Published by Ethelbert Watson. Modified over 9 years ago.
Slide 1: Inferring Internet Denial-of-Service Activity
Authors: David Moore, Geoffrey M. Voelker and Stefan Savage; University of California, San Diego
Published: USENIX Security Symposium 2001
Presenter: Xingbo Gao
Slide 2: Outline
- Contribution
- Motivation
- Introduction to Denial-of-Service (DoS) Attacks
- Basic Methodology
- Attack Classification
- Results
- Strengths, Weaknesses and Improvements
Slide 3: Contribution
- Presented a novel technique, "backscatter analysis", to estimate worldwide DoS activity
- Performed three-week-long real experiments on a /8 network and classified the DoS attacks quantitatively
Slide 4: Motivation
How prevalent are DoS attacks in the Internet today?
- How often?
- What attack protocols are used?
- Attack rate?
- Attack duration?
- Victim names and domains?
- And more ...
Slide 5: DoS Attack Introduction
Devastating:
- Feb. 2000: a "fast" and "intense" assault took down Yahoo, eBay and E*Trade. Yahoo's main site was unreachable for around three hours on Monday. "This was so fast and so intense that we couldn't even redirect our traffic," a Yahoo spokesperson said. (CNN)
- Jan. 2001: manual misconfiguration of a router left Microsoft websites unreachable on Tuesday and Wednesday; they were inaccessible throughout Thursday due to a DoS attack. (PC World)
- The FBI investigated both incidents ...
Slide 6: DoS Attack Introduction (contd.)
Logic attacks: exploit software flaws
- Ping-of-Death
Flooding attacks: overwhelm CPU, memory or network resources
- SYN flood
- TCP ACK, NUL, RST and DATA floods
- ICMP Echo Request floods
- And so on ...
Slide 7: DoS Attack Introduction (contd.)
SYN flood (diagram): normal handshake between S and D: S sends SYN x; D answers SYN y, ACK x+1 and moves from LISTEN to SYN_RECVD; S sends ACK y+1 and the connection is CONNECTED. Under attack, A sends SYNs with non-existent, spoofed source addresses to D; D answers each with SYN+ACK (or the spoofed host, if it exists, replies with TCP RST), stays in SYN_RECVD, and port flooding occurs.
Slide 8: DoS Attack Introduction (contd.)
Distributed denial-of-service attack (DDoS)
- Control a group of "zombie" hosts to launch an assault on specific target(s)
- A botnet can perform DDoS attacks
IP spoofing
- Attackers forge IP source addresses
- A simple technique, but very difficult to trace back
- Backscatter analysis relies on IP spoofing
Slide 9: Basic Methodology - Backscatter
(Diagram: the Attacker sends packets with spoofed source addresses to the Victim; the Victim's replies, the "backscatter", go to the spoofed addresses B, D and E.)
Slide 10: Experimental Platform
(Diagram: Internet - Hub - /8 network - Monitor)
- n: number of distinct IP addresses monitored
- m: number of attacking packets
- R': measured average inter-arrival rate of backscatter
Slide 11: Attack Classification
Flow-based classification
- A flow is a series of consecutive packets sharing the same target IP address and IP protocol
- Flow lifetime: fixed five-minute approach
- Reduce noise and misconfiguration traffic by setting thresholds
- Extract packet information from flows
Event-based classification
- Flow-based classification obscures time-domain characteristics
- An attack event is defined by a victim emitting at least ten backscatter packets in one minute
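As an added example (not from the slides or the paper's own tooling), the following Python sketch applies the two classifications from this slide to a constructed backscatter sample and extrapolates a victim's attack rate from the measured rate R' and the monitor size n; the lower bound R >= R' * 2^32 / n assumes uniformly spoofed source addresses, as the paper does. All records, IP addresses and timestamps are constructed.

```python
from collections import defaultdict

FLOW_TIMEOUT = 300      # fixed five-minute flow lifetime (seconds)
EVENT_THRESHOLD = 10    # backscatter packets per victim per minute => attack event

# Constructed sample of backscatter records: (timestamp_s, victim_ip, ip_protocol).
# The victim appears as the *source*, since it is answering spoofed SYNs.
BACKSCATTER = (
    [(60 + 3 * i, "203.0.113.7", "TCP") for i in range(30)]    # burst: 30 pkts in 87 s
    + [(1000, "203.0.113.7", "TCP")]                            # >5 min later: new flow
    + [(5 + 20 * i, "198.51.100.9", "ICMP") for i in range(4)]  # sparse: below threshold
)

def build_flows(packets, timeout=FLOW_TIMEOUT):
    """Flow-based: consecutive packets with same victim IP and protocol, split on gaps > timeout."""
    flows, open_flows = [], {}
    for pkt in sorted(packets):
        ts, victim, proto = pkt
        key = (victim, proto)
        if key in open_flows and ts - open_flows[key][-1][0] <= timeout:
            open_flows[key].append(pkt)
        else:
            open_flows[key] = [pkt]           # same list object is also kept in `flows`
            flows.append(open_flows[key])
    return flows

def flow_backscatter_rate(flow):
    """Measured backscatter rate R' (packets/s) over the flow's lifetime."""
    return len(flow) / max(flow[-1][0] - flow[0][0], 1)

def estimate_attack_rate(measured_rate, n_monitored):
    """Extrapolate R' to the rate at the victim. Assumes spoofed sources are uniform
    over IPv4, so a monitor of n addresses sees n / 2^32 of the replies; it is a
    lower bound, R >= R' * 2^32 / n, since some backscatter is filtered or dropped."""
    return measured_rate * 2 ** 32 / n_monitored

def attack_events(packets, threshold=EVENT_THRESHOLD):
    """Event-based: (victim, minute) buckets with at least `threshold` backscatter packets."""
    per_minute = defaultdict(int)
    for ts, victim, _ in packets:
        per_minute[(victim, int(ts // 60))] += 1
    return sorted(k for k, c in per_minute.items() if c >= threshold)

if __name__ == "__main__":
    for f in build_flows(BACKSCATTER):
        r = flow_backscatter_rate(f)
        print(f[0][1], f[0][2], len(f), "pkts; R'=%.2f pkt/s; R>=%.1f pkt/s at victim (/8 monitor)"
              % (r, estimate_attack_rate(r, 2 ** 24)))
    print("attack events:", attack_events(BACKSCATTER))
```

For a /8 monitor (n = 2^24) the extrapolation factor is 256, so one observed backscatter packet per second implies at least 256 attack packets per second at the victim.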
Slide 12: Experimental Results
(Figure: breakdown of attack protocols)
Slide 13: Attack Frequency
(Figure: estimated number of attacks per hour as a function of time (UTC))
Slide 14: Attack Rate and Duration
(Figures: cumulative distribution of estimated attack rates in packets per second; probability density of attack durations)
Slide 15: Strengths of the Paper
- Presented a novel technique, "backscatter analysis", to estimate worldwide DoS activity
- Performed three-week-long real experiments on a /8 network and classified the DoS attacks quantitatively
- Data is still available for public research
Slide 16: Weaknesses of the Paper
Analysis limitations
- Uniformity of spoofed source addresses
- Reliable delivery of backscatter
- Backscatter hypothesis
Difficult to validate
- Some scenarios shown in the resulting graphs are left unexplained
Slide 17: How to Improve the Paper?
- Develop a theoretical model of DoS attacks, as has been done for worm propagation?
- Take geography into consideration
- Conduct further research and experiments to fully explain the figures presented
Slide 18: Questions?