DocumentCode :
2223199
Title :
Flooding attacks detection and victim identification over high speed networks
Author :
Salem, Osman ; Mehaoua, Ahmed ; Vaton, Sandrine ; Gravey, Annie
Author_Institution :
UFR Math. et Inf., Univ. Paris Descartes, Paris, France
fYear :
2009
fDate :
23-26 June 2009
Firstpage :
1
Lastpage :
8
Abstract :
With the rapid dependency on the Internet for business, and the fast spread of powerful destructive DoS/DDoS attack tools, the detection and thwarting of these attacks is primordial for ISPs, enterprises, hosting centers, etc. In this paper, we present the implementation of a new framework for efficient detection and identification of flooding attacks over high speed links. To accomplish that, we apply multi-channel nonparametric CUSUM (MNP-CUSUM) over the shared counters in the proposed reversible sketch, in order to pinpoint flows with abrupt change via a new approach for sketch inversion. Shared counters are used to minimize the memory requirements and to identify the victim of flooding attacks. We apply our system to various real traces; some traces are provided by France Telecom (FT) within the framework of the ANR-RNRT OSCAR project, and other traces are collected in the FT backbone network during online experiments for testing and adjusting the proposed detection algorithms in this project. Our analysis results from real Internet traffic, and from online implementation over an Endace DAG 3.6ET sniffing card, show that our proposed architecture is able to quickly detect various kinds of flooding attacks and to disclose culprit flows with a high level of accuracy.
Keywords :
Internet; statistical analysis; telecommunication channels; telecommunication security; telecommunication traffic; ANR-RNRT OSCAR project framework; DDoS attack; DoS attack; France Telecom; Internet traffic; flooding attack detection; high speed network; memory requirement minimization; multichannel nonparametric CUSUM; reversible sketch; shared counter; victim identification; Computer crime; Counting circuits; Detection algorithms; Floods; High-speed networks; Intrusion detection; Signal processing algorithms; Statistics; Telecommunication traffic; Traffic control;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Infrastructure Symposium, 2009. GIIS '09. Global
Conference_Location :
Hammamet
Print_ISBN :
978-1-4244-4623-0
Electronic_ISBN :
978-1-4244-4624-7
Type :
conf
DOI :
10.1109/GIIS.2009.5307058
Filename :
5307058