Resistance Is Not Futile: Detecting DDoS Attacks without Packet Inspection
Authors
Abstract
Packets in anonymous networks are fully protected. Therefore, traditional methods that rely on packet-header and higher-layer information cannot detect Distributed-Denial-of-Service (DDoS) attacks in anonymous networks. In this paper we propose to use observable statistics at routers, which need no packet inspection, to infer the presence of an attack. We propose packet resistance as a metric to detect the presence of attacks that reduce the availability of channel bandwidth for wireless routers in the core network. Our proposed detection framework is distributed: each router in the network core monitors and reports its findings to an intermediate router. These intermediate routers form a hierarchical overlay that eventually reaches a centralized attack monitoring center. The alarm messages are used to construct an attack path and determine the origin of the attack. We present simulation results to demonstrate the effectiveness of our proposed metric.
Similar resources
A Detection and Filter System for Use Against Large-Scale DDoS Attacks in the Internet Backbone
Distributed denial of service (DDoS) attacks in the Internet pose huge problems for today's communication infrastructure. Attacks either destroy information or impede access to a service. Since the significance of the Internet to business and economy is growing rapidly, efficient protection mechanisms are urgently required to protect hosts from being infected and, more important, sites from bei...
An Intelligent DDoS Attack Detection System Using Packet Analysis and Support Vector Machine
Nowadays, many companies and/or governments require a secure system and/or an accurate intrusion detection system (IDS) to defend their network services and the user’s private information. In network security, developing an accurate detection system for distributed denial of service (DDoS) attacks is one of the challenging tasks. DDoS attacks jam the network service of the target using multiple bot...
Detecting DDoS Attacks in Stub Domains
Title of dissertation: DETECTING DDoS ATTACKS IN STUB DOMAINS. Christopher Kommareddy, Doctor of Philosophy, 2006. Dissertation directed by: Prof. Samrat Bhattacharjee, Department of Computer Science; Dr. Richard La, Department of Electrical & Computer Engineering. DoS attacks have least impact when detected and mitigated close to the attacks’ source. This is more important for Distributed DoS (DDoS)...
Entropy Based Detection of DDoS Attacks in Packet Switching Network Models
Distributed denial-of-service (DDoS) attacks are network-wide attacks that cannot be detected or stopped easily. They affect “natural” spatiotemporal packet traffic patterns, i.e. “natural distributions” of packets passing through the routers. Thus, they affect “natural” information entropy profiles, a sort of “fingerprints”, of normal packet traffic. We study if by monitoring information entro...
F-STONE: A Fast Real-Time DDOS Attack Detection Method Using an Improved Historical Memory Management
Distributed Denial of Service (DDoS) is a common attack in recent years that can deplete the bandwidth of victim nodes by flooding packets. Based on the type and quantity of traffic used for the attack and the exploited vulnerability of the target, DDoS attacks are grouped into three categories as Volumetric attacks, Protocol attacks and Application attacks. The volumetric attack, which the pro...