
Computer Networks

Volume 56, Issue 15, 15 October 2012, Pages 3417-3431

Flow level detection and filtering of low-rate DDoS

https://doi.org/10.1016/j.comnet.2012.07.003
Under a Creative Commons license
open access

Abstract

The recently proposed TCP-targeted Low-rate Distributed Denial-of-Service (LDDoS) attacks send fewer packets than a flooding attack yet still starve legitimate flows, by exploiting a weakness in TCP's congestion control mechanism. They are difficult to detect while causing severe damage to TCP-based applications. Existing approaches can only detect the presence of an LDDoS attack, but fail to identify the LDDoS flows themselves. In this paper, we propose a novel metric, the Congestion Participation Rate (CPR), and a CPR-based approach that detects and filters LDDoS attacks by their intention to congest the network. The major innovation of the CPR-based approach is its ability to identify LDDoS flows. A flow with a CPR higher than a predefined threshold is classified as an LDDoS flow, and consequently all of its packets are dropped. We analyze the effectiveness of CPR theoretically by quantifying the average CPR difference between normal TCP flows and LDDoS flows and showing that CPR can differentiate them. We conduct ns-2 simulations, test-bed experiments, and Internet traffic trace analysis to validate our analytical results and evaluate the performance of the proposed approach. Experimental results demonstrate that the proposed CPR-based approach is substantially more effective than an existing Discrete Fourier Transform (DFT)-based approach, one of the most efficient approaches for detecting LDDoS attacks. We also provide experimental guidance for choosing the CPR threshold in practice.
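The abstract describes the classification rule (compute a per-flow CPR, flag flows above a threshold, drop their packets) but not the mechanics. The following is an added illustration, not code from the paper or its authors. It assumes the common reading of CPR as the fraction of a flow's packets that were sent while the bottleneck was congested, stands in for the router's own congestion detection with a simple per-slot rule (a slot is congested when its total load exceeds the link capacity), and runs on a constructed trace: one square-wave LDDoS flow that bursts once per period, and two TCP-like flows that back off after every congested slot. All names, rates, capacities and the threshold value are hypothetical.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Hypothetical bottleneck parameters for the constructed trace.
CAPACITY = 10        # packets the link can serve per time slot (assumed)
SLOT_LEN_S = 0.1     # slot length in seconds, only used for reporting (assumed)

Packet = Tuple[int, str]   # (slot index, flow id)


def synth_trace(n_slots: int = 50, period: int = 10, burst: int = 20,
                capacity: int = CAPACITY, tcp_flows=("tcp1", "tcp2"),
                max_rate: int = 4) -> List[Packet]:
    """Constructed trace: an attacker sends `burst` packets every `period`
    slots (the classic low-rate square wave); TCP-like senders send `rate`
    packets per slot, drop to 1 after any congested slot and ramp back up
    additively. This is a toy model of TCP's reaction, not ns-2."""
    packets: List[Packet] = []
    rate = max_rate
    for slot in range(n_slots):
        per_flow: Dict[str, int] = {}
        if slot % period == 0:
            per_flow["attacker"] = burst
        for flow in tcp_flows:
            per_flow[flow] = rate
        for flow, n in per_flow.items():
            packets.extend((slot, flow) for _ in range(n))
        # Loss in a congested slot makes every TCP sender cut its rate;
        # the attacker ignores congestion, which is what CPR picks up.
        if sum(per_flow.values()) > capacity:
            rate = 1
        else:
            rate = min(max_rate, rate + 1)
    return packets


def congested_slots(packets: List[Packet], capacity: int = CAPACITY) -> Set[int]:
    """Assumed congestion rule: a slot is congested when its aggregate
    load exceeds the link capacity (a stand-in for the router's queue-based
    congestion detection)."""
    load = Counter(slot for slot, _ in packets)
    return {slot for slot, n in load.items() if n > capacity}


def compute_cpr(packets: List[Packet], congested: Set[int]) -> Dict[str, float]:
    """CPR per flow: packets the flow sent in congested slots divided by all
    packets it sent (assumed definition of Congestion Participation Rate)."""
    total: Counter = Counter()
    in_congestion: Counter = Counter()
    for slot, flow in packets:
        total[flow] += 1
        if slot in congested:
            in_congestion[flow] += 1
    return {flow: in_congestion[flow] / total[flow] for flow in total}


def filter_flows(packets: List[Packet], cpr: Dict[str, float],
                 threshold: float = 0.5) -> Tuple[List[Packet], Set[str]]:
    """Classify every flow with CPR above `threshold` as LDDoS and drop all
    of its packets; returns the surviving packets and the blocked flow ids."""
    blocked = {flow for flow, rate in cpr.items() if rate > threshold}
    return [p for p in packets if p[1] not in blocked], blocked


if __name__ == "__main__":
    trace = synth_trace()
    congested = congested_slots(trace)
    cpr = compute_cpr(trace, congested)
    kept, blocked = filter_flows(trace, cpr, threshold=0.5)
    print(f"congested slots: {sorted(congested)} "
          f"(every {SLOT_LEN_S * 10:.1f} s)")
    for flow, rate in sorted(cpr.items()):
        print(f"{flow:9s} CPR={rate:.3f}")
    print(f"blocked flows: {sorted(blocked)}; "
          f"{len(kept)} of {len(trace)} packets forwarded")
```

In this trace the attacker's CPR is 1.0 because every packet it sends lands in a slot it congests, while the TCP-like flows sit near 0.12, since each one sends only a single slot's worth of packets into each burst before backing off. The gap is large here because the TCP model reacts immediately; a real flow in slow start, or one whose RTT is long relative to the attacker's burst, will accrue more CPR, which is why the paper spends effort on choosing the threshold and on the measurement window rather than treating 0.5 as a fixed number.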

Keywords

DDoS
Detection
Low-rate DoS
Congestion


Changwang Zhang received the B.S. and M.S. degrees in computer science from National University of Defense Technology, Changsha, China, in 2007 and 2009, respectively, and is currently pursuing the Ph.D. degree at Security Science Doctoral Research Training Centre, University College London, UK. His research interests include network security, network protocol design and analysis.

Zhiping Cai received the B.S., M.S. and Ph.D. degrees in computer science from National University of Defense Technology, Changsha, China, in 1996, 2002 and 2005, respectively. His research interests involve information security and network virtualization. He is a full associate professor of computer science in the National University of Defense Technology. He is a member of the IEEE.

Weifeng Chen received his Ph.D. from University of Massachusetts at Amherst, MS from Chinese Academy of Sciences and BS from Beijing University, all in computer science. His research interests include network security, privacy and protocol design. He is currently an Assistant Professor in the Department of Math and Computer Science at California University of Pennsylvania.

Xiapu Luo received his Ph.D from the Hong Kong Polytechnic University in 2007, and earned his MS and BS from Wuhan University, China, in 1999 and 2002, respectively. He is currently a research fellow in the computing department of the Hong Kong Polytechnic University after spending 2 years at the Georgia Institute of Technology as a postdoctoral fellow. His research interests include information security and network measurement.

Jianping Yin received his M.S. degree and Ph.D. degree in Computer Science from the National University of Defense Technology, China, in 1986 and 1990, respectively. His research interests involve information security, artificial intelligence, pattern recognition, and algorithm design. He is a full professor of computer science in the National University of Defense Technology.