LADS: Large-scale Automated DDoS Detection System

The last few years have seen a steady rise in the occurrence and sophistication of distributed denial of service (DDoS) attacks. Volume-based attacks aggregate at a target’s access router, suggesting that (i) detection and mitigation is best done by providers in their networks; and (ii) attacks are most readily detectable at access routers, where their impact is strongest. In-network detection presents a tension between scalability and accuracy. Specifically, accuracy of detection dictates fine grained traffic monitoring, while performing such monitoring for the tens or hundreds of thousands of access interfaces in a large provider network presents serious scalability issues. In this work we investigate the design space for in-network DDoS detection and present a triggered, multi-stage approach that addresses both scalability and accuracy. Each successive stage can access finer resolution data sets, and can perform deeper, more expensive diagnostics if required. We argue that this approach is applicable to any economically feasible, large scale, DDoS detection system. Our second contribution is the design and implementation of an operational instance of our triggered, multi-stage approach. The attractiveness of this system lies in the fact that it makes use of data that is readily available to an ISP. Specifically, SNMPbased anomalies trigger the collection of Netflow data for detailed attack analysis. Aggregation and compression on the flow data is used to generate alarms concerning possible attack targets. We evaluate the system using SNMP and Netflow data collected from a large tier-1 ISP and compare the results with alarms generated by a commercial DDoS detection system. Our triggered approach achieves high accuracy with fairly modest processing requirements.