Inferring internet denial of service activity
Inferring Internet Denial-of-Service activity. David Moore (San Diego Supercomputer Center, University of California, San Diego), Geoffrey M. Voelker and Stefan Savage (Department of Computer Science and Engineering, University of California, San Diego).

Presentation Transcript



Inferring Internet Denial-of-Service activity

David Moore (1), Geoffrey M. Voelker (2) and Stefan Savage (2)

(1) San Diego Supercomputer Center, University of California, San Diego

(2) Department of Computer Science and Engineering, University of California, San Diego

Presented by Yannis Klonatos


Outline

  • Introduction & Motivation

  • How do Denial-of-Service (DoS) attacks work?

  • Backscatter technique

  • Classifying DOS attacks

  • Results

  • Conclusions



Introduction

  • First, a personal remark:

    • If I were asked about Denial-of-Service (DoS) attacks before reading this paper, I would in short argue:

      “Why the hell care? Let Yahoo, eBay, E-Trade and Microsoft figure out the mess. Nobody cares about DoS.”

    • However, I soon learned that most victims are in fact smaller commercial sites and educational institutions.

    • And that these attacks seem not to be well publicized.

    • So, the main question is: “How prevalent are Denial-of-Service attacks in the Internet today?”

    • This paper answers exactly this question…


Motivation

  • There is currently not much quantitative data

    • neither about their prevalence

    • nor their characteristic behavior.

  • Moreover, there are multiple obstacles hampering the collection of an authoritative DoS traffic dataset:

    • Service and content providers consider such data sensitive and private.

    • Monitoring traffic at enough sites to obtain a representative measure of Internet-wide attacks presents a significant logistical challenge.



How do Denial-of-Service (DoS) attacks work?

  • So, let’s say that I am:

  • And, since I am a Sith, I want to cause harm to all the PCs of the world using DoS attacks.

  • “What must I do?” (I won’t use the Force, don’t worry)

  • Well… The first step is always to locate one (Windows) PC to attack.

  • So I choose the computer of…


How do Denial-of-Service (DoS) attacks work?

  • I have two ways to attack George’s PC:

    • First, I could exploit one of the numerous (Windows) bugs in his OS (a logic attack).

      • No fun, since George will just call Microsoft and they will patch the bug (NO! they won’t, but ok…).

    • However, I could also perform a flooding attack and try to overwhelm the CPU, memory or network of George’s PC.

      • How? Well, I will send George a HUGE amount of spurious small requests as fast as I can, so that he loses the ability to process them.

  • But… Remember that George is also a master of security in the DCS Lab at FORTH (advertisement…)


How do Denial-of-Service (DoS) attacks work?

  • So what I really want is to transform George from this state:

  • To this state:

  • And thus a war for victory and survival begins…


How do Denial-of-Service (DoS) attacks work?

  • Round 1: George says:

    “If I lack the resources to manage the huge amount of requests you send me, let’s double the resources in my machine”

  • But this is not enough, since I can send my requests from many machines at once:

    Distributed DoS attack (DDoS)

  • Score: Me (Sith) 1 – George 0


How do Denial-of-Service (DoS) attacks work?

  • Round 2: George (now a bit frustrated) shouts at me in anger:

    “I will catch you. I have a master’s degree in Computer Science, so I will find your IP and report you to the police… (a.k.a. the admins)”

  • But this is not enough either, since:

    • I am able to change the source IP address to a random address before sending you the request…

    • … so that when you receive it, you answer to a random host and cannot trace me!

  • This is called IP spoofing.

  • Score: Me (Sith) 2 – George 0


How do Denial-of-Service (DoS) attacks work?

  • Round 3: Now, it can get even better for me (and worse for George):

  • Suppose that when using IP spoofing, I specifically choose the IP of a machine that I know constantly broadcasts.

    • This machine is called a reflector machine.

  • Then, when George replies to the reflector machine, the reply is broadcast to a bunch of other nodes as well.

    • Thus, with the help of George, the attack is amplified even further (the network gets congested).

  • Final Score: Me (Sith) 3 – George 0

  • George, disappointed, leaves DCS and joins CARV.



Backscatter technique

  • So what can George do? Well, he has a way of knowing when and where a DoS attack takes place.

  • A key observation is that George MUST answer all the requests I send him… and since the source addresses are spoofed at random, his answers go to random hosts all over the Internet.

  • These unneeded “reply” packets are called backscatter.

  • George can measure DoS attacks through backscatter,

    • by observing many nodes like B, C, D for unsolicited responses.


Assumptions & limitations of the backscatter technique

  • Assumption 1:

    • Address uniformity: attackers spoof source addresses at random.

  • Limitations of assumption 1:

    • Many attacks do not use address spoofing.

    • “Reflector attacks”: the source address is specifically selected.

    • ISPs increasingly employ ingress filtering.

    • Since automated methods exist for compromising many hosts quickly, DDoS attacks can be launched from those hosts using their true IP addresses.


Assumptions & limitations of the backscatter technique

  • Assumption 2:

    • Reliable delivery: attack traffic and backscatter are delivered reliably.

  • Limitations of assumption 2:

    • Packets from the attacker and the responses may be queued and dropped.

    • Traffic may be filtered or rate limited by a firewall.

    • Some protocols do not elicit a response.


Assumptions & limitations of the backscatter technique

  • Assumption 3:

    • Backscatter hypothesis: unsolicited packets observed by the monitor represent backscatter.

  • Limitations of assumption 3:

    • Any server on the Internet can send unsolicited packets.

    • Random port scans may be misinterpreted as backscatter.

    • Still, the vast majority of attacks can be differentiated from typical scanning activity.
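Added example (my code, not from the slides or the paper): a small simulation of the sampling argument behind the backscatter technique and of what happens when assumptions 1 and 2 above fail. It assumes a monitor that owns a constructed /8 prefix (1/256 of the IPv4 space) and extrapolates the attack size by multiplying the observed backscatter by 256; that scaling factor is my assumption about how the sample is scaled up, not something stated on the slides.

```python
import random

ADDRESS_SPACE = 2 ** 32
MONITOR_BASE, MONITOR_SIZE = 0x0A000000, 2 ** 24   # constructed: the monitor owns 10.0.0.0/8
SCALE = ADDRESS_SPACE // MONITOR_SIZE              # 256: each observed reply stands for 256 attack packets

def in_monitor(addr):
    """True if a 32-bit address falls inside the monitored /8."""
    return MONITOR_BASE <= addr < MONITOR_BASE + MONITOR_SIZE

def spoofed_sources(packets, rng, uniform=True):
    """Source addresses the attacker stamps on its requests. uniform=True is
    assumption 1 (random spoofing); uniform=False models an attacker whose
    spoofed sources never fall inside the monitor (limitation 1)."""
    sources = []
    while len(sources) < packets:
        src = rng.randrange(ADDRESS_SPACE)
        if uniform or not in_monitor(src):
            sources.append(src)
    return sources

def observed_backscatter(sources, rng, delivery=1.0):
    """The victim answers every request; a reply reaches the monitor only if the
    spoofed source is inside the /8 and the reply is not dropped on the way
    (delivery < 1.0 violates assumption 2, reliable delivery)."""
    return sum(1 for src in sources if in_monitor(src) and rng.random() < delivery)

def estimate_attack_packets(observed):
    """Extrapolate the monitor's sample to the whole attack; with lossy delivery
    or non-uniform spoofing this is only a lower bound."""
    return observed * SCALE

def run(packets=200_000, seed=1, uniform=True, delivery=1.0):
    rng = random.Random(seed)
    observed = observed_backscatter(spoofed_sources(packets, rng, uniform), rng, delivery)
    return observed, estimate_attack_packets(observed)

if __name__ == "__main__":
    for label, kw in [("uniform spoofing", {}), ("lossy path", {"delivery": 0.5}),
                      ("monitor avoided", {"uniform": False})]:
        print(label, run(**kw))
```

With uniform spoofing the estimate lands close to the 200,000 packets actually sent; halving delivery roughly halves it, and an attacker who never spoofs addresses inside the monitored prefix is invisible to the monitor.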



Classifying DoS attacks

  • So George (having rebooted his system after my attack) now asks:

    “I can live with these hypotheses. How do I classify the DoS attacks in order to get a quantitative estimate of their prevalence and characteristic behavior?”

  • Solution: a three-step algorithm:

    • First, identify and extract backscatter packets from the raw trace.

    • Combine related packets into attack flows,

      • based on the victim’s IP address: flow-based classification.

    • Filter out some attack flows based on intensity, duration and rate: event-based classification.
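The three-step algorithm above, worked over a constructed monitor trace (added example, not code from the slides or the paper). The backscatter signatures (SYN-ACK and RST replies, a few ICMP types), the 5-minute flow timeout and the 100-packet / 60-second event thresholds are assumptions chosen for the example.

```python
from collections import defaultdict

BACKSCATTER_TCP = {"SA", "R", "RA"}   # assumption: replies a victim sends to SYNs it never asked for
BACKSCATTER_ICMP = {0, 3, 11}          # assumption: echo reply, unreachable, TTL exceeded
FLOW_TIMEOUT = 300.0                   # assumption: 5 min of silence closes a flow
MIN_PACKETS, MIN_DURATION = 100, 60.0  # assumption: thresholds for counting a flow as an attack event

def constructed_trace():
    """Constructed monitor log: (time_s, src, dst, proto, detail), detail = TCP flags or ICMP type."""
    trace = []
    for i in range(150):   # victim 203.0.113.5 answers a spoofed SYN flood for 10 min (SYN-ACK every 4 s)
        trace.append((i * 4.0, "203.0.113.5", f"10.{i % 7}.{i % 11}.{i}", "tcp", "SA"))
    for i in range(120):   # the same victim is hit again 20 min later, for 2 min at 1 pkt/s
        trace.append((1800.0 + i, "203.0.113.5", f"10.9.{i % 250}.1", "tcp", "SA"))
    for i in range(60):    # a port scanner probing the monitor: plain SYNs are requests, not replies
        trace.append((i * 10.0, "198.51.100.9", f"10.0.0.{i}", "tcp", "S"))
    for i in range(3):     # three stray RSTs: unsolicited, but far too few to be an attack
        trace.append((100.0 + i, "192.0.2.7", f"10.1.1.{i}", "tcp", "RA"))
    return sorted(trace)

def is_backscatter(pkt):
    """Step 1: keep only packets that are responses to requests the monitor never sent."""
    _, _, _, proto, detail = pkt
    return (proto == "tcp" and detail in BACKSCATTER_TCP) or (proto == "icmp" and detail in BACKSCATTER_ICMP)

def attack_flows(trace):
    """Step 2: group backscatter by victim (the *source* of the reply), split on FLOW_TIMEOUT gaps."""
    per_victim = defaultdict(list)
    for pkt in trace:
        if is_backscatter(pkt):
            per_victim[pkt[1]].append(pkt[0])
    flows = []                                   # (victim, start, end, packets)
    for victim, times in per_victim.items():     # times are already sorted (trace is sorted)
        start, last, count = times[0], times[0], 0
        for t in times:
            if t - last > FLOW_TIMEOUT:
                flows.append((victim, start, last, count))
                start, count = t, 0
            last, count = t, count + 1
        flows.append((victim, start, last, count))
    return flows

def attack_events(flows):
    """Step 3: keep only flows intense and long enough to count as attack events."""
    events = []
    for victim, start, end, count in flows:
        duration = end - start
        if count >= MIN_PACKETS and duration >= MIN_DURATION:
            events.append({"victim": victim, "start_s": start, "duration_s": duration,
                           "packets": count, "rate_pps": count / duration})
    return events
```

The trace yields three flows but only two attack events, both against 203.0.113.5; rate_pps is what the monitor observes, and the Internet-wide rate is larger by the inverse of the monitor's share of the address space.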


Classifying DoS attacks: what to measure

  • TCP flag settings

  • ICMP payload

  • Address uniformity (distribution of source addresses)

  • Port settings

  • DNS & routing information

  • Number of simultaneous attacks

  • Distribution of attack rates

  • Number of victims

  • Intensity of attacks



Results

  • “Enough with George! (We don’t like him anyway… kidding.) Show us some results NOW!”

  • Ok people, don’t shout! Here we go:

  • (Note: for anyone who worries, don’t! George will play along in the other paper too :P)


Experimental Setup


Results (1/4) – Attack frequency & statistics

  • The rate of attacks doesn’t change significantly over the measurement period.

  • No strong diurnal patterns, as seen in Web or P2P file sharing traffic.

  • Attacks were not clustered on particular subnets.


Results (2/4) – Protocols & packet statistics

  • 500 SYN packets are enough to overwhelm a server.

  • 46% of attacks had 500 packets or more.

  • 2.4% of attacks had ≥ 14,000 packets, enough to overwhelm even attack-resistant firewalls.


Results (3/4) – Attack distributions

  • 50% of attacks last less than 10 min

  • 80% last less than 30 min

  • 90% last less than an hour

  • 2% last longer than 5 hrs

  • 1% last longer than 10 hrs

  • dozens span multiple days

  • The right graph shows peaks at 5, 10 and 20 minutes.


Results (4/4) – Attacks on an autonomous system are not frequent

  • Most victims (69%) were attacked in only one trace.

  • Most of the remaining victims (18%) appear in two traces.

  • 95% of victims were attacked five or fewer times.

  • One host was attacked 48 times, for durations between 72 seconds and 5 hours.



Conclusions

  • Well… George, in this presentation, had:

    • Discovered a new technique called “backscatter analysis” for estimating DoS attack activity on the Internet.

    • Observed widespread DoS attacks distributed among many domains and ISPs.

    • Noticed that the size and length of attacks were heavy-tailed.

    • Been surprised to learn the number of attacks directed at a few foreign countries.

    But… most importantly:

    HE HAD BEEN ATTACKED

