• DocumentCode
    3400331
  • Title

    Towards a Forecasting Model for Distributed Denial of Service Activities

  • Author

    Fachkha, Claude ; Bou-Harb, Elias ; Debbabi, Mourad

  • Author_Institution
    Comput. Security Lab., Concordia Univ., Montreal, QC, Canada
  • fYear
    2013
  • fDate
    22-24 Aug. 2013
  • Firstpage
    110
  • Lastpage
    117
  • Abstract
    Distributed Denial of Service (DDoS) activities continue to dominate today's attack landscape. This work proposes a DDoS forecasting model to provide significant insights to organizations, security operators and emergency response teams during and after a targeted DDoS attack. Specifically, the work strives to predict, within minutes, the attacks' impact features, namely, intensity/rate (packets/sec) and size (estimated number of used compromised machines/bots). The goal is to understand the future short term trend of the ongoing DDoS attack in terms of those features and thus provide the capability to recognize the current as well as future similar situations and hence appropriately respond to the threat. Our analysis employs real darknet data to explore the feasibility of applying the forecasting model on targeted DDoS attacks and subsequently evaluate the accuracy of the predictions. To achieve its tasks, our proposed approach leverages a number of time series fluctuation analysis and forecasting methods. The extracted inferences from various DDoS case studies exhibit promising accuracy reaching at some points less than 1% error rate. Further, our model could lead to better understanding of the scale and speed of DDoS attacks and should generate inferences that could be adopted for immediate response and hence mitigation as well as accumulated for the purpose of long term large-scale DDoS analysis.
  • Keywords
    computer network security; inference mechanisms; time series; DDoS attack forecasting model; attack impact features; darknet data; distributed denial-of-service activities; emergency response teams; inference mechanisms; intensity/rate feature; organizations; security operators; size feature; time series fluctuation analysis; Computer crime; Doped fiber amplifiers; Forecasting; Organizations; Predictive models; Smoothing methods; Time series analysis; DDoS; DFA; DoS; Forecasting; Prediction;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Computing and Applications (NCA), 2013 12th IEEE International Symposium on
  • Conference_Location
    Cambridge, MA
  • Print_ISBN
    978-0-7695-5043-5
  • Type

    conf

  • DOI
    10.1109/NCA.2013.13
  • Filename
    6623650