Statistical Signatures for Early Detection of Flooding Denial-Of-Service Attacks

Denial-of-service attacks are a major threat to the information economy. Despite the widespread deployment of perimeter-model countermeasures, these attacks remain highly prevalent, so a different approach is posited: early detection. This paper presents an approach that utilises statistical signatures at the router to detect flooding denial-of-service attacks early. The advantages of the approach are threefold: analysing fewer packets reduces the computational load on the defence mechanism; no state information is required about the systems under protection; and a single alert may span many attack packets. The defence mechanism may therefore be placed within the routing infrastructure, preventing malicious packets from reaching their intended victim in the first place. This paper presents an overview of the early-detection-enabled router algorithm and case-study results.
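As an added illustration (not code from the paper), the following Python sketch shows the three properties the abstract claims for a router-side statistical signature: it inspects only a sampled fraction of packets, keeps no per-host or per-connection state, and raises one alert per window rather than per packet. The choice of feature (the mix of TCP flag classes), the baseline proportions, the chi-square goodness-of-fit test and its threshold are all assumptions, since the page does not state which statistic the paper uses.

```python
# Added example, not the paper's code: a stateless, sampled statistical-signature
# check for a flooding attack. Feature, baseline and threshold are assumptions.
from collections import Counter

SAMPLE_RATE = 3  # inspect only 1 packet in 3, reducing per-packet work on the router

# Assumed baseline: share of each TCP flag class in normal traffic on this link.
BASELINE = {"SYN": 0.10, "SYN-ACK": 0.10, "ACK": 0.70, "FIN": 0.10}

# Chi-square critical value for 3 degrees of freedom at p = 0.001 (assumed threshold).
ALERT_THRESHOLD = 16.27


def window_signature(packets, sample_rate=SAMPLE_RATE):
    """Flag-class counts over a sampled window. Only aggregate counts are kept,
    so nothing is stored per source host or per connection (no protected-system state)."""
    sampled = packets[::sample_rate]
    counts = Counter(pkt["flags"] for pkt in sampled)
    return counts, len(sampled)


def chi_square(counts, n, baseline=BASELINE):
    """Pearson chi-square distance between the sampled window and the baseline."""
    return sum((counts.get(k, 0) - n * p) ** 2 / (n * p) for k, p in baseline.items())


def detect(packets, threshold=ALERT_THRESHOLD):
    """One verdict per window: a single alert covers every packet in the window."""
    counts, n = window_signature(packets)
    stat = chi_square(counts, n)
    return {"alert": stat > threshold, "statistic": round(stat, 2), "sampled": n}


# Constructed traffic windows. Flag classes repeat with period 10, which is coprime
# with SAMPLE_RATE, so the sampled subset of the normal window matches BASELINE exactly.
_NORMAL_PATTERN = ["SYN", "SYN-ACK", "ACK", "ACK", "ACK", "ACK", "ACK", "ACK", "ACK", "FIN"]
NORMAL_WINDOW = [{"src": "10.0.0.%d" % (i % 50), "flags": f}
                 for i, f in enumerate(_NORMAL_PATTERN * 30)]
# The same background traffic followed by a burst of 200 extra SYNs (constructed flood).
SYN_FLOOD_WINDOW = NORMAL_WINDOW + [{"src": "198.51.100.%d" % (i % 200), "flags": "SYN"}
                                    for i in range(200)]

if __name__ == "__main__":
    print("normal:", detect(NORMAL_WINDOW))
    print("flood :", detect(SYN_FLOOD_WINDOW))
```

The detector never reads the `src` field: the only thing carried between packets is a handful of counters, which is what lets it run inside the routing path.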
