![Page 1: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/1.jpg)
CSE715 Presentation Project, Fall 2004, by Michael Alexandrou and Rusty Coleman
![Page 2: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/2.jpg)
The paper…
• A Framework for Classifying Denial of Service Attacks
Authors:
• Alefiya Hussain
• John Heidemann
• Christos Papadopoulos
![Page 3: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/3.jpg)
Basis for classifying DoS attacks
Why classify the attack?
• It helps to counter the attack: the right response (for example, traceback or filtering) depends on whether the flood comes from one source or from many.
Attack analysis:
• Header content
• Ramp-up behavior
• Spectral analysis
![Page 4: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/4.jpg)
Contribution of the paper
• An automated methodology
• Real-time attack analysis
• Traceback to identify the attacker becomes trivial once an attack is known to be single-source
• New techniques: ramp-up analysis and spectral analysis
![Page 5: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/5.jpg)
Taxonomy of DoS attacks
To launch a distributed DoS attack, a malicious user:
• Compromises Internet hosts by exploiting security holes.
• Installs attack tools on each compromised host, also known as a zombie.
![Page 6: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/6.jpg)
Taxonomy of DoS attacks
• Software exploits. These attacks exploit specific bugs in the victim's OS or applications. These cases are not considered in this paper.
• Flooding attacks
![Page 7: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/7.jpg)
Flooding attacks
• One or more attackers
• Streams of packets aimed at overwhelming link bandwidth or computing resources at the victim.
• Single-source attacks
• Multi-source attacks
• Reflector attacks (packets carrying the victim's address as source are sent to uninvolved hosts, whose replies flood the victim)
![Page 8: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/8.jpg)
Taxonomy of DoS attacks
![Page 9: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/9.jpg)
Flooding attacks
![Page 10: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/10.jpg)
Flooding attacks
![Page 11: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/11.jpg)
Flooding attacks
![Page 12: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/12.jpg)
Examples
• Ping of death
An oversized ICMP echo request: the fragments reassemble to more than the 65,535-byte IP maximum and crashed vulnerable IP stacks.
• Land attack
A TCP SYN packet with source host/port equal to destination host/port, which hung vulnerable stacks.
Both are software exploits that need only a packet or two; they are not floods.
![Page 13: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/13.jpg)
Attack tools
• Several canned attack tools are available on the Internet, such as Stacheldraht, Trinoo, Tribe Flood Network 2000 (TFN2K), and mstream, that generate flooding attacks using a combination of TCP, UDP, and ICMP packets.
![Page 14: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/14.jpg)
Attack classification
• Header contents
• Ramp-up behavior
• Spectral analysis
![Page 15: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/15.jpg)
Header contents
• Most attacks spoof the source IP address, so it cannot be used to count sources.
• The IP identification (ID) and TTL fields can still give hints about the attackers: a host's stack normally increments the ID field by one for every packet it sends, and the TTL is fixed by the path length, so one source leaves one TTL value and one rising ID sequence, while several sources leave several interleaved ID sequences and often several TTL values.
• It is difficult for attackers to coordinate the ID fields across zombies.
![Page 16: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/16.jpg)
Header contents
![Page 17: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/17.jpg)
Header contents
• Some attack tools forge all header fields, including ID and TTL.
• It is then impossible to distinguish between a single source and multiple sources from header information alone.
• Another technique is needed.
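The header heuristic above, as an added example that is not code from the paper or from the slides: packets are constructed (IP ID, TTL) pairs as they would be seen at the victim, the per-packet ID increment and the 16-entry gap tolerance are assumptions, and a stream whose headers are forged falls through to "undetermined" rather than being misread as many sources.

```python
# Added example (not from the paper or the slides): estimating the number of
# attack sources from the IP ID and TTL fields of packets seen at the victim.
# Packets are constructed (ip_id, ttl) pairs; nothing is read from the wire.

ID_MODULUS = 1 << 16  # the IP identification field is 16 bits wide


def split_id_chains(ids, max_gap=16):
    """Split a list of IP IDs into interleaved rising sequences.

    A host that sends a packet stream usually increments its ID field by
    one per packet, so each source leaves one rising chain. An ID joins the
    chain whose last ID is 1..max_gap below it (mod 2^16, to survive
    wraparound); otherwise it starts a new chain. max_gap (assumed) absorbs
    the host's other traffic, which also consumes IDs.
    """
    chains = []  # one list of IDs per detected sequence
    for ip_id in ids:
        for chain in chains:
            delta = (ip_id - chain[-1]) % ID_MODULUS
            if 0 < delta <= max_gap:
                chain.append(ip_id)
                break
        else:
            chains.append([ip_id])
    return chains


def estimate_sources(packets, max_gap=16):
    """Return (number of ID sequences, number of distinct TTLs).

    TTL is fixed by the path from a given source, so packets are first
    grouped by TTL and the ID chains are counted inside each group.
    """
    by_ttl = {}
    for ip_id, ttl in packets:
        by_ttl.setdefault(ttl, []).append(ip_id)
    n_sequences = sum(len(split_id_chains(ids, max_gap)) for ids in by_ttl.values())
    return n_sequences, len(by_ttl)


def classify_by_headers(packets):
    """'single', 'multi', or 'undetermined' when the headers look forged."""
    n_sequences, _ = estimate_sources(packets)
    # Tools that randomise the ID field leave almost one chain per packet:
    # the headers then carry no source count and another technique is needed.
    if n_sequences > len(packets) // 4:
        return "undetermined"
    return "single" if n_sequences == 1 else "multi"


def zombie(first_id, ttl, n):
    """Constructed stream of n packets from one spoofing host."""
    return [((first_id + i) % ID_MODULUS, ttl) for i in range(n)]


def lcg(seed):
    """Tiny deterministic generator standing in for a tool's random fields."""
    while True:
        seed = (1103515245 * seed + 12345) % (1 << 31)
        yield seed


# Constructed inputs: one host; three zombies interleaved in arrival order
# (two of them share a path length, hence the same TTL); fully forged headers.
SINGLE = zombie(1000, 54, 100)
MULTI = [p for trio in zip(zombie(5000, 54, 40), zombie(20000, 120, 40),
                           zombie(40000, 54, 40)) for p in trio]
_g = lcg(7)
FORGED = [((next(_g) >> 8) % ID_MODULUS, 32 + next(_g) % 200) for _ in range(100)]

if __name__ == "__main__":
    for name, pkts in (("single", SINGLE), ("multi", MULTI), ("forged", FORGED)):
        print(name, estimate_sources(pkts), classify_by_headers(pkts))
```

The "undetermined" threshold (more chains than a quarter of the packets) is the practical caveat from the slide: a tool that randomises every header field defeats this check, and the analysis has to fall back on timing, which the ramp-up and spectral techniques provide.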
![Page 18: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/18.jpg)
Ramp-up behavior
• Observation point near the victim
• The master triggers the zombies with a trigger message
• Because the trigger reaches each zombie at a different time and the zombies' clocks differ, they start sending at slightly different moments, so the aggregate attack rate ramps up gradually; a single source starts abruptly.
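A way to measure that ramp-up from per-bin packet counts, as an added example that is not code from the paper or the slides. The bin width (10 ms), the sending rates, the trigger arrival offsets and the 90% steady-state threshold are all assumptions; the traces are constructed from constant-rate senders.

```python
# Added example (not from the paper or the slides): measuring the ramp-up of
# the aggregate attack rate seen near the victim. Per-bin packet counts are
# constructed from constant-rate senders; bin width and rates are assumptions.

BIN_MS = 10  # assumed bin width in milliseconds


def aggregate_counts(sources, n_bins):
    """Packets per bin at the observation point.

    sources: list of (start_bin, packets_per_bin). Each zombie sends at a
    constant rate from its start bin on, as if it started the moment the
    master's trigger message reached it.
    """
    counts = [0] * n_bins
    for start, rate in sources:
        for b in range(start, n_bins):
            counts[b] += rate
    return counts


def ramp_up_bins(counts, fraction=0.9):
    """Bins from the first attack packet until the rate first reaches
    `fraction` of the steady-state rate (mean of the last quarter of bins)."""
    onset = next(b for b, c in enumerate(counts) if c > 0)
    tail = counts[3 * len(counts) // 4:]
    steady = sum(tail) / len(tail)
    reached = next(b for b in range(onset, len(counts))
                   if counts[b] >= fraction * steady)
    return reached - onset


def ramp_up_ms(counts, fraction=0.9):
    """Same measurement in milliseconds."""
    return ramp_up_bins(counts, fraction) * BIN_MS


# Constructed traces: one attacker at 400 packets/bin, versus four zombies at
# 100 packets/bin whose trigger messages arrive 0, 50, 120 and 200 ms apart.
SINGLE = aggregate_counts([(30, 400)], 200)
MULTI = aggregate_counts([(30, 100), (35, 100), (42, 100), (50, 100)], 200)

if __name__ == "__main__":
    print("single-source ramp-up:", ramp_up_ms(SINGLE), "ms")  # 0
    print("multi-source ramp-up:", ramp_up_ms(MULTI), "ms")    # 200
```

The single source reaches its full rate in the same bin it starts in, so its ramp-up is zero; the four zombies reach 90% of the combined rate only when the last trigger has arrived, so the ramp-up equals the spread of the trigger arrivals.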
![Page 19: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/19.jpg)
Spectral analysis
• The attack stream is treated as a discrete function of time x(t): the number of attack packets arriving in each time bin
• The autocorrelation function r(k) of x(t) is examined; its discrete-time Fourier transform gives the power spectrum of the stream
![Page 20: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/20.jpg)
Autocorrelation function
![Page 21: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/21.jpg)
Discrete-time Fourier transform
![Page 22: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/22.jpg)
Spectral analysis
• We define two functions
• The power of the attack stream P(f): the fraction of the spectrum's total power at frequencies up to f (the cumulative power C(f) normalized by C(f_max))
• The quantile of the attack stream F(p): the lowest frequency f at which P(f) reaches p
![Page 23: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/23.jpg)
The cumulative power P(f) and C(f)
![Page 24: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/24.jpg)
The quantile F(p)
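The whole spectral pipeline, as an added example that is not code from the paper or the slides, using the slides' symbols: x(t), r(k), the DTFT as power spectrum S(f), C(f), P(f) and F(p). The two streams are constructed, not the paper's traces: one host sending strictly periodically, and three zombies sending at a third of that rate whose start times are one bin apart. In the paper's data single-source attacks concentrate power at higher frequencies than multi-source ones; the constructed pair reproduces that qualitatively (F(0.6) drops from 1/3 to 1/9 cycles per bin), but the bin count, rates and offsets are assumptions.

```python
# Added example (not from the paper or the slides): the spectral pipeline in
# pure Python, following the slides' symbols. x(t) is packets per bin, r(k)
# its autocorrelation, S(f) the DTFT of r(k), C(f) the cumulative power,
# P(f) = C(f)/C(f_max) and F(p) the quantile. Streams are constructed;
# frequencies are in cycles per bin (divide by the bin width in seconds for Hz).
import math


def binned_stream(sources, n_bins):
    """x(t): each source sends one packet every `period` bins from `start`."""
    x = [0] * n_bins
    for start, period in sources:
        for t in range(start, n_bins, period):
            x[t] += 1
    return x


def autocorrelation(x):
    """r(k) for k = 0..N-1 of the mean-removed series (biased estimator)."""
    n = len(x)
    mean = sum(x) / n
    y = [v - mean for v in x]
    return [sum(y[t] * y[t + k] for t in range(n - k)) / n for k in range(n)]


def power_spectrum(r):
    """S(f) at f = j/N, j = 0..N/2: the DTFT of r(k) (Wiener-Khinchin).
    r(k) is even, so the transform reduces to a cosine sum."""
    n = len(r)
    out = []
    for j in range(n // 2 + 1):
        w = 2 * math.pi * j / n
        s = r[0] + 2 * sum(r[k] * math.cos(w * k) for k in range(1, n))
        out.append((j / n, max(s, 0.0)))  # clamp round-off below zero
    return out


def cumulative_power(spectrum):
    """[(f, C(f)), ...] with the DC bin left out: f = 0 only carries the
    average rate, not the timing structure."""
    total, out = 0.0, []
    for f, s in spectrum[1:]:
        total += s
        out.append((f, total))
    return out


def normalised_power(cumulative):
    """P(f) = C(f) / C(f_max)."""
    c_max = cumulative[-1][1]
    return [(f, c / c_max) for f, c in cumulative]


def quantile(P, p):
    """F(p): the lowest frequency at which P(f) >= p."""
    return next(f for f, v in P if v >= p)


def analyse(x, p=0.6):
    """Dominant frequency and F(p) of one binned attack stream."""
    spectrum = power_spectrum(autocorrelation(x))
    P = normalised_power(cumulative_power(spectrum))
    peak = max(spectrum[1:], key=lambda fs: fs[1])[0]
    return {"peak": peak, "F": quantile(P, p)}


# Constructed streams with the same average rate (one packet per 3 bins):
# one host sending strictly periodically, versus three zombies each sending
# every 9 bins that were triggered one bin apart.
N = 360
X_SINGLE = binned_stream([(0, 3)], N)
X_MULTI = binned_stream([(0, 9), (1, 9), (2, 9)], N)

if __name__ == "__main__":
    print("single:", analyse(X_SINGLE))  # peak 1/3, F(0.6) = 1/3
    print("multi: ", analyse(X_MULTI))   # peak 1/9, F(0.6) = 1/9
```

Evaluating the DTFT of r(k) at f = j/N equals |Y_j|²/N for the DFT Y of the mean-removed series, so S(f) is never negative in exact arithmetic; the clamp only removes round-off. On real traces the bins would be far more numerous and the spectrum noisy, which is why the paper summarises it with the single number F(p) rather than the peak.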
![Page 25: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/25.jpg)
Sample graphs: single source
![Page 26: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/26.jpg)
Sample graph: two sources
![Page 27: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/27.jpg)
Sample graph: three sources
![Page 28: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/28.jpg)
Sample graph: multiple sources
![Page 29: CSE715 Presentation Project Fall 2004 by Michael Alexandrou and Rusty Coleman](https://reader035.vdocuments.net/reader035/viewer/2022062518/5697bf8e1a28abf838c8cb79/html5/thumbnails/29.jpg)
Conclusion
• It is possible to determine the type of DoS attack
• Analysis can be performed on the attack to determine whether it is single- or multi-sourced
• An automated tool is needed to produce these analyses