Identification of Repeated Denial of Service Attacks
Alefiya Hussain, John Heidemann, and Christos Papadopoulos
USC/Information Sciences Institute
Abstract
Denial of Service attacks have become a weapon for extortion and vandalism causing damages in the millions of dollars to commercial and government sites. Legal prosecution is a powerful deterrent, but requires attribution of attacks, currently a difficult task. In this paper we propose a method to automatically fingerprint and identify repeated attack scenarios--a combination of attacking hosts and attack tool. Such fingerprints not only aid in attribution for criminal and civil prosecution of attackers, but also help justify and focus response measures. Since packet contents can be easily manipulated, we base our fingerprints on the spectral characteristics of the attack stream which are hard to forge. We validate our methodology by applying it to real attacks captured at a regional ISP and comparing the outcome with header-based classification. Finally, we conduct controlled experiments to identify and isolate factors that affect the attack fingerprint.
Availability
This paper is available in several formats: abstract web page with pointers and cites, and PDF. Paper copies can be obtained by mail to the authors. Copyright terms for this paper appear below.
Reference
- Hussain06a
- Alefiya Hussain, John Heidemann, and Christos Papadopoulos. Identification of Repeated Denial of Service Attacks. In Proceedings of the IEEE Infocom, p. to appear. Barcelona, Spain, IEEE. April, 2006. <http://www.isi.edu/~johnh/PAPERS/Hussain06a.html>.
@inproceedings{Hussain06a,
author = "Alefiya Hussain and John Heidemann and Christos Papadopoulos",
title = "Identification of Repeated Denial of Service Attacks",
booktitle = "Proceedings of the {IEEE} Infocom",
year = "2006",
publisher = "{IEEE}",
address = "Barcelona, Spain",
month = "April",
pages = "to appear",
keywords = "network forensics, network traffic fingerprinting, spectral analysis, DDoS",
url = "http://www.isi.edu/~johnh/PAPERS/Hussain06a.html",
pdfurl = "http://www.isi.edu/~johnh/PAPERS/Hussain06a.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "{IEEE}",
}