Identification of Repeated DoS Attacks using Network Traffic Forensics

Alefiya Hussain, John Heidemann, and Christos Papadopoulos
USC/Information Sciences Institute

Abstract

Denial-of-service attacks on the Internet today are often launched from zombies, multiple compromised machines controlled by an attacker. Attackers often take control of a number of zombies and then repeatedly use this army to attack a target several times, or to attack several targets. In this paper, we propose a method to identify repeated attack scenarios, that is, the combination of a particular set of hosts and attack tool. Such identification would help a victim coordinate response to an attack, and ideally would be a useful part of legal actions. Because packet contents can be forged by the attacker, we identify an attack scenario by spectral analysis of the arrival stream of attack traffic. The attack spectrum is derived from the characteristics of the attack machines and can therefore be obscured only by reducing attack effectiveness. We designed a multi-dimensional maximum-likelihood classifier to identify repeated attack scenarios. To validate this procedure we apply our approach on real-world attacks captured at a regional ISP, identifying similar attacks first by header contents (when possible) and comparing these results to our process. We conduct controlled experiments to identify and isolate factors that affect the attack fingerprint.
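The abstract describes a pipeline rather than a packet signature: bin the attack arrival stream, take its spectrum, extract a fingerprint, and feed that to a maximum-likelihood classifier trained on previously seen scenarios. The following Python sketch is an added illustration of that pipeline and is not the authors' code; the report's actual window length, feature set and classifier are not reproduced here. It assumes two constructed scenarios (hypothetical flood tools sending at 125 and 250 packets per second with Gaussian send jitter, mixed with Poisson background traffic), 1 ms bins over 2.048 s windows, two spectral features (dominant frequency and its share of total power), and one diagonal-covariance Gaussian per scenario. All traffic is synthesised inline, so the block runs offline.

```python
import cmath
import math
import random

BIN_SEC = 0.001                 # arrival stream is binned into 1 ms packet counts
N_BINS = 2048                   # one spectrum per 2048 ms window (power of two for the FFT)
WINDOW_SEC = N_BINS * BIN_SEC
VAR_FLOOR = (1.0, 1e-3)         # per-feature variance floor: ~1 Hz, ~3% of peak share


def synth_scenario(rng, period, jitter, start, duration, background_rate):
    """Constructed traffic (not capture data): a fixed-rate flood, one packet every
    `period` seconds with Gaussian send jitter, mixed with Poisson background arrivals."""
    attack = [start + i * period + rng.gauss(0.0, jitter)
              for i in range(int(duration / period))]
    background, t = [], 0.0
    while True:
        t += rng.expovariate(background_rate)
        if t >= duration:
            break
        background.append(t)
    return sorted(attack + background)


def arrival_counts(timestamps, t0):
    """Count the packets in each BIN_SEC slot of the window [t0, t0 + WINDOW_SEC)."""
    counts = [0] * N_BINS
    for t in timestamps:
        i = math.floor((t - t0) / BIN_SEC)   # floor, not int(): negative offsets must not land in bin 0
        if 0 <= i < N_BINS:
            counts[i] += 1
    return counts


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        w = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k], out[k + n // 2] = even[k] + w, even[k] - w
    return out


def power_spectrum(series):
    """Power in each DFT bin below Nyquist, with the mean (DC) removed first so the
    average packet rate does not swamp the periodic structure."""
    mean = sum(series) / len(series)
    spec = fft([v - mean for v in series])
    return [abs(c) ** 2 for c in spec[:len(series) // 2]]


def fingerprint(series):
    """Spectral features of one window: dominant frequency (Hz) and its share of power."""
    spec = power_spectrum(series)
    k_peak = max(range(1, len(spec)), key=spec.__getitem__)   # bin 0 is DC, already zero
    return [k_peak / WINDOW_SEC, spec[k_peak] / sum(spec)]


def window_fingerprints(timestamps, n_windows):
    return [fingerprint(arrival_counts(timestamps, i * WINDOW_SEC)) for i in range(n_windows)]


def fit_gaussian(rows):
    """Diagonal-covariance Gaussian per scenario: feature means and floored variances."""
    dims = len(rows[0])
    means = [sum(r[d] for r in rows) / len(rows) for d in range(dims)]
    variances = [max(sum((r[d] - means[d]) ** 2 for r in rows) / len(rows), VAR_FLOOR[d])
                 for d in range(dims)]
    return means, variances


def log_likelihood(features, model):
    means, variances = model
    return sum(-0.5 * math.log(2 * math.pi * v) - (x - m) ** 2 / (2 * v)
               for x, m, v in zip(features, means, variances))


def classify(features, models):
    """Maximum-likelihood choice among the known attack scenarios."""
    return max(models, key=lambda name: log_likelihood(features, models[name]))


def run_demo(seed=7, n_windows=6, n_train=4):
    """Fit one model per constructed scenario on its first windows, classify the rest."""
    rng = random.Random(seed)
    duration = n_windows * WINDOW_SEC
    scenarios = {                               # hypothetical tools: 125 pps and 250 pps floods
        "scenario-A": dict(period=0.008, jitter=0.0007, start=0.0003),
        "scenario-B": dict(period=0.004, jitter=0.0007, start=0.0006),
    }
    models, tests = {}, []
    for name, params in scenarios.items():
        pkts = synth_scenario(rng, duration=duration, background_rate=50.0, **params)
        fps = window_fingerprints(pkts, n_windows)
        models[name] = fit_gaussian(fps[:n_train])
        tests += [(name, fp) for fp in fps[n_train:]]
    correct = sum(classify(fp, models) == truth for truth, fp in tests)
    return {"models": models, "accuracy": correct / len(tests)}


if __name__ == "__main__":
    result = run_demo()
    for name, (means, _) in result["models"].items():
        print(f"{name}: dominant {means[0]:.1f} Hz, peak share {means[1]:.3f}")
    print("held-out accuracy:", result["accuracy"])
```

The point the abstract makes is visible in the features: the dominant frequency comes from the sending tool's rate and the hosts' timing behaviour, not from anything in the packet headers, so an attacker can only move it by changing how fast the zombies send. The variance floor matters in practice; with a handful of training windows a feature can have near-zero sample variance, and without the floor a trivial shift would produce an extreme log-likelihood.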

Availability

This paper is available in several formats: an abstract web page with pointers and citations, a PDF, and paper copies, which can be obtained by mail from the authors. Copyright terms for this paper appear below.

Reference

Hussain03c
Alefiya Hussain, John Heidemann, and Christos Papadopoulos. Identification of Repeated DoS Attacks using Network Traffic Forensics. Technical Report ISI-TR-2003-577b, USC/Information Sciences Institute, August, 2003. Originally released August 2003, updated June 2004. <http://www.isi.edu/~johnh/PAPERS/Hussain03c.html>.
@techreport{Hussain03c,
	author = "Alefiya Hussain and John Heidemann and Christos Papadopoulos",
	title = "Identification of Repeated DoS Attacks using Network Traffic Forensics",
	institution = "USC/Information Sciences Institute",
	year = "2003",
	number = "ISI-TR-2003-577b",
	note = "Originally released August 2003, updated June 2004",
	month = "August",
	keywords = "network forensics, network traffic fingerprinting, spectral analysis, DDoS",
	otherurl = "http://www.isi.edu/~hussain/pubs/Hussain03c.pdf",
	url = "http://www.isi.edu/~johnh/PAPERS/Hussain03c.html",
	pdfurl = "http://www.isi.edu/~johnh/PAPERS/Hussain03c.pdf",
	myorganization = "USC/Information Sciences Institute",
	copyrightholder = "authors",
}

Copyright

This paper is copyright © 2003 by its authors. Permission to make digital or hard copies of part or all of this work for personal use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted.

To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission of the authors.