Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring

In this paper, we propose a simple but robust scheme to detect denial of service attacks (including distributed denial of service attacks) by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection scheme by changing their attack signature. Our scheme uses a sequential nonparametric change point detection method to improve the detection accuracy without requiring a detailed model of normal and attack traffic. Furthermore, we show that with the combination of monitoring per flow speed, we can detect all types of DDoS attacks. We demonstrate that we can achieve high detection accuracy on a range of different network packet traces.