Abstract
High-rate flooding attacks (commonly known as Distributed Denial of Service, or DDoS, attacks) remain a pernicious threat on the Internet. In this work we show that packet source IP addresses, combined with a change-point analysis of the rate at which previously unseen source addresses arrive, can be sufficient to detect the onset of a high-rate flooding attack. Keeping the number of examined features to a minimum directly addresses the scalability of the detection process to higher network speeds. Using a proof-of-concept implementation we show how the set of pre-onset IP addresses can be represented efficiently as a bit vector and used to update a “white list” filter in a firewall as part of the mitigation strategy.
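The following is an added illustration of the pipeline the abstract describes, not the authors' proof-of-concept code. It keeps a bit vector of source prefixes already seen, counts how many never-before-seen sources arrive in each time window, runs a one-sided CUSUM on that count to find the change point, and on alarm snapshots the pre-onset bit vector as a white list that the filter then enforces. Assumptions that are mine rather than the paper's: the bit vector is keyed on /24 prefixes (2^24 bits, 2 MiB) instead of full /32 addresses to keep memory small; CUSUM is used as a generic change-point detector with hand-tuned parameters (mu0, k, h); the first ten windows are a learning period; and all traffic is constructed in-line with a seeded generator.

```python
"""Added example (not from the paper): new-source-IP rate, CUSUM change point,
bit-vector white list. Traffic below is constructed, not captured."""
import ipaddress
import random


class PrefixBitVector:
    """One bit per IPv4 /24 prefix. Assumption: the paper keys on full /32
    addresses; /24 is used here so the vector is 2 MiB instead of 512 MiB."""
    PREFIX_BITS = 24

    def __init__(self):
        self.bits = bytearray(1 << (self.PREFIX_BITS - 3))

    @classmethod
    def index(cls, ip: str) -> int:
        return int(ipaddress.IPv4Address(ip)) >> (32 - cls.PREFIX_BITS)

    def add(self, ip: str) -> bool:
        """Set the bit for ip's prefix; return True if it was not set before."""
        i = self.index(ip)
        mask = 1 << (i & 7)
        was_set = self.bits[i >> 3] & mask
        self.bits[i >> 3] |= mask
        return not was_set

    def contains(self, ip: str) -> bool:
        i = self.index(ip)
        return bool(self.bits[i >> 3] & (1 << (i & 7)))

    def copy(self) -> "PrefixBitVector":
        c = PrefixBitVector.__new__(PrefixBitVector)
        c.bits = bytearray(self.bits)
        return c


class Cusum:
    """One-sided CUSUM on per-window counts of unseen source prefixes.
    mu0: expected count under normal load, k: allowance, h: alarm threshold
    (all three are tuning assumptions for this example)."""

    def __init__(self, mu0: float, k: float, h: float):
        self.mu0, self.k, self.h, self.s = mu0, k, h, 0.0

    def update(self, x: float) -> bool:
        self.s = max(0.0, self.s + (x - self.mu0 - self.k))
        return self.s > self.h


def run_detector(windows, learn_windows=10, mu0=5.0, k=5.0, h=100.0):
    """windows: one list of source IPs per time window.
    Returns (index of first alarmed window or None,
             bit vector as it stood before that window or None,
             per-window counts of unseen prefixes)."""
    seen = PrefixBitVector()
    cusum = Cusum(mu0, k, h)
    counts = []
    for w, ips in enumerate(windows):
        snapshot = seen.copy()          # state before this window = pre-onset set
        new = sum(seen.add(ip) for ip in ips)
        counts.append(new)
        if w >= learn_windows and cusum.update(new):
            return w, snapshot, counts
    return None, None, counts


def filter_packets(whitelist: PrefixBitVector, ips):
    """Mitigation: pass only sources whose prefix was seen before onset."""
    passed = [ip for ip in ips if whitelist.contains(ip)]
    return passed, len(ips) - len(passed)


def _random_ip(rng):
    return str(ipaddress.IPv4Address(rng.getrandbits(32)))


def build_traffic(seed=7, baseline_windows=20, attack_windows=5):
    """Constructed traffic: 200 regular clients in 10.0.0.0/8, a trickle of
    genuine newcomers per window, then a flood from 2000 random sources."""
    rng = random.Random(seed)
    regulars = ["10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256),
                                 rng.randrange(1, 255)) for _ in range(200)]
    windows = []
    for _ in range(baseline_windows):
        w = [rng.choice(regulars) for _ in range(300)]
        w += [_random_ip(rng) for _ in range(rng.randrange(0, 6))]
        rng.shuffle(w)
        windows.append(w)
    for _ in range(attack_windows):
        w = [rng.choice(regulars) for _ in range(300)]
        w += [_random_ip(rng) for _ in range(2000)]
        rng.shuffle(w)
        windows.append(w)
    return windows, set(regulars)


if __name__ == "__main__":
    windows, regulars = build_traffic()
    onset, wl, counts = run_detector(windows)
    print("unseen prefixes per window:", counts)
    print("onset detected at window:", onset)
    if onset is not None:
        passed, dropped = filter_packets(wl, windows[onset])
        print("attack window: passed", len(passed), "dropped", dropped)
```

Two caveats a practitioner would check before deploying this shape of filter: a white list snapshotted at onset drops every legitimate client that first appears during the attack (collateral damage scales with how many genuine newcomers the site normally sees), and an attacker spoofing addresses inside an already-seen prefix passes the filter unchanged, so prefix granularity trades memory against precision.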
Copyright information
© 2010 IFIP International Federation for Information Processing
About this paper
Cite this paper
Ahmed, E., Mohay, G., Tickle, A., Bhatia, S. (2010). Use of IP Addresses for High Rate Flooding Attack Detection. In: Rannenberg, K., Varadharajan, V., Weber, C. (eds) Security and Privacy – Silver Linings in the Cloud. SEC 2010. IFIP Advances in Information and Communication Technology, vol 330. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15257-3_12
DOI: https://doi.org/10.1007/978-3-642-15257-3_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-15256-6
Online ISBN: 978-3-642-15257-3