DDoS Detection and Alerting

Distributed Denial of Service attacks are becoming very popular nowadays. The easy access to services and resources that can be used for this purpose, and the high resulting amount of damage, are the main reasons for this. Current detection and mitigation systems are not accurate enough and can be very expensive. Previous research has led to detection methods that even though can be accurate for certain kinds of anomalies, no effective real solution or system has been proposed or made. By analyzing NetFlow data from the core routers of the ISP where this research was done, we defined categories for different kinds of traffic, which are treated in a different way. We created a model for volumetric Distributed Denial of Service attacks detection and we created a statistical method to find optimal thresholds for detection of such anomalies. We individually analyze protocol-port combinations that are either popular or have potential to be used for this kind of attacks, which are handled individually for a more accurate detection. By subtracting the individually analyzed traffic, we also analyze the remaining traffic for new attacks detection. For traffic where a repetitive behavior over time is observed, we created baselines from past traffic data, which will adapt over time to mimic the traffic trends. Our method revealed to be particularly effective for repetitive traffic with noise, where the statistically calculated values where a good match, avoiding normal traffic noise while detecting traffic peaks related to anomalies. We developed a prototype in a form of a NfSen plugin, where the results of our analysis were applied.