A defense framework for flooding-based DDoS attacks

Abstract

Distributed denial of service (DDoS) attacks are widely regarded as a major threat to the Internet. A flooding-based DDoS attack is a very common way to attack a victim machine by sending a large number of malicious traffic. In this thesis, we propose a distance-based distributed DDoS defense framework which defends against attacks by coordinating between the distance-based DDoS defense systems of the source ends and the victim end. The proposed defense system has three major components: detection, traceback, and response. In the detection component, two distance-based detection techniques are employed. First, a distance-based technique is used to detect attacks based on a distance statistical model. Second, a statistical traffic rate forecasting technique is applied to identify attack traffic within the traffic, that are separated based on distance to the victim-end network. For the traceback component, the existing Fast Internet Traceback (FIT) technique is employed to find remote edge routers which forward attack traffic to the victim. In the response component, the distance-based rate limit mechanism quickly lowers attack traffic by setting up rate limits on these routers. We evaluate the distance-based DDoS defense system on a network simulation platform called NS2. The results demonstrate that both detection techniques are capable of detecting flooding-based DDoS attacks, and the defense system can effectively control attack traffic to sustain quality of service for legitimate users. Moreover, the system shows better performance in defeating flooding-based DDoS attacks compared to the pushback technique which uses a local aggregate congestion control mechanism.