Threshold-based distributed DDoS attack detection in ISP networks


The purpose of this paper is to propose a more efficient and accurate distributed denial of service (DDoS) attack detection mechanism that detects DDoS attacks by monitoring the incoming traffic on the edge routers of ISP networks. It can be implemented as a module or agent function on the machine that is responsible for processing router traffic. The detection algorithm works by monitoring the traffic passing through the edge routers and identifying the occurrence of DDoS attacks or flash events. The algorithm calculates values such as the normalized router entropy, packet rate, and entropy rate and compares them against pre-identified threshold values to detect the occurrence of a DDoS attack or flash event. The threshold values used in the algorithm are evaluated offline from sample attack and legitimate traffic flows. The proposed detection mechanism can be implemented on the edge routers of ISP networks; ISPs are selected for the deployment of attack detection because the customer networks are directly connected to them. The effectiveness of the algorithm can be validated mathematically using a sample test bed containing a realistic internet topology. The results clearly indicate that the proposed detection mechanism performs effective detection with a high detection rate and fewer false positives.
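As an added worked example (not code from the paper or its authors), the following Python sketch shows the shape of the three-metric threshold detector the abstract describes: per-window normalized entropy, packet rate and entropy rate, thresholds fixed offline from legitimate and attack samples, and a decision that separates a DDoS attack from a flash event. Everything specific is an assumption: "router entropy" is taken as the Shannon entropy of packets over source addresses normalized by log2 of the number of distinct sources, "entropy rate" as the per-second change of that entropy between consecutive windows, the calibration rules (margin over the legitimate maximum, midpoint between classes) and the decision rule are illustrative, and all traffic windows are constructed from documentation address ranges.

```python
import math
from collections import Counter

# Added illustrative example, not the paper's code. Assumed definitions:
# "router entropy" = Shannon entropy of packets over source addresses,
# normalised by log2(number of distinct sources); "entropy rate" = change of
# that entropy between consecutive windows per second; thresholds are set
# offline from constructed legitimate and attack sample windows.
WINDOW_SECONDS = 10.0  # assumed aggregation interval on the edge router


def normalized_entropy(weights):
    """Entropy of a {key: packet_count} distribution scaled into [0, 1]."""
    total = sum(weights.values())
    n = len(weights)
    if total == 0 or n < 2:  # empty window or a single source: no spread
        return 0.0
    h = -sum((w / total) * math.log2(w / total) for w in weights.values() if w > 0)
    return h / math.log2(n)


def window_metrics(flows, prev_entropy=None, seconds=WINDOW_SECONDS):
    """The three metrics for one window of (src, dst, packets) flow records."""
    src_weights = Counter()
    for src, _dst, packets in flows:
        src_weights[src] += packets
    entropy = normalized_entropy(src_weights)
    packet_rate = sum(src_weights.values()) / seconds
    entropy_rate = 0.0 if prev_entropy is None else (entropy - prev_entropy) / seconds
    return {"entropy": entropy, "packet_rate": packet_rate, "entropy_rate": entropy_rate}


def metrics_for_stream(windows, prev_entropy=None):
    """Score consecutive windows, chaining the entropy so that rates are meaningful."""
    out = []
    for window in windows:
        m = window_metrics(window, prev_entropy)
        prev_entropy = m["entropy"]
        out.append(m)
    return out


def calibrate(legit_windows, attack_windows, rate_margin=1.2):
    """Offline threshold selection (assumed rules, not the paper's).

    packet_rate: highest legitimate rate plus a 20 % margin.
    entropy, |entropy_rate|: midpoint between the highest legitimate value and
    the lowest attack value. The attack sample is scored as if it started right
    after the last legitimate window, so its entropy_rate captures the onset jump.
    """
    legit = metrics_for_stream(legit_windows)
    attack = metrics_for_stream(attack_windows, prev_entropy=legit[-1]["entropy"])
    return {
        "packet_rate": rate_margin * max(m["packet_rate"] for m in legit),
        "entropy": (max(m["entropy"] for m in legit) + min(m["entropy"] for m in attack)) / 2,
        "entropy_rate": (max(abs(m["entropy_rate"]) for m in legit)
                         + min(abs(m["entropy_rate"]) for m in attack)) / 2,
    }


def classify(m, thr):
    """Assumed rule: a surge whose source distribution jumps abruptly to near-uniform
    is a DDoS; a surge keeping a baseline-like, gradually changing distribution is a
    flash event; anything below the rate threshold is normal."""
    if m["packet_rate"] <= thr["packet_rate"]:
        return "normal"
    if m["entropy"] > thr["entropy"] and abs(m["entropy_rate"]) > thr["entropy_rate"]:
        return "ddos"
    return "flash_event"


# Constructed sample traffic using documentation address ranges (not real data).
TARGET = "203.0.113.10"


def legit_window(j):
    """Twenty regular clients: three heavy hitters plus light background traffic."""
    heavy = [("192.0.2.0", TARGET, 60), ("192.0.2.1", TARGET, 40), ("192.0.2.2", TARGET, 30)]
    return heavy + [(f"192.0.2.{i}", TARGET, 2 + (i + j) % 5) for i in range(3, 20)]


def flash_window(new_clients):
    """Legitimate surge: many new clients (<= 256), each sending a few packets."""
    return legit_window(0) + [(f"198.51.100.{i}", TARGET, 1 + i % 3) for i in range(new_clients)]


def ddos_window(bots, packets_per_bot):
    """Attack: a large, uniform set of sources on top of the normal traffic."""
    return legit_window(0) + [(f"10.{i // 256}.{i % 256}.1", TARGET, packets_per_bot)
                              for i in range(bots)]


def demo():
    thr = calibrate([legit_window(j) for j in range(5)], [ddos_window(1500, 5)])
    stream = [legit_window(0), legit_window(1), flash_window(40), flash_window(80),
              legit_window(2), ddos_window(2000, 4)]
    return [classify(m, thr) for m in metrics_for_stream(stream)]


if __name__ == "__main__":
    print(demo())  # normal, normal, flash_event, flash_event, normal, ddos
```

The packet-rate threshold is derived from legitimate traffic only, since an attack sample would push a midpoint rate far above any flash crowd; the entropy and entropy-rate thresholds use both classes because that is where the two kinds of surge differ. In the constructed stream the flash windows exceed the rate threshold but their source distribution stays well inside the legitimate band and changes slowly, while the botnet window jumps to a normalized entropy close to 1 within a single interval.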

___

Turkish Journal of Electrical Engineering and Computer Sciences
  • ISSN: 1300-0632
  • Publication frequency: 6 issues per year
  • Publisher: TÜBİTAK