PAPER DIGEST
Most Influential SIGCOMM 2003 Paper · 2026-03 edition

A Framework For Classifying Denial Of Service Attacks

Alefiya Hussain; John Heidemann; Christos Papadopoulos

Venue
ACM SIGCOMM Conference (SIGCOMM) 2003
Recognition
Most Influential SIGCOMM 2003 Paper (Rank No. 8)
Edition
2026-03
Impact factor
7
Certificate ID
a5d41a2222aef239

Abstract

Launching a denial of service (DoS) attack is trivial, but detection and response is a painfully slow and often a manual process. Automatic classification of attacks as single- or multi-source can help focus a response, but current packet-header-based approaches are susceptible to spoofing. This paper introduces a framework for classifying DoS attacks based on header content, and novel techniques such as transient ramp-up behavior and spectral analysis. Although headers are easily forged, we show that characteristics of attack ramp-up and attack spectrum are more difficult to spoof. To evaluate our framework we monitored access links of a regional ISP detecting 80 live attacks. Header analysis identified the number of attackers in 67 attacks, while the remaining 13 attacks were classified based on ramp-up and spectral analysis. We validate our results through monitoring at a second site, controlled experiments, and simulation. We use experiments and simulation to understand the underlying reasons for the characteristics observed. In addition to helping understand attack dynamics, classification mechanisms such as ours are important for the development of realistic models of DoS traffic, can be packaged as an automated tool to aid in rapid response to attacks, and can also be used to estimate the level of DoS activity on the Internet.

Download PDF certificate