2,138 research outputs found

    Fingerprinting Internet DNS Amplification DDoS Activities

    This work proposes a novel approach to infer and characterize Internet-scale DNS amplification DDoS attacks by leveraging the darknet space. Complementary to the pioneer work on inferring Distributed Denial of Service (DDoS) activities using darknet, this work shows that we can extract DDoS activities without relying on backscattered analysis. The aim of this work is to extract cyber security intelligence related to DNS Amplification DDoS activities such as detection period, attack duration, intensity, packet size, rate and geo-location in addition to various network-layer and flow-based insights. To achieve this task, the proposed approach exploits certain DDoS parameters to detect the attacks. We empirically evaluate the proposed approach using 720 GB of real darknet data collected from a /13 address space during a recent three months period. Our analysis reveals that the approach was successful in inferring significant DNS amplification DDoS activities including the recent prominent attack that targeted one of the largest anti-spam organizations. Moreover, the analysis disclosed the mechanism of such DNS amplification DDoS attacks. Further, the results uncover high-speed and stealthy attempts that were never previously documented. The case study of the largest DDoS attack in history led to a better understanding of the nature and scale of this threat and can generate inferences that could contribute in detecting, preventing, assessing, mitigating and even attributing of DNS amplification DDoS activities. Comment: 5 pages, 2 figure

    How Do Tor Users Interact With Onion Services?

    Onion services are anonymous network services that are exposed over the Tor network. In contrast to conventional Internet services, onion services are private, generally not indexed by search engines, and use self-certifying domain names that are long and difficult for humans to read. In this paper, we study how people perceive, understand, and use onion services based on data from 17 semi-structured interviews and an online survey of 517 users. We find that users have an incomplete mental model of onion services, use these services for anonymity and have varying trust in onion services in general. Users also have difficulty discovering and tracking onion sites and authenticating them. Finally, users want technical improvements to onion services and better information on how to use them. Our findings suggest various improvements for the security and usability of Tor onion services, including ways to automatically detect phishing of onion services, more clear security indicators, and ways to manage onion domain names that are difficult to remember. Comment: Appeared in USENIX Security Symposium 201

    Mining Unclassified Traffic Using Automatic Clustering Techniques

    In this paper we present a fully unsupervised algorithm to identify classes of traffic inside an aggregate. The algorithm leverages on the K-means clustering algorithm, augmented with a mechanism to automatically determine the number of traffic clusters. The signatures used for clustering are statistical representations of the application layer protocols. The proposed technique is extensively tested considering UDP traffic traces collected from operative networks. Performance tests show that it can clusterize the traffic in few tens of pure clusters, achieving an accuracy above 95%. Results are promising and suggest that the proposed approach might effectively be used for automatic traffic monitoring, e.g., to identify the birth of new applications and protocols, or the presence of anomalous or unexpected traffi

    KISS: Stochastic Packet Inspection Classifier for UDP Traffic

    This paper proposes KISS, a novel Internet classification engine. Motivated by the expected raise of UDP traffic, which stems from the momentum of Peer-to-Peer (P2P) streaming applications, we propose a novel classification framework that leverages on statistical characterization of payload. Statistical signatures are derived by the means of a Chi-Square-like test, which extracts the protocol "format," but ignores the protocol "semantic" and "synchronization" rules. The signatures feed a decision process based either on the geometric distance among samples, or on Support Vector Machines. KISS is very accurate, and its signatures are intrinsically robust to packet sampling, reordering, and flow asymmetry, so that it can be used on almost any network. KISS is tested in different scenarios, considering traditional client-server protocols, VoIP, and both traditional and new P2P Internet applications. Results are astonishing. The average True Positive percentage is 99.6%, with the worst case equal to 98.1%, while results are almost perfect when dealing with new P2P streaming applications

    Structures in magnetohydrodynamic turbulence: detection and scaling

    We present a systematic analysis of statistical properties of turbulent current and vorticity structures at a given time using cluster analysis. The data stems from numerical simulations of decaying three-dimensional (3D) magnetohydrodynamic turbulence in the absence of an imposed uniform magnetic field; the magnetic Prandtl number is taken equal to unity, and we use a periodic box with grids of up to 1536^3 points, and with Taylor Reynolds numbers up to 1100. The initial conditions are either an X-point configuration embedded in 3D, the so-called Orszag-Tang vortex, or an Arn'old-Beltrami-Childress configuration with a fully helical velocity and magnetic field. In each case two snapshots are analyzed, separated by one turn-over time, starting just after the peak of dissipation. We show that the algorithm is able to select a large number of structures (in excess of 8,000) for each snapshot and that the statistical properties of these clusters are remarkably similar for the two snapshots as well as for the two flows under study in terms of scaling laws for the cluster characteristics, with the structures in the vorticity and in the current behaving in the same way. We also study the effect of Reynolds number on cluster statistics, and we finally analyze the properties of these clusters in terms of their velocity-magnetic field correlation. Self-organized criticality features have been identified in the dissipative range of scales. A different scaling arises in the inertial range, which cannot be identified for the moment with a known self-organized criticality class consistent with MHD. We suggest that this range can be governed by turbulence dynamics as opposed to criticality, and propose an interpretation of intermittency in terms of propagation of local instabilities. Comment: 17 pages, 9 figures, 5 table

    Site Characterization Using Integrated Imaging Analysis Methods on Satellite Data of the Islamabad, Pakistan, Region

    We develop an integrated digital imaging analysis approach to produce a first-approximation site characterization map for Islamabad, Pakistan, based on remote-sensing data. We apply both pixel-based and object-oriented digital imaging analysis methods to characterize detailed (1:50,000) geomorphology and geology from Advanced Spaceborne Thermal Emission and Reflection Radiometer (ASTER) satellite imagery. We use stereo-correlated relative digital elevation models (rDEMs) derived from ASTER data, as well as spectra in the visible near-infrared (VNIR) to thermal infrared (TIR) domains. The resulting geomorphic units in the study area are classified as mountain (including the Margala Hills and the Khairi Murat Ridge), piedmont, and basin terrain units. The local geologic units are classified as limestone in the Margala Hills and the Khairi Murat Ridge and sandstone rock types for the piedmonts and basins. Shear-wave velocities for these units are assigned in ranges based on established correlations in California. These ranges include Vs30-values to be greater than 500 m/sec for mountain units, 200–600 m/sec for piedmont units, and less than 300 m/sec for basin units. While the resulting map provides the basis for incorporating site response in an assessment of seismic hazard for Islamabad, it also demonstrates the potential use of remote-sensing data for site characterization in regions where only limited conventional mapping has been done

    A Streamwise Constant Model of Turbulence in Plane Couette Flow

    Streamwise and quasi-streamwise elongated structures have been shown to play a significant role in turbulent shear flows. We model the mean behavior of fully turbulent plane Couette flow using a streamwise constant projection of the Navier Stokes equations. This results in a two-dimensional, three velocity component (2D/3C) model. We first use a steady state version of the model to demonstrate that its nonlinear coupling provides the mathematical mechanism that shapes the turbulent velocity profile. Simulations of the 2D/3C model under small amplitude Gaussian forcing of the cross-stream components are compared to DNS data. The results indicate that a streamwise constant projection of the Navier Stokes equations captures salient features of fully turbulent plane Couette flow at low Reynolds numbers. A system theoretic approach is used to demonstrate the presence of large input-output amplification through the forced 2D/3C model. It is this amplification coupled with the appropriate nonlinearity that enables the 2D/3C model to generate turbulent behaviour under the small amplitude forcing employed in this study. Comment: Journal of Fluid Mechanics 2010, in pres