Finding DDoS attack sources: Searchlight localization algorithm for network tomography

Omer Demir, Bilal Khan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

4 Citations (Scopus)

Abstract

Among the challenges facing the Internet, DoS/DDoS are a critical concern for Internet Service Providers. DDoS attacks can cause country-wide infrastructure problems, and can disrupt communications on a national level. Frequently, Botnets are used to carry out source-spoofed DDoS attacks. The problem of tracing such attacks has been the subject of significant inquiry. Here, we leverage the fact that a Botnet requires significant exposure to risk, and investments of time and resources. Thus, as a capital resource, it is likely that a Botnet will, over its lifespan, be used to execute multiple criminal DDoS attacks on different targets. Here, we report on new techniques that leverage information obtained over sequences of source-spoofed Botnet-led DDoS attacks, demonstrating the efficacy of these techniques at pinpointing potential attacker locations. DDoS attack flow descriptions can be collected in many ways, using coordinated DDoS sensor agents (e.g. as described by the authors previously in [1]). Here, as a theoretical contribution, we provide a formal statement of the attacker localization problem. We develop a new algorithm for localizing attack sources from sequences of DDoS attacks.

Original language: English (US)
Title of host publication: IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference
Pages: 418-423
Number of pages: 6
DOI: https://doi.org/10.1109/IWCMC.2011.5982570
State: Published - Sep 12 2011
Event: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011 - Istanbul, Turkey
Duration: Jul 4 2011 → Jul 8 2011

Publication series

Name: IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference

Other

Other: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011
Country: Turkey
City: Istanbul
Period: 7/4/11 → 7/8/11

Fingerprint

Searchlights
Tomography
Internet
Internet service providers
life-span
service provider
communications
infrastructure
cause
Communication
Sensors
resources
Botnet

Keywords

  • DDoS
  • source localization
  • source spoofing

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Communication

Cite this

Demir, O., & Khan, B. (2011). Finding DDoS attack sources: Searchlight localization algorithm for network tomography. In IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference (pp. 418-423). [5982570] (IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference). https://doi.org/10.1109/IWCMC.2011.5982570

@inproceedings{a9d20dc92f0241e8b53df13e17291f98,
title = "Finding DDoS attack sources: Searchlight localization algorithm for network tomography",
keywords = "DDoS, source localization, source spoofing",
author = "Omer Demir and Bilal Khan",
year = "2011",
month = "9",
day = "12",
doi = "10.1109/IWCMC.2011.5982570",
language = "English (US)",
isbn = "9781424495399",
series = "IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference",
pages = "418--423",
booktitle = "IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference",

}

TY - GEN

T1 - Finding DDoS attack sources

T2 - Searchlight localization algorithm for network tomography

AU - Demir, Omer

AU - Khan, Bilal

PY - 2011/9/12

Y1 - 2011/9/12

KW - DDoS

KW - source localization

KW - source spoofing

UR - http://www.scopus.com/inward/record.url?scp=80052514268&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=80052514268&partnerID=8YFLogxK

U2 - 10.1109/IWCMC.2011.5982570

DO - 10.1109/IWCMC.2011.5982570

M3 - Conference contribution

AN - SCOPUS:80052514268

SN - 9781424495399

T3 - IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference

SP - 418

EP - 423

BT - IWCMC 2011 - 7th International Wireless Communications and Mobile Computing Conference

ER -