Parametric Differences between a Real-world Distributed Denial-of-Service Attack and a Flash Event

Distributed Denial-of-Service (DDoS) attacks continue to be one of the most pernicious threats to the delivery of services over the Internet. Not only are DDoS attacks present in many guises, they are also continuously evolving as new vulnerabilities are exploited. Hence accurate detection of these attacks remains a challenging problem and a necessity for ensuring strong network security. An intrinsic challenge in addressing this problem is to effectively distinguish these Denial-of-Service attacks from similar-looking Flash Events (FEs) created by legitimate clients. A considerable overlap between the general characteristics of FEs and DDoS attacks makes it difficult to precisely separate these two classes of Internet activity. In this paper we propose parameters which can be used to explicitly distinguish FEs from DDoS attacks, and we analyse two real-world, publicly available datasets to validate our proposal. Our analysis shows that even though FEs appear very similar to DDoS attacks, there are several subtle dissimilarities which can be exploited to separate these two classes of events.
