Use of spectral analysis in defense against DoS attacks

Author

Cheng, Chen-Mou ; Kung, H.T. ; Tan, Koan-Sin

Author_Institution

Div. of Eng. & Appl. Sci., Harvard Univ., Boston, MA, USA

Volume

3

fYear

2002

fDate

17-21 Nov. 2002

Firstpage

2143

Abstract

We propose using spectral analysis to identify normal TCP traffic so that it will not be dropped or rate-limited in defense against denial of service (DoS) attacks. The approach can reduce false positives of attacker identification schemes and thus decrease the associated unnecessary slowdown or stoppage of legitimate traffic. For the spectral analysis, we use the number of packet arrivals of a flow in fixed-length time intervals as the signal. We then estimate the power spectral density of the signal, in which information of periodicity, or lack thereof, in the signal reveals itself. A normal TCP flow should exhibit strong periodicity around its round-trip time in both flow directions, whereas an attack flow usually does not. We validate the effectiveness of the approach with simulation and trace analysis. We argue that the approach complements existing DoS defense mechanisms that focus on identifying attack traffic.

Keywords

Internet; message authentication; spectral analysis; telecommunication traffic; transport protocols; DoS attacks; Internet; TCP traffic; attacker identification schemes; denial of service; fixed-length time intervals; packet arrivals; periodicity; power spectral density; round-trip time; simulation; spectral analysis; trace analysis; Analytical models; Bandwidth; Buffer overflow; Computer crime; Internet; Network servers; Spectral analysis; Telecommunication traffic; Traffic control; Transport protocols;

fLanguage

English

Publisher

ieee

Conference_Titel

Global Telecommunications Conference, 2002. GLOBECOM '02. IEEE

Print_ISBN

0-7803-7632-3

Type

conf

DOI

10.1109/GLOCOM.2002.1189011

Filename

1189011