ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
A framework for classifying denial of service attacks
Full text PdfPdf (622 KB)
Source Applications, Technologies, Architectures, and Protocols for Computer Communication archive
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications table of contents
Karlsruhe, Germany
SESSION: Denial-of-service table of contents
Pages: 99 - 110  
Year of Publication: 2003
ISBN:1-58113-735-4
Authors
Alefiya Hussain  USC/Information Sciences Institute
John Heidemann  USC/Information Sciences Institute
Christos Papadopoulos  USC/Information Sciences Institute
Sponsors
ACM: Association for Computing Machinery
SIGCOMM: ACM Special Interest Group on Data Communication
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 33,   Downloads (12 Months): 347,   Citation Count: 45
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/863955.863968
What is a DOI?

ABSTRACT

Launching a denial of service (DoS) attack is trivial, but detection and response is a painfully slow and often a manual process. Automatic classification of attacks as single- or multi-source can help focus a response, but current packet-header-based approaches are susceptible to spoofing. This paper introduces a framework for classifying DoS attacks based on header content, and novel techniques such as transient ramp-up behavior and spectral analysis. Although headers are easily forged, we show that characteristics of attack ramp-up and attack spectrum are more difficult to spoof. To evaluate our framework we monitored access links of a regional ISP detecting 80 live attacks. Header analysis identified the number of attackers in 67 attacks, while the remaining 13 attacks were classified based on ramp-up and spectral analysis. We validate our results through monitoring at a second site, controlled experiments, and simulation. We use experiments and simulation to understand the underlying reasons for the characteristics observed. In addition to helping understand attack dynamics, classification mechanisms such as ours are important for the development of realistic models of DoS traffic, can be packaged as an automated tool to aid in rapid response to attacks, and can also be used to estimate the level of DoS activity on the Internet.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
M. Allman, V. Paxson, and W. Stevens. TCP congestion control. RFC 2581, Internet Request For Comments, April 1999.
2
Paul Barford , Jeffery Kline , David Plonka , Amos Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637210]
 
3
Steven Bellovin. ICMP traceback messages. Work in Progress: draft-bellovin-itrace-00.txt.
4
Steven M. Bellovin, A technique for counting natted hosts, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637243]
 
5
George Edward Pelham Box , Gwilym M. Jenkins, Time Series Analysis: Forecasting and Control, Prentice Hall PTR, Upper Saddle River, NJ, 1994
 
6
Ronald Bracewell. The Fourier Transform and Its Applications. Series in Electrical Engineering. McGraw-Hill, New York, NY, 1986.
7
Andre Broido , Evi Nemeth , K. C. Claffy, Spectroscopy of DNS update traffic, Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 11-14, 2003, San Diego, CA, USA
 
8
Hal Burch, Tracing Anonymous Packets to Their Approximate Source, Proceedings of the 14th USENIX conference on System administration, December 03-08, 2000, New Orleans, Louisiana
 
9
Chen-Mou Cheng, H.T. Kung, and Koan-Sin Tan. Use of spectral analysis in defense against DoS attacks. In Proceedings of the IEEE GLOBECOM, Taipei, Taiwan, 2002.
 
10
David Dittirch. DDoS Attacks and Tools. http://staff.washington.edu/dittrich/misc/ddos.
 
11
Julio Escobar , Craig Partridge , Debra Deutsch, Flow synchronization protocol, IEEE/ACM Transactions on Networking (TON), v.2 n.2, p.111-121, April 1994  [doi>10.1109/90.298430]
 
12
Fyodor. Remote OS detection via TCP/IP stack fingerprinting. http://www.insecure.org/nmap/, October 1998.
 
13
Thomer M. Gil and Massimiliano Poletto. MULTOPS: A Data-Structure for bandwidth attack detection. In Proceedings of the USENIX Security Symposium, pages 23--38, Washington, DC, July 2001.
 
14
Hevin Houle and George Weaver. Trends in denial of service technology. CERT Coordination Center at Carnegie-Mellon University, October 2001.
 
15
Alefiya Hussain, John Heidemann, and Christos Papadopoulos. A Framework for Classifying Denial of Service Attacks. Technical Report ISI-TR-2003-569, USC/Information Sciences Institute, February 2003.
 
16
Van Jacobson, Craig Leres, and Steven McCanne. tcpdump - the protocol packet cpature and dumper program. http://www.tcpdmp.org.
 
17
Jelena Mirkovic , Gregory Prier , Peter L. Reiher, Attacking DDoS at the Source, Proceedings of the 10th IEEE International Conference on Network Protocols, p.312-321, November 12-15, 2002
 
18
P. Kamath , K. Lan , J. Heidemann , J. Bannister , J. Touch, Generation of High Bandwidth Network Traffic Traces, Proceedings of the 10th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems (MASCOTS'02), p.401, October 11-16, 2002
19
Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, SOS: secure overlay services, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
20
Los nettos-passing packets since 1988. http://www.ln.net.
21
Ratul Mahajan , Steven M. Bellovin , Sally Floyd , John Ioannidis , Vern Paxson , Scott Shenker, Controlling high bandwidth aggregates in the network, ACM SIGCOMM Computer Communication Review, v.32 n.3, p.62-73, July 2002  [doi>10.1145/571697.571724]
 
22
D. Meyer. University of oregon Route Views Project. Advanced Network Technology Center web site, http://www.antc.uoregon.edu/route-views.
 
23
Jeffrey C. Mogul. Observing TCP dynamics in real networks. Technical Report 92.2, DEC Western Research Laboratory, April 1992.
 
24
David Moore, Geoffrey Voelker, and Stefan Savage. Inferring Internet denial of service activity. In Proceedings of the USENIX Security Symposium, Washington, DC, USA, August 2001. USENIX.
 
25
Christos Papadopoulos, Robert Lindell, John Mehringer, Alefiya Hussain, and Ramesh Govindan. COSSACK: Coordinated Suppression of Simultaneous Attacks. In In Proceeding of Discex III, Washington, DC, USC, April 2003.
26
Kihong Park , Heejo Lee, On the effectiveness of route-based packet filtering for distributed DoS attack prevention in power-law internets, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.15-26, August 2001, San Diego, California, United States
27
Craig Partridge , David Cousins , Alden W. Jackson , Rajesh Krishnan , Tushar Saxena , W. Timothy Strayer, Using signal processing to analyze wireless data traffic, Proceedings of the 3rd ACM workshop on Wireless security, p.67-76, September 28-28, 2002, Atlanta, GA, USA  [doi>10.1145/570681.570689]
 
28
Vern Paxson, Bro: a system for detecting network intruders in real-time, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.31 n.23-24, p.2435-2463, Dec. 1999  [doi>10.1016/S1389-1286(99)00112-7]
29
Vern Paxson, An analysis of using reflectors for distributed denial-of-service attacks, ACM SIGCOMM Computer Communication Review, v.31 n.3, July 2001  [doi>10.1145/505659.505664]
 
30
Martin Roesch. Snort - lightweight intrusion detection for networks. http://www.snort.org.
31
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
32
Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
 
33
Dawn X. Song and Adrian Perrig. Advanced and authenticated marking schemes for IP traceback. In Proceedings of the IEEE Infocom, Anchorage, Alaska, April 2001.
34
Neil Spring , Ratul Mahajan , David Wetherall, Measuring ISP topologies with rocketfuel, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
 
35
Robert Stone. Centertrack: An IP overlay network for tracking DoS floods. In Proceedings of the USENIX Security Symposium, pages 199--212, Denver, CO, USA, July 2000. USENIX.
 
36
Ajay Tirumala, Feng Qin, Jon Dugan, Jim Ferguson, and Kevin Gibbs. Iperf Version 1.6.5. http://dast.nlanr.net/Projects/Iperf/.
 
37
Gene Trent and Mark Sake. WebSTONE: The first generation in HTTP server benchmarking.
 
38
Haining Wang, Danlu Zhang, and Kang Shin. Detecting SYN flooding attacks. In Proceedings of the IEEE Infocom, New York, NY, June 2002. IEEE.
 
39
Zhi-Li Zhang, Vinay Ribeiro, Sue Moon, and Christophe Diot. Small-time scaling behaviors of Internet backbone traffic: An empirical study. In Proceedings of the IEEE Infocom, San Francisco, CA, April 2003.

CITED BY  48
Alefiya Hussain , John Heidemann , Christos Papadopoulos, Distinguishing between single and multi-source attacks using signal processing, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.46 n.4, p.479-503, 15 November 2004
Tadayoshi Kohno , Andre Broido , K. C. Claffy, Remote Physical Device Fingerprinting, IEEE Transactions on Dependable and Secure Computing, v.2 n.2, p.93-108, April 2005
Tom Anderson , Timothy Roscoe , David Wetherall, Preventing Internet denial-of-service with capabilities, ACM SIGCOMM Computer Communication Review, v.34 n.1, January 2004
Jelena Mirkovic , Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004
Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
Christos Papadopoulos , Chris Kyriakakis , Alexander Sawchuk , Xinming He, CyberSeer: 3D audio-visual immersion for network security and management, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
Anukool Lakhina , Mark Crovella , Christiphe Diot, Characterization of network-wide anomalies in traffic flows, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
Antonio Magnaghi , Takeo Hamada , Tsuneo Katsuyama, A wavelet-based framework for proactive detection of network misconfigurations, Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality, September 03-03, 2004, Portland, Oregon, USA
David A. Rolls , George Michailidis , Felix Hernández-Campos, Queueing analysis of network traffic: methodology and visualization tools, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.3, p.447-473, 21 June 2005
Anukool Lakhina , Mark Crovella , Christophe Diot, Mining anomalies using traffic feature distributions, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
Angelos Stavrou , Debra L. Cook , William G. Morein , Angelos D. Keromytis , Vishal Misra , Dan Rubenstein, WebSOS: an overlay-based system for protecting web servers from denial of service attacks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.48 n.5, p.781-807, 5 August 2005
Haining Wang , Danlu Zhang , Kang G. Shin, Change-Point Monitoring for the Detection of DoS Attacks, IEEE Transactions on Dependable and Secure Computing, v.1 n.4, p.193-208, October 2004
Brent Waters , Ari Juels , J. Alex Halderman , Edward W. Felten, New client puzzle outsourcing techniques for DoS resistance, Proceedings of the 11th ACM conference on Computer and communications security, October 25-29, 2004, Washington DC, USA
Kejie Lu , Dapeng Wu , Jieyan Fan , Sinisa Todorovic , Antonio Nucci, Robust and efficient detection of DDoS attacks for large-scale internet, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.18, p.5036-5056, December, 2007
Yogesh Prem Swami , Hannes Tschofenig, Protecting mobile devices from TCP flooding attacks, Proceedings of first ACM/IEEE international workshop on Mobility in the evolving internet architecture, December 01-01, 2006, San Francisco, California
Xinming He , Christos Papadopoulos , Pavlin Radoslavov, Incremental deployment strategies for router-assisted reliable multicast, IEEE/ACM Transactions on Networking (TON), v.14 n.4, p.779-792, August 2006
Bin Xiao , Wei Chen , Yanxiang He, A novel approach to detecting DDoS Attacks at an Early Stage, The Journal of Supercomputing, v.36 n.3, p.235-248, June 2006
Christos Siaterlis , Vasilis Maglaris, One step ahead to multisensor data fusion for DDoS detection, Journal of Computer Security, v.13 n.5, p.779-806, October 2005
Anmol Sheth , Christian Doerr , Dirk Grunwald , Richard Han , Douglas Sicker, MOJO: a distributed physical layer anomaly detection system for 802.11 WLANs, Proceedings of the 4th international conference on Mobile systems, applications and services, June 19-22, 2006, Uppsala, Sweden
Yu Chen , Kai Hwang, Collaborative detection and filtering of shrew DDoS attacks using spectral analysis, Journal of Parallel and Distributed Computing, v.66 n.9, p.1137-1151, September 2006
Zhiqiang Gao , Nirwan Ansari, A practical and robust inter-domain marking scheme for IP traceback, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.3, p.732-750, February, 2007
Ramana Rao Kompella , Sumeet Singh , George Varghese, On scalable attack detection in the network, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.14-25, February 2007
Haining Wang , Cheng Jin , Kang G. Shin, Defense against spoofed IP traffic using hop-count filtering, IEEE/ACM Transactions on Networking (TON), v.15 n.1, p.40-53, February 2007
Erol Gelenbe , George Loukas, A self-aware approach to denial of service defence, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.5, p.1299-1314, April, 2007
Yang Wang , Chuang Lin , Quan-Lin Li , Yuguang Fang, A queueing analysis for the denial of service (DoS) attacks in computer networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.51 n.12, p.3564-3573, August, 2007
Mina Guirguis , Azer Bestavros , Ibrahim Matta , Yuting Zhang, Adversarial exploits of end-systems adaptation dynamics, Journal of Parallel and Distributed Computing, v.67 n.3, p.318-335, March, 2007
Lei Qi , Marjan Zandi , Miguel Vargas Martin, A network mitigation system against distributed denial of service: a linux-based prototype, IASTED European Conference on Proceedings of the IASTED European Conference: internet and multimedia systems and applications, p.141-147, March 14-16, 2007, Chamonix, France
Lanier Watkins , Raheem Beyah , Cherita Corbett, Using network traffic to passively detect under utilized resources in high performance cluster grid computing environments, Proceedings of the first international conference on Networks for grid applications, October 17-19, 2007, Lyon, France
Guillaume Dewaele , Kensuke Fukuda , Pierre Borgnat , Patrice Abry , Kenjiro Cho, Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures, Proceedings of the 2007 workshop on Large scale attack defense, August 27-27, 2007, Kyoto, Japan
Terry Benzel , Robert Braden , Dongho Kim , Clifford Neuman , Anthony Joseph , Keith Sklower , Ron Ostrenga , Stephen Schwab, Design, deployment, and use of the DETER testbed, Proceedings of the DETER Community Workshop on Cyber Security Experimentation and Test on DETER Community Workshop on Cyber Security Experimentation and Test 2007, p.1-1, August 06-07, 2007, Boston, MA
Lukas Kencl , Christian Schwarzer, Traffic-Adaptive Packet Filtering of Denial of Service Attacks, Proceedings of the 2006 International Symposium on on World of Wireless, Mobile and Multimedia Networks, p.485-489, June 26-29, 2006
Seong Soo Kim , A. L. Narasimha Reddy, Statistical techniques for detecting traffic anomalies through packet header data, IEEE/ACM Transactions on Networking (TON), v.16 n.3, p.562-575, June 2008
Antoine Scherrer , Nicolas Larrieu , Philippe Owezarski , Pierre Borgnat , Patrice Abry, Non-Gaussian and Long Memory Statistical Characterizations for Internet Traffic with Anomalies, IEEE Transactions on Dependable and Secure Computing, v.4 n.1, p.56-70, January 2007
Ge Zhang , Sven Ehlert , Thomas Magedanz , Dorgham Sisalem, Denial of service attack and prevention on SIP VoIP infrastructures using DNS flooding, Proceedings of the 1st international conference on Principles, systems and applications of IP telecommunications, July 19-20, 2007, New York City, New York
Wei Li , Andrew W Moore, Learning for accurate classification of real-time traffic, Proceedings of the 2006 ACM CoNEXT conference, December 04-07, 2006, Lisboa, Portugal
Abbass Asosheh, Dr. , Naghmeh Ramezani, A comprehensive taxonomy of DDOS attacks and defense mechanism applying in a smart classification, WSEAS Transactions on Computers, v.7 n.4, p.281-290, April 2008
Abbass Asosheh, Dr. , Naghmeh Ramezani, A comprehensive taxonomy of DDOS attacks and defense mechanism applying in a smart classification, WSEAS Transactions on Computers, v.7 n.4, p.281-290, April 2008
Partha Kanuparthy , Constantine Dovrolis , Mostafa Ammar, Spectral probing, crosstalk and frequency multiplexing in internet paths, Proceedings of the 8th ACM SIGCOMM conference on Internet measurement, October 20-22, 2008, Vouliagmeni, Greece
Dongqing Yuan , Jiling Zhong, A lab implementation of SYN flood attack and defense, Proceedings of the 9th ACM SIGITE conference on Information technology education, October 16-18, 2008, Cincinnati, OH, USA
Minho Sung , Jun Xu , Jun Li , Li Li, Large-scale IP traceback in high-speed internet: practical techniques and information-theoretic foundation, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1253-1266, December 2008
Xiaowei Yang , David Wetherall , Thomas Anderson, TVA: a DoS-limiting network architecture, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1267-1280, December 2008
Xinming He , Christos Papadopoulos , John Heidemann , Urbashi Mitra , Usman Riaz, Remote detection of bottleneck links using spectral and statistical methods, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.53 n.3, p.279-298, February, 2009
Ping Du , Shunji Abe, IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks, IEICE - Transactions on Information and Systems, v.E91-D n.5, p.1274-1281, May 2008
Tao Peng , Christopher Leckie , Kotagiri Ramamohanarao, Survey of network-based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys (CSUR), v.39 n.1, p.3-es, 2007
Basheer Al-Duwairi , Manimaran Govindarasu, Novel Hybrid Schemes Employing Packet Marking and Logging for IP Traceback, IEEE Transactions on Parallel and Distributed Systems, v.17 n.5, p.403-418, May 2006
Li Zonglin , Hu Guangmin , Yao Xingmiao , Yang Dan, Detecting distributed network traffic anomaly with network-wide correlation analysis, EURASIP Journal on Advances in Signal Processing, 2009, p.1-11, January 2009
Chin-Tser Huang , Jeff Janies, An adaptive approach to granular real-time anomaly detection, EURASIP Journal on Advances in Signal Processing, 2009, p.1-13, January 2009
Xiapu Luo , Edmond W. W. Chan , Rocky K. C. Chang, Detecting pulsing denial-of-service attacks with nondeterministic attack intervals, EURASIP Journal on Advances in Signal Processing, 2009, p.1-13, January 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  G. Mathematics of Computing
  G.3 PROBABILITY AND STATISTICS
      Subjects: Time series analysis


General Terms:
Measurement, Security


Keywords:
denial of service attacks, measurement, security, time series analysis

Collaborative Colleagues:
Alefiya Hussain: colleagues
John Heidemann: colleagues
Christos Papadopoulos: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player