Most past solutions for detecting denial of service attacks (and identifying the perpetrators) have targeted end-node victims. However, little attention has been given to this problem from an ISP perspective. This paper explores the key challenges involved in helping an ISP network detect attacks on itself or attacks on external sites which use the ISP network. We propose a detection mechanism where each router detects traffic anomalies using profiles of normal traffic constructed using stream sampling algorithms. In addition, an ISP’s routers exchange information with each other to increase confidence in their detection decisions. Our initial results show that individual router profiles capture key characteristics of the traffic effectively and help identify anomalies with low false positive and false negative rates. We believe that profile construction can be extremely efficient, supporting even multi-gigabit speeds. We also believe that incremental deployment of such techniques is possible, although it may significantly impact the effectiveness of the distributed reinforced decision making.