DDoS Attack Detection Using Unique Source IP Deviation

In this paper we present a low cost yet robust DDoS detection method to identify all classes of DDoS attacks. Our method attempts to detect DDoS attack by monitoring the deviation of the count of unique source IPs and the count of source IPs whose transmission rate is higher than a given threshold value. Unlike other similar existing methods, our method does not need to maintain a list of source IPs which makes our detection method faster. Another advantage of our method is the ability to detect attack performed by small size bot net. In case of such an attack the packet rate of the attack sources deviate from its mean value significantly and thus we can detect this change. We use a non-parametric change point modeling technique to identify flooding attacks of all types in real time. An other contribution of this work is the development of an attack took referred to as TU-CANNON, to generate different variations of DDoS attack under a controlled test-bed environment.