
How to Classify DDoS

Motivation

Distributed Denial of Service (DDoS) is a network attack in which attackers intentionally orchestrate a (large) set of devices to overload the network or processing capacity of a target system. Anyone connected to the Internet can be the target of a DDoS attack, and the economic damage caused by attacks has increased over the years. In 2015, Kaspersky [1] reported that small and medium companies spent more than 50K dollars to recover from a DDoS attack, while big enterprises reported more than 410K dollars. In 2017, a Neustar survey [2] reported that the economic damage had increased about six times, to 2.5M dollars in revenue loss.

There are dozens of types of DDoS attacks. Classifying attacks enables a more efficient and effective reaction. In addition, the classification of attacks allows network operators to account for and estimate the level of DDoS activity on their networks. As a consequence, those network operators can focus their resources on developing tools and approaches targeting the attack types that cause the most damage.

Ways to classify DDoS attacks

Many aspects can be taken into consideration when classifying DDoS attacks. The most cited academic work on attack taxonomy, by Mirkovic and Reiher [4], presents eight aspects and dozens of sub-aspects to take into consideration. Although that proposal is comprehensive and timeless, it is not very practical for network operators, who need a simpler approach to label attacks and react to them. The work by Peng et al. [5] highlights the main features of four categories of attacks. Although that is also great work, they describe dozens of attack types and do not propose an attack classification methodology. Hussain et al. [3], instead, present a practical framework that automatically classifies (D)DoS attacks based on packet header analysis, ramp-up behavior, and spectral analysis. The main limitations of that work are that it does not consider payload information and that it focuses on differentiating DoS from DDoS. Nowadays, the great majority of attacks come from multiple sources (DDoS), and half of them depend on payload information to be correctly classified (e.g., HTTP GET and POST).

Network security companies classify attacks based on groups of attack vectors, where an attack vector is the set of network characteristics of the attack traffic sent by the set of IP addresses that compose the DDoS attack. For example, Akamai, Imperva Incapsula, A10, FireEye, and CloudFlare classify attack vectors in two groups: infrastructure-layer DDoS (e.g., UDP fragment, ACK, CHARGEN, DNS, ICMP, and SSDP) and application-layer DDoS (e.g., HTTP GET, HEAD, HTTP POST, and PUSH). Arbor Networks classifies attack vectors in four main classes (TCP connection, volumetric, fragmentation, and application attacks) and dozens of subclasses, and provides some additional information on the attacks, such as the set of source and destination ports used in the attack. In general, network security companies use a similar attack label, composed of the name of the network protocol used to perform the attack.

Our step-by-step DDoS attack classification

Our approach to classifying DDoS attacks combines methods from academia and industry. It is based on recursive filtering of the most frequent values of network fields from different network layers, applied to passive network measurements containing DDoS attacks (i.e., the input trace). There are three types of passive network measurements: packet-based, log-based, and flow-based. The main difference between them is the level of detail. While packet-based measurements contain the most granular information, flow-based measurements provide only aggregated (less granular) information. Log-based measurements are similar to packet-based ones, but they are specific to the application that records the logs. Although our step-by-step methodology is intended for packet-based traces, it also classifies flow-based and log-based traces, skipping some steps.

To make sure that our recursive filtering approach also covers multiple attack targets and multiple attack vectors, we re-run the entire methodology excluding the parts that were already classified. As the classification in each step is not mutually exclusive, the final attack label is the one at the most detailed level of information.

Example: in our approach, an attack will be classified as an HTTP-based attack, although it is also a TCP-based attack. Similarly, an attack will be classified as a DNS-based attack, although it is also a UDP-based attack.

Below we present the nine steps of our methodology, organized in three layers of the TCP/IP architecture, with practical examples of hypothetical attack labels. Steps marked with an asterisk (*) are presented under the layer they inspect, but are performed out of numerical order.

Internet layer: looking into the IP protocol header

Step 1 – Destination IP address: in this first step, we determine which destination IP address in the input trace was the attack target, i.e., received the majority of the traffic (bytes and/or packets). This step enables all the following steps.

Step 2 – IP protocol: in this step, we determine which IP protocol was most commonly used against the attack target (defined in step 1). The complete list of IP protocols is defined by IANA [6].

Example(s) of possible attack labels: IGMP-based attack, ICMP-based attack, TCP-based attack, and UDP-based attack.

*Step 7 – Source IP addresses: after performing the previous steps and some of the following ones, we consider the remaining source IP addresses to be the actual attack sources. Although this observation is taken from the Internet layer, which is the first to be investigated, it is one of the last steps in our classification approach. This set of attack sources is used to examine spoofed, reflected, and fragmented attacks.

*Step 8 – Time To Live (TTL): in this step, for each source IP address that sent traffic to the attack target (step 7) using the IP protocol found in step 2, we calculate the variation of the TTL (maximum minus minimum value). This information is used to detect spoofed attacks, in which attackers craft the IP header and manipulate the source IP address. According to de Vries et al. [7], a variation greater than 4 is not expected for a legitimate source. Therefore, if a percentage of the source IP addresses have a TTL variation greater than 4, we consider the attack spoofed. We also check whether the TTL values of all source IP addresses are identical even though the sources come from different networks; if so, we also consider the attack spoofed, since one host is likely generating all the packets. We only label an attack as spoofed if the packets sent to the target itself are spoofed; the case in which attackers send spoofed packets to intermediary systems that then reply to the target is handled as a reflection attack (step 4).

Example(s) of possible attack labels: spoofed TCP-based attack and spoofed UDP-based attack.

*Step 9 – More-fragments flag: similarly to the previous step, for each source IP address that sent traffic to the attack target using the most frequent IP protocol, we calculate whether the percentage of packets marked with the more-fragments flag is greater than 50%. Then, if a percentage of the source IP addresses have a majority of fragmented packets, we consider the attack fragmented.

Example(s) of possible attack labels: spoofed & fragmented UDP-based attack.

Transport layer: looking into the transport protocol header

Step 3 – Source and destination ports: in this step, we determine which source and destination port numbers are part of the attack, in combination with the most frequent IP protocol against the attack target (defined in steps 1 and 2). While the source port defines the attack vector, the destination port defines the service(s) under attack. We name the ports (source and destination) after the services assigned to them by IANA [8]. There are four cases for the combination of source and destination ports:

-    Case 1: one source port to one destination port, both appearing in more than 50% of the total number of packets;

Example(s) of possible attack labels: DNS-based attack against HTTP; attack from port 9879 against NTP; and attack from port 1987 against port 1945. Note that in the last two examples IANA has not assigned a service to these port numbers.

-    Case 2: one source port (appearing in more than 50% of the total number of packets) to a set of destination ports;

Example(s) of possible attack labels: DNS-based attack against HTTP and HTTPS; attack from port 9879 against NTP, DNS, and HTTP; and attack from port 1987 against ports 1945, 9879, and 2995.

-    Case 3: a set of source ports targeting one destination port (appearing in more than 50% of the total number of packets);

Example(s) of possible attack labels: attack from DNS, HTTP, and NTP service(s) against HTTP; attack from ports 9879, 9876, and 9999 against DNS; and attack from ports 1987, 9876, and 9999 against port 9879.

-    Case 4: no single port dominates the packet count; we then take the (source port, destination port) pair observed from the largest number of source IP addresses, or multiple pairs of ports observed from the same number of source IP addresses;

Example(s) of possible attack labels: a DNS-based attack against HTTP; an NTP-based attack against HTTPS; attack from port 9879 against DNS; and attack from port 1987 against port 9879.

Note: every time this step is performed, an additional attack vector is defined, composing a multi-vector attack.

Step 4* – Active measurement: in both cases of step 3 in which there is only one source port (cases 1 and 2), we investigate the possibility of a reflection attack. For that, we perform an active measurement to test whether at least half of the source IP addresses have that port open. If so, we consider the attack a reflection (and amplification) attack. Instead of performing an active measurement, this step can be replaced by querying large-scale port-scanning initiatives, such as https://www.shodan.io or https://censys.io, to check whether that port is open on the source IPs. Note that the answer depends on when the scan was taken: a reflector that was open during the attack may have been fixed by the time the trace is analyzed.

Example(s) of possible attack labels: reflection DNS-based attack against HTTP; and reflection NTP-based attack against HTTPS.

Step 5 – TCP flags: if the most frequent IP protocol is TCP (step 2) and the source port(s) are not assigned by IANA, then we determine which TCP flag(s) were the most frequent and use this information to classify the attack.

Example(s) of possible attack labels: TCP SYN+ACK attack (from port 9879) against HTTP; and TCP FIN attack (from ports 6543 and 9874) against port 9863.

Application layer: looking into the header (payload) of applications

Step 6 – HTTP request method: if the source port is HTTP (port 80) or HTTPS (port 443), then we use the HTTP request method found in the payload to classify the attack.

Example(s) of possible attack labels: HTTP GET attack against HTTP; HTTP POST attack against port 9863; and HTTP HEAD attack against port 9723.

After step 6, return to the Internet layer and analyze the source IPs (steps 7, 8, and 9).

Final Considerations

In this tutorial, we described a novel, practical approach to classifying DDoS attacks. We proposed nine steps that reveal the primary vector of a DDoS attack. To extend this classification to multi-vector attacks, we run the nine steps multiple times, filtering out in every next round what was already classified.

Example(s) of possible attack labels: hypothetically, in the first round a TCP SYN+ACK attack (from port 9879) against HTTP is observed; in the second round (after filtering out the packets from source port 9879 to destination port 80), a second attack vector is observed, an HTTP POST attack against HTTPS.

Besides, if the open ports of the target are known, we filter out the traffic to those ports before running the nine steps for the first time. After that, we re-include what was filtered and re-run the nine steps. We use this approach to highlight first the attack traffic that differs most from the services legitimately running on the target.
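The following Python script is an added example, not part of the original post nor of the authors' tooling. It runs steps 1 to 9 once over a packet trace and then re-runs them, filtering out each classified vector, as described in the nine steps and in the multi-vector rounds above. The trace (three vectors against one target plus one noise packet), the thresholds (a 10% share of sources to call an attack spoofed or fragmented, a 10-packet stop condition), the `is_port_open(ip, port)` callback that stands in for an active scan or a Shodan/Censys lookup, and the small service-name table are all assumptions. One deliberate broadening: step 6 is applied when port 80 or 443 appears as source or destination port, so that an HTTP request flood aimed at the destination port is also classified by its method.

```python
from collections import Counter, defaultdict

# Subset of the IANA service-name registry; enough for the constructed traces below.
SERVICES = {53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS"}
HTTP_METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE")

def svc(port):
    """IANA service name, or 'port N' when IANA has not assigned one (as in the post's labels)."""
    return SERVICES.get(port, "port %d" % port)

def classify_round(packets, is_port_open=None, share=0.1):
    """One pass of steps 1-9 -> (label, (dst, proto, sport, dport)). The tuple is filtered out next
    round; `share` is the assumed fraction of sources needed to call the attack spoofed/fragmented."""
    # Step 1: the target is the destination IP that received most bytes.
    by_dst = Counter()
    for p in packets:
        by_dst[p["dst"]] += p["len"]
    target = by_dst.most_common(1)[0][0]
    vec = [p for p in packets if p["dst"] == target]
    # Step 2: most common IP protocol against the target.
    proto = Counter(p["proto"] for p in vec).most_common(1)[0][0]
    vec = [p for p in vec if p["proto"] == proto]
    sport = dport = None
    name, against = "%s-based attack" % proto, ""
    if proto in ("TCP", "UDP"):
        # Step 3: a port counts only if it appears in more than half of the packets (cases 1-3).
        n = len(vec)
        sp, spc = Counter(p["sport"] for p in vec).most_common(1)[0]
        dp, dpc = Counter(p["dport"] for p in vec).most_common(1)[0]
        sport, dport = (sp if spc > n / 2 else None), (dp if dpc > n / 2 else None)
        if sport is None and dport is None:  # case 4: the port pair seen from most source IPs
            pairs = defaultdict(set)
            for p in vec:
                pairs[(p["sport"], p["dport"])].add(p["src"])
            sport, dport = max(pairs, key=lambda k: len(pairs[k]))
        vec = [p for p in vec if sport in (None, p["sport"]) and dport in (None, p["dport"])]
        srcs = {p["src"] for p in vec}
        if sport is not None:
            name = "%s-based attack" % svc(sport) if sport in SERVICES else "attack from port %d" % sport
            # Step 4: reflection if at least half of the sources expose the source port
            # (is_port_open stands in for an active scan or a Shodan/Censys lookup; assumed API).
            if is_port_open and sum(is_port_open(s, sport) for s in srcs) >= len(srcs) / 2:
                name = "reflection " + name
            # Step 5: TCP from a port without an IANA service -> dominant flag combination.
            if proto == "TCP" and sport not in SERVICES:
                name = "TCP %s attack (from port %d)" % (Counter(p["flags"] for p in vec).most_common(1)[0][0], sport)
        # Step 6: HTTP(S) port on either side -> the HTTP request method in the payload
        # (the post checks the source port; a request flood carries it as destination port).
        if {80, 443} & {sport, dport}:
            methods = Counter(p["payload"].split(" ")[0] for p in vec if p["payload"])
            if methods and methods.most_common(1)[0][0] in HTTP_METHODS:
                name = "HTTP %s attack" % methods.most_common(1)[0][0]
        dports = [dport] if dport is not None else sorted({p["dport"] for p in vec})
        against = " against " + " and ".join(svc(d) for d in dports)
    # Step 7: what survives the filters above are the attack sources.
    per_src = defaultdict(list)
    for p in vec:
        per_src[p["src"]].append(p)
    # Step 8: TTL variation above 4 at a source, or one TTL shared by sources in different
    # networks (/24 here), means the source addresses are spoofed.
    ttl_var = [max(q["ttl"] for q in ps) - min(q["ttl"] for q in ps) for ps in per_src.values()]
    same_ttl = len({p["ttl"] for p in vec}) == 1 and len({s.rsplit(".", 1)[0] for s in per_src}) > 1
    spoofed = sum(v > 4 for v in ttl_var) > share * len(per_src) or same_ttl
    # Step 9: sources whose packets mostly carry the more-fragments flag.
    frag = sum(sum(q["mf"] for q in ps) > len(ps) / 2 for ps in per_src.values())
    fragmented = frag > share * len(per_src)
    label = ("spoofed " if spoofed else "") + ("fragmented " if fragmented else "") + name + against
    return label, (target, proto, sport, dport)

def classify(packets, rounds=5, min_packets=10, **kw):
    """Re-run the nine steps, filtering out each classified vector, until only noise is left."""
    labels, rest = [], list(packets)
    while len(rest) >= min_packets and len(labels) < rounds:
        label, (dst, proto, sport, dport) = classify_round(rest, **kw)
        labels.append(label)
        rest = [p for p in rest if not (p["dst"] == dst and p["proto"] == proto
                                        and sport in (None, p["sport"]) and dport in (None, p["dport"]))]
    return labels

def pkt(src, dst, proto, sport, dport, ttl, length, flags="", payload="", mf=False):
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, ttl=ttl,
                len=length, flags=flags, payload=payload, mf=mf)

def sample_trace():
    """Constructed (not captured) trace: three vectors against 198.51.100.10 plus one noise packet."""
    t = []
    for i in range(40):   # A: SYN+ACK from port 9879 to HTTP, TTL stable per source
        t += [pkt("203.0.113.%d" % (i + 1), "198.51.100.10", "TCP", 9879, 80, 50 + i % 7, 60,
                  "SYN+ACK") for _ in range(10)]
    for i in range(20):   # B: HTTP POST flood to HTTPS from ephemeral ports
        t += [pkt("192.0.2.%d" % (i + 1), "198.51.100.10", "TCP", 40000 + i, 443, 64 - i % 5, 500,
                  "PSH+ACK", "POST /login HTTP/1.1") for _ in range(6)]
    for i in range(12):   # C: fragmented UDP from spoofed sources (TTL jumps by 10 per source)
        t += [pkt("100.64.%d.7" % (i + 1), "198.51.100.10", "UDP", 1987, 1945, 40 + 10 * (k % 2),
                  1400, mf=k < 6) for k in range(8)]
    t.append(pkt("192.0.2.200", "198.51.100.20", "UDP", 53, 40001, 60, 100))  # unrelated noise
    return t

if __name__ == "__main__":
    print("\n".join(classify(sample_trace(), is_port_open=lambda ip, port: False)))
```

Running it prints one label per round: the SYN+ACK vector from port 9879 against HTTP first (it dominates the TCP packet count), then the HTTP POST flood against HTTPS, then the spoofed and fragmented UDP vector, after which the single noise packet is below the stop threshold. The order of rounds is therefore decided by packet counts at steps 2 and 3, not by bytes; on a real trace you would also apply the known-open-ports pre-filter described above before the first round.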

If you have any question, suggestion or consideration, do not hesitate to contact us (j.j.santanna@utwente.nl; gerald@nbip.nl).

References

[1] Kaspersky Lab. (2015). Denial of Service: How Businesses Evaluate the Threat of DDoS Attacks. https://press.kaspersky.com/files/2015/09/IT_Risks_Survey_Report_Threat_of_DDoS_Attacks.pdf. Accessed on 15-May-2017.

[2] Neustar. (2017). Worldwide DDoS Attacks & Cyber Insights Research Report. https://ns-cdn.neustar.biz/creative_services/biz/neustar/www/resources/whitepapers/it-security/ddos/neustar-2017-worldwide-ddos-attacks-cyber-insights-research-report.pdf. Accessed on 15-May-2017.

[3] Hussain, A., Heidemann, J., & Papadopoulos, C. (2003). A Framework for Classifying Denial of Service Attacks. In ACM SIGCOMM.

[4] Mirkovic, J., & Reiher, P. (2004). A Taxonomy of DDoS Attack and DDoS Defense Mechanisms. SIGCOMM Computer Communications Review (CCR), 34(2), 39–53.

[5] Peng, T., Leckie, C., & Ramamohanarao, K. (2007). Survey of Network-Based Defense Mechanisms Countering the DoS and DDoS Problems. ACM Computing Surveys (CSUR), 39(1).

[6] IANA. Protocol Numbers. https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml. Accessed on 15-May-2017.

[7] de Vries, W., Santanna, J. J., Sperotto, A., & Pras, A. (2015). How Asymmetric Is the Internet? A Study to Support the Use of Traceroute. In International Conference on Autonomous Infrastructure, Management and Security (AIMS).

[8] IANA. Service Name and Transport Protocol Port Number Registry. https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml. Accessed on 15-May-2017.
