Detecting Flooding-Based DDoS Attacks

A distributed denial of service (DDoS) attack is widely regarded as a major threat for the current Internet because of its ability to create a huge volume of unwanted traffic. It is hard to detect and respond to DDoS attacks due to large and complex network environments. In this paper, we introduce two distance-based DDoS detection techniques: average distance estimation and distance-based traffic separation. They detect attacks by analyzing distance values and traffic rates. The distance information of a packet can be inferred from the time- to-live (TTL) value of the IP header. In the average distance estimation DDoS detection technique, the prediction of mean distance value is used to define normality. The prediction of traffic arrival rates from different distances is used in the distance-based traffic separation DDoS detection technique. The mean absolute deviation (MAD)-based deviation model provides the legal scope to separate the normality from the abnormality for both the techniques. The results obtained from the NS2-based simulations of the proposed techniques show that the techniques can detect attacks