Inferring Internet denial-of-service activity
Source: ACM Transactions on Computer Systems (TOCS), Volume 24, Issue 2 (May 2006)
Pages: 115-139
Year of Publication: 2006
ISSN: 0734-2071
Authors
David Moore  University of California San Diego, La Jolla, CA
Colleen Shannon  University of California San Diego, La Jolla, CA
Douglas J. Brown  University of California San Diego, La Jolla, CA
Geoffrey M. Voelker  University of California San Diego, La Jolla, CA
Stefan Savage  University of California San Diego, La Jolla, CA
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1132026.1132027

ABSTRACT

In this article, we seek to address a simple question: “How prevalent are denial-of-service attacks in the Internet?” Our motivation is to quantitatively understand the nature of the current threat as well as to enable longer-term analyses of trends and recurring patterns of attacks. We present a new technique, called “backscatter analysis,” that provides a conservative estimate of worldwide denial-of-service activity. We use this approach on 22 traces (each covering a week or more) gathered over three years from 2001 through 2004. Across this corpus we quantitatively assess the number, duration, and focus of attacks, and qualitatively characterize their behavior. In total, we observed over 68,000 attacks directed at over 34,000 distinct victim IP addresses---ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. We believe our technique is the first to provide quantitative estimates of Internet-wide denial-of-service activity and that this article describes the most comprehensive public measurements of such activity to date.

