• DocumentCode
    2890500
  • Title

    Distributed denial of service detection using TCP/IP header and traffic measurement analysis

  • Author

    Limwiwatkul, Lersak ; Rungsawang, Arnon

  • Author_Institution
    Nat. Electron. & Comput. Technol. Center, Pathumthanee, Thailand
  • Volume
    1
  • fYear
    2004
  • fDate
    26-29 Oct. 2004
  • Firstpage
    605
  • Abstract
    Recently, the detection of distributed denial of service (DDoS) and the discovery of DDoS attacking signature used the mean of traffic measurement analysis at protocol level. This technique is not suited to find the signatures of DDoS attack, which is formless. Also, DDoS is in general the combination of different forms of denial of service (DoS). As a result, it is difficult to find the exact signature of attack. Moreover, it is very difficult to distinguish the difference between an unusual high traffic which is caused by the attack, and the flash crowds which normally occur when a huge number of users use the target machine at the same time. In fact, this difference should only be observed from analyzing the data in the packet header. In this paper, we propose to discover the DDoS attacking signature by analyzing the TCP/IP packet header against the well defined rules and conditions, and distinguish the difference between normal and abnormal traffic. We here observe three groups or delegates of DDoS attacking, i.e., ICMP flood, UDP flood and TCP SYN flood, and present convincing preliminary experiments.
  • Keywords
    computer networks; packet switching; quality of service; security of data; telecommunication congestion control; telecommunication security; telecommunication traffic; transport protocols; DDoS attacking signature; DoS; ICMP flood; TCP SYN flood; TCP/IP header; UDP flood; abnormal traffic; distributed denial of service detection; flash crowds; normal traffic; packet header data; protocol level traffic measurement analysis; target machine; traffic measurement analysis; unusual high traffic; Bandwidth; Computer crime; Data analysis; Electronic mail; Floods; IP networks; Internet; Knowledge engineering; Protocols; TCPIP;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications and Information Technology, 2004. ISCIT 2004. IEEE International Symposium on
  • Print_ISBN
    0-7803-8593-4
  • Type

    conf

  • DOI
    10.1109/ISCIT.2004.1412917
  • Filename
    1412917