast” and “intense” assault took down Yahoo, Ebay and E*trade  Yahoo main site were unreachable for around three hours on Monday  "This was so fast and so intense that we couldn't even redirect our traffic," Yahoo spokesperson said. (CNN)  Jan. 2001 manual mis-configuration of a router caused Microsoft websites unreachable for Tue and Wed; inaccessible throughout Thursday due to a DoS attack (PC World)  FBI investigated both incidents …

6 DoS Attack Introduction - contd Logic attacks: software flaws  Ping-of-Death Flooding attacks: overwhelm CPU, memory or network resources  SYN flood  TCP ACK, NUL, RST and DATA floods  ICMP Echo Request floods  And so on …

7 DoS Attack Introduction - contd SYN flood TCP RST SD SYN x SYN y, ACK x+1 ACK y+1 LISTEN SYN_RECVD CONNECTED AD Non-existent spoofed SYN LISTEN SYN_RECVD SYN+ACK Port flooding occurs

8 DoS Attack Introduction - contd Distributed denial-of-service attack (DDoS)  Control a group of “zombie” hosts to launch assault on specific target(s)  A botnet can perform the DDoS attacks IP spoofing  Attackers forge IP source addresses  Simple technique but very difficult to trace-back  “Backscatter” is based on IP spoofing

9 Basic Methodology - Backscatter AttackerVictim E B D backscatter

10 Experimental Platform Internet Hub /8 network Monitor n - # distinct IP addresses monitored m - # attacking packets R’ – measured average inter-arrival rate of backscatter

11 Attack Classification Flow-based classification  A flow is a series of consecutive packets sharing the same target IP address and IP protocol  Flow lifetime: fixed five-minute approach  Reduce noise and misconfiguration traffic by setting thresholds  Extract packet information from flows Event-based classification  Flow-based obscures time-domain characteristics  An attack event is defined by a victim emitting at least ten backscatter packets in one minute

12 Experimental Results Breakdown of attack protocols

13 Attack Frequency Estimated number of attacks per hour as a function of time (UTC)

14 Attack Rate and Duration Cumulative distribution of estimated attack rates in packets per second Probability density of attack durations

15 Strengths of the Paper Presented a novel technique “backscatter analysis” to estimate the worldwide DoS activity Performed three-week long real experiments on /8 network and classified the DoS attacks quantitatively Data is still available for public research

16 Weakness of the Paper Analysis Limitations  Uniformity of spoofed source addresses  Reliable delivery of backscatter  Backscatter hypothesis Difficult to validate Unable to explain some scenarios presented in resulted graphs

17 How to Improve the Paper? Find and create a theoretic model to model DoS attacks like worm propagation? Take geography into consideration Take more researches and experiments to fully explain the figures presented

18 Questions ?

Download ppt "Inferring Internet Denial-of-Service Activity Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego Publish:"

Similar presentations

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.

(Distributed) Denial of Service Nick Feamster CS 4251 Spring 2008.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage Presented by Qian.

Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, and Stefan Savage Presented by Qian.
Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.

Analysis of a Denial of Service Attack on TCP Christoph L.Schuba, Ivan V.Krsul, Markus G. Kuhn, Eugene H.Spafford, Aurobindo Sundaram, Diego Zamboni July.
Use of Measurements in Anomaly Detection CS 8803: Network Measurements Seminar Instructor: Constantinos Dovrolis Fall 2003 Presenter: Buğra Gedik.

Use of Measurements in Anomaly Detection CS 8803: Network Measurements Seminar Instructor: Constantinos Dovrolis Fall 2003 Presenter: Buğra Gedik.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Security (Continued) V.T. Raja, Ph.D., Oregon State University.

Security (Continued) V.T. Raja, Ph.D., Oregon State University.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan Savage Presented by Thangam.

Inferring Internet Denial-of- Service Activity David Moore, Colleen Shannon, Douglas J. Brown, Geoffrey M. Voelker, Stefan Savage Presented by Thangam.
A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.

A Framework for Classifying Denial of Service Attacks Alefiya Hussain, John Heidemann and Christos Papadopoulos presented by Nahur Fonseca NRG, June, 22.
Outline Definition Point-to-point network denial of service

Outline Definition Point-to-point network denial of service
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Sponsored by.

Intruder Trends Tom Longstaff CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by.
Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.

Lan Nguyen Mounika Namburu 1.  DDoS Defense Research  A2D2 Design ◦ Subnet Flooding Detection using Snort ◦ Class -Based Queuing ◦ Multi-level Rate.
TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.

TCP/IP Network and Firewall. IP Packet Protocol  1 ICMP packet  6 TCP packet  17 UDP packet.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.
Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.

Detecting SYN-Flooding Attacks Aaron Beach CS 395 Network Secu rity Spring 2004.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Similar presentations

Ads by Google