Use of spectral analysis in defense against DoS attacks

We propose using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks. The approach can reduce false positives of attacker identification schemes and thus decrease the associated unnecessary slowdown or stoppage of legitimate traffic. For the spectral analysis, we use the number of packet arrivals of a flow in fixed-length time intervals as the signal. We then estimate the power spectral density of the signal, in which periodicity in the signal, or the lack of it, reveals itself. A normal TCP flow should exhibit strong periodicity around its round-trip time in both flow directions, whereas an attack flow usually does not. We validate the effectiveness of the approach with simulation and trace analysis. We argue that the approach complements existing DoS defense mechanisms that focus on identifying attack traffic.
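The following is an added illustration of the pipeline the abstract describes, written for this page; it is not code from the paper. It bins packet arrival times into fixed 10 ms intervals, estimates the power spectral density with a plain periodogram (DFT of the mean-removed count signal), locates the strongest spectral line, and measures how strongly that line stands out from the rest of the spectrum. Both input flows are constructed: a TCP-like flow that sends one window of packets every round-trip time (RTT of 100 ms with a little jitter, one direction only) and a memoryless flood with no RTT structure. The bin width, RTT, window size, flood rate and the strength threshold of 20 are assumptions chosen for the example, not values taken from the paper.

```python
import cmath
import math
import random

BIN_WIDTH = 0.01   # seconds per interval (10 ms); assumed value
DURATION = 10.0    # seconds of traffic per constructed flow
RTT = 0.1          # round-trip time of the constructed TCP flow (100 ms)


def bin_arrivals(timestamps, bin_width=BIN_WIDTH, duration=DURATION):
    """Turn packet arrival times into the per-interval count signal x[n]."""
    n_bins = int(round(duration / bin_width))
    counts = [0] * n_bins
    for t in timestamps:
        idx = math.floor(t / bin_width)
        if 0 <= idx < n_bins:          # arrivals outside the window are ignored
            counts[idx] += 1
    return counts


def power_spectrum(signal):
    """Periodogram PSD estimate: |X_k|^2 for k = 1 .. N//2 of the mean-removed signal."""
    n = len(signal)
    mean = sum(signal) / n
    x = [v - mean for v in signal]     # remove DC so it cannot mask the RTT line
    w = [cmath.exp(-2j * math.pi * m / n) for m in range(n)]   # twiddle table
    spectrum = []
    for k in range(1, n // 2 + 1):
        acc = 0j
        for t, v in enumerate(x):
            if v:                      # most bins of a bursty flow are empty
                acc += v * w[(k * t) % n]
        spectrum.append(abs(acc) ** 2)
    return spectrum


def dominant_period(counts, bin_width=BIN_WIDTH):
    """Return (period_seconds, strength) of the strongest spectral line, where
    strength is the line's power divided by the mean power of all lines."""
    spec = power_spectrum(counts)
    n = len(counts)
    i_peak = max(range(len(spec)), key=lambda i: spec[i])
    k_peak = i_peak + 1                # spec[0] holds k = 1
    freq_hz = k_peak / (n * bin_width)
    strength = spec[i_peak] / (sum(spec) / len(spec))
    return 1.0 / freq_hz, strength


def looks_like_tcp(counts, bin_width=BIN_WIDTH, min_strength=20.0):
    """Flows with a strong periodic component are treated as normal TCP and
    exempted from dropping or rate limiting. The threshold is an assumed value."""
    _, strength = dominant_period(counts, bin_width)
    return strength >= min_strength


def constructed_tcp_flow(rtt=RTT, cwnd=8, pkt_spacing=0.001, jitter=0.007, seed=1):
    """Constructed data-direction timestamps: one window of cwnd packets per
    round trip, each round jittered independently. Not captured traffic."""
    rng = random.Random(seed)
    times = []
    for r in range(int(DURATION / rtt)):
        start = r * rtt + rng.gauss(0.0, jitter)
        times.extend(start + i * pkt_spacing for i in range(cwnd))
    return times


def constructed_flood(rate_pps=800.0, seed=2):
    """Constructed flood: Poisson arrivals, i.e. no round-trip clocking at all."""
    rng = random.Random(seed)
    times, t = [], 0.0
    while True:
        t += rng.expovariate(rate_pps)
        if t >= DURATION:
            return times
        times.append(t)


if __name__ == "__main__":
    for name, times in (("tcp", constructed_tcp_flow()), ("flood", constructed_flood())):
        counts = bin_arrivals(times)
        period, strength = dominant_period(counts)
        print(f"{name}: dominant period {period * 1000:.1f} ms, "
              f"strength {strength:.1f}, tcp-like={looks_like_tcp(counts)}")
```

For the constructed TCP flow the strongest line sits at 10 Hz, i.e. a 100 ms period matching the RTT, and it carries far more power than the average line; for the Poisson flood the spectrum is flat apart from noise, so no line stands out and the flow is not exempted. The paper's method looks for the RTT line in both flow directions; this example checks a single direction and uses a fixed strength threshold, which is only one of several ways the peak could be scored.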
