DDoS/Traceback
Paper Group # 23:
Characterization

Slide Presentation

Paper List

1- “Inferring Internet Denial-of-Service Activity” [MOORE]

2- Characteristics of Network Traffic Flow Anomalies [Flow Anomaly]

3- An Analysis of Using Reflectors for Distributed Denial-of-Service Attacks [Reflector]

Summaries

1- MOORE

This paper asks how prevalent denial-of-service attacks are in the Internet today and answers it with a new technique called "backscatter analysis", which provides an estimate of worldwide denial-of-service activity. The observation behind the technique is that a victim flooded with packets whose source addresses are spoofed at random sends its replies (SYN/ACKs, RSTs, ICMP error messages) to those random addresses, so a monitor watching a large block of otherwise unused address space sees a sample of every victim's replies, and the rate, duration and target of an attack can be inferred from that sample. The authors apply this approach to three week-long datasets to assess the number, duration and focus of attacks, and to characterize their behavior. During this period they observe more than 12,000 attacks against more than 5,000 distinct targets, ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. The authors argue that this work is the only publicly available data quantifying denial-of-service activity in the Internet.
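As an added example (not code from the Moore et al. paper or from this course page), the following Python script shows the mechanics of backscatter analysis on a constructed packet trace. It assumes a monitor ("telescope") that sees all traffic to one otherwise unused /8, that attackers spoof source addresses uniformly over the whole 32-bit space, and attack thresholds (at least 100 packets, at least 60 seconds, flows split by 5 minutes of silence) chosen for the example; the addresses and timestamps are made up.

```python
"""Backscatter analysis on a constructed trace (added example, not the paper's code)."""
import random
from collections import defaultdict
from dataclasses import dataclass

TELESCOPE_PREFIX_BITS = 8                 # assumption: the monitor owns one /8
ADDRESS_SPACE = 2 ** 32
MONITORED = 2 ** (32 - TELESCOPE_PREFIX_BITS)

# Reply types a flooded victim emits toward the spoofed (random) sources.
BACKSCATTER_TYPES = {
    ("tcp", "SA"),               # SYN/ACK answering a spoofed SYN
    ("tcp", "RA"),               # RST/ACK answering a SYN to a closed port
    ("tcp", "R"),                # RST answering spoofed ACK/data
    ("icmp", "echo-reply"),
    ("icmp", "port-unreach"),
    ("icmp", "host-unreach"),
}


@dataclass(frozen=True)
class Record:
    ts: float      # seconds since trace start
    src: str       # sender of the unsolicited packet = candidate victim
    dst: str       # address inside the telescope that received it
    proto: str     # "tcp" or "icmp"
    kind: str      # TCP flags or ICMP message type


def is_backscatter(r):
    return (r.proto, r.kind) in BACKSCATTER_TYPES


def group_by_victim(records):
    by_victim = defaultdict(list)
    for r in records:
        if is_backscatter(r):
            by_victim[r.src].append(r)
    return by_victim


def split_flows(recs, timeout):
    """Yield runs of records separated by gaps longer than `timeout` seconds."""
    recs = sorted(recs, key=lambda r: r.ts)
    cur = [recs[0]]
    for r in recs[1:]:
        if r.ts - cur[-1].ts > timeout:
            yield cur
            cur = [r]
        else:
            cur.append(r)
    yield cur


def estimate_rate(n_packets, duration):
    """Attacker packets/s, scaling the telescope's share up to the whole
    address space (valid only for uniformly random spoofed sources)."""
    observed = n_packets / max(duration, 1.0)
    return observed * ADDRESS_SPACE / MONITORED


def classify_attacks(records, min_packets=100, min_duration=60.0, timeout=300.0):
    attacks = []
    for victim, recs in group_by_victim(records).items():
        for flow in split_flows(recs, timeout):
            duration = flow[-1].ts - flow[0].ts
            if len(flow) < min_packets or duration < min_duration:
                continue
            attacks.append({
                "victim": victim,
                "packets": len(flow),
                "duration": duration,
                "telescope_addrs_hit": len({r.dst for r in flow}),
                "est_rate_pps": estimate_rate(len(flow), duration),
            })
    return attacks


def sample_records():
    """Constructed trace: one SYN-flood victim, one short RST burst, one scanner."""
    rng = random.Random(7)
    rand_dst = lambda: "10.%d.%d.%d" % tuple(rng.randrange(256) for _ in range(3))
    recs = [Record(i * 0.5, "203.0.113.5", rand_dst(), "tcp", "SA") for i in range(241)]
    recs += [Record(10.0 + i, "192.0.2.7", rand_dst(), "tcp", "R") for i in range(20)]
    recs += [Record(3.0 + i, "198.51.100.9", rand_dst(), "tcp", "S") for i in range(500)]
    return recs


if __name__ == "__main__":
    for a in classify_attacks(sample_records()):
        print(a)
```

Only the SYN/ACK stream survives the thresholds: the scanner's SYNs are requests, not replies, and the 20-packet RST burst is too small. The rate estimate multiplies the observed rate by 2^32/2^24 = 256 because the /8 sees one 256th of the victim's replies; a flooder that does not spoof uniformly breaks that assumption, which is the main caveat the technique carries.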

2- Flow Anomaly

This project is focused on the precise characterization of anomalous network traffic behavior, covering classes of anomaly such as (1) network outages, (2) configuration changes, (3) flash crowds, and (4) abuse.

The authors gather passive measurements of network traffic at the IP flow level using the open-source FlowScan software. Their focus is to identify precisely the similarities and differences among the anomaly groups.

3- Reflector

Attackers can render distributed denial-of-service attacks more difficult to defend against by bouncing their flooding traffic off of reflectors; that is, by spoofing requests from the victim to a large set of Internet servers that will in turn send their combined replies to the victim. The resulting dilution of locality in the flooding stream complicates the victim's ability both to isolate the attack traffic in order to block it, and to use traceback techniques for locating the source of streams of packets with spoofed source addresses, such as ITRACE, probabilistic packet marking, and SPIE. This paper discusses a number of possible defenses against reflector attacks, finding that most prove impractical, and then assesses the degree to which different forms of reflector traffic will have characteristic signatures that the victim can use to identify and filter out the attack traffic. Their analysis indicates that three types of reflectors pose particularly significant threats: DNS servers, Gnutella servers, and TCP-based servers (particularly Web servers) running on TCP implementations that suffer from predictable initial sequence numbers. The paper concludes by arguing in support of "reverse ITRACE" and for the utility of packet traceback techniques that work even for low-volume flows, such as SPIE.
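The victim-side signature idea in this summary (unsolicited replies can be recognized because the victim knows which requests it actually sent) is illustrated by the following Python script, an added example that is not code from the reflector paper or from this course page. It assumes a hypothetical `ReplyFilter` sitting at the victim that records the DNS queries and TCP SYNs the victim emits and classifies inbound replies against that state; the addresses, ports and transaction IDs are constructed.

```python
"""Victim-side classification of reflected replies (added example, not the paper's code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                 # "udp" or "tcp"
    kind: str = ""             # TCP flags: "S", "SA", "PA"; unused for UDP
    txid: Optional[int] = None # DNS transaction ID for UDP/53
    seq: int = 0
    ack: int = 0


class ReplyFilter:
    """Accepts a reply only if the victim has a matching outstanding request."""

    def __init__(self):
        self.dns_pending = set()   # (server, our_port, txid)
        self.tcp_pending = {}      # (server, server_port, our_port) -> ISN we sent
        self.tcp_open = set()      # 3-tuples with a completed handshake

    def sent(self, p):
        """Record a request the victim really transmitted."""
        if p.proto == "udp" and p.dport == 53:
            self.dns_pending.add((p.dst, p.sport, p.txid))
        elif p.proto == "tcp" and p.kind == "S":
            self.tcp_pending[(p.dst, p.dport, p.sport)] = p.seq

    def received(self, p):
        """Return 'ok' for a solicited reply, otherwise a reflected-* label."""
        if p.proto == "udp" and p.sport == 53:
            key = (p.src, p.dport, p.txid)
            if key in self.dns_pending:
                self.dns_pending.discard(key)
                return "ok"
            return "reflected-dns"            # DNS answer to a query we never sent
        if p.proto == "tcp":
            conn = (p.src, p.sport, p.dport)
            if p.kind == "SA":
                isn = self.tcp_pending.get(conn)
                if isn is not None and p.ack == isn + 1:
                    del self.tcp_pending[conn]
                    self.tcp_open.add(conn)
                    return "ok"
                return "reflected-synack"     # SYN/ACK for a SYN we never sent
            if conn in self.tcp_open:
                return "ok"
            # Data on a connection we never opened: the predictable-ISN case,
            # where the attacker completed the handshake on our behalf.
            return "reflected-tcp"
        return "unknown"


def demo():
    """Constructed scenario: legitimate traffic plus three reflector types."""
    v = "192.0.2.10"                      # constructed victim address
    f = ReplyFilter()
    f.sent(Pkt(v, 40000, "198.51.100.53", 53, "udp", txid=0x1234))
    f.sent(Pkt(v, 40001, "198.51.100.80", 80, "tcp", kind="S", seq=1000))
    inbound = [
        Pkt("198.51.100.53", 53, v, 40000, "udp", txid=0x1234),        # real answer
        Pkt("198.51.100.80", 80, v, 40001, "tcp", kind="SA", ack=1001),# real SYN/ACK
        Pkt("198.51.100.80", 80, v, 40001, "tcp", kind="PA"),          # real data
        Pkt("203.0.113.1", 53, v, 40500, "udp", txid=0x0101),          # DNS reflector
        Pkt("203.0.113.2", 53, v, 40501, "udp", txid=0x0202),          # DNS reflector
        Pkt("203.0.113.9", 80, v, 40600, "tcp", kind="SA", ack=7),     # SYN/ACK reflector
        Pkt("203.0.113.9", 80, v, 40600, "tcp", kind="PA"),            # predictable-ISN data
    ]
    return Counter(f.received(p) for p in inbound)


if __name__ == "__main__":
    print(demo())
```

The filter is only a classifier: it can drop reflected replies at the victim's edge, but it does nothing about the link capacity those replies already consumed upstream, which is why the paper turns to traceback rather than filtering alone.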


References

1- MOORE

  1. Gaurav Banga, Peter Druschel, and Jeffrey Mogul. Resource Containers: A New Facility for Resource Management in Server Systems. In Proceedings of the 1999 USENIX/ACM Symposium on Operating System Design and Implementation, pages 45–58, February 1999.
  2. Steven M. Bellovin. ICMP Traceback Messages. Internet Draft: draft-bellovin-itrace-00.txt, March 2000.
  3. Hal Burch and Bill Cheswick. Tracing Anonymous Packets to Their Approximate Source. In Proceedings of the 2000 USENIX LISA Conference, pages 319–327, New Orleans, LA, December 2000.
  4. Cisco Systems. Configuring TCP Intercept (Prevent Denial-of-Service Attacks). Cisco IOS Documentation, December 1997.
  5. Cisco Systems. Unicast Reverse Path Forwarding. Cisco IOS Documentation, May 1999.

2- Flow Anomaly

  1. K. Claffy, G. Polyzos, and H.-W. Braun, “Internet traffic flow profiling,” Tech. Rep. TR-CS93-328, University of California San Diego, November 1993.
  2. D. Plonka, “FlowScan: A network traffic flow reporting and visualization tool,” in Proceedings of the USENIX Fourteenth System Administration Conference (LISA XIV), New Orleans, LA, December 2000.
  3. Cisco’s IOS NetFlow Feature, http://www.cisco.com/wrap/public/732/netflow.

3- Reflector

  1. C. Barros, “[LONG] A Proposal for ICMP Traceback Messages,” http://www.research.att.com/lists/ietf-itrace/2000/09/msg00044.html, Sept. 18, 2000.
  2. S. Bellovin, “Defending Against Sequence Number Attacks,” RFC 1948, May 1996.
  3. S. Bellovin, “ICMP Traceback Messages,” Internet Draft, http://www.research.att.com/~smb/papers/draft-bellovin-itrace-00.txt, March 2000.
  4. S. Bellovin, “Security Aspects of Napster and Gnutella,” http://www.research.att.com/~smb/talks/NapsterGnutella/index.htm, June 2000.
  5. … and F. Tchakountio, “Hash-Based IP Traceback,” Proc. ACM/SIGCOMM, to appear, August 2001.
  6. D. Song and A. Perrig, “Advanced and Authenticated Marking Schemes for IP Traceback,” Proc. IEEE INFOCOM, April 2001.