John Heidemann

Identification of Repeated Denial of Service Attacks

TitleIdentification of Repeated Denial of Service Attacks
Publication TypeConference Paper
Year of Publication2006
AuthorsA. Hussain, J. Heidemann, and C. Papadopoulos
Date Publishedapr
Conference LocationBarcelona, Spain

Denial of Service attacks have become a weapon for extortion and vandalism causing damages in the millions of dollars to commercial and government sites. Legal prosecution is a powerful deterrent, but requires attribution of attacks, currently a difficult task. In this paper we propose a method to \emphautomatically fingerprint and \emphidentify repeated attack scenarios–-a combination of attacking hosts and attack tool. Such fingerprints not only aid in attribution for criminal and civil prosecution of attackers, but also help justify and focus response measures. Since packet contents can be easily manipulated, we base our fingerprints on the \emphspectral characteristics of the attack stream which are hard to forge. We validate our methodology by applying it to real attacks captured at a regional ISP and comparing the outcome with header-based classification. Finally, we conduct controlled experiments to identify and isolate factors that affect the attack fingerprint.