
Study Of DDoS Traffic And Its Adaptive Detection At Source-end Networks

Posted on: 2008-04-17
Degree: Doctor
Type: Dissertation
Country: China
Candidate: M Yu
Full Text: PDF
GTID: 1118360245468495
Subject: Communication and Information System
Abstract/Summary:
Five problems in source-end defense against DDoS attacks are discussed: (i) DDoS attacks and defense, (ii) TCP DDoS traffic modeling, (iii) adaptive algorithms for source-end detection of constant-rate DDoS traffic, (iv) the disruption caused by different kinds of DDoS traffic, and (v) the detectability of different kinds of DDoS traffic.

Firstly, DDoS attacks are systematically discussed, including their classification, organization, some typical attacks and other problems involved in an attack. We conclude that countermeasures against DDoS attacks should focus on their source-end networks. Current DDoS defense mechanisms are analyzed along the line of victim-end defense, intermediate defense and source-end defense.

Secondly, a new traffic transmission policy named grouped pulsing transmission is proposed. On the basis of two typical scheduling mechanisms, FCFS (First Come First Served) and SFQ (Start-time Fair Queuing), the disruption caused by constant-rate traffic, pulsing traffic and grouped pulsing traffic is discussed, with emphasis on the influence of the scheduling mechanisms on these different kinds of DDoS traffic. Simulation results show that grouped pulsing traffic with flexible configurations can not only cause heavy disruption at the victims but also reduce the efficacy of scheduling mechanisms in suppressing DDoS traffic.

Thirdly, a model is proposed for describing the behavior of different TCP DDoS traffic. According to this model, the behavioral differences between constant-rate traffic, pulsing traffic and grouped pulsing traffic, when the number of attacking machines and the transmission rate are configured equally, are explained as follows. (i) The occupation of network resources by constant-rate traffic and grouped pulsing traffic is independent of time; however, grouped pulsing traffic may result in a lower link bandwidth occupation ratio and less resource occupation than constant-rate traffic. (ii) For pulsing traffic, the link bandwidth occupation ratio, the function of resource occupation and the plus function of resource occupation are all independent of time; however, the resource occupation by pulsing traffic during its pulsing time is similar to that of constant-rate traffic.

Fourthly, the development of source-end detection of DDoS traffic is analyzed, with emphasis on three detection methods: character matching, detection based on the self-similarity of the traffic, and detection based on the two-way packets ratio. A generic detection statistic based on the two-way packets ratio is constructed for source-end detection of TCP/UDP DDoS traffic, and a model is established for it.

Fifthly, an adaptive algorithm named A-EWMA is proposed based on the assumption of a normal distribution. Its performance is analyzed in terms of the probability of false alarms, the probability of a miss during an attack, the probability of detection, and the detection delay. Compared with the traditional EWMA algorithm, A-EWMA has three distinct characteristics: (i) it forms on-line estimates of the statistical characteristics of the detection statistic, (ii) it adjusts its detection threshold according to variations in network traffic and the latest detection result, and (iii) it reduces the disturbance caused by random abnormalities in normal network traffic by cumulating consecutive threshold violations. Simulation results on source-end detection of SYN flooding and UDP flooding show that (i) A-EWMA outperforms fixed-threshold methods following the same valid detection confirmation rules, (ii) A-EWMA outperforms the existing source-end detection algorithms in detecting the same kinds of attacks, and (iii) A-EWMA works better in detecting SYN flooding than in detecting UDP flooding; however, the discrepancy between its detection of SYN flooding and of UDP flooding is smaller than that of fixed-threshold methods.

Sixthly, a nonparametric adaptive CUSUM algorithm named A-CUSUM is proposed. In the traditional CUSUM algorithm the detection threshold cannot be set adaptively; A-CUSUM solves this on the basis of the Chebyshev inequality. In addition, a distinct function is added that continues to monitor the anomaly for its possible end after an alarm is raised. Analytical results on the probability of false alarms, the probability of a miss during an attack, the probability of detection, and the detection delay are derived. By comparing the simulation results of A-CUSUM and A-EWMA in detecting SYN flooding and UDP flooding, we suggest adopting both algorithms in parallel for anomaly detection of network traffic so as to further improve the detection of subtle DDoS traffic.

Lastly, the detectability of constant-rate traffic, pulsing traffic and grouped pulsing traffic in their source-end networks is compared in a way independent of any detection algorithm. Simulation results show that grouped pulsing traffic excels the other two.
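The following is an added illustration of the two adaptive detectors the abstract describes (the A-EWMA passage and the A-CUSUM passage); it is not code from the dissertation. The abstract states the design goals of A-EWMA (on-line estimation of the statistic's mean and variance, a threshold that follows traffic variation and the latest detection result, and cumulation of consecutive threshold violations) and of A-CUSUM (a threshold set from the Chebyshev inequality and continued monitoring for the end of the anomaly after an alarm), but gives no formulas, so every update rule below is an assumption chosen to exhibit those properties. The detection statistic is also an assumption: a per-interval ratio of outbound SYN to inbound SYN-ACK packets at the edge of a source-end network, standing in for the thesis's two-way packets ratio. The class and function names (`AdaptiveEWMA`, `AdaptiveCUSUM`, `build_series`, `alarm_intervals`), the parameter values and the sample series are all constructed for this example.

```python
"""Toy adaptive-threshold detectors over a two-way packet ratio series.

Added illustration, not the dissertation's code: the update rules are
assumptions that satisfy the properties listed in the abstract.
"""
import math
from dataclasses import dataclass

# Detection statistic (assumption): per-interval ratio of outbound SYN packets
# to inbound SYN-ACK packets observed at a source-end network edge. Quiet
# traffic sits near 1.0; hosts taking part in a SYN flood push it upward,
# because the flooded victim completes few of the handshakes.


@dataclass
class AdaptiveEWMA:
    """EWMA-style detector: on-line mean/variance, threshold = mean + k*std."""
    alpha: float = 0.1      # smoothing factor for the baseline estimates
    k: float = 3.0          # std multiples; about 0.13% one-sided false alarms under normality
    needed: int = 3         # consecutive violations required before an alarm
    mean: float = 1.0       # warm start at the quiet baseline (assumption)
    var: float = 0.01
    violations: int = 0
    alarmed: bool = False

    def update(self, x: float) -> bool:
        std = math.sqrt(self.var)
        # the latest detection result feeds back: stay more sensitive after an alarm
        k = self.k * 0.5 if self.alarmed else self.k
        threshold = self.mean + k * std
        if x > threshold:
            self.violations += 1
        else:
            self.violations = 0
            # learn only from samples judged normal, so an attack cannot drag
            # the baseline upward and mask itself
            d = x - self.mean
            self.mean += self.alpha * d
            self.var = max(1e-4, (1 - self.alpha) * (self.var + self.alpha * d * d))
        self.alarmed = self.violations >= self.needed
        return self.alarmed


@dataclass
class AdaptiveCUSUM:
    """Nonparametric CUSUM with a Chebyshev-derived threshold and end-of-anomaly monitoring."""
    alpha: float = 0.1
    drift: float = 0.5            # allowance per sample, in baseline std units
    false_alarm: float = 0.01     # per-sample bound fed into the Chebyshev inequality
    mean: float = 1.0             # warm start at the quiet baseline (assumption)
    var: float = 0.01
    s: float = 0.0                # upward evidence: the ratio has risen
    g: float = 0.0                # downward evidence: the ratio has returned to baseline
    alarmed: bool = False

    def update(self, x: float) -> bool:
        std = math.sqrt(self.var)
        # Chebyshev: P(|X - mu| >= t*sigma) <= 1/t**2, so t = 1/sqrt(p) gives a
        # threshold a single baseline sample exceeds with probability at most p,
        # with no distributional assumption (one way to use the inequality; assumption).
        h = std / math.sqrt(self.false_alarm)
        allowance = self.drift * std
        if not self.alarmed:
            self.s = max(0.0, self.s + (x - self.mean - allowance))
            if self.s > h:
                self.alarmed = True
            else:
                d = x - self.mean
                self.mean += self.alpha * d
                self.var = max(1e-4, (1 - self.alpha) * (self.var + self.alpha * d * d))
        else:
            # post-alarm monitoring: accumulate evidence that the ratio is back at
            # baseline and declare the anomaly over once it clears the same threshold
            self.g = max(0.0, self.g + (self.mean + allowance - x))
            if self.g > h:
                self.alarmed = False
                self.s = self.g = 0.0
        return self.alarmed


def build_series(quiet_before: int = 40, flood: int = 20, quiet_after: int = 60) -> list:
    """Constructed sample: a repeating quiet pattern, a flood at ratio 3.0, then quiet again."""
    quiet = [1.0, 1.05, 0.95, 1.02, 0.98]
    before = [quiet[i % len(quiet)] for i in range(quiet_before)]
    after = [quiet[i % len(quiet)] for i in range(quiet_after)]
    return before + [3.0] * flood + after


def alarm_intervals(detector, series) -> list:
    """Indices of the intervals at which the detector reports an alarm."""
    return [i for i, x in enumerate(series) if detector.update(x)]


if __name__ == "__main__":
    series = build_series()
    ewma = alarm_intervals(AdaptiveEWMA(), series)
    cusum = alarm_intervals(AdaptiveCUSUM(), series)
    print("flood occupies intervals 40-59")
    print("A-EWMA-style alarms: intervals", ewma[0], "to", ewma[-1])
    print("A-CUSUM-style alarms: intervals", cusum[0], "to", cusum[-1])
```

On the constructed series the EWMA-style detector needs three consecutive violations and so alarms two intervals after the flood starts, then clears as soon as the ratio returns to baseline; the CUSUM-style detector alarms on the first flood sample but, because its cumulative sum is large by the time the flood stops, it relies on the separate end-of-anomaly accumulator to clear some twenty intervals later. Running both in parallel, as the abstract suggests, gives the faster onset detection of one and the cleaner recovery of the other.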
Keywords/Search Tags: source-end defense, DDoS traffic, anomaly detection, adaptive detection algorithms