UD ELEG 867 - A Framework for Classifying Denial of Service Attacks


A Framework for Classifying Denial of Service Attacks∗

Alefiya Hussain, John Heidemann, Christos Papadopoulos
USC/Information Sciences Institute
{hussain,johnh,christos}@isi.edu

ABSTRACT

Launching a denial of service (DoS) attack is trivial, but detection and response is a painfully slow and often manual process. Automatic classification of attacks as single- or multi-source can help focus a response, but current packet-header-based approaches are susceptible to spoofing. This paper introduces a framework for classifying DoS attacks based on header content, transient ramp-up behavior and novel techniques such as spectral analysis. Although headers are easily forged, we show that characteristics of attack ramp-up and attack spectrum are more difficult to spoof. To evaluate our framework we monitored access links of a regional ISP, detecting 80 live attacks. Header analysis identified the number of attackers in 67 attacks, while the remaining 13 attacks were classified based on ramp-up and spectral analysis. We validate our results through monitoring at a second site, controlled experiments, and simulation. We use experiments and simulation to understand the underlying reasons for the characteristics observed. In addition to helping understand attack dynamics, classification mechanisms such as ours are important for the development of realistic models of DoS traffic, can be packaged as an automated tool to aid in rapid response to attacks, and can also be used to estimate the level of DoS activity on the Internet.

Categories and Subject Descriptors

C.2.0 [COMPUTER-COMMUNICATION NETWORKS]: General–Security and Protection; G.3 [PROBABILITY AND STATISTICS]: Time Series Analysis

General Terms

Measurement, Security

Keywords

Security, Measurement, Denial of Service Attacks, Time Series Analysis.

∗This material is based upon work supported by DARPA via the Space and Naval Warfare Systems Center San Diego under Contract No. N66001-00-C-8066 ("SAMAN"), by NSF under grant number ANI-9986208 ("CONSER"), by DARPA via the Fault Tolerant Networks program under grant number N66001-01-1-8939 ("COSSACK") and by Los Alamos National Laboratory under grant number 53272-001.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
SIGCOMM'03, August 25–29, 2003, Karlsruhe, Germany.
Copyright 2003 ACM 1-58113-735-4/03/0008 ...$5.00.

1. INTRODUCTION

The Internet connects hundreds of millions of computers across the world running on multiple hardware and software platforms. It serves uncountable personal and professional needs for people and corporations. However, this interconnectivity among computers also enables malicious users to misuse resources and mount denial of service (DoS) attacks against arbitrary sites.

In a denial of service attack, a malicious user exploits the connectivity of the Internet to cripple the services offered by a victim site, often simply by flooding a victim with many requests. A DoS attack can be either a single-source attack, originating at only one host, or a multi-source attack, where multiple hosts coordinate to flood the victim with a barrage of attack packets. The latter is called a distributed denial of service (DDoS) attack. Sophisticated attack tools that automate the procedure of compromising hosts and launching attacks are readily available on the Internet, and detailed instructions allow even an amateur to use them effectively.

Denial of service attacks cause significant financial damage every year, making it essential to devise techniques to detect and respond to attacks quickly. Development of effective response techniques requires intimate knowledge of attack dynamics, yet little information about attacks in the wild is published in the research community. Moore et al. provide insight into the prevalence of DoS activity on the Internet [24], but their analysis is based on back-scatter packets and lacks the level of detail required to study attack dynamics or generate high-fidelity models needed for DoS research. Monitoring tools today can detect an attack and identify basic properties such as traffic rates and packet types. However, because attackers can forge most packet information, characterizing attacks as single- or multi-source and identifying the number of attackers is difficult.

In this paper, we develop a framework to classify attacks based on header analysis, ramp-up behavior and spectral analysis. First, we analyze the header content to get a rapid characterization of the attackers. Since headers can be forged by the attacker, we develop two new techniques to analyze packet stream dynamics using the ramp-up behavior and the spectral characteristics of the attack traffic. The absence of an initial ramp-up suggests a single attacker, whereas a slow ramp-up (several hundred milliseconds or more) suggests a multi-source attack. Since ramp-up is also easily spoofed, we identify spectral characteristics that distinguish single- from multi-source attacks and show that attackers cannot easily spoof spectral content without reducing attack effectiveness. We describe the algorithms used in our framework in Section 4 and discuss robustness to counter-measures in Section 7.

The contribution of this paper is an automated methodology for characterizing DoS attacks that adds new techniques of ramp-up and spectral analysis, building on the existing approach of header analysis. In addition to providing a better understanding of DoS attack dynamics, our work has several direct applications. This identification framework can be used as part of an automated DoS detection and response system. It can provide the classification component of a real-time attack analysis system to aid network administrators in selecting an appropriate response depending on the type of ongoing DoS attack. For example, if an attack consists of only a single source, using traceback to identify the culprit is trivial, but as the number of attackers increases traceback becomes rapidly intractable. Thus one application of our framework is to judiciously decide if activation of traceback is appropriate during a particular attack. This analysis can also be used to create and validate models of DoS and DDoS
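As an added illustration of the three signals the introduction describes (header content, ramp-up behavior and spectral content), the following Python script is not the authors' code: it constructs synthetic packet arrivals, builds a packet-rate time series, measures the ramp-up time and computes a power spectrum with a direct DFT. The 1 ms bin width, the 300 ms ramp-up cut-off, the spoofing heuristic in the header step and the synthetic traffic shapes are all assumptions made here; the paper's own algorithms and its spectral decision rule are in its Section 4, which this excerpt does not include.

```python
"""Added example (not from the paper): header count, rate time series,
ramp-up time and spectrum of a DoS packet stream. All traffic and
thresholds below are constructed for illustration."""
import math
import statistics

BIN_MS = 1  # bin width of the packet-rate time series (assumption)


def distinct_sources(headers):
    """Header step: count distinct source addresses. If nearly every
    packet carries a new address, assume the addresses are spoofed and
    flag the count as untrustworthy (heuristic chosen here, not the paper's)."""
    sources = {h["src"] for h in headers}
    suspicious = len(headers) >= 10 and len(sources) > 0.9 * len(headers)
    return len(sources), suspicious


def ramped_counts(ramp_ms, steady_pps, duration_ms):
    """Constructed per-bin packet counts: the rate climbs linearly from
    zero to steady_pps over ramp_ms, then stays flat (ramp_ms=0: no ramp)."""
    per_bin = steady_pps * BIN_MS / 1000
    counts = []
    for start in range(0, duration_ms, BIN_MS):
        frac = 1.0 if ramp_ms == 0 else min(1.0, (start + BIN_MS) / ramp_ms)
        counts.append(round(per_bin * frac))
    return counts


def spread_into_timestamps(counts):
    """Turn per-bin counts into arrival timestamps (ms), evenly spaced
    inside each bin, so the pipeline below works on raw arrivals."""
    times = []
    for b, k in enumerate(counts):
        times.extend(b * BIN_MS + (i + 0.5) * BIN_MS / k for i in range(k))
    return times


def rate_series(times, duration_ms):
    """Packet arrival times (ms) -> packets per BIN_MS bin over duration_ms."""
    counts = [0] * (duration_ms // BIN_MS)
    for t in times:
        idx = int(t // BIN_MS)
        if 0 <= idx < len(counts):
            counts[idx] += 1
    return counts


def ramp_up_ms(series, fraction=0.9):
    """Time until the rate first reaches `fraction` of its steady state,
    taking the median of the second half of the trace as steady state."""
    steady = statistics.median(series[len(series) // 2:])
    target = fraction * steady
    for i, c in enumerate(series):
        if c >= target:
            return i * BIN_MS
    return None


def classify_ramp_up(ramp_ms, threshold_ms=300):
    """No or short ramp-up -> single source; several hundred ms or more
    -> multi-source. The 300 ms cut-off is an assumption."""
    return "single-source" if ramp_ms < threshold_ms else "multi-source"


def power_spectrum(series):
    """Power spectrum of the mean-removed rate series via a direct DFT
    (O(n^2), fine for a few thousand bins). Returns (freq_hz, power)
    pairs from the first non-DC bin up to the Nyquist frequency."""
    n = len(series)
    mean = sum(series) / n
    x = [c - mean for c in series]
    fs = 1000.0 / BIN_MS  # sampling rate in Hz
    spectrum = []
    for k in range(1, n // 2 + 1):
        re = im = 0.0
        for m, v in enumerate(x):
            angle = 2 * math.pi * k * m / n
            re += v * math.cos(angle)
            im -= v * math.sin(angle)
        spectrum.append((k * fs / n, re * re + im * im))
    return spectrum


def dominant_frequency_hz(series):
    """Frequency carrying the most power, ignoring the DC component."""
    return max(power_spectrum(series), key=lambda p: p[1])[0]


if __name__ == "__main__":
    duration = 1000  # ms of constructed traffic
    headers = [{"src": "10.0.0.1"}] * 50 + [{"src": "10.0.0.2"}] * 50
    print("distinct sources, spoofing suspected:", distinct_sources(headers))
    for name, ramp in (("no ramp-up", 0), ("500 ms ramp-up", 500)):
        arrivals = spread_into_timestamps(ramped_counts(ramp, 20000, duration))
        r = ramp_up_ms(rate_series(arrivals, duration))
        print(f"{name}: ramp-up {r} ms -> {classify_ramp_up(r)}")
    # one sender emitting a two-bin burst every 5 ms: expect a 200 Hz peak
    periodic = rate_series(spread_into_timestamps([60, 40, 0, 0, 0] * (duration // 5)), duration)
    print(f"periodic sender: dominant frequency {dominant_frequency_hz(periodic):.0f} Hz")
```

The ramp-up measurement needs a steady-state estimate, so the trace must extend well past the ramp; the median of the second half is used here because a single burst or gap does not move it much. The direct DFT keeps the script dependency-free; on a real capture with many thousands of bins an FFT library would replace it.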

