Inferring Internet Denial-of-Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005
Feb 25, 2016
Inferring Internet Denial-of-Service Activity
David Moore, Geoffrey M Voelker, Stefan Savage
Presented by Yuemin Yu – CS290F – Winter 2005
Outline
Motivation Attack types Backscatter analysis Results Conclusion
Motivation
“How to prevalent are DOS attacks today on the internet?”
Nature of the current treats Longer term analyses of trends and recurring
patterns of attacks Publish quantitative data about attacks
Attack Types
Logic attacks Exploit software vulnerabilities Software patches
Flooding attacks Distributed DoS Spoof source IP address randomly Exhaust system resources
Backscatter
Attacker uses randomly selected source IP address
Victim reply to spoofed source IP Results in unsolicited response from victim to
third party IP addresses
Backscatter
Backscatter Analysis m attack packets sent n distinct IP address
monitored Expectation of
observing an attack:
R’ Actual rate of attack: R extrapolated attack
rate
Analysis Assumptions
Address uniformity Spoof at random Uniformly distributed
Reliable delivery Attack and backscatter traffic delivered reliably
Backscatter hypothesis Unsolicited packets observed represent
backscatter
Attack classifications
Flow-based Based on target IP address and protocol Fixed time frame (Within 5mins of most recent
packet) Event-based
Based on target IP address only Fixed time frame
Data collection
/8 network 2^24 IP 1/256 of internet address space
Data collections
Collect data extract following information TCP flags ICMP payload Address uniformity Port settings DNS information Routing information
Response/Used Protocols
Rate of attack
Victims by ports
Attack Duration Cumulative - Probability
Cumulative probability density
Top level domain
Victims by Hostnames
Autonomous System
Repeated Attacks
Conclusion
Observed 12,000 attacks against more than 5,000 distinct targets.
Distributed over many different domains and ISP
Small # long attacks with large % of attack volume
An unexpected amount of attacks targeting home, foreign, specific ISP
Thanks
Questions?