Source Identification of Spoofed DDoS Attacks using an Image Processing Approach

This paper presents a novel source identification scheme for spoofed DDoS attacks using an image processing method. The key idea is that “DDoS attack traffic” that uses subnet spoofing is represented as “lines” on the spatial image planes, and they can be recognized by an edge detection algorithm. Applying the clustering technique to the lines makes it possible to identify multiple attack source networks simultaneously. On the identified networks which the zombie hosts reside, we then employ a signature based pattern extraction algorithm, called pivoted movement, and the DDoS attacks are filtered by correlating IP and MAC pairings signature. Unlike previous IP traceback schemes such as packet marking, which tried to diagnose the entire attack path, our proposed scheme focuses on identifying only the attack source. Our approach can achieve an adaptive response to DDoS attacks, thereby mitigating them at the source, while minimizing the disruption of legitimate traffic. The proposed scheme is analyzed and evaluated on the IPv4 and IPv6 network topology from CAIDA and the results show superior effectiveness.