C.3. A Framework for Classifying Denial-of-Service Attacks


This paper, written by Alefiya Hussain, John Heidemann, and Christos Papadopoulos of the USC/Information Sciences Institute, analyzes data obtained by observing traffic at a particular ISP over the course of five months. The researchers used automated methods to pull possible DoS attacks from the observed traffic, then examined the flagged portions by hand to remove false positives. They acknowledge that the result is not a complete count of all DoS attacks that occurred, but a complete count was not the goal of their research. Their goal was to analyze actual DoS traffic, using statistical and other methods, to infer properties of each attack, such as whether it originated at a single site or at multiple sites and whether it was a direct attack from a set of DDoS agents or a reflector attack.

They observed 80 separate attacks. The first method they used to analyze the attacks was to examine the headers of the attack packets. Using techniques such as examining the IP identification (ID) and TTL fields of the packets, they were able to make strong inferences about which attacks were distributed and which came from a single source in 67 of the 80 cases. They then used statistical techniques (primarily arrival-rate analysis, ramp-up behavior, and spectral analysis) to examine their data further.

Header examination allowed them to determine that 37 of the attacks appeared to be single-sourced, 10 multisourced, and 20 reflector attacks. They could make no firm determination on the other 13 attacks. As in the backscatter experiments, they found that TCP was the most popular protocol used in the attacks, followed by ICMP. UDP and protocol 0 were used less frequently. Five of the attacks used more than one protocol.

The rates of the attacks that they observed varied from 300 packets per second to 98,000 packets per second. Not surprisingly, the high-rate attacks tended to be distributed, with the low-rate attacks being more commonly single sourced. Reflector attacks had intermediate rates.

Ramp-up analysis looked at how quickly the attack reached its peak. The researchers' hypothesis was that single-sourced attacks would usually reach their peak quickly, while multisourced attacks would increase more gradually, based on variations in the attack start times at different agents and varying amounts of time for the first packets from different agents to reach the target. The paper presents sample graphs from two of the 67 they analyzed, showing ramp-up times of three seconds and fourteen seconds, respectively. The former is classified with high confidence as a distributed attack in which IP spoofing was not used, while the researchers postulated that the latter was an attack from multiple machines on the same subnetwork, using subnet spoofing.
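The header-field inferences described two paragraphs above and the ramp-up measurement described here, written out as an added Python example. This is not code from the paper; it applies the same ideas (IP ID progression and TTL spread as evidence of one or many senders, ramp-up as the time from the first packet until the rate approaches its peak) to constructed packet records, and the concrete thresholds (ID step limit of 64, 90% of peak, one-second bins) are assumptions made here.

```python
"""Header-field and ramp-up heuristics for a captured DoS packet stream.

Added illustration, not code from the paper. It follows the ideas in the
summary above (IP ID progression and TTL spread as evidence of one or many
senders; ramp-up as time to reach the peak rate); the concrete thresholds
(ID step limit of 64, 90 % of peak, 1 s bins) are assumptions made here.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float    # arrival time at the monitor, seconds
    ip_id: int   # IP identification field (16 bit)
    ttl: int     # TTL as seen at the monitor


def monotonic_id_fraction(packets: List[Packet], max_step: int = 64) -> float:
    """Fraction of consecutive packets whose IP ID advances by a small step.

    One unspoofed host normally increments the ID field per packet, so the
    fraction is close to 1; interleaved senders or randomised IDs push it
    towards 0. The modulo handles the 16-bit wrap-around.
    """
    if len(packets) < 2:
        return 0.0
    steps = sum(
        1 for a, b in zip(packets, packets[1:])
        if 0 < (b.ip_id - a.ip_id) % 65536 <= max_step
    )
    return steps / (len(packets) - 1)


def classify_by_headers(packets: List[Packet]) -> str:
    """Infer 'single-source', 'multi-source' or 'undetermined' from headers."""
    stream = sorted(packets, key=lambda p: p.ts)
    if len({p.ttl for p in stream}) > 1:
        # Different TTLs mean different paths to the monitor, hence
        # more than one sender (or the TTL itself is being forged).
        return "multi-source"
    if monotonic_id_fraction(stream) >= 0.9:
        return "single-source"
    # One TTL but no usable ID progression: the IDs are randomised
    # (a spoofing tool, or an OS that randomises the field), so the
    # header fields alone cannot settle the question.
    return "undetermined"


def ramp_up_profile(packets: List[Packet], bin_s: float = 1.0,
                    frac: float = 0.9) -> Tuple[int, float]:
    """Return (peak packets per bin, seconds from first packet to frac*peak)."""
    stream = sorted(packets, key=lambda p: p.ts)
    start = stream[0].ts
    counts: Dict[int, int] = {}
    for p in stream:
        b = int((p.ts - start) / bin_s)
        counts[b] = counts.get(b, 0) + 1
    peak = max(counts.values())
    first = min(b for b, c in counts.items() if c >= frac * peak)
    return peak, first * bin_s


# Constructed sample traces (synthetic records, no real traffic).
def single_source_trace() -> List[Packet]:
    # one host, 100 pps for 6 s, sequential IDs, constant TTL
    return [Packet(i / 100.0, (1000 + i) % 65536, 54) for i in range(600)]


def multi_source_trace() -> List[Packet]:
    # three agents joining at 0, 2 and 4 s, 50 pps each, own ID counter and TTL
    agents = ((0.0, 1000, 54, 400), (2.0, 20000, 60, 300), (4.0, 40000, 48, 200))
    pkts = [Packet(start + i / 50.0, (id0 + i) % 65536, ttl)
            for start, id0, ttl, n in agents for i in range(n)]
    return sorted(pkts, key=lambda p: p.ts)


def randomised_id_trace() -> List[Packet]:
    # one TTL but random IDs: headers alone cannot count the senders
    rng = random.Random(7)
    return [Packet(i / 100.0, rng.randrange(65536), 54) for i in range(300)]


if __name__ == "__main__":
    for name, trace in (("single", single_source_trace()),
                        ("multi", multi_source_trace()),
                        ("random-id", randomised_id_trace())):
        print(name, classify_by_headers(trace), ramp_up_profile(trace))
```

On the constructed traces the single host is classified as single-source and reaches its peak in the first bin, the three staggered agents are classified as multi-source with a four-second ramp-up to the 150 pps peak, and the randomised-ID stream stays undetermined, which is the same caveat the paper's 13 unclassified attacks illustrate: header fields only help when the sender leaves them unforged.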

The researchers then applied spectral analysis of the packet arrival times to their data, on the hypothesis that it would allow them to distinguish single-sourced attacks from multisourced attacks despite the use of spoofing. Put simply, spectral analysis measures how similar the traffic is to itself over time. Single-sourced attacks were hypothesized to show high self-similarity for the entire course of the attack, even at very high data sampling rates, while multisourced attacks would show variations at sufficiently high sampling rates.

Using the 67 previously classified attacks, the researchers determined that there were indeed characteristically different spectra for the two types of attacks. Single-sourced attacks had dominant high frequencies, while multisourced attacks had dominant low frequencies. Reflector attacks showed their own characteristic spectral behavior. They confirmed these results by applying the techniques to a smaller second set of data gathered from USC's network, and by running experimental DoS attacks, capturing the packets, and using the techniques on these.
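The spectral comparison described in the last two paragraphs, as an added Python example that is not the paper's code or data. It bins constructed arrival times into a one-millisecond series, computes the power spectrum with a direct DFT, and reports the dominant non-DC frequency; the synthetic streams (one sender at a steady 250 pps versus five unsynchronised agents at 41 to 59 pps each), the 0.3 ms timing jitter, the 1 ms sampling bin, the 100 Hz split and the choice of dominant frequency as the summary statistic are all assumptions made here.

```python
"""Spectral view of packet arrival times: one sender versus several.

Added illustration, not the paper's code or data. The arrival streams are
synthetic: one sender emitting at a steady 250 pps, versus five agents at
41-59 pps each (their rates, the 0.3 ms timing jitter and the 1 ms sampling
bin are assumptions made here). The summary statistic is the dominant
non-DC frequency of the power spectrum of the binned arrival counts.
"""
import cmath
import math
import random
from typing import List


def bin_arrivals(times: List[float], bin_s: float, duration_s: float) -> List[int]:
    """Count arrivals per sampling bin, giving a discrete-time series."""
    n = int(round(duration_s / bin_s))
    series = [0] * n
    for t in times:
        k = math.floor(t / bin_s)
        if 0 <= k < n:
            series[k] += 1
    return series


def power_spectrum(series: List[int]) -> List[float]:
    """|DFT|^2 for k = 0..n//2 (direct DFT; fine for a one-second window)."""
    n = len(series)
    nonzero = [(t, c) for t, c in enumerate(series) if c]
    spec = []
    for k in range(n // 2 + 1):
        w = -2j * math.pi * k / n
        acc = sum(c * cmath.exp(w * t) for t, c in nonzero)
        spec.append(abs(acc) ** 2)
    return spec


def dominant_frequency(series: List[int], bin_s: float) -> float:
    """Frequency (Hz) with the most power, ignoring the DC term at k = 0."""
    spec = power_spectrum(series)
    k = max(range(1, len(spec)), key=spec.__getitem__)
    return k / (len(series) * bin_s)


def single_source_arrivals(rate: int = 250, duration_s: float = 1.0,
                           jitter_s: float = 0.0003, seed: int = 1) -> List[float]:
    """One host sending at a fixed rate with small timing jitter (constructed)."""
    rng = random.Random(seed)
    gap = 1.0 / rate
    return [m * gap + rng.gauss(0.0, jitter_s) for m in range(int(rate * duration_s))]


def multi_source_arrivals(rates=(41, 43, 47, 53, 59), duration_s: float = 1.0,
                          jitter_s: float = 0.0003, seed: int = 2) -> List[float]:
    """Several unsynchronised agents, each at its own modest rate (constructed)."""
    rng = random.Random(seed)
    times = []
    for rate in rates:
        gap = 1.0 / rate
        phase = rng.uniform(0.0, gap)  # agents are not synchronised
        times += [phase + m * gap + rng.gauss(0.0, jitter_s)
                  for m in range(int(rate * duration_s))]
    return sorted(times)


def classify_spectrum(times: List[float], bin_s: float = 0.001,
                      duration_s: float = 1.0, split_hz: float = 100.0) -> str:
    """Label by where the dominant frequency lies (split_hz is an assumption)."""
    f = dominant_frequency(bin_arrivals(times, bin_s, duration_s), bin_s)
    return "single-source" if f >= split_hz else "multi-source"


if __name__ == "__main__":
    for name, times in (("single", single_source_arrivals()),
                        ("multi", multi_source_arrivals())):
        series = bin_arrivals(times, 0.001, 1.0)
        print(name, dominant_frequency(series, 0.001), classify_spectrum(times))
```

The steady sender puts its power at its own packet rate (250 Hz), while the aggregate of slower agents is dominated by the fundamental of the busiest agent (59 Hz), which is the high-frequency versus low-frequency contrast the paragraph describes. The sampling bin matters, as the paper notes: a bin much wider than the single sender's inter-packet gap would fold its 250 Hz line away and blur the distinction.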

The paper discusses the use of these techniques for detecting and characterizing attacks in a live detection and defense system. For the purposes of this appendix, the important points are that it gives a per-ISP view of the frequency of significant DoS attacks (around 80 in three months) and that it shows single-sourced DoS attacks were still common at the time of the study, five months between mid-2002 and early 2003.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126
