Distributed Change-Point Detection of DDoS Attacks over Multiple Network Domains

Distributed denial of services (DDoS) attacks post a major threat to Internet security. This paper proposes a distributed system to detect flooding DDoS attacks at the earliest possible time. At the launching stage of a DDoS attack, some changes in traffic fluctuation are detectable at the router or gateway level. We develop a distributed change-point (DCP) detection architecture using change aggregation trees (CAT). This DCP scheme detects abrupt traffic changes across multiple network domains serviced by the same ISP or managed by the same organization. The early detection of flooding attacks enables timely countermeasures to minimize damages to the edge networks or to hot-spot victim systems serviced by the provider. Each network domain corresponds to a single autonomous system (AS). The AS domain is equipped with a CAT server to aggregate traffic change information detected at the routers. All CAT servers exchange flooding alert information to make global detection decision across multiple domains. To resolve the conflicts in security policies at different provider domains, a new secure infrastructure protocol (SIP) is developed to establish the trust among them. We report scalable performance results on implementing the DCP detection system over 16 domains in the DETER testbed. The simulated Internet setting reveals that 4 domains are sufficient to yield 98% detection accuracy of TCP SYN and UDP flooding attacks with less than 1% false alarms. By using ISP-controlled AS domains, the DCP system is proven scalable to 84 domains, which appeals to real-life deployment in the Internet environments.