Inferring internet denial of service activity
Inferring Internet Denial-of-Service activity. David Moore (1), Geoffrey M. Voelker (2) and Stefan Savage (2). (1) San Diego Supercomputer Center, University of California, San Diego. (2) Department of Computer Science and Engineering, University of California, San Diego.

Presentation Transcript

Inferring Internet Denial-of-Service activity

David Moore1, Geoffrey M. Voelker2

and Stefan Savage2

1San Diego Supercomputer Center

University of California, San Diego

2 Department of Computer Science and Engineering

University of California, San Diego

Presented by Yannis Klonatos


Outline

  • Introduction & Motivation

  • How do Denial-of-Service (DoS) attacks work?

  • Backscatter technique

  • Classifying DOS attacks

  • Results

  • Conclusions



Introduction

  • First, a personal remark:

    • If I were asked about Denial-of-Service (DOS) attacks before reading this paper I would in short argue:

      “Why the hell care? Let Yahoo, Ebay, E-trade and

      Microsoft figure out the mess. Nobody cares about DoS”

    • However, soon I learned that most victims are in fact smaller commercial sites and educational institutions.

    • And that these attacks seem not to be well publicized

    • So, the main question is “How prevalent are Denial-of-Service attacks on the Internet today?”

    • This paper answers exactly this question…


Motivation

  • There is currently not much quantitative data about DoS attacks:

    • neither about their prevalence

    • nor about their characteristic behavior.

  • Moreover, there are multiple obstacles hampering the collection of an authoritative DoS traffic dataset:

    • Service and content providers consider such data sensitive and private.

    • Monitoring traffic at enough sites to obtain a representative measure of Internet-wide attacks presents a significant logistical challenge.


How do Denial-of-Service (DoS) attacks work?

  • So, let’s say that I am:

  • And (since I am a Sith), I want to cause harm to all the PCs of the world using DoS attacks.

  • “What must I do?” (I won’t use the Force, don’t worry)

  • Well… The first step is always to locate one (Windows) PC to attack.

  • So I choose the computer of…


How do Denial-of-Service (DoS) attacks work?

  • I have two ways to attack George’s PC:

    • First, I could exploit the numerous (Windows) bugs in his OS (logic attack).

      • No fun, since George will just call Microsoft and they will patch the bug (NO! they won’t, but ok…).

    • However, I could also perform a flooding attack and try to overwhelm the CPU, memory or network of George’s PC.

      • How? Well, I will send George a HUGE number of spurious small requests as fast as I can, so that he loses the ability to process them.

  • But… Remember that George is also a master of security in the DCS Lab at FORTH (advertisement…)


How do Denial-of-Service (DoS) attacks work?

  • So what I really want is to transform George from this state:

  • To this state:

  • And thus a war for victory and survival begins…


How do Denial-of-Service (DoS) attacks work?

  • Round 1: George says:

    “If I lack the resources to manage the huge amount of requests you send me, let’s double the resources in my machine”

  • But this is not enough, since:

  • Score: Me (Sith) 1 – George 0

  Distributed DoS attack (DDoS)


How do Denial-of-Service (DoS) attacks work?

  • Round 2: George (now a bit frustrated) shouts at me with anger:

    “I will catch you. I have a Master’s degree in Computer Science, so I will find your IP and report you to the police… (a.k.a. the admins)”

  • But this is not enough either, since:

    • I am able to change the source IP address to a random address before sending you the request…

    • … so that when you receive it, you MUST answer to a random host and are not able to detect me!

  • This is called IP spoofing

  • Score: Me (Sith) 2 – George 0


How do Denial-of-Service (DoS) attacks work?

  • Round 3: Now, it can get even better for me (and worse for George):

  • Suppose that when using IP spoofing, I specifically choose the IP of a machine that I know constantly broadcasts

    • This machine is called a reflector machine.

  • Then, when George replies to the reflector machine, the reply is broadcast to a bunch of other nodes as well.

    • Thus, with the help of George, the attack is amplified even further (the network gets congested).

  • Final Score: Me (Sith) 3 – George 0

  • George, disappointed, leaves DCS and joins CARV.


Backscatter technique

  • So what can George do? Well, he has a way of knowing when and where a DoS attack takes place.

  • A key observation is that George MUST answer all the requests I send him…

  • These unneeded “reply” packets are called backscatter.

  • George can measure DoS attacks through backscatter,

    • by observing many nodes (like B, C, D) for unsolicited responses.


Assumptions & limitations of the backscatter technique

  • Assumption 1:

    • Address uniformity → attackers spoof source addresses at random.

  • Limitations 1:

    • Many attacks do not use address spoofing

    • “Reflector attacks” → the source address is specifically selected.

    • ISPs increasingly employ ingress filtering

    • Since automated methods exist for compromising many hosts quickly, DDoS attacks use true IP addresses


Assumptions & limitations of the backscatter technique

  • Assumption 2:

    • Reliable delivery → attack traffic and backscatter are delivered reliably

  • Limitations 2:

    • Packets from the attacker and the responses may be queued and dropped,

    • Traffic may be filtered and rate limited by a firewall.

    • Some protocols do not elicit a response.


Assumptions & limitations of the backscatter technique

  • Assumption 3:

    • Backscatter hypothesis → unsolicited packets observed by the monitor represent backscatter.

  • Limitations 3:

    • Any server on the Internet can send unsolicited packets,

    • Misinterpretation of random port scans as backscatter,

    • The vast majority of attacks can be differentiated from typical scanning activity


Classifying DoS attacks

  • So George (having rebooted his system after my attack) now asks:

    “I can live with these hypotheses. How do I classify the DoS attacks in order to get a quantitative estimate of their prevalence and characteristic behavior?”

  • Solution: a three-step algorithm:

    • First, identify and extract backscatter packets from the raw trace

    • Then, combine related packets into attack flows

      • Based on the victim’s IP address → flow-based classification

    • Finally, filter out some attack flows based on intensity, duration and rate → event-based classification
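An added example (not code from the presentation or from the paper’s authors) that walks the three steps above over a constructed trace, and also applies the address-uniformity assumption from the earlier slides to scale the observed backscatter rate up to an Internet-wide estimate. The monitor size (one /8), the 5-minute flow timeout, the 100-packet and 60-second event thresholds and the packet-record format are assumptions chosen for illustration.

```python
from collections import defaultdict

MONITOR_SIZE = 2**24      # assumption: the monitor watches one /8 (2^24 addresses)
FLOW_TIMEOUT = 300        # assumption: a flow ends after 5 minutes of silence
MIN_PACKETS, MIN_DURATION = 100, 60   # assumption: event-filter thresholds (pkts, s)

def is_backscatter(pkt):
    """Step 1: keep only *responses* to traffic the unused monitored range never sent."""
    if pkt["proto"] == "tcp":
        return pkt["flags"] in ("SA", "R", "RA")      # SYN/ACK or RST replies
    if pkt["proto"] == "icmp":
        return pkt["type"] in (0, 3, 11)  # echo reply, unreachable, TTL exceeded
    return False

def classify(packets):
    """Steps 2 and 3: group backscatter by victim (the packet's source IP),
    cut flows on silence, then keep only flows that pass the event filter."""
    by_victim = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        if is_backscatter(p):
            by_victim[p["src"]].append(p["ts"])
    attacks = []
    for victim, times in by_victim.items():
        start = last = times[0]
        count = 1
        for t in times[1:] + [None]:          # None flushes the final flow
            if t is not None and t - last <= FLOW_TIMEOUT:
                last, count = t, count + 1
                continue
            duration = last - start
            if count >= MIN_PACKETS and duration >= MIN_DURATION:
                observed = count / duration
                attacks.append({"victim": victim, "packets": count,
                                "duration_s": duration, "observed_pps": observed,
                                # address uniformity: the monitor sees n/2^32 of the backscatter
                                "estimated_pps": observed * 2**32 / MONITOR_SIZE})
            if t is not None:
                start = last = t
                count = 1
    return attacks

def sample_trace():
    """Constructed trace: 203.0.113.5 emits 150 SYN/ACKs over 150 s (a victim);
    198.51.100.9 sends one lone RST (scan reply); 192.0.2.7 sends a SYN (not a response)."""
    pkts = [{"ts": i, "src": "203.0.113.5", "proto": "tcp", "flags": "SA"}
            for i in range(150)]
    pkts.append({"ts": 40, "src": "198.51.100.9", "proto": "tcp", "flags": "R"})
    pkts.append({"ts": 50, "src": "192.0.2.7", "proto": "tcp", "flags": "S"})
    return pkts
```

Running `classify(sample_trace())` reports a single attack against 203.0.113.5; the lone RST and the SYN are dropped by the event filter and by step 1 respectively.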


Classifying DoS attacks: What to measure

  • TCP flag settings

  • ICMP payload

  • Address uniformity (distribution of source addresses)

  • Port settings

  • DNS & routing information

  • Number of simultaneous attacks

  • Distribution of attack rates

  • Number of victims

  • Intensity of attacks


Results

  • “Enough with George! (we don’t like him anyway, kidding…) Show us some results NOW”

  • Ok people, don’t shout! Here we go:

  • (Note: for anyone who worries, don’t! George will play along in the other paper too :P)



Results (1/4) – Attack frequency & statistics

  • The rate of attacks doesn’t change significantly over the period of time.

  • No strong diurnal patterns, as seen in Web or P2P file sharing.

  • Attacks were not clustered on particular subnets.


Results (2/4) – Protocols & packet statistics

  • 500 SYN packets are enough to overwhelm a server.

  • 46% of attacks had 500 packets or more.

  • 2.4% of attacks had ≥ 14,000 packets, enough to compromise attack-resistant firewalls.


Results (3/4) – Attack distributions

  • 50% of attacks last less than 10 min

  • 80% last less than 30 min

  • 90% last less than an hour

  • 2% last longer than 5 hrs

  • 1% last longer than 10 hrs

  • dozens span multiple days

  • The right graph shows peaks at 5, 10 and 20 minutes.


Results (4/4)

Attacks on an autonomous system are not frequent

  • Most victims (69%) were attacked in only one trace.

  • Most of the remaining victims (18%) appear in two traces.

  • 95% of victims were attacked five or fewer times.

  • One host was attacked 48 times, for durations between 72 seconds and 5 hours.


Conclusions

  • Well… George in this presentation had:

    • Discovered a new technique called “backscatter analysis” for estimating DoS attack activity on the Internet.

    • Observed widespread DoS attacks distributed among many domains and ISPs.

    • Noticed that the size and length of attacks were heavy-tailed.

    • Been surprised to learn the number of attacks directed at a few foreign countries.

      But… most importantly:

      HE HAD BEEN ATTACKED

