Detecting DDoS Attacks in Stub Domains
Date
2006-01-25
Authors
Kommareddy, Chris
Advisor
Bhattacharjee, Bobby
La, Richard
Abstract
DoS attacks have the least impact when mitigated close to
the attacks' source. This is even more important for Distributed DoS
(DDoS) attacks, since they are difficult to mitigate at the victim
without affecting service to legitimate flows. This is a challenging
task since DDoS attack traffic may have relatively low flow rates
and attack packets are indistinguishable from legitimate packets.
Current source-end detection schemes such as MULTOPS and D-WARD are
centralized and hence are not easily deployable in multi-gateway
stub networks with asymmetric traffic.
We present a scalable, distributed DDoS detection system that can be
deployed in single- as well as multi-homed stub networks to detect
DDoS attacks using TCP packets. The detection system can detect attacks
with very low flow rates and in multi-gateway networks, even with
significant asymmetric TCP flows. We evaluate the performance of our
detection system using extensive packet level simulations under
different attack scenarios. Our results show that with relatively little
node state and processing, in networks with symmetric flows, our system
can accurately detect attack flows that are one-third the intensity of
an average flow in the network. In the case of multi-gateway networks,
the detection system can detect all attacks for all rates of asymmetry
when the attack rate is at least five times the average flow rate in
the network.
We extend the system to detect attacks aimed at multiple hosts in a
subnet instead of a single host. Subnet attacks appear more diffuse
to detection schemes designed to detect single-host attacks, which makes
them harder for those schemes to detect. Our subnet attack
detection scheme can detect attacks that target hosts in large subnets
(/21) and in the presence of non-attack traffic to other hosts in the
subnet.
Our packet level simulations show that, in single gateway networks,
our scheme can detect attacks with an aggregate flow intensity
equal to an average flow in the network in less than a minute.
Using these simulations, we also show that our scheme detects attacks in
networks with up to four gateways and when up to 50% of the flows are asymmetric.
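The following is an added illustration (not the thesis's scheme) of the asymmetry problem the abstract describes: a per-gateway, MULTOPS-style outbound/inbound packet ratio misclassifies legitimate TCP sessions when replies enter a stub network through a different gateway, while pooling the two gateways' counters restores the signal and still isolates the no-reply attack flow. The gateway names, flow table and ratio threshold are constructed for the demo.

```python
"""Two-gateway stub network: per-gateway vs. pooled ratio-based detection.
Added example; gateways 'A'/'B', the flows and the threshold are constructed."""
from collections import defaultdict

RATIO_THRESHOLD = 3.0  # outbound/inbound packets per destination; assumed value

def route(flows, asymmetric):
    """Return per-gateway counters {gw: {dst: [out_pkts, in_pkts]}}.
    Each flow is (dst, out_pkts, in_pkts). Outbound packets always leave via
    gateway 'A'; with asymmetric routing the replies enter via gateway 'B'."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for dst, out_pkts, in_pkts in flows:
        counts["A"][dst][0] += out_pkts
        gw_in = "B" if asymmetric else "A"
        counts[gw_in][dst][1] += in_pkts
    return counts

def suspicious(counter):
    """Destinations whose outbound/inbound ratio exceeds the threshold.
    A destination with no outbound packets at this vantage point is skipped."""
    flagged = set()
    for dst, (out_pkts, in_pkts) in counter.items():
        if out_pkts == 0:
            continue
        ratio = out_pkts / in_pkts if in_pkts else float("inf")
        if ratio > RATIO_THRESHOLD:
            flagged.add(dst)
    return flagged

def per_gateway_alerts(counts):
    """Each gateway decides alone from the packets it has seen."""
    return {gw: suspicious(c) for gw, c in counts.items()}

def pooled_alerts(counts):
    """Merge the gateways' counters before computing ratios."""
    merged = defaultdict(lambda: [0, 0])
    for c in counts.values():
        for dst, (o, i) in c.items():
            merged[dst][0] += o
            merged[dst][1] += i
    return suspicious(merged)

# Constructed traffic: two legitimate TCP sessions with balanced packet
# exchange and one low-rate attack flow that draws no replies at all.
FLOWS = [("10.0.0.1", 40, 38), ("10.0.0.2", 25, 27), ("10.0.0.9", 30, 0)]

if __name__ == "__main__":
    for asym in (False, True):
        c = route(FLOWS, asym)
        print("asymmetric" if asym else "symmetric", per_gateway_alerts(c), pooled_alerts(c))
```

With symmetric routing gateway A alone flags only the attack flow; once replies take the other gateway, A flags every destination it forwards to and only the pooled view separates the attack from legitimate sessions.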