Document Type

Conference Proceeding


Secure and Dependable System Forensics Workshop

Publication Date



Moscow, ID, United States


Availability requires that computer systems remain functioning as expected without loss of resources to legitimate users. The impact of a lack of availability to services and data is often little more than a nuisance; however the results could be devastating if critical computational and communication resources are targeted. One of the most problematic challenges to availability is the denial of service (DoS) attack. Over time, DoS attacks have become increasingly sophisticated, often employing techniques like address spoofing, coordinated distributed sources of attack, and subverting “inside” computers to assist in carrying out the attack. DoS attacks are very easy to launch, are effective, and are difficult to prevent or mitigate.

The purpose of this work is to study post-mortem DoS attacks over time with the goals of uncovering how the attacks relate to each other, identifying the underlying vulnerability that led to success, and gaining insight on future attack trends. By studying how attacks have changed over time and adapted to overcome new security practices, it is possible to construct attack trees to represent the genealogy and history of DoS attack tools. Through code inspections and close analysis of the attack trees, we were able to identify core techniques copied from one attack to another, the synthesis of more effective techniques based on combinations of existing methods, and the genesis of novel attack strategies. The generation of attack trees allows for an important examination of how attacks relate to one another as well as insight on the core vulnerabilities that still remain in modern software solutions. More importantly, by closely analyzing the genealogy of attack trees and post-mortem DoS exploitation, we not only gain information on the methodologies currently used by attackers but also discover valuable insight on predicting future attack patterns as well as developing possible countermeasure.




Article Location