Inferring Internet Denial-of-Service activity
David Moore (1), Geoffrey M. Voelker (2) and Stefan Savage (2)
(1) San Diego Supercomputer Center, University of California, San Diego
(2) Department of Computer Science and Engineering, University of California, San Diego
Presented by Yannis Klonatos
Outline
• Introduction & Motivation
• How do Denial-of-Service (DoS) attacks work?
• Backscatter technique
• Classifying DoS attacks
• Results
• Conclusions
Introduction
• First, a personal remark:
  • If I were asked about Denial-of-Service (DoS) attacks before reading this paper, I would in short argue: “Why the hell care? Let Yahoo, eBay, E-Trade and Microsoft figure out the mess. Nobody cares about DoS.”
  • However, I soon learned that most victims are in fact smaller commercial sites and educational institutions.
  • And that these attacks seem not to be well publicized.
• So, the main question is: “How prevalent are Denial-of-Service attacks on the Internet today?”
• This paper answers exactly this question…
Motivation
• There is currently not much quantitative data about DoS attacks:
  • neither about their prevalence
  • nor about their characteristic behavior.
• Moreover, there are multiple obstacles hampering the collection of an authoritative DoS traffic dataset:
  • Service and content providers consider such data sensitive and private.
  • Monitoring traffic at enough sites to obtain a representative measure of Internet-wide attacks presents a significant logistical challenge.
How do Denial-of-Service (DoS) attacks work?
• So, let’s say that I am: [image]
• And (since I am a Sith), I want to cause harm to all the PCs of the world using DoS attacks.
• “What must I do?” (I won’t use the Force, don’t worry)
• Well… The first step is always to locate one (Windows) PC to attack.
• So I choose the computer of… [image]
How do Denial-of-Service (DoS) attacks work?
• I have two ways to attack George’s PC:
  • First, I could exploit the numerous (Windows) bugs in his OS (logic attack).
    • No fun, since George will just call Microsoft and they will patch the bug (NO! they won’t, but ok…).
  • However, I could also perform a flooding attack and try to overwhelm the CPU, memory or network of George’s PC.
    • How? Well, I will send George a HUGE number of spurious small requests as fast as I can, so that he loses the ability to process them.
• But… remember that George is also a master of security in the DCS Lab at FORTH (advertisement…)
How do Denial-of-Service (DoS) attacks work?
• So what I really want is to transform George from this state: [image]
• To this state: [image]
• And thus a war for victory and survival begins…
How do Denial-of-Service (DoS) attacks work?
• Round 1: George says: “If I lack the resources to manage the huge number of requests you send me, let’s double the resources in my machine.”
• But this is not enough, since: [image] Distributed DoS attack (DDoS)
• Score: Me (Sith) 1 – George 0
How do Denial-of-Service (DoS) attacks work?
• Round 2: George (now a bit frustrated) shouts at me in anger: “I will catch you. I have a master’s degree in Computer Science, so I will find your IP and report you to the police… (a.k.a. the admins)”
• But this is not enough either, since:
  • I am able to change the source IP address to a random address before sending you the request…
  • … so that when you receive it, you MUST answer to a random host and cannot detect me!
  • This is called IP spoofing.
• Score: Me (Sith) 2 – George 0
How do Denial-of-Service (DoS) attacks work?
• Round 3: Now it can get even better for me (and worse for George):
  • Suppose that when using IP spoofing, I specifically choose the IP of a machine that I know constantly broadcasts.
  • This machine is called a reflector machine.
  • Then, when George replies to the reflector machine, the reply is broadcast to a bunch of other nodes as well.
  • Thus, with the help of George, the attack is amplified even further (the network gets congested).
• Final Score: Me (Sith) 3 – George 0
• George, disappointed, leaves DCS and joins CARV.
Backscatter technique
• So what can George do? Well, he has a way of knowing when and where a DoS attack takes place.
• A key observation is that George MUST answer all the requests I send him…
• These unneeded “reply” packets are called backscatter.
• George can measure DoS attacks through backscatter,
  • by observing many nodes like B, C, D (in the diagram) for unsolicited responses.
Assumptions & limitations of the backscatter technique
• Assumption 1:
  • Address uniformity: attackers spoof source addresses at random.
• Limitations 1:
  • Many attacks do not use address spoofing.
  • “Reflector attacks”: the source address is specifically selected.
  • ISPs increasingly employ ingress filtering.
  • Since automated methods exist for compromising many hosts quickly, DDoS attacks use true IP addresses.
Assumptions & limitations of the backscatter technique
• Assumption 2:
  • Reliable delivery: attack traffic and backscatter are delivered reliably.
• Limitations 2:
  • Packets from the attacker and responses may be queued and dropped.
  • Traffic may be filtered and rate limited by a firewall.
  • Some protocols do not elicit a response.
Assumptions & limitations of the backscatter technique
• Assumption 3:
  • Backscatter hypothesis: unsolicited packets observed by the monitor represent backscatter.
• Limitations 3:
  • Any server on the Internet can send unsolicited packets.
  • Random port scans may be misinterpreted as backscatter.
  • The vast majority of attacks can, however, be differentiated from typical scanning activity.
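The backscatter mechanism and the three assumptions above, worked through as an added example (this is not code from the paper or the slides): a Python simulation in which a flood with uniformly random spoofed sources reaches a victim, the victim's replies scatter over the whole IPv4 space, and a monitor that owns a /8 counts what lands in its range and scales up by 2^32/n. The victim model (one open TCP port), the 10.0.0.0/8 monitor prefix, the 192.0.2.10 victim address and the packet counts are all constructed assumptions; the scaling factor follows directly from assumption 1, and the reflector and no-response cases show where limitations 1 and 2 break the estimate.

```python
"""Backscatter simulation: spoofed flood -> victim replies -> monitor count.
Added example; the victim model, the monitor prefix and the victim address
are constructed, not taken from the paper."""
import ipaddress
import random

ADDRESS_SPACE = 2 ** 32                         # all IPv4 addresses
MONITOR = ipaddress.IPv4Network("10.0.0.0/8")   # constructed monitored prefix
VICTIM = "192.0.2.10"                           # constructed victim (documentation range)
OPEN_TCP_PORTS = {80}                           # constructed: the victim's one service


def victim_response(pkt):
    """Simplified model of the reply a host emits for one unsolicited packet.
    The reply goes to whatever source address the packet claimed. Returns
    None when nothing is elicited (limitation 2: some traffic gets no answer)."""
    src, dst = pkt["src"], pkt["dst"]
    if pkt["proto"] == "tcp":
        if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
            kind = "SYN/ACK" if pkt["dport"] in OPEN_TCP_PORTS else "RST"
        elif "ACK" in pkt["flags"]:
            kind = "RST"                        # no such connection exists
        else:
            return None                         # bare FIN etc.: silently dropped
        return {"proto": "tcp", "kind": kind, "src": dst, "dst": src}
    if pkt["proto"] == "udp":
        return {"proto": "icmp", "kind": "port-unreachable", "src": dst, "dst": src}
    if pkt["proto"] == "icmp" and pkt.get("kind") == "echo-request":
        return {"proto": "icmp", "kind": "echo-reply", "src": dst, "dst": src}
    return None


def spoofed_syn_flood(n_packets, seed=1):
    """Attack traffic under assumption 1: each packet carries a source
    address drawn uniformly at random from the whole IPv4 space."""
    rng = random.Random(seed)
    for _ in range(n_packets):
        yield {"proto": "tcp", "flags": {"SYN"}, "dport": 80,
               "src": rng.getrandbits(32), "dst": VICTIM}


def reflector_flood(n_packets, reflector):
    """Limitation 1: a reflector attack sets every source to one chosen
    address, so all replies go to the reflector and a monitor elsewhere sees
    nothing at all."""
    for _ in range(n_packets):
        yield {"proto": "tcp", "flags": {"SYN"}, "dport": 80,
               "src": reflector, "dst": VICTIM}


def observe_backscatter(attack_packets, monitor=MONITOR):
    """Count the victim's replies whose destination falls inside the
    monitored prefix: the unsolicited responses nodes B, C, D would log."""
    seen = 0
    for pkt in attack_packets:
        reply = victim_response(pkt)
        if reply is not None and ipaddress.IPv4Address(reply["dst"]) in monitor:
            seen += 1
    return seen


def estimate_attack_packets(observed, monitor=MONITOR):
    """Under uniform spoofing the monitor sees a fraction n / 2^32 of all
    replies, so scale the observed count up by 2^32 / n. Loss and filtering
    (limitation 2) only lower the observed count, so this is a lower bound."""
    return observed * ADDRESS_SPACE / monitor.num_addresses


def estimate_attack_rate(observed, window_seconds, monitor=MONITOR):
    """Lower-bound attack rate in packets per second over the window."""
    return estimate_attack_packets(observed, monitor) / window_seconds


if __name__ == "__main__":
    total = 100_000
    seen = observe_backscatter(spoofed_syn_flood(total))
    print(f"sent {total}, monitor saw {seen}, estimate >= {estimate_attack_packets(seen):.0f}")
    print("reflector flood seen by monitor:",
          observe_backscatter(reflector_flood(1000, "198.51.100.1")))
```

With a /8 the monitor covers 1/256 of the address space, so roughly 390 of 100,000 replies land in it and scaling back gives an estimate near the true 100,000; the reflector run returns zero, which is exactly why the slides list chosen source addresses as a limitation.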
Classifying DoS attacks
• So George (having rebooted his system after my attack) now asks: “I can live with these hypotheses. How do I classify the DoS attacks in order to get a quantitative estimate of their prevalence and characteristic behavior?”
• Solution: a three-step algorithm:
  • First, identify and extract backscatter packets from the raw trace.
  • Combine related packets into attack flows, based on the victim’s IP address (flow-based classification).
  • Filter out some attack flows based on intensity, duration and rate (event-based classification).
Classifying DoS attacks: What to measure
• TCP flag settings
• ICMP payload
• Address uniformity (distribution of source addresses)
• Port settings
• DNS & routing information
• Number of simultaneous attacks
• Distribution of attack rates
• Number of victims
• Intensity of attacks
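The three-step classification from the previous slide and several of the measurements listed above, as an added example that is not part of the paper's or the slides' material: a Python pass over a constructed text trace of packets arriving at a monitored /8. Step 1 keeps only response-type packets (so bare SYNs from a scanner are dropped, the misinterpretation limitation above), step 2 groups them by responding host, i.e. the victim, and splits on idle gaps, and step 3 keeps only flows that are intense and long enough. The trace lines, the 300-second flow timeout, the 100-packet and 60-second thresholds, and the per-/16 address-uniformity count are my own choices, not the paper's parameters.

```python
"""Three-step backscatter classification over a constructed trace.
Added example; trace, timeout and thresholds are constructed."""
import ipaddress
import random
from collections import defaultdict

MONITOR = ipaddress.IPv4Network("10.0.0.0/8")   # constructed monitored prefix
FLOW_TIMEOUT = 300     # seconds of silence that ends a flow (constructed)
MIN_PACKETS = 100      # intensity threshold (constructed)
MIN_DURATION = 60      # seconds (constructed)

# Packet kinds a host only sends in response to something. Anything else
# arriving at the monitor (e.g. a bare SYN) is a probe or scan, not backscatter.
BACKSCATTER_KINDS = {"SYN/ACK", "RST", "ICMP-unreach", "ICMP-echo-reply"}


def build_trace(seed=7):
    """Construct a trace of 'ts src dst kind' lines. 203.0.113.5 answers 300
    SYN/ACKs over ~10 minutes to random monitored addresses plus one straggler
    much later; 198.51.100.7 sends two RSTs; 192.0.2.99 scans with bare SYNs."""
    rng = random.Random(seed)

    def monitored_addr():
        return str(MONITOR[rng.randrange(MONITOR.num_addresses)])

    lines = [f"{2 * i} 203.0.113.5 {monitored_addr()} SYN/ACK" for i in range(300)]
    lines.append(f"5000 203.0.113.5 {monitored_addr()} SYN/ACK")
    lines += [f"{ts} 198.51.100.7 {monitored_addr()} RST" for ts in (50, 55)]
    lines += [f"{100 + i} 192.0.2.99 {monitored_addr()} SYN" for i in range(50)]
    lines.sort(key=lambda line: int(line.split()[0]))
    return "\n".join(lines)


def parse_trace(text):
    for line in text.splitlines():
        ts, src, dst, kind = line.split()
        yield {"ts": int(ts), "src": src, "dst": dst, "kind": kind}


def extract_backscatter(packets):
    """Step 1: keep only response-type packets addressed into the monitor."""
    return [p for p in packets
            if p["kind"] in BACKSCATTER_KINDS
            and ipaddress.IPv4Address(p["dst"]) in MONITOR]


def summarize(victim, pkts):
    start, end = pkts[0]["ts"], pkts[-1]["ts"]
    duration = end - start
    # Address-uniformity hint: how many of the 256 /16 blocks inside the /8
    # the spoofed sources (our destinations) cover. Random spoofing spreads
    # widely; a single-target reply stream does not.
    blocks = {ipaddress.IPv4Address(p["dst"]).packed[1] for p in pkts}
    return {"victim": victim, "packets": len(pkts), "start": start, "end": end,
            "duration": duration,
            "rate_pps": len(pkts) / duration if duration else float("inf"),
            "kinds": sorted({p["kind"] for p in pkts}),
            "distinct_16s": len(blocks)}


def build_flows(backscatter):
    """Step 2: group by responding host (the victim) and split on idle gaps."""
    by_victim = defaultdict(list)
    for p in sorted(backscatter, key=lambda p: p["ts"]):
        by_victim[p["src"]].append(p)
    flows = []
    for victim, pkts in by_victim.items():
        current = [pkts[0]]
        for p in pkts[1:]:
            if p["ts"] - current[-1]["ts"] > FLOW_TIMEOUT:
                flows.append(summarize(victim, current))
                current = []
            current.append(p)
        flows.append(summarize(victim, current))
    return flows


def filter_attacks(flows):
    """Step 3: keep flows intense and long enough to count as attacks."""
    return [f for f in flows
            if f["packets"] >= MIN_PACKETS and f["duration"] >= MIN_DURATION]


def classify(trace_text):
    return filter_attacks(build_flows(extract_backscatter(parse_trace(trace_text))))


if __name__ == "__main__":
    for attack in classify(build_trace()):
        print(attack)
```

On the constructed trace the scanner's 50 SYNs never enter step 1, the two-packet RST flow and the lone straggler are dropped in step 3, and one attack survives: victim 203.0.113.5, 300 packets over 598 seconds, with its spoofed sources spread over well over a hundred /16 blocks of the monitored /8.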
Results
• “Enough with George! (we don’t like him anyway, kidding…). Show us some results NOW!”
• Ok people, don’t shout! Here we go:
• (Note: for anyone who worries, don’t! George will play along in the other paper too :P)
Results (1/4): Attack frequency & statistics
• The rate of attacks doesn’t change significantly over the measurement period.
• No strong diurnal patterns, as seen in Web or P2P file sharing.
• Attacks were not clustered on particular subnets.
Results (2/4): Protocols & packet statistics
• 500 SYN packets are enough to overwhelm a server.
• 46% of attacks had 500 packets or more.
• 2.4% of attacks had ≥ 14,000 packets, which is enough to compromise attack-resistant firewalls.
Results (3/4): Attack distributions
• 50% of attacks last less than 10 min
• 80% last less than 30 min
• 90% last less than an hour
• 2% last longer than 5 hrs
• 1% last longer than 10 hrs
• Dozens span multiple days
• The right-hand graph shows peaks at 5, 10 and 20 minutes.
Results (4/4): Attacks on autonomous systems are not frequent
• Most victims (69%) were attacked in only one trace.
• Most of the remaining victims (18%) appear in two traces.
• 95% of victims were attacked five or fewer times.
• One host was attacked 48 times, for durations between 72 seconds and 5 hours.
Conclusions
• Well… George in this presentation had:
  • Discovered a new technique called “backscatter analysis” for estimating DoS attack activity on the Internet.
  • Observed widespread DoS attacks distributed among many domains and ISPs.
  • Noticed that the size and length of attacks were heavy-tailed.
  • Been surprised to learn the number of attacks directed at a few foreign countries.
• But… most importantly: HE HAD BEEN ATTACKED