Identification of Repeated DoS Attacks using Network Traffic Forensics

Hussain, Alefiya and Heidemann, John and Papadopoulos, Christos
USC/Information Sciences Institute


Alefiya Hussain, John Heidemann and Christos Papadopoulos 2003. Identification of Repeated DoS Attacks using Network Traffic Forensics. Technical Report ISI-TR-2003-577b. USC/Information Sciences Institute. [PDF]


Denial-of-service attacks on the Internet today are often launched from zombies, multiple compromised machines controlled by an attacker. Attackers often take control of a number of zombies and then repeatedly use this army to attack a target several times, or to attack several targets. In this paper, we propose a method to identify repeated attack scenarios, that is, the combination of a particular set of hosts and attack tool. Such identification would help a victim coordinate response to an attack, and ideally would be a useful part of legal actions. Because packet contents can be forged by the attacker, we identify an attack scenario by spectral analysis of the arrival stream of attack traffic. The attack spectrum is derived from the characteristics of the attack machines and can therefore be obscured only by reducing attack effectiveness. We designed a multi-dimensional maximum-likelihood classifier to identify repeated attack scenarios. To validate this procedure we apply our approach on real-world attacks captured at a regional ISP, identifying similar attacks first by header contents (when possible) and comparing these results to our process. We conduct controlled experiments to identify and isolate factors that affect the attack fingerprint.


  author = {Hussain, Alefiya and Heidemann, John and Papadopoulos, Christos},
  title = {Identification of Repeated DoS Attacks using
                           Network Traffic Forensics},
  institution = {USC/Information Sciences Institute},
  year = {2003},
  sortdate = {2003-08-01},
  project = {ant, nocredit, saman, conser, cossack},
  jsubject = {network_security},
  number = {ISI-TR-2003-577b},
  note = {Originally released August 2003, updated June 2004},
  month = aug,
  jlocation = {johnh: pafile},
  keywords = {network forensics, network traffic
                           fingerprinting, spectral analysis, DDoS},
  otherurl = {},
  url = {},
  pdfurl = {},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {authors}