John Heidemann/ PAPERS/ A Framework for Classifying Denial of Service Attacks-extended

A Framework for Classifying Denial of Service Attacks-extended

Alefiya Hussain, John Heidemann, and Christos Papadopoulos
USC/Information Sciences Institute

Abstract

 Launching a denial of service (DoS) attack is trivial, but detection and response is a painfully slow and often a manual process. Automatic classification of attacks as single- or multi-source can help focus a response, but current packet-header-based approaches are susceptible to spoofing. This paper introduces a framework for classifying DoS attacks based on header content, transient ramp-up behavior and novel techniques such as spectral analysis. Although headers are easily forged, we show that characteristics of attack ramp-up and attack spectrum are more difficult to spoof. To evaluate our framework we monitored access links of a regional ISP detecting 80 live attacks. Header analysis identified the number of attackers in 67 attacks, while the remaining 13 attacks were classified based on ramp-up and spectral analysis. We validate our results through monitoring at a second site, controlled experiments, and simulation. We use experiments and simulation to understand the underlying reasons for the characteristics observed. In addition to helping understand attack dynamics, classification mechanisms such as ours are important for the development of realistic models of DoS traffic, can be packaged as an automated tool to aid in rapid response to attacks, and can also be used to estimate the level of DoS activity on the Internet.

Availability

This paper is available in several formats: abstract web page with pointers and cites, PDF, paper copies can be obtained by mail to the authors. Copyright terms for this paper appear below.

Reference

Hussain03a
Alefiya Hussain, John Heidemann, and Christos Papadopoulos. A Framework for Classifying Denial of Service Attacks-extended. Technical Report ISI-TR-2003-569b, USC/Information Sciences Institute, June, 2003. (Original TR, February 2003, updated June 2003). <http://www.isi.edu/~johnh/PAPERS/Hussain03a.html>. 
@techreport{Hussain03a,
	author = "Alefiya Hussain and John Heidemann and Christos Papadopoulos",
	title = "A Framework for Classifying Denial of Service Attacks-extended",
	institution = "USC/Information Sciences Institute",
	year = "2003",
	number = "ISI-TR-2003-569b",
	month = "June",
	note = "(Original TR, February 2003, updated June 2003)",
	keywords = "ddos classification, spectral analysis",
	otherurl = "ftp://ftp.isi.edu/isi-pubs/tr-569.pdf",
	url = "http://www.isi.edu/~johnh/PAPERS/Hussain03a.html",
	pdfurl = "http://www.isi.edu/~johnh/PAPERS/Hussain03a.pdf",
	myorganization = "USC/Information Sciences Institute",
	copyrightholder = "authors",
}

Copyright

This paper is copyright © 2003 by its authors. Permission to make digital or hard copies of part or all of this work for personal use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted.

To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission of the authors.