A Framework for Classifying Denial of Service Attacks

Alefiya Hussain, John Heidemann, Christos Papadopoulos

Proceedings of ACM SIGCOMM 2003

Summary and critique by Sarang Dharmapurikar

Summary:

This paper provides a framework for classifying denial of service (DoS) attacks as single-source or multi-source attacks. The following techniques are explored:

1. Header analysis for anomaly detection: This technique primarily looks at the ID field of the packets to find out whether they come from the same source. Most operating systems increment the ID field, so by observing a sequence of ID values it can be concluded that the packets belong to a common source. Likewise, the TTL field does not change for packets originating from the same source if routes are stable. However, these techniques don't work very well, since both fields can be spoofed.

2. Initial ramp-up: This technique observes the rate of change of traffic over a period of time. The authors claim that a single-source attack starts at a particular moment and doesn't exhibit any ramp-up in the traffic, whereas a multi-source attack, which is carried out by orchestrating distributed sources and triggering them at different points in time, shows a gradual increase in traffic volume. This technique is also ineffective if a single source can emulate the same behavior.

3. Spectral analysis: The authors apply the technique of spectral analysis (previously proposed by Kung et al.) to distinguish between single-source and multi-source attack patterns. Through rigorous simulations, traffic analysis and numerical calculations, the authors confirm that this technique is effective for distinguishing single-source attacks from multi-source attacks.
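The header-analysis heuristic from technique 1, as an added illustration that is not code from the paper: two constructed packet streams are classified by whether their ID fields look like one incrementing counter (modulo 2^16) and whether the TTL is constant. The `max_gap` tolerance, the 0.9 ID-fraction threshold and the sample streams are assumptions chosen for this example, and, as the summary notes, both fields are spoofable, so a "single-source" verdict is only a hint.

```python
"""Header-based single- vs multi-source heuristic (added example, not the paper's code)."""
from collections import Counter


def id_increment_fraction(ids, max_gap=16):
    """Fraction of consecutive ID pairs that advance by a small positive step mod 2^16.

    Near 1.0 suggests one OS counter behind the stream; near 0.0 suggests several
    interleaved counters. max_gap is an assumed tolerance for packets lost or reordered.
    """
    if len(ids) < 2:
        return 0.0
    hits = sum(1 for a, b in zip(ids, ids[1:]) if 0 < (b - a) % 65536 <= max_gap)
    return hits / (len(ids) - 1)


def classify_headers(packets, id_threshold=0.9, ttl_limit=1):
    """Return the ID-sequence fraction, number of distinct TTLs and a coarse verdict.

    Both inputs are spoofable, so the verdict is a hint for an analyst, not proof.
    """
    ids = [p["id"] for p in packets]
    distinct_ttls = len(Counter(p["ttl"] for p in packets))
    frac = id_increment_fraction(ids)
    single = frac >= id_threshold and distinct_ttls <= ttl_limit
    return {"id_fraction": frac, "distinct_ttls": distinct_ttls,
            "verdict": "single-source" if single else "multi-source"}


def make_single_stream(n=200, start=65500, ttl=52):
    """Constructed stream: one counter that wraps past 65535, constant TTL."""
    return [{"id": (start + k) % 65536, "ttl": ttl} for k in range(n)]


def make_multi_stream(n=200):
    """Constructed stream: three hosts with their own counters and TTLs, sent round-robin."""
    counters = [100, 20000, 51000]
    ttls = [48, 55, 60]
    packets = []
    for k in range(n):
        src = k % 3
        packets.append({"id": (counters[src] + k // 3) % 65536, "ttl": ttls[src]})
    return packets


if __name__ == "__main__":
    print(classify_headers(make_single_stream()))  # id_fraction 1.0, 1 TTL, single-source
    print(classify_headers(make_multi_stream()))   # id_fraction 0.0, 3 TTLs, multi-source
```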

Critique:

1. This is a good "verification" paper, since the authors verify concepts which have already been applied to solve the same problem. Header analysis has been in use, and spectral analysis was proposed in a different paper. Initial ramp-up analysis can be considered a contribution. However, the authors have done a great job of verifying these techniques through experiments and simulations. The results give insight into the original techniques.

2. The paper does not talk about detecting a DDoS but only about classifying attacks as single-source or multi-source. A more important question that still needs to be answered is: how to differentiate between flash crowds and DDoS attacks? Only when this differentiation is accurate does it make sense to apply these techniques to classify attacks as single-source or multi-source.

3. The proposed technique needs a lot of preprocessing of the trace data (such as isolating flows/streams and calculating the packet arrival rate per flow) and manual inspection (for discarding flows that are known to generate flash crowds). Automating this technique generates a lot of false positives. Could this be done in real time?

4. Some of the thresholds used for the analysis were chosen arbitrarily (the packet-rate thresholds for detecting an attack, the 60% quantile), and the authors don't discuss how they will vary for different types of networks.