Dual-Level Attack Detection, Characterization, and Response for Networks under DDoS Attacks

Dual-Level Attack Detection, Characterization, and Response for Networks under DDoS Attacks

Anjali Sardana (Indian Institute of Technology Roorkee, India) and Ramesh C. Joshi (Indian Institute of Technology Roorkee, India)
DOI: 10.4018/978-1-4666-2163-3.ch001
OnDemand PDF Download:
No Current Special Offers


DDoS attacks aim to deny legitimate users of the services. In this paper, the authors introduce dual - level attack detection (D-LAD) scheme for defending against the DDoS attacks. At higher and coarse level, the macroscopic level detectors (MaLAD) attempt to detect congestion inducing attacks which cause apparent slowdown in network functionality. At lower and fine level, the microscopic level detectors (MiLAD) detect sophisticated attacks that cause network performance to degrade gracefully and stealth attacks that remain undetected in transit domain and do not impact the victim. The response mechanism then redirects the suspicious traffic of anomalous flows to honeypot trap for further evaluation. It selectively drops the attack packets and minimizes collateral damage in addressing the DDoS problem. Results demonstrate that this scheme is very effective and provides the quite demanded solution to the DDoS problem.
Chapter Preview

Traffic Feature Selection

DDoS attacks are launched from distributed sources. Hence the attack traffic is spread across multiple links. As the distance from the victim increases, attack traffic is more diffused and harder to detect because the volume of attack flows are indistinguishable from legitimate flows. Current schemes for early attack detection are based on detecting aggregates causing sustained congestion on communication links (Ioannidis & Bellovin, 2002; Mahajan et al., 2001), imbalance between incoming or outgoing traffic volume on routers (Carl et al., 2005) and probabilistic packet marking techniques . These early detection methods, unfortunately, have to wait for the flooding to become widespread, consequently, they are ineffective to fence off the DDoS timely.

Lakhina et al. (2005) observed that most of traffic anomalies despite their diversity share a common characteristic: they induce a change in distributional aspects of packet header fields (i.e., source address, source port, destination address, and destination port etc called traffic features).

Complete Chapter List

Search this Book: