Inferring Internet Denial-of-Service Activity
David Moore, Geoffrey M. Voelker, Stefan Savage
Presented by Yuemin Yu – CS290F – Winter 2005
Outline
- Motivation
- Attack types
- Backscatter analysis
- Results
- Conclusion
Motivation
- "How prevalent are DoS attacks on the Internet today?"
- Nature of the current threats
- Longer-term analysis of trends and recurring patterns of attacks
- Publish quantitative data about attacks
Attack Types
- Logic attacks
  - Exploit software vulnerabilities
  - Countered by software patches
- Flooding attacks
  - Distributed DoS
  - Spoof the source IP address randomly
  - Exhaust system resources
Backscatter
- Attacker uses randomly selected source IP addresses
- Victim replies to the spoofed source IP
- Results in unsolicited responses from the victim to third-party IP addresses
Backscatter (diagram slide)
Backscatter Analysis
- m attack packets sent
- n distinct IP addresses monitored
- Expectation of observing an attack (formula on slide)
- R': actual rate of attack
- R: extrapolated attack rate
Analysis Assumptions
- Address uniformity
  - Sources spoofed at random
  - Uniformly distributed
- Reliable delivery
  - Attack and backscatter traffic delivered reliably
- Backscatter hypothesis
  - Unsolicited packets observed represent backscatter
Attack classifications
- Flow-based
  - Based on target IP address and protocol
  - Fixed time frame (within 5 minutes of the most recent packet)
- Event-based
  - Based on target IP address only
  - Fixed time frame
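To make the Backscatter Analysis and Attack classifications slides concrete, here is an added example (not code from the paper or the slides) that groups constructed backscatter packets into flow-based and event-based attacks and extrapolates the observed rate. It uses the paper's relations E[X] = nm/2^32 and R >= R' * 2^32/n with the /8 monitor (n = 2^24) from the Data collection slide; the sample packets, IPs and timestamps are constructed.

```python
"""Backscatter analysis: group unsolicited packets into attacks and
extrapolate the attack rate from the monitored fraction of the address
space. Added example; sample packets below are constructed."""
from collections import defaultdict

MONITORED = 2 ** 24     # a /8 network: 1/256 of the IPv4 address space
TIMEOUT = 5 * 60        # an attack ends 5 minutes after its last packet


def expected_observed(m, monitored=MONITORED):
    """E[X] = n*m / 2^32: of m attack packets with uniformly random
    spoofed sources, this many land on the n monitored addresses."""
    return m * monitored / 2 ** 32


def extrapolate_rate(observed_rate, monitored=MONITORED):
    """R >= R' * 2^32 / n: scale the rate seen at the monitor (R')
    up to the rate the victim actually receives (R)."""
    return observed_rate * 2 ** 32 / monitored


def flow_key(victim, proto):    # flow-based: target IP and protocol
    return (victim, proto)


def event_key(victim, proto):   # event-based: target IP only
    return victim


def group_attacks(packets, key):
    """Split (time_s, victim, protocol) backscatter packets into attacks:
    one sequence per key(), closed after TIMEOUT seconds of silence."""
    by_key = defaultdict(list)
    for t, victim, proto in sorted(packets):
        by_key[key(victim, proto)].append(t)
    attacks = []
    for k, times in by_key.items():
        cur = None
        for t in times:
            if cur is None or t - cur["last"] > TIMEOUT:
                cur = {"key": k, "first": t, "last": t, "packets": 0}
                attacks.append(cur)
            cur["last"] = t
            cur["packets"] += 1
    for a in attacks:
        span = max(a["last"] - a["first"], 1)        # single-packet attacks
        a["observed_rate"] = a["packets"] / span     # R' in packets/s
        a["extrapolated_rate"] = extrapolate_rate(a["observed_rate"])  # R
    return attacks


# Constructed sample: (time_s, victim IP, protocol of the unsolicited reply)
SAMPLE = [(0, "10.1.1.1", "tcp"), (60, "10.1.1.1", "tcp"), (120, "10.1.1.1", "icmp"),
          (1000, "10.1.1.1", "tcp"), (0, "10.2.2.2", "tcp"), (30, "10.2.2.2", "tcp")]
```

On the sample, flow-based grouping yields four attacks and event-based grouping three, because the TCP and ICMP replies from 10.1.1.1 merge into one event.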
Data collection
- /8 network: 2^24 IP addresses, 1/256 of the Internet address space
Data collection (continued)
- Collect data and extract the following information:
  - TCP flags
  - ICMP payload
  - Address uniformity
  - Port settings
  - DNS information
  - Routing information
Results (chart slides; figures not reproduced in the transcript)
- Response/used protocols
- Rate of attack
- Victims by port
- Attack duration: cumulative probability density
- Top-level domain
- Victims by hostname
- Autonomous system
- Repeated attacks
Conclusion
- Observed 12,000 attacks against more than 5,000 distinct targets
- Distributed over many different domains and ISPs
- A small number of long attacks accounts for a large percentage of attack volume
- An unexpected number of attacks targeting home, foreign and specific ISPs
Thanks

Questions?