Transcript ppt

Inferring Internet
Denial-of-Service
Activity
Authors:
David Moore, Geoffrey M. Voelker and Stefan Savage;
University of California, San Diego
Published: USENIX Security Symposium 2001
Presenter: Xingbo Gao
Outline
- Contribution
- Motivation
- Introduction of Denial-of-Service (DoS) Attacks
- Basic Methodology
- Attack Classification
- Results
- Strengths, Weaknesses and Improvements

Contribution
- Presented a novel technique, "backscatter analysis", to estimate worldwide DoS activity
- Performed a three-week-long real-world experiment on a /8 network and classified the observed DoS attacks quantitatively

Motivation
- How prevalent are DoS attacks in the Internet today?
  - How often do they occur?
  - Which attack protocols are used?
  - Attack rate?
  - Attack duration?
  - Victim names and domains?
  - And more ...

DoS Attack Introduction
- Devastating
  - Feb. 2000: a "fast" and "intense" assault took down Yahoo, eBay and E*Trade
    - Yahoo's main site was unreachable for around three hours on Monday
    - "This was so fast and so intense that we couldn't even redirect our traffic," a Yahoo spokesperson said. (CNN)
  - Jan. 2001: manual misconfiguration of a router made Microsoft websites unreachable on Tuesday and Wednesday; they stayed inaccessible throughout Thursday due to a DoS attack (PC World)
  - The FBI investigated both incidents ...

DoS Attack Introduction - contd
- Logic attacks: exploit software flaws
  - Ping-of-Death
- Flooding attacks: overwhelm CPU, memory or network resources
  - SYN flood
  - TCP ACK, NUL, RST and DATA floods
  - ICMP Echo Request floods
  - And so on ...

DoS Attack Introduction - contd
- SYN flood
  [Figure: two TCP handshake diagrams. Normal case: S sends SYN x to D (in LISTEN); D replies SYN y, ACK x+1 and enters SYN_RECVD; S answers ACK y+1 and the connection is CONNECTED. Attack case: A sends a SYN with a non-existent spoofed source address to D (in LISTEN); D replies SYN+ACK to the spoofed address (labelled "TCP RST") and stays in SYN_RECVD; port flooding occurs.]

DoS Attack Introduction - contd
- Distributed denial-of-service attack (DDoS)
  - Control a group of "zombie" hosts to launch an assault on specific target(s)
  - A botnet can perform DDoS attacks
- IP spoofing
  - Attackers forge IP source addresses
  - Simple technique, but very difficult to trace back
  - "Backscatter" analysis relies on this IP spoofing

Basic Methodology - Backscatter
[Figure: the attacker floods the victim with spoofed-source packets; the victim's replies ("backscatter") are scattered across the Internet to hosts B, D and E. Experimental platform: a monitor attached through a hub to a /8 network.]
- Expected number of backscatter packets seen by the monitor:
  E(X) = m * n / 2^32, i.e. E(X) = m / 256 for a /8 network
  n - number of distinct IP addresses monitored
  m - number of attacking packets
- Estimated attack rate:
  R >= (2^32 / n) * R' = 256 R' for a /8 network
  R' - measured average inter-arrival rate of backscatter

Attack Classification
- Flow-based classification
  - A flow is a series of consecutive packets sharing the same target IP address and IP protocol
  - Flow lifetime: fixed five-minute approach
  - Reduce noise and misconfiguration traffic by setting thresholds
  - Extract packet information from flows
- Event-based classification
  - Flow-based classification obscures time-domain characteristics
  - An attack event is defined by a victim emitting at least ten backscatter packets in one minute
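An added worked example (my own code, not the paper's or the talk's) that ties the methodology slide to the classification slide: it groups constructed backscatter records into five-minute flows, finds one-minute attack events (at least ten packets), and scales a measured backscatter rate R' by 2^32 / n to bound the attack rate. The sample records and the victim addresses are constructed; the record layout (timestamp, victim address, IP protocol) is an assumption.

```python
from collections import defaultdict

MONITORED_ADDRS = 2 ** 24          # /8 network monitored
SCALE = 2 ** 32 / MONITORED_ADDRS  # 256: monitor sees ~1/256 of a victim's replies
FLOW_TIMEOUT = 300                 # fixed five-minute flow lifetime
EVENT_MIN_PKTS = 10                # event: >= 10 backscatter packets in one minute

def build_flows(packets, timeout=FLOW_TIMEOUT):
    """Flow-based view: consecutive packets sharing (victim, protocol); a gap longer than timeout closes the flow."""
    flows, current = [], {}
    for ts, victim, proto in sorted(packets):
        key = (victim, proto)
        idx = current.get(key)
        if idx is None or ts - flows[idx]["end"] > timeout:
            flows.append({"victim": victim, "proto": proto, "start": ts, "end": ts, "pkts": 0})
            idx = current[key] = len(flows) - 1
        flows[idx]["end"] = ts
        flows[idx]["pkts"] += 1
    return flows

def attack_events(packets, min_pkts=EVENT_MIN_PKTS):
    """Event-based view: per victim, the one-minute bins holding >= min_pkts backscatter packets."""
    bins = defaultdict(int)
    for ts, victim, _proto in packets:
        bins[(victim, int(ts // 60))] += 1
    events = defaultdict(list)
    for (victim, minute), n in sorted(bins.items()):
        if n >= min_pkts:
            events[victim].append((minute, n))
    return dict(events)

def estimate_attack_rate(backscatter_pkts, seconds, scale=SCALE):
    """Lower bound on the flood rate at the victim: R >= R' * 2^32 / n, with R' = backscatter_pkts / seconds."""
    return backscatter_pkts / seconds * scale

# Constructed sample (not measurement data): victim 10.0.0.1 gets two
# two-minute TCP bursts (15 replies/minute each) separated by a ~15-minute gap;
# 192.0.2.9 emits sparse ICMP replies that stay below the event threshold.
SAMPLE = ([(4.0 * t, "10.0.0.1", 6) for t in range(30)]
          + [(1020 + 4.0 * t, "10.0.0.1", 6) for t in range(30)]
          + [(30.0 * t, "192.0.2.9", 1) for t in range(4)])

if __name__ == "__main__":
    for f in build_flows(SAMPLE):
        print(f"flow {f['victim']} proto {f['proto']}: {f['pkts']} pkts over {f['end'] - f['start']:.0f} s")
    for victim, bins in attack_events(SAMPLE).items():
        peak = max(n for _, n in bins)
        print(f"{victim}: {len(bins)} attack minutes, peak {peak} pkts/min -> "
              f"rate >= {estimate_attack_rate(peak, 60):.0f} pkts/s")
```

The noise victim never forms an event, and the 15-minute gap splits the TCP traffic into two flows under the five-minute lifetime but into one flow if the timeout is raised above the gap.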
Experimental Results
- Breakdown of attack protocols
  [Figure: pie chart with slices TCP, UDP, ICMP, Proto 0 and Other; the slice values shown are 90%, 5%, 2.80%, 2.60% and 0.05%, with TCP the dominant slice.]
- Attack Frequency
  [Figure: estimated number of attacks per hour as a function of time (UTC)]
- Attack Rate and Duration
  [Figure: cumulative distribution of estimated attack rates in packets per second]
  [Figure: probability density of attack durations]

Strengths of the Paper
- Presented a novel technique, "backscatter analysis", to estimate worldwide DoS activity
- Performed a three-week-long real-world experiment on a /8 network and classified the observed DoS attacks quantitatively
- The data is still available for public research

Weaknesses of the Paper
- Analysis limitations (the method rests on three assumptions)
  - Uniformity of spoofed source addresses
  - Reliable delivery of backscatter
  - The backscatter hypothesis itself
- Difficult to validate
  - Unable to explain some scenarios presented in the resulting graphs

How to Improve the Paper?
- Find or create a theoretical model of DoS attacks, as has been done for worm propagation?
- Take geography into consideration
- Conduct more research and experiments to fully explain the figures presented

Questions?