Inferring Internet denial-of-service activity

Published: 01 May 2006

Abstract

In this article, we seek to address a simple question: “How prevalent are denial-of-service attacks in the Internet?” Our motivation is to quantitatively understand the nature of the current threat as well as to enable longer-term analyses of trends and recurring patterns of attacks. We present a new technique, called “backscatter analysis,” that provides a conservative estimate of worldwide denial-of-service activity. We use this approach on 22 traces (each covering a week or more) gathered over three years from 2001 through 2004. Across this corpus we quantitatively assess the number, duration, and focus of attacks, and qualitatively characterize their behavior. In total, we observed over 68,000 attacks directed at over 34,000 distinct victim IP addresses, ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. We believe our technique is the first to provide quantitative estimates of Internet-wide denial-of-service activity and that this article describes the most comprehensive public measurements of such activity to date.
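The abstract names backscatter analysis without spelling out the mechanics, so the following is an added illustration of the idea, written for this page and not taken from the paper or its authors' tooling. A flood that forges random source addresses makes the victim answer hosts that never sent anything; a monitor watching an otherwise unused address block (a "network telescope") therefore receives a sample of the victim's replies, and the sampled fraction of the address space lets the observed reply rate be scaled up to a lower-bound estimate of the attack rate. The telescope prefix, the trace, and the two thresholds (inactivity timeout, minimum packets per event) are constructed assumptions for this example, not values from the article.

```python
"""Backscatter analysis over a constructed packet trace (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds
    src: str     # source address: the host that replied, i.e. the victim
    dst: str     # destination address: should fall inside the telescope
    proto: str   # "tcp" or "icmp"
    kind: str    # TCP flag string ("SA", "R", "S") or ICMP type name


# Packet types a host only emits in response to traffic it received; when they
# arrive at addresses that never sent anything, they are backscatter.
BACKSCATTER_KINDS = {
    ("tcp", "SA"),                 # SYN-ACK answering a forged SYN
    ("tcp", "R"),                  # RST answering a forged packet to a closed port
    ("tcp", "RA"),
    ("icmp", "echo-reply"),        # reply to a forged echo request
    ("icmp", "dest-unreachable"),  # error answering a forged packet
    ("icmp", "ttl-exceeded"),
}

# Constructed: a private /8 stands in for an unused, monitored address block.
TELESCOPE = ip_network("10.0.0.0/8")

# Constructed trace: one victim (203.0.113.5) answering a spoofed flood, a
# stray ICMP reply, a scan SYN (not a response, so not backscatter), and a
# reply aimed outside the telescope.
SAMPLE_TRACE = [
    Packet(0.0,   "203.0.113.5",  "10.14.2.9",  "tcp",  "SA"),
    Packet(1.5,   "203.0.113.5",  "10.200.1.1", "tcp",  "SA"),
    Packet(3.0,   "203.0.113.5",  "10.7.7.7",   "tcp",  "SA"),
    Packet(4.5,   "203.0.113.5",  "10.99.0.3",  "tcp",  "R"),
    Packet(6.0,   "203.0.113.5",  "10.33.1.2",  "tcp",  "SA"),
    Packet(9.0,   "203.0.113.5",  "10.0.0.8",   "tcp",  "SA"),
    Packet(2.0,   "198.51.100.7", "10.5.5.5",   "icmp", "echo-reply"),
    Packet(5.0,   "192.0.2.44",   "10.8.8.8",   "tcp",  "S"),
    Packet(7.0,   "203.0.113.5",  "172.16.0.1", "tcp",  "SA"),
    Packet(700.0, "203.0.113.5",  "10.1.2.3",   "tcp",  "SA"),
    Packet(701.0, "203.0.113.5",  "10.1.2.4",   "tcp",  "SA"),
    Packet(702.0, "203.0.113.5",  "10.1.2.5",   "tcp",  "SA"),
]


def is_backscatter(pkt, telescope):
    """True when a response-only packet type lands inside the telescope."""
    return ip_address(pkt.dst) in telescope and (pkt.proto, pkt.kind) in BACKSCATTER_KINDS


def group_attacks(packets, telescope, timeout=300.0, min_packets=3):
    """Group backscatter by replying source (the victim) into attack events.

    A silence longer than `timeout` seconds closes an event, and events with
    fewer than `min_packets` packets are discarded as noise. Both thresholds
    are assumed for this example. Returns (victim, start, end, count) tuples.
    """
    by_victim = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if is_backscatter(p, telescope):
            by_victim[p.src].append(p.ts)
    events = []
    for victim, times in by_victim.items():
        start, last, n = times[0], times[0], 0
        for t in times:
            if t - last > timeout:
                if n >= min_packets:
                    events.append((victim, start, last, n))
                start, n = t, 0
            last = t
            n += 1
        if n >= min_packets:
            events.append((victim, start, last, n))
    return events


def estimate_attack_rate(observed_packets, duration, telescope):
    """Scale the observed reply rate by the fraction of IPv4 space monitored.

    Assumes spoofed sources are uniformly random and the victim answers every
    packet; any filtering or unanswered packets only lowers what the telescope
    sees, so the result is a conservative (lower-bound) estimate.
    """
    fraction = telescope.num_addresses / 2 ** 32
    return observed_packets / duration / fraction


def summarize(packets, telescope, **thresholds):
    """Per-event summary with the extrapolated packets-per-second estimate."""
    out = []
    for victim, start, end, n in group_attacks(packets, telescope, **thresholds):
        duration = max(end - start, 1.0)  # one-second floor so a burst has a finite rate
        out.append({"victim": victim, "start": start, "end": end, "observed": n,
                    "est_pps": estimate_attack_rate(n, duration, telescope)})
    return out


if __name__ == "__main__":
    for event in summarize(SAMPLE_TRACE, TELESCOPE):
        print(event)
```

On the constructed trace the victim shows up as two events separated by the inactivity gap, the lone echo reply and the scan SYN are ignored, and a /8 telescope multiplies the observed rate by 256 (it sees 1/256 of a uniformly spoofed flood). Real traces need the same care the article applies: reflected traffic from misconfigured hosts and non-uniform spoofing both distort the extrapolation, which is why the result should be read as a floor rather than a point estimate.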

