Next: MULTOPS heuristic Up: MULTOPS design Previous: MULTOPS design


Overview

MULTOPS uses disproportional packet rates to or from hosts and subnets as a heuristic to detect (and potentially stop) attacks. To collect these statistics, a tree-shaped data structure keeps track of packet rates to and from those subsets of the IP address space that display disproportional behavior. This is done by letting the tree expand and contract ("zoom in and zoom out") based on observed (disproportional) traffic patterns.

MULTOPS stores packet rate statistics for flows between hosts (or subnets) $A$ and $B$ using either $A$'s IP address or $B$'s IP address. As a consequence, MULTOPS can identify either the victim or the source(s) of an attack. We distinguish between these two modes by calling them victim-oriented mode and attacker-oriented mode, respectively. In victim-oriented mode, MULTOPS tries to identify the IP address of the victim of an attack. In attacker-oriented mode, MULTOPS tries to identify the IP address(es) of the attacker(s). The difference between these two modes becomes important when dropping packets: either packets going to the victim are dropped, or packets coming from the attacker are dropped. Note that in both cases the attack is stopped. In one case this is done based on the IP address of the victim, in the other case it is done based on the IP address(es) of the attacker(s). Throughout this paper we assume that MULTOPS runs in victim-oriented mode, unless specified otherwise.

Figure 1: Schematic MULTOPS in victim-oriented mode (figure overview.eps not reproduced here)

MULTOPS expects two streams of IP packets as input, each connected to a different network interface. Packets going in one direction ("forward packets") are inspected on their destination address; packets going in the opposite direction ("reverse packets") are inspected on their source address. Figure 1 illustrates this. Exchanging the network interfaces switches between attacker-oriented and victim-oriented mode.

MULTOPS presents a query interface that returns an approximation to $R(P)$. $R(P)$ is the ratio of forward packets with destination IP address prefix $P$ to reverse packets with source IP address prefix $P$.

In victim-oriented mode, MULTOPS determines a victim's IP address by looking for prefixes for which $R(P)$ is greater than some threshold. Dropping packets with destination addresses matching such prefixes might defeat the attack, though it may also impose "collateral damage" by dropping legitimate packets. In attacker-oriented mode, MULTOPS determines the addresses of attackers by looking for prefixes for which $R(P)$ is less than some threshold. Dropping packets based on source addresses matching such prefixes might defeat the attack, though IP spoofing introduces complications that are discussed in Section 7.1. Note that a single MULTOPS cannot detect both attacker and victim addresses.
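The following is an added illustration of the ideas in this overview (the expanding and contracting prefix tree, the $R(P)$ query, and the two modes); it is not the authors' MULTOPS implementation. It assumes a per-octet tree of four levels, plain packet counts in place of the rates the paper uses, a fixed expansion ratio of 3 used both as the zoom-in trigger and as the detection threshold, and a constructed packet stream rather than captured traffic. Exchanging the interfaces is modelled by swapping which stream is treated as "forward".

```python
import ipaddress

MAX_DEPTH = 4        # one 256-entry table level per IPv4 octet (assumption)
EXPAND_RATIO = 3.0   # zoom in once fwd/rev or rev/fwd exceeds this (assumption)
MIN_PACKETS = 20     # do not judge an entry on too few packets (assumption)


class Table:
    """One table of the tree: per-octet forward/reverse counts and, for
    entries that have been expanded, a child table one octet deeper."""

    def __init__(self, depth):
        self.depth = depth
        self.fwd = [0] * 256
        self.rev = [0] * 256
        self.children = {}   # octet -> Table, present only while expanded


def ratio(fwd, rev):
    """R(P): forward packets to P divided by reverse packets from P."""
    if fwd == 0 and rev == 0:
        return 1.0                     # no traffic: treated as proportional
    return float("inf") if rev == 0 else fwd / rev


def disproportional(fwd, rev):
    if fwd + rev < MIN_PACKETS:
        return False
    r = ratio(fwd, rev)
    return r > EXPAND_RATIO or r < 1.0 / EXPAND_RATIO


class Multops:
    def __init__(self, victim_oriented=True):
        self.root = Table(0)
        self.victim_oriented = victim_oriented

    @staticmethod
    def octets(addr):
        return tuple(ipaddress.IPv4Address(addr).packed)

    def observe(self, src, dst, inbound):
        """Count one packet. Which physical stream is 'forward' depends only
        on the interface it arrived on; exchanging interfaces swaps modes."""
        forward = inbound if self.victim_oriented else not inbound
        # Forward packets are inspected on destination, reverse on source.
        key = self.octets(dst if forward else src)
        table = self.root
        for depth, octet in enumerate(key):
            if forward:
                table.fwd[octet] += 1
            else:
                table.rev[octet] += 1
            child = table.children.get(octet)
            if disproportional(table.fwd[octet], table.rev[octet]):
                if child is None and depth < MAX_DEPTH - 1:
                    child = table.children[octet] = Table(depth + 1)  # zoom in
            elif child is not None:
                del table.children[octet]      # zoom out: back to proportional
                child = None
            if child is None:
                break                          # tree is no deeper for this prefix
            table = child

    def query(self, prefix):
        """Approximate R(P): the ratio at the deepest entry the tree has
        expanded toward P (coarser than P when P was never zoomed into)."""
        net = ipaddress.IPv4Network(prefix, strict=False)
        levels = net.prefixlen // 8            # octet-aligned prefixes only
        key = self.octets(net.network_address)
        table = self.root
        for depth in range(levels):
            octet = key[depth]
            child = table.children.get(octet)
            if depth == levels - 1 or child is None:
                return ratio(table.fwd[octet], table.rev[octet])
            table = child

    def suspects(self, threshold=EXPAND_RATIO):
        """Unexpanded entries the heuristic flags: R(P) > threshold in
        victim-oriented mode, R(P) < 1/threshold in attacker-oriented mode."""
        found = []

        def walk(table, prefix):
            for octet in range(256):
                f, r = table.fwd[octet], table.rev[octet]
                if f + r == 0:
                    continue
                if octet in table.children:
                    walk(table.children[octet], prefix + (octet,))
                    continue
                rr = ratio(f, r)
                hit = rr > threshold if self.victim_oriented else rr < 1.0 / threshold
                if hit and f + r >= MIN_PACKETS:
                    full = prefix + (octet,) + (0,) * (3 - table.depth)
                    found.append(".".join(map(str, full)) + f"/{8 * (table.depth + 1)}")

        walk(self.root, ())
        return found


def build_demo_tree(victim_oriented=True):
    """Feed a constructed stream (not captured data): a balanced exchange
    between 10.0.0.5 and 192.0.2.10, plus a one-sided stream from
    198.51.100.7 to 10.0.0.9 that 10.0.0.9 barely answers."""
    m = Multops(victim_oriented)
    for i in range(1, 301):
        m.observe("198.51.100.7", "10.0.0.9", inbound=True)      # one-sided
        if i % 6 == 0:                                              # balanced pair
            m.observe("192.0.2.10", "10.0.0.5", inbound=True)
            m.observe("10.0.0.5", "192.0.2.10", inbound=False)
        if i % 60 == 0:                                             # rare reply
            m.observe("10.0.0.9", "198.51.100.7", inbound=False)
    return m


if __name__ == "__main__":
    print("victim-oriented:  ", build_demo_tree(True).suspects())
    print("attacker-oriented:", build_demo_tree(False).suspects())
```

Run on the same constructed stream, the victim-oriented tree zooms in on 10.0.0.0/8, then /16, /24 and finally reports 10.0.0.9/32, while the attacker-oriented tree (same packets, interfaces exchanged) reports 198.51.100.7/32. Querying a prefix the tree never expanded, such as 192.0.2.0/24 in victim-oriented mode, returns the coarser enclosing entry's ratio, which is the approximation the text refers to.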

In our current design, we also assume that packets are being sent using IPv4. Our approach should easily extend to IPv6, although it will consume significantly more resources.


2001-05-11