Table of Contents

1. Background 2. Introduction 3. Denial of Service Attack 4. Project Scope 4.1. Objectives 4.2. Deliverables 4.3. Milestones 4.4. Limitations 5. References 2 2 3 4 4 4 5 5 5

Topics in Internet Research

Project Proposal

1. Background
In February 2000, the famous sites like Yahoo, eBay, Amazon.com, E*Trade.com, ZDNet.com, Buy.com and several other web sites fell victim to denial of service (DoS) attacks. Later in May 2000, the same fate befell Slashdot.org [1]. According to Analysts [1], Yahoo suffered a loss of e-commerce and advertising revenue worth $500,000 during the three hours it remained down. Amazon.com was down for 10 hours which resulted in a loss of $600,000. During the DoS attacks, Buy.com went from 100% availability to 9.4% while CNN.com users went down to below 5% of normal volume. ZDnet.com and E*Trade.com were virtually unreachable. It was estimated that total impact of DoS attacks in year 2000 exceeded $1.7 billion.

2. Introduction
Internet connects millions of computers across the globe running on various hardware and software platforms. It serves uncountable needs of individuals and corporations. The increase of interconnectivity among computers through internet makes it highly vulnerable to different types of attacks. Using a backscatter analysis [1], scientists observed 12,805 attacks on over 5000 distinct Internet hosts belonging to more than 2000 distinct organizations during a 3 week period the most common being DoS attack. It causes significant financial damage every year, which makes it essential to devise techniques to detect and respond to attacks quickly. Vulnerabilities appear to be increasing rapidly. The graph below shows vulnerabilities reported by CERT [2].

Aamir Islam. 2004

page 2 of 5

Topics in Internet Research

Project Proposal

Launching a DoS attack is trivial, but detecting an Intrusion is a difficult task. Intrusion Detection (ID) is the art of detecting inappropriate, incorrect, or anomalous activity. The need for ID arises due to the fact that security is not always perfect. Not every system administrator can always install every security patch on every computer. Firewalls can be mis-configured and sometimes previously unknown vulnerabilities can crop up in softwares. Even heavily defended networks can be penetrated. An ID system is a key component and an important tool in computer and network security.

The focus of this project is to understand the concept of DoS attacks look into the various types of common attacks study the various ID mechanisms used in the detection of DoS attacks. discuss the pros and cons of existing ID mechanism propose a new ID mechanism

3. Denial of Service Attack

DoS attack is an attack designed to render a computer or network incapable of providing normal services [3]. It occurs in a multi-user, multitasking environment when one user can make the system unusable for legitimate traffic. This type of attack can be deliberate or accidental.

Attacker

Server Normal User

Aamir Islam. 2004

page 3 of 5

Topics in Internet Research

Project Proposal

An Internet user intends to access by sending a message to a server. When available, the server replies and a connection is established. If the address of the user is fake, the server is unable to respond and goes into a waiting state, after which it closes the connection. This can result in a DoS attack, which frequently come from addresses that do not exist. Also, if hackers or attackers send so many requests that a server becomes overloaded; other Internet users find it impossible to communicate with the server. The reason a server is blocked to users is because it is so busy attempting to give responses to questions asked by attackers, it hasn't any time to deal with other users. Such an overload not only prevents access, but can even cause a server to crash. In effect a DoS attack is overwhelming a computer or network with more requests than it can handle. DoS attacks can fall into the following four broad categories: 1. Flooding a network, i.e. preventing legitimate network traffic to and from the network. 2. Disrupting connectivity between machines, thereby rendering a service. 3. Attempts to prevent a particular individual from accessing a service. 4. Attempts to disrupt service to a specific system or person.

4. Project Scope
4.1. Objective The objective of this project is to survey the existing DoS attack detection mechanisms, compare them and propose a novel algorithm to detect the attacks. 4.2. Deliverables Deliverable 01 Midterm Project Report. It will cover the following contents: Common types of DoS attacks which include brief description of the following attacks which readily occurred on the Internet o o o o o SYN Flooding Smurf Buffer Overflow Teardrop Ping of Death

Aamir Islam. 2004

page 4 of 5

Topics in Internet Research

Project Proposal

Detection of DoS Intrusions using following mechanism o Anamoly Based Intrustion Detection Adaptive Threshold Algorithm CumSum Algorithm o o o Signature Based Intrusion Detection Time Dependant Deterministic Finite Automata Multilevel Tree for Online Packet Statistics (MULTOPS)

Comparison of Detection Schemes Deliverable 02 Final Project Report. The Final Project Report will present a new algorithm for detecting DoS Intrusions. 4.3. Milestone Gathering Research Material Studying Research Papers Draft Midterm Report Final Midterm Report Devising new algorithm Final term Report 4.4. Limitations The scope of the project and contents of deliverables can change depending on the outcome of meetings with the Instructor or TA. 20th March 04 27th March 04 01st April 04 05th April 04 30th April 04 07th May 04

5. References
To write this proposal, I skimmed various research papers and articles. The references to some of the papers are given below: [1] David Durham, Priya Govindarajan, Dylan Larson, Priya Rajagopal and Ravi Sahita, [2] [3] Elimination of Distributed Denial of Service Attacks using Programmable Network Processors, Version 1.0, June 2002. http://www.cert.org/stats/#vulnerabilities Arvind S Krishna, DENIAL OF SERVICE ATTACKS, University of California, Irvine CA.
Please note that the list of references is not complete and will be updated as project proceeds.

Aamir Islam. 2004

page 5 of 5