Characterization and Implications of Flash Crowds and DoS attacks on websites
Dixit Verma, Department of Electrical & Computer Engineering, Missouri University of Science and Technology, dv6cb@mst.edu
9 Feb 2017
Presentation Overview
- Introduction
- Characteristics
- Analysis of Flash Events
- Analysis of DoS Attacks
- Server Strategy
- Conclusion
Introduction
- Flash crowds and DoS attacks often overload web sites to the point where their services are degraded or disrupted entirely.
- Flash events are created by unusual but legitimate traffic (e.g.?).
- DoS attacks contain malicious requests with the intention of disrupting normal operation of the site.
Introduction
- Sometimes the occurrence of an event is known in advance: an on-line play-along website for a popular TV program may receive more visitors during a broadcast, or URLs are advertised during an event (football games) (e.g.?).
- But that's not always the case: due to the September 2011 terrorist attack, cnn.com observed a dramatic increase in requests.
Introduction
- DoS attacks contain malicious requests with the intention of disrupting normal operation of the site, e.g. TCP SYN or HTTP flooding.
- Attackers generally use multiple compromised hosts.
- Effects on a website: the site is unable to serve legitimate users; in most cases the server crashes or the website has to be taken offline.
Characteristics
- Traffic patterns: tell us how many resources are needed, and help articulate when the server is overwhelmed and defensive measures are required.
- Client characteristics: can help in distinguishing legitimate from malicious users.
- Client clustering: aggregate clients into groups belonging to the same administrative domain, using a set of network prefixes obtained from BGP tables.
Characteristics
- File reference: an additional differentiator to rule out suspicious activity, based on the aggregated reference patterns of users and client clusters.
Analysis of Flash Events
- HTTP traces from two events were analysed: one from a popular TV show (play-along) and another from a Chilean election site at the time of the presidential election.
Analysis of Flash Events
- Traffic volume: the table (not reproduced here) summarizes the number of requests, documents and clients found in the traces.
Analysis of Flash Events
- Characterizing clients: the figure (not reproduced here) shows how the number of distinct clients and client clusters accessing the site changes, in 10-second intervals.
Analysis of Flash Events
- The spikes in request volume during a flash event correspond closely to the number of clients accessing the site.
Analysis of Flash Events
- Characterizing file references: for the two traces, over 60% of the documents were accessed during the flash events.
Analysis of Flash Events
- The figure (not reproduced here) plots the cumulative fraction of requests for the documents, most popular first.
- Less than 10% of the most popular documents account for more than 90% of requests.
- Intelligent caching of these documents can solve the flash event problem.
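The popularity analysis behind that slide, as an added example (not code from the presentation or from the Jung et al. paper): it ranks the documents in an access log by request count, computes the cumulative fraction of requests covered by the top-k documents, and returns the small "hot set" a cache would need to hold to absorb most of a flash event. The log lines are constructed (three hot documents and a long tail of one-hit pages) and are parsed in Common Log Format.

```python
"""Document-popularity concentration in an HTTP access log (added example).

Mirrors the slide's analysis: rank documents most-popular first, take the
cumulative fraction of requests, and find how few documents serve 90% of
them. The log below is constructed for illustration, not a real trace.
"""
from collections import Counter


def build_sample_log():
    """Constructed log: three hot documents plus a tail of 80 one-hit pages."""
    hot = {"/index.html": 500, "/live/play.html": 300, "/results.json": 120}
    tail = {f"/archive/page{i:03d}.html": 1 for i in range(80)}
    lines, n = [], 0
    for path, count in {**hot, **tail}.items():
        for _ in range(count):
            ip = f"10.{(n // 256) % 256}.{n % 256}.7"  # constructed client
            lines.append(f'{ip} - - [09/Feb/2017:20:00:{n % 60:02d} +0000] '
                         f'"GET {path} HTTP/1.1" 200 512')
            n += 1
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_requests(log_text):
    """Yield (client_ip, path) per Common Log Format line; skip malformed lines."""
    for line in log_text.splitlines():
        parts = line.split('"')
        if len(parts) < 3:
            continue
        ip = parts[0].split()[0]
        req = parts[1].split()          # e.g. ["GET", "/index.html", "HTTP/1.1"]
        if len(req) < 2:
            continue
        yield ip, req[1]


def document_popularity(log_text):
    """List of (path, request_count), most popular first."""
    return Counter(path for _, path in parse_requests(log_text)).most_common()


def cumulative_fraction(popularity):
    """Cumulative share of all requests served by the top-k documents, k=1..N."""
    total = sum(c for _, c in popularity)
    running, out = 0, []
    for _, c in popularity:
        running += c
        out.append(running / total)
    return out


def docs_needed_for(popularity, target=0.9):
    """Smallest k such that the k most popular documents reach `target`."""
    for k, frac in enumerate(cumulative_fraction(popularity), start=1):
        if frac >= target:
            return k
    return len(popularity)


def hot_set(log_text, target=0.9):
    """Paths a cache should hold to serve `target` of the requests."""
    pop = document_popularity(log_text)
    return [p for p, _ in pop[:docs_needed_for(pop, target)]]


if __name__ == "__main__":
    pop = document_popularity(SAMPLE_LOG)
    k = docs_needed_for(pop)
    print(f"{k} of {len(pop)} documents ({k / len(pop):.1%}) serve 90% of requests")
    print("hot set:", hot_set(SAMPLE_LOG))
```

On the constructed log, 3 of 83 documents (under 4%) cover 92% of requests, the same skew the slide reports; the hot set is what a flash-event cache would pin, and recomputing it periodically over the last few minutes of log keeps it current as the event evolves.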
Analysis of DoS Attacks
- Password cracking and DoS attacks are treated alike, as the end goal is to discard these requests.
- Two log files were analyzed, esg and ol, each recording more than 1 million requests within 60 days.
Analysis of DoS Attacks
- The figure (not reproduced here) shows request rates during password-cracking DoS attacks on esg and ol.
Analysis of DoS Attacks
- Requests answered with HTTP 401 are counted as password-cracking attempts.
Analysis of DoS Attacks
- In the figure, each peak was made by a single IP address sending 600-1000 requests per second.
- The increase in request rate comes from an increase in per-client request rate.
- There is also an increase in the number of new client clusters: clusters not seen by the site before the attack but found during it.
- For the esg trace only 0.6% of the clusters seen during the attack were old clusters; for ol it was 0.1%.
Code Red Trace
- Researchers studied a trace of Code Red in which the log file recorded accesses from infected computers.
- The attack started with a few requests, with a surge of requests later as new clusters joined the attack.
- This differs from flash events, as FEs do not show an increase in new cluster arrivals.
Code Red Trace (figure not reproduced here)
Code Red Trace (figures not reproduced here): requests per client; cluster distribution of requests
Flash events vs DoS attacks
- Traffic volume
  Flash events: a noticeable increase in the number of requests; the length of the peaks can be large or small depending on the episode.
  DoS attacks: the same noticeable increase in the number of requests.
- Number of clients and their distribution
  Flash events: caused mostly by an increase in the number of users accessing the website.
  DoS attacks: caused either by an increase in the number of clients or by an increase in per-client requests.
- Cluster overlap
  Flash events: significant overlap between the clusters a site sees before and during the FE.
  DoS attacks: cluster overlap is very small.
- Per-client request rates
  Flash events: per-client request rates are lower, as a larger number of legitimate clients access the web site.
  DoS attacks: some attacks involve a few clients emitting very high request rates, others a large number of clients generating a low request rate; either way the per-client request rate remains abnormal.
Server Strategy
- Differentiate between malicious and normal requests.
- Monitor the clients and their request rates.
- Periodically cluster the client set accumulated in the past, during periods without DoS attacks or FEs.
- When performance degrades, discard packets from clients not belonging to the old clusters.
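The two metrics from the comparison table (per-client request rate and cluster overlap) and the server strategy above, worked as an added example that is not code from the presentation or from the Jung et al. paper. The prefix table, the "old cluster" baseline, the thresholds and the three traffic samples are all constructed assumptions; a real deployment would load prefixes from BGP tables as the slides describe and tune the thresholds per site.

```python
"""Flash event vs DoS attack, and the slide's admission strategy (added example).

Clients are clustered by longest-prefix match against a prefix table (here an
assumed stand-in for BGP prefixes, using RFC 5737 documentation ranges). A
baseline of clusters is taken from a DoS-free period; an overloaded server then
keeps clients from old clusters and discards the rest. Thresholds are assumed.
"""
import ipaddress
from collections import Counter, defaultdict

PREFIXES = [ipaddress.ip_network(p) for p in (
    "203.0.113.0/24", "203.0.113.128/25", "198.51.100.0/24", "192.0.2.0/24")]


def cluster_of(ip, prefixes=PREFIXES):
    """Most specific prefix containing `ip` (longest-prefix match), else None."""
    addr = ipaddress.ip_address(ip)
    matches = [p for p in prefixes if addr in p]
    return max(matches, key=lambda p: p.prefixlen, default=None)


def clusters_seen(requests):
    """Clusters active in a list of (timestamp_seconds, client_ip) records."""
    return {cluster_of(ip) for _, ip in requests}


def cluster_overlap(old_clusters, requests):
    """Fraction of clusters active in `requests` that the site had seen before."""
    now = clusters_seen(requests)
    return len(now & old_clusters) / len(now) if now else 0.0


def per_client_rates(requests):
    """Peak requests per second for each client IP."""
    per_second = Counter((ip, int(ts)) for ts, ip in requests)
    peak = defaultdict(int)
    for (ip, _), n in per_second.items():
        peak[ip] = max(peak[ip], n)
    return dict(peak)


def classify(old_clusters, requests, overlap_floor=0.5, rate_ceiling=50):
    """Assumed thresholds: high overlap with old clusters and modest per-client
    rates look like a flash event; low overlap or abnormal rates look like DoS."""
    overlap = cluster_overlap(old_clusters, requests)
    max_rate = max(per_client_rates(requests).values(), default=0)
    if overlap >= overlap_floor and max_rate <= rate_ceiling:
        return "flash_event"
    return "dos_attack"


def admission_decisions(old_clusters, requests):
    """Slide's strategy under overload: keep clients whose cluster was seen in
    the DoS-free past, discard the rest. Returns (kept_ips, dropped_ips)."""
    kept, dropped = set(), set()
    for _, ip in requests:
        (kept if cluster_of(ip) in old_clusters else dropped).add(ip)
    return kept, dropped


# --- constructed traffic samples (not real traces) -------------------------
def baseline_traffic():
    """Quiet period: a few clients from two clusters, one request each."""
    return ([(t, f"203.0.113.{10 + t}") for t in range(20)]
            + [(t, f"198.51.100.{10 + t}") for t in range(20)])


def flash_event_traffic():
    """Many new clients from the same clusters, each making two requests."""
    reqs = []
    for i in range(120):
        ip = f"203.0.113.{1 + i}" if i % 2 else f"198.51.100.{1 + i}"
        reqs += [(100 + i % 10, ip), (100 + i % 10, ip)]
    return reqs


def dos_attack_traffic():
    """Three hosts from a cluster never seen before, 600 requests/s each."""
    return [(200, f"192.0.2.{h}") for h in (5, 6, 7) for _ in range(600)]


if __name__ == "__main__":
    old = clusters_seen(baseline_traffic())
    for name, traffic in (("flash", flash_event_traffic()), ("dos", dos_attack_traffic())):
        print(name, classify(old, traffic), f"overlap={cluster_overlap(old, traffic):.2f}")
    kept, dropped = admission_decisions(old, dos_attack_traffic() + flash_event_traffic())
    print(f"kept {len(kept)} clients, dropped {sorted(dropped)}")
```

The constructed flash event scores overlap 1.0 with per-client peaks of 2 req/s and is classified as a flash event; the constructed attack scores overlap 0.0 with 600 req/s per host and is classified as DoS, and under overload only its three hosts are dropped. The caveat the slides imply is visible in the admission step: a legitimate newcomer from a prefix the site has never seen is dropped too, so the old-cluster filter should only engage once performance actually degrades, as the slide says, not as a standing rule.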
Conclusion
- Flash crowds and DoS attacks may exhibit similar traffic patterns, but can be differentiated by per-client request rates and cluster overlap.
- These metrics can help distinguish legitimate traffic from malicious traffic, which can then be blocked accordingly.
References
- Jaeyeon Jung, Balachander Krishnamurthy, and Michael Rabinovich, "Flash Crowds and Denial of Service Attacks: Characterization and Implications for CDNs and Web Sites," in Proceedings of the ACM WWW, Honolulu, HI, May 2002, pp. 293-304.
- http://www.webopedia.com/term/c/cdn.html
- Nishi-Waseda, Shinjuku-ku, "Methods of Distinguishing Flash Crowds from Spoofed DoS Attacks," Next Generation Internet Networks, 3rd EuroNGI Conference.
- https://en.wikipedia.org/wiki/code_red_(computer_worm)#cite_note-5