Identification of Repeated Denial of Service Attacks

Denial of Service attacks have become a weapon for extortion and vandalism, causing damages in the millions of dollars to commercial and government sites. Legal prosecution is a powerful deterrent, but requires attribution of attacks, currently a difficult task. In this paper we propose a method to automatically fingerprint and identify repeated attack scenarios—a combination of attacking hosts and attack tool. Such fingerprints not only aid in attribution for criminal and civil prosecution of attackers, but also help justify and focus response measures. Since packet contents can be easily manipulated, we base our fingerprints on the spectral characteristics of the attack stream, which are hard to forge. We validate our methodology by applying it to real attacks captured at a regional ISP and comparing the outcome with header-based classification. Finally, we conduct controlled experiments to identify and isolate factors that affect the attack fingerprint.
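The spectral fingerprint the abstract describes, as an added example that is not code from the paper: packet arrival timestamps are binned into a packets-per-bin series, the normalised power spectrum of that series (phase discarded) serves as the fingerprint, and two fingerprints are compared by cosine similarity. The flooding streams, the 2 ms bin width, the one-second window and the similarity measure are constructed assumptions for illustration, not the paper's parameters.

```python
import math
import random

BIN_WIDTH = 0.002   # seconds per bin (assumption: 500 Hz sampling of the arrival process)
N_BINS = 500        # assumption: one second of trace per fingerprint window

def arrival_counts(timestamps, bin_width=BIN_WIDTH, n_bins=N_BINS):
    """Turn packet arrival timestamps (seconds) into a packets-per-bin series."""
    counts = [0] * n_bins
    for t in timestamps:
        i = int(t / bin_width)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts

def fingerprint(counts):
    """Normalised power spectrum of the zero-mean count series (DFT bins 1..N/2-1); phase is dropped."""
    n = len(counts)
    mean = sum(counts) / n
    x = [c - mean for c in counts]
    power = []
    for k in range(1, n // 2):
        w = 2 * math.pi * k / n
        re = sum(x[t] * math.cos(w * t) for t in range(n))
        im = sum(x[t] * math.sin(w * t) for t in range(n))
        power.append(re * re + im * im)
    total = sum(power) or 1.0
    return [p / total for p in power]

def dominant_frequency_hz(spec, bin_width=BIN_WIDTH, n_bins=N_BINS):
    """Frequency of the strongest spectral line (DFT index k maps to k / (N * bin_width) Hz)."""
    k = max(range(len(spec)), key=spec.__getitem__) + 1
    return k / (n_bins * bin_width)

def similarity(spec_a, spec_b):
    """Cosine similarity between two fingerprints: 1.0 means identical spectral shape."""
    dot = sum(a * b for a, b in zip(spec_a, spec_b))
    norm = math.sqrt(sum(a * a for a in spec_a)) * math.sqrt(sum(b * b for b in spec_b))
    return dot / norm

def constructed_flood(rate_hz, jitter_s, seed, duration_s=1.0):
    """Constructed stand-in for a flooding tool that sends at a fixed rate with timing jitter."""
    rng = random.Random(seed)
    return [m / rate_hz + rng.uniform(-jitter_s, jitter_s)
            for m in range(int(rate_hz * duration_s))]

def compare_streams():
    """Two captures of the same 50 pkt/s tool versus one capture of a 20 pkt/s tool."""
    fp_a = fingerprint(arrival_counts(constructed_flood(50, 0.001, seed=1)))
    fp_b = fingerprint(arrival_counts(constructed_flood(50, 0.001, seed=2)))
    fp_c = fingerprint(arrival_counts(constructed_flood(20, 0.001, seed=3)))
    return similarity(fp_a, fp_b), similarity(fp_a, fp_c), dominant_frequency_hz(fp_a)
```

The two captures of the same constructed tool score close to 1.0 against each other while the different-rate tool scores low, and the strongest line of the 50 pkt/s stream sits at 50 Hz, which is the kind of header-independent signal the paper builds its fingerprints on.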
