Detecting DDoS attacks with passive measurement based heuristics

Author

Siaterlis, Christos ; Maglaris, Basil

Author_Institution

Network Manage. & Optimal Design (NETMODE) Lab, Nat. Tech. Univ. of Athens, Greece

Volume

1

fYear

2004

fDate

28 June-1 July 2004

Firstpage

339

Abstract

Network traffic anomalies such as distributed denial of service attacks or the propagation of a new worm are hard to detect on noncongested ISP backbone links. The research community hasn´t managed to offer reliable detection metrics that can be implemented with the current technology constraints to network administrators yet. In this work we explore and evaluate the effectiveness of several potential heuristics in detecting flooding attacks. Our observations are based on a daily network traffic analysis for a period longer than 3 months and on more than 40 experiments that were conducted with the use of common DDoS tools in the production network of an academic ISP. The data analyzed are based on different types of passive measurements that are available today to ISP´s. We identify multiple effective detection metrics that could give network administrators insight to malicious activities passing through their networks.

Keywords

Internet; quality of service; telecommunication congestion control; telecommunication security; telecommunication traffic; DDoS attack detection; ISP; distributed denial of service; effective detection metrics; flooding attacks; heuristics; network traffic; passive measurement; Bandwidth; Computer crime; Data analysis; Detection algorithms; Filtering; Network servers; Production; Spine; Telecommunication traffic; Weapons;

fLanguage

English

Publisher

ieee

Conference_Titel

Computers and Communications, 2004. Proceedings. ISCC 2004. Ninth International Symposium on

Print_ISBN

0-7803-8623-X

Type

conf

DOI

10.1109/ISCC.2004.1358427

Filename

1358427