Attack profiling for DDoS benchmarks

Date
2006
Publisher
University of Delaware
Abstract
Distributed denial-of-service is a serious problem, and many defenses have been proposed to handle this threat. A common evaluation platform is needed to comparatively evaluate these solutions. This master's thesis is part of the work on the DDoS benchmarks project, which develops such an evaluation platform. The benchmarks contain three components: a) the set of typical attack scenarios, which consist of the attack, legitimate-traffic and target-network-resource dimensions, b) the performance metrics that capture the impact of the attack and the effectiveness of the defense, and c) the testing methodology specification. This thesis describes the work on developing the attack dimension of the DDoS benchmarks, which summarizes the attacks typically seen in today's Internet.

We harvest typical attack information from public packet traces. This approach is challenging because of the short length of the traces, the presence of asymmetric traffic in the traces, the random anonymization of addresses that hinders understanding of the traffic's context, and the unknown model of a legitimate user's behavior. An additional challenge lies in our goal to capture sophisticated attacks that are hard to detect, while minimizing false positives. We overcome these challenges through careful trace profiling and multiple-step processing. The attack samples are collected from traces in several steps: (1) we detect and filter one-way legitimate traffic out of the traffic identified as a likely attack, (2) we detect the attacks using multiple detection criteria, (3) we separate the legitimate traffic from the attack traffic, and finally (4) we create attack samples from the attack traffic and summarize the attack features in a human-readable format and in a machine-readable format convenient for the application of clustering approaches. All these steps are automated by a set of tools, which facilitates easy collection of attack samples from a large number of public traces.

Our tools are tested on a set of synthetic attacks, on labeled traces (known to contain an attack) and on unlabeled traces, and we present the results of these tests in the thesis. In the case of the synthetic attacks, we accurately identify all the attacks, even when they are stealthy or low-rate. Our tests on labeled traces detect all the attacks identified and labeled by other researchers, and a few more attacks that existed in the traces but were not detected by other researchers. The tests on an unlabeled 2-week-long trace accurately identify several types of attacks, including SYN floods, ICMP floods, UDP floods, TCP floods and attacks with invalid protocol types. We present detailed statistics on these attacks, which indicate that attackers are shifting from high-volume, easily noticed attacks to low-rate, stealthy attacks in order to evade simple detection and defense approaches.
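As an added illustration (not the thesis's own tools), the four-step pipeline described above applied to a constructed one-way trace in Python: the records, the thresholds and the step-1 heuristic (a source that follows its SYN with ACK or data must have received a reply, so its one-way flow is legitimate even though the replies are absent from the trace) are assumptions made for this example.

```python
from collections import defaultdict
# Constructed one-way trace (only packets towards the targets are visible), as
# (time_s, src, dst, ip_proto, tcp_flags); ip_proto 6 = TCP, 1 = ICMP.
TRACE = (
    # legitimate client: SYN then ACK/data/FIN, so the unseen peer must have replied
    [(0.0, "10.0.0.5", "192.0.2.10", 6, "S"), (0.1, "10.0.0.5", "192.0.2.10", 6, "A"),
     (0.2, "10.0.0.5", "192.0.2.10", 6, "PA"), (0.5, "10.0.0.5", "192.0.2.10", 6, "FA")]
    # SYN flood: 30 distinct sources, one bare SYN each, never followed up
    + [(1.0 + i * 0.01, f"198.51.100.{i}", "192.0.2.10", 6, "S") for i in range(30)]
    # ICMP flood against a second target
    + [(2.0 + i * 0.005, "203.0.113.7", "192.0.2.20", 1, "") for i in range(200)]
    # packets carrying reserved IP protocol number 255 against a third target
    + [(3.0 + i * 0.1, "203.0.113.9", "192.0.2.30", 255, "") for i in range(5)]
)

MIN_HALF_OPEN_SOURCES = 20    # assumed threshold: bare-SYN sources per target
MIN_ICMP_RATE = 100.0         # assumed threshold: ICMP packets per second per target
EXPERIMENTAL_OR_RESERVED = range(253, 256)  # IANA: 253/254 experimental, 255 reserved

def profile(trace):
    # returns one machine-readable attack sample (dict) per attacked target
    per_pair, per_dst = defaultdict(list), defaultdict(list)
    for rec in trace:
        per_pair[(rec[1], rec[2])].append(rec)
        per_dst[rec[2]].append(rec)
    samples = []
    for dst, pkts in per_dst.items():
        span = (max(p[0] for p in pkts) - min(p[0] for p in pkts)) or 1.0
        # Step 1: a source that later ACKs or sends data completed the handshake, so its
        # one-way flow is legitimate; only sources that ever send bare SYNs stay suspect.
        half_open = {s for s, d in per_pair
                     if d == dst and all(p[4] == "S" for p in per_pair[(s, d)])}
        icmp_rate = sum(p[3] == 1 for p in pkts) / span
        bad_proto = sorted({p[3] for p in pkts if p[3] in EXPERIMENTAL_OR_RESERVED})
        # Step 2: several independent criteria instead of a single volume threshold
        kinds = [k for k, hit in (("syn_flood", len(half_open) >= MIN_HALF_OPEN_SOURCES),
                                  ("icmp_flood", icmp_rate >= MIN_ICMP_RATE),
                                  ("invalid_protocol", bool(bad_proto))) if hit]
        if not kinds:
            continue
        # Steps 3 and 4: keep only the attack packets, then summarise them
        attack = [p for p in pkts if ("syn_flood" in kinds and p[1] in half_open)
                  or ("icmp_flood" in kinds and p[3] == 1) or p[3] in bad_proto]
        samples.append({"target": dst, "types": kinds, "packets": len(attack),
                        "sources": len({p[1] for p in attack}),
                        "duration_s": round(span, 3), "invalid_protocols": bad_proto})
    return samples

def human_readable(samples):
    return "\n".join(f"{s['target']}: {'+'.join(s['types'])} from {s['sources']} source(s), "
                     f"{s['packets']} packets over {s['duration_s']} s" for s in samples)
```

Note that the legitimate client on 192.0.2.10 is excluded from the SYN-flood sample by step 1, so the sample's packet and source counts describe only the flood.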