Distinguishing between single and multi-source attacks using signal processing☆
Introduction
The Internet connects hundreds of millions of computers across the world running on multiple hardware and software platforms. It serves uncountable personal and professional needs for people and corporations. However, this interconnectivity among computers also enables malicious users to misuse resources and mount denial of service (DoS) attacks against arbitrary sites.
In a denial of service attack, a malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site, often simply by flooding a victim with many requests. A DoS attack can be either a single-source attack, originating at only one host, or a multi-source, where multiple hosts coordinate to flood the victim with a barrage of attack packets. The latter is called a distributed denial of service (DDoS) attack. Sophisticated attack tools that automate the procedure of compromising hosts and launching attacks are readily available on the Internet, and detailed instructions allow even an amateur to use them effectively.
Denial of service attacks cause significant financial damage every year, making it essential to devise techniques to detect and respond to attacks quickly. Development of effective response techniques requires intimate knowledge of attack dynamics, yet little information about attacks in the wild is published in the research community. Moore et al. provide insight into the prevalence of DoS activity on the Internet [26], but their analysis is based on back-scatter packets and lacks the level of detail required to study attack dynamics or generate high-fidelity models needed for DoS research. Monitoring tools today can detect an attack and identify basic properties such as traffic rates and packet types. However, because attackers can forge most packet information, characterizing attacks as single- or multi-source and identifying the number of attackers is difficult.
In this paper, we develop a framework to classify attacks based on header analysis, ramp-up behavior and spectral analysis. First, we analyze the header content to get a rapid characterization of the attackers. Since headers can be forged by the attacker, we develop two new techniques to analyze packet stream dynamics using the ramp-up behavior and the spectral characteristics of the attack traffic. The absence of an initial ramp-up suggests a single attacker, whereas a slow ramp-up (several hundred milliseconds or more) suggests a multi-source attack. Since ramp-up is also easily spoofed, we identify spectral characteristics that distinguish single- from multi-source attacks and show that attackers cannot easily spoof spectral content without reducing attack effectiveness. We describe the algorithms used in our framework in Section 4 and discuss robustness to counter-measures in Section 7.
The contribution of this paper is an automated methodology for characterizing DoS attacks that adds new techniques of ramp-up and spectral analysis, building on the existing approach of header analysis. In addition to providing a better understanding of DoS attack dynamics, our work has several direct applications. This identification framework can be used as part of an automated DoS detection and response system. It can provide the classification component of a real-time attack analysis system to aid network administrators in selecting an appropriate response depending on the type of ongoing DoS attack. For example, if an attack consists of only a single source, using traceback to identify the culprit is trivial, but as the number of attackers increases, traceback rapidly becomes intractable. Thus one application of our framework is to judiciously decide whether activation of traceback is appropriate during a particular attack. This analysis can also be used to create and validate models of DoS and DDoS attacks for simulation and experimentation. Finally, long-term automated measurements of DoS attacks can be used to estimate the level of DoS attack activity in the Internet. We describe these applications in Section 8.
We evaluated our framework on traffic collected from two peering links at Los Nettos, a regional ISP in Los Angeles. Over a period of five months we observed and analyzed 80 attacks. We could classify 67 attacks as single- or multi-source with header analysis; the remaining 13 attacks were classified based on ramp-up and spectral behavior. We validate our algorithm and conclusions in three ways. First, we monitor a second site at the University of Southern California and compare the observed attack dynamics. Second, to understand the spectral characteristics of attacks we conduct a series of experiments with synthetically generated attack traffic sent over a wide-area network and with real attack traffic generated using attack tools on an isolated testbed. Finally, we use simple numerical simulations to improve and confirm our understanding of the underlying causes for differences in spectral behavior. Our validation methodology is detailed in Section 6.
This paper is an extended version of the original paper that was published in SIGCOMM 2003 [17]. This version has been extended to add additional details about attack rate distributions (Section 5.3), WAN experiments (Section 6.2), and experiments to understand the causes behind our observations (Section 6.3).
Related work
Denial of service attacks attempt to exhaust or disable access to resources at the victim. These resources are either network bandwidth, computing power, or operating system data structures. Research on denial of service attacks is primarily focused on attack detection and response mechanisms. Attack detection identifies an ongoing attack using either anomaly-detection [15], [27], [41] or signature-scan techniques [29], [31]. Most response mechanisms attempt to alleviate the damage caused due
Attack taxonomy
To launch a DDoS attack, a malicious user first compromises Internet hosts by exploiting security holes, many of which are openly disclosed by software vendors. The malicious user then installs attack tools on the compromised host (also known as a zombie), which then becomes available to attack any victim on command. With full control of the zombie the attacker can construct any packet including illegal packets, such as packets with incorrect checksums, incorrect header field values, or an
Attack classification
Our framework classifies attacks using header contents, transient ramp-up behavior, and spectral characteristics. This three-pronged approach is necessary to deal with an increasing level of difficulty in classifying attacks depending on the level of IP header spoofing present in an attack. If the source address in the attack packets is not spoofed, classifying an attack as single- or multi-source becomes a simple matter of counting the distinct sources present in the attack stream. When the
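As an added illustration of the three-pronged classification described above (this is not code from the paper or its authors), the following Python sketch applies header analysis, ramp-up measurement and a spectral feature, in that order, to two constructed packet streams. The 300 ms ramp-up threshold follows the "several hundred milliseconds" wording in the introduction, while the 10 ms rate bins, the 60% cumulative-power quantile, the 10 Hz spectral threshold, and all addresses and timings are assumptions of this example rather than values taken from the paper.

```python
"""Classify a captured attack packet stream as single- or multi-source using
the three signals the paper describes: header contents (distinct source
addresses), initial ramp-up time, and spectral content of the packet-rate
series.  All packet data below is constructed; thresholds are assumptions."""
import cmath
import math

BIN_US = 10_000          # 10 ms rate bins -> the rate series is sampled at 100 Hz
WINDOW_US = 1_000_000    # analyse the first second of the attack


def rate_series(packets, bin_us=BIN_US, window_us=WINDOW_US):
    """Packets per bin.  `packets` is an iterable of (timestamp_us, src_ip)."""
    counts = [0] * (window_us // bin_us)
    for t_us, _src in packets:
        if 0 <= t_us < window_us:
            counts[t_us // bin_us] += 1
    return counts


def distinct_sources(packets):
    """Header analysis: number of distinct source addresses in the stream."""
    return len({src for _t, src in packets})


def ramp_up_ms(rates, bin_us=BIN_US, fraction=0.9):
    """Time until the packet rate first reaches `fraction` of its peak.
    0 ms means the attack starts at full rate, i.e. there is no ramp-up."""
    peak = max(rates)
    if peak == 0:
        return 0.0
    for i, r in enumerate(rates):
        if r >= fraction * peak:
            return i * bin_us / 1000.0
    return len(rates) * bin_us / 1000.0   # not reached: the peak is in `rates`


def power_spectrum(rates, bin_us=BIN_US):
    """Plain DFT of the mean-removed rate series.  Returns [(frequency_hz,
    power)] for the non-DC bins up to Nyquist; O(N^2) is fine for 100 samples."""
    n = len(rates)
    mean = sum(rates) / n
    centred = [r - mean for r in rates]
    fs = 1_000_000 / bin_us                       # sampling rate of the rate series
    spectrum = []
    for k in range(1, n // 2 + 1):
        xk = sum(x * cmath.exp(-2j * math.pi * k * i / n) for i, x in enumerate(centred))
        spectrum.append((k * fs / n, abs(xk) ** 2))
    return spectrum


def spectral_quantile_hz(spectrum, quantile=0.6):
    """Lowest frequency below which `quantile` of the non-DC power lies.
    A low value means slow rate fluctuations dominate (e.g. many sources joining
    and drifting); a high value means fast fluctuations dominate.
    Returns None for a perfectly flat series (no non-DC power at all)."""
    total = sum(p for _f, p in spectrum)
    if total == 0:
        return None
    acc = 0.0
    for f, p in spectrum:
        acc += p
        if acc >= quantile * total:
            return f
    return spectrum[-1][0]


def classify(packets, spoofed_headers=False, ramp_threshold_ms=300.0,
             spectral_threshold_hz=10.0):
    """Returns (verdict, evidence).  When source addresses are trusted, the
    distinct-source count decides; otherwise fall back to ramp-up, then to the
    spectral quantile.  Both thresholds are assumptions for the constructed data."""
    rates = rate_series(packets)
    evidence = {
        "distinct_sources": distinct_sources(packets),
        "ramp_up_ms": ramp_up_ms(rates),
        "f60_hz": spectral_quantile_hz(power_spectrum(rates)),
    }
    if not spoofed_headers:
        verdict = "multi-source" if evidence["distinct_sources"] > 1 else "single-source"
    elif evidence["ramp_up_ms"] >= ramp_threshold_ms:
        verdict = "multi-source"
    elif evidence["f60_hz"] is not None and evidence["f60_hz"] < spectral_threshold_hz:
        verdict = "multi-source"
    else:
        verdict = "single-source"
    return verdict, evidence


def constructed_single_source():
    """Constructed: one host bursting 40 packets every 20 ms for one second."""
    return [(20_000 * j + 250 * i, "10.0.0.1")
            for j in range(WINDOW_US // 20_000) for i in range(40)]


def constructed_multi_source():
    """Constructed: ten hosts at 200 pps each, joining the attack 50 ms apart."""
    pkts = []
    for k in range(10):
        src = f"10.0.1.{k + 1}"                     # constructed addresses
        for i in range((WINDOW_US - 50_000 * k) // 5_000):
            pkts.append((50_000 * k + 5_000 * i, src))
    return sorted(pkts)


if __name__ == "__main__":
    for name, stream in (("single", constructed_single_source()),
                         ("multi", constructed_multi_source())):
        print(name, classify(stream, spoofed_headers=True))
```

With trusted headers the source count settles the question; with `spoofed_headers=True` the staggered start of the ten constructed hosts shows up as a 400 ms ramp-up and a spectral quantile at 1 Hz, while the single bursty host has no ramp-up and its power sits at the top of the spectrum (50 Hz at this bin size).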
Evaluation
In this section we present our trace collection infrastructure and our experimental analysis based on attacks captured at Los Nettos. Validation of these results is presented in the next section.
Validation
We use three techniques to validate our classification algorithms and understand the nature of our observations. First, we analyze DoS attacks from a second site to confirm that the numbers and types of attacks we identified were not unique to our original observation point. Then we conduct controlled experiments and use simple numerical simulations to understand the physical characteristics behind our classification techniques.
Sensitivity analysis
Network security is an arms race: both attack tools and defenses evolve in relation to each other. Thus an important consideration of our framework is its robustness to improved attack tools. In fact, our ramp-up and spectral analysis techniques were motivated by limitations of header analysis in the face of packet spoofing.
Although header analysis was successful at classifying 83% of the attacks we observed, this percentage may drop as more sophisticated tools become available. Even though
Applications
There are several applications of our results, including automated attack detection, developing synthetic models of attack traffic and inferring the amount of DoS attack activity in the Internet. Although details of these applications are outside the scope of this paper, we briefly discuss each next.
Conclusion
This paper presented a framework to classify DoS attacks into single- and multi-source attacks. In addition to using packet headers to classify the attacks, we develop two new approaches: initial ramp-up transients and spectral analysis. These approaches depend only on information in the attack packet stream, and we believe the spectral characteristics of attacks cannot be altered without reducing attack rates.
We evaluated our framework on 80 attacks captured from two peering links at a
Acknowledgements
We would like to thank Jim Pepin, Walter Prue and Sanford George of Los Nettos, and Brian Yamaguchi of USC, for helping us obtain traces, and for discussions about handling DoS attacks. We would like to thank Kimberley Claffy, David Moore, Elizabeth Belding-Royer, Bing Wang, Don Towsley, Deborah Estrin, and Colin Perkins for providing access to their lab machines for our WAN experiments. Rohit Agarwal helped with the testbed experiments and identifying attack tools. In addition we would like to
Alefiya Hussain is a Ph.D. candidate in the Computer Science Department at the University of Southern California. She received a Bachelor of Engineering degree from Pune Institute of Computer Technology and a Master of Computer Science from University of Southern California in 1997 and 2001 respectively. Her current research interests include passive network measurements and security. She is a member of ACM, IEEE, and Upsilon Pi Epsilon.
References (43)
- Bro: A system for detecting network intruders in real-time, Computer Networks (1999)
- M. Allman, V. Paxson, W. Stevens, TCP congestion control, RFC 2581, Internet Request For Comments, April...
- Incident Detection Analysis and Response. Available from...
- P. Barford, J. Kline, D. Plonka, R. Amos, A signal analysis of network traffic anomalies, in: Proceedings of the ACM...
- S. Bellovin, ICMP traceback messages, Work in Progress,...
- S. Bellovin, A technique for counting NATted hosts, in: Proceedings of the ACM SIGCOMM Internet Measurement Workshop,...
- et al., Time Series Analysis: Forecasting and Control (1994)
- The Fourier Transform and its Applications (1986)
- A. Broido, E. Nemeth, Claffy, Spectroscopy of DNS update traffic, in: Proceedings of the ACM SIGMETRICS, San Diego, CA,...
- et al., Tracing anonymous packets to their approximate source
- Flow synchronization protocol, ACM/IEEE Transactions on Networking
- Generation of high bandwidth network traffic traces
Cited by (5)
- Evaluating a migration-based response to DoS attacks in a system of distributed auctions (2012, Computers and Security). Citation excerpt: "DoS attack detection consists of either the identification of behavioral changes in peers (anomaly-based detection (Hussain et al., 2003; Mirkovic and Reiher, 2005)) or attack patterns (signature-based detection). Most machine learning and signal processing techniques could be applied for this purpose, such as neural networks (Jalili et al., 2005), neuro-fuzzy inference (He et al., 2005), radial basis functions (Gavrilis and Dermatas, 2005), genetic algorithms (Gavrilis et al., 2004), statistical signal analysis (Li et al., 2004; Li, 2004; Xiang et al., 2004; Gu et al., 2005; Kulkarni and Bush, 2006; Hussain et al., 2004) and wavelets (Li and Lee, 2005; Yang et al., 2004). Once an attack is recognized, specific actions could be applied to its associated messages, ranging from simply dropping packets to coordinating a joint response with other systems."
- Intrusion detection taxonomy and data preprocessing mechanisms (2018, Journal of Intelligent and Fuzzy Systems)
- A stochastic model with an adaptive proportional controller for the evolution of user-router bandwidth demand for quality of service (QoS) aspects (2016, Ad-Hoc and Sensor Wireless Networks)
- Detection and response of low-rate TCP-targeted denial of service attacks (2008, Zhejiang Daxue Xuebao (Gongxue Ban)/Journal of Zhejiang University (Engineering Science))
- A novel mechanism to defend against low-rate denial-of-service attacks (2006, Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics))
John Heidemann is a project leader at USC/ISI and a research assistant professor at USC. At ISI he leads I-LENSE, the ISI Laboratory for Embedded Networked Sensor Experimentation, and investigates networking protocols and simulation as part of the SAMAN and CONSER projects. He received his B.S. from University of Nebraska-Lincoln and his M.S. and Ph.D. from UCLA, and is a member of ACM, IEEE, and Usenix.
Christos Papadopoulos received his Ph.D. degree from Washington University in St. Louis MO. He is an Assistant Professor at the University of Southern California, where he does research on network security and multimedia communications. He is also affiliated with the Information Sciences Institute (ISI) and the Integrated Media Systems Center (IMSC) at USC. He received his NSF Career award in 2002.
☆ This paper is an extended version of the original paper that was published in SIGCOMM 2003, Karlsruhe, Germany. The research is based on work supported by DARPA via the Space and Naval Warfare Systems Center San Diego under Contract no. N66001-00-C-8066 ("SAMAN"), by NSF under grant number ANI-9986208 ("CONSER"), by DARPA via the Fault Tolerant Networks program under grant number N66001-01-1-8939 ("COSSACK") and by Los Alamos National Laboratory under grant number 53272-001.