
History-Based Throttling of Distributed Denial-of-Service Attacks

Conference paper. In: E-Business and Telecommunications (ICETE 2017)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 990)

Abstract

Distributed Denial-of-Service (DDoS) attacks have been identified as one of the most serious threats to Internet services. The attack denies service to legitimate users by flooding and consuming the network resources of the target server. We propose a distributed defense mechanism that filters out malicious traffic while allowing a significant share of legitimate traffic through during an actual attack. We investigate the features of network traffic that can be used for such filtering and describe a history-based profiling algorithm to identify legitimate traffic. We use Bloom filters to implement the history-based profile model efficiently, which reduces communication and computation costs. To improve these costs further, we describe two optimizations: (a) using only three octets of the IP address to generate the history profile, and (b) a data structure called the Compacted Bloom Filter, a modified version of a regular Bloom filter. We use these notions as building blocks of a distributed framework called Collaborative Filtering, which filters attack traffic as far away as possible from the target server. The proposed techniques identify the set of nodes best suited for filtering attack traffic and place the Bloom filters at those locations. The approach is evaluated on different real-world data sets from Auckland University, CAIDA, and Colorado State University. Under different experimental settings, we demonstrate that 70–95% of attack traffic can be filtered by our approach while a similar percentage of legitimate traffic is allowed to flow.

An earlier version of this work appeared in [1]. This work was partially supported by NSF I/UCRC Award Number 1650573 and funding from CableLabs. The views and conclusions contained in this document are those of the authors and should not be automatically interpreted as representing the official policies, either expressed or implied, of NSF, CableLabs, Furuno Electric Company, SecureNok, and AFRL.
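As an added illustration of the history-based profile described in the abstract (not code from the paper): a Bloom filter keyed on the first three octets of each source address is trained on a pre-attack window and then used to admit returning /24 prefixes while dropping the rest. The SHA-256-based hash family, filter size and sample addresses are assumptions; the paper's Compacted Bloom Filter and the Collaborative Filtering node placement are not reproduced here.

```python
import hashlib
import ipaddress


class HistoryProfile:
    """Bloom filter over the /24 prefixes seen in normal traffic. Plain Bloom
    filter, not the paper's Compacted variant; hash and size are assumptions."""

    def __init__(self, num_bits=4096, num_hashes=4):
        self.m, self.k = num_bits, num_hashes
        self.bits = bytearray((num_bits + 7) // 8)

    @staticmethod
    def _prefix(ip):
        # Three octets only: one entry covers a whole /24 (keeps the filter small).
        return ipaddress.ip_address(ip).packed[:3]

    def _positions(self, key):
        digest = hashlib.sha256(key).digest()
        for i in range(self.k):
            yield int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m

    def learn(self, ip):
        """Record a source seen during the pre-attack profiling window."""
        for pos in self._positions(self._prefix(ip)):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def seen(self, ip):
        """True if the source's /24 is (probably) in the history profile."""
        return all(self.bits[pos >> 3] & (1 << (pos & 7))
                   for pos in self._positions(self._prefix(ip)))


def filter_traffic(profile, sources):
    """Admit sources whose /24 is in the profile; return (admitted, dropped)."""
    admitted, dropped = [], []
    for src in sources:
        (admitted if profile.seen(src) else dropped).append(src)
    return admitted, dropped


def demo():
    # Constructed sample: a normal-traffic window, then an attack window
    # that mixes returning /24s with sources never seen before.
    profile = HistoryProfile()
    for src in ["198.51.100.7", "198.51.100.42", "203.0.113.5", "192.0.2.10"]:
        profile.learn(src)
    attack_window = ["198.51.100.99", "203.0.113.77", "192.0.2.10",
                     "100.64.5.1", "100.64.9.200", "10.200.1.1"]
    return filter_traffic(profile, attack_window)
```

Bloom filters never drop a prefix that was learned, so legitimate returning clients always pass; the only error mode is a false positive that lets an unseen prefix through, which shrinks as the filter grows.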


References

  1. Mosharraf, N., Jayasumana, A.P., Ray, I.: Using a history-based profile to detect and respond to DDoS attacks. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, pp. 175–186 (2017)

  2. Steinberger, J., Sperotto, A., Baier, H.: Collaborative attack mitigation and response: a survey. In: IFIP/IEEE International Symposium on IM, pp. 910–913 (2005)

  3. Munivara Prasad, K., Rama Mohan Reddy, A., Venugopal Rao, K.: DoS and DDoS attacks: defense, detection and traceback mechanisms - a survey. J. JCST 14, 15–32 (2014)

  4. Gil, T.M., Poletto, T.: MULTOPS: a data-structure for bandwidth attack detection. In: Proceedings of USENIX Security Symposium (2001)

  5. Waikato Applied Network Dynamics Research Group: Auckland University data traces (2016). http://wand.cs.waikato.ac.nz/wand/wits/. Accessed 12 Mar 2016

  6. Schwartz, M.J.: DDoS attack hits 400 Gbit/s, breaks record (2014). http://www.darkreading.com/attacks-and-breaches/ddos-attack-hits-400-gbit-s-breaks-record/d/d-id/1113787. Accessed 2 Nov 2014

  7. https://www.tripwire.com/state-of-security/featured/5-notable-ddos-attacks-2017/

  8. DDoS incident report (2018). Accessed 04 Apr 2018

  9. Chen, Y., Hwang, K., Ku, W.S.: Collaborative detection of DDoS attacks over multiple network domains. IEEE Trans. Parallel Distrib. Syst. 18, 1649–1662 (2007)

  10. Chen, C., Park, J.M.: Attack diagnosis: throttling distributed denial-of-service attacks close to the attack sources. In: Proceedings of IEEE ICCCN, pp. 275–280 (2005)

  11. (2018). Accessed 1 Apr 2018

  12. Yaar, Y., Perrig, A., Song, D.: Pi: a path identification mechanism to defend against DDoS attacks. In: Proceedings of IEEE S&P, pp. 93–107 (2003)

  13. Wang, H., Jin, C., Shin, K.: Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans. Netw. 15, 40–53 (2007)

  14. Kim, Y., Lau, W., Chuah, M., et al.: PacketScore: statistics-based overload control against distributed denial of service attacks. In: Proceedings of INFOCOM, pp. 141–155 (2004)

  15. Ioannidis, J., Bellovin, S.: Implementing pushback: router-based defense against DDoS attacks. In: Proceedings of NDSS (2002)

  16. Mirkovic, J., Prier, G., Reiher, P.L.: Attacking DDoS at the source. In: Proceedings of IEEE ICNP, pp. 312–321 (2002)

  17. Mahajan, R., Bellovin, S.M., Floyd, S., et al.: Controlling high bandwidth aggregates in the network. ACM SIGCOMM 32, 62–73 (2002)

  18. Papadopoulos, C., Lindell, R., Mehringer, J., et al.: COSSACK: coordinated suppression of simultaneous attacks. In: Proceedings of Discex III, pp. 94–96 (2003)

  19. Francois, J., Aib, I., Boutaba, R.: FireCol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Netw. 20, 1828–1841 (2012)

  20. Aghaei Foroushani, Z.H.: TDFA: traceback-based defense against DDoS flooding attacks. In: Proceedings of AINA IEEE, pp. 710–715 (2014)

  21. Luo, H., Chen, Z., Li, J., Vasilakos, A.V.: Preventing distributed denial-of-service flooding attacks with dynamic path identifiers. IEEE Trans. Inf. Forensics Secur. 12, 1801–1815 (2017)

  22. Hameed, S., Khan, H.A.: SDN based collaborative scheme for mitigation of DDoS attacks. Future Internet 10, 23 (2018)

  23. Sung, M., Xu, J.: IP traceback-based intelligent packet filtering: a novel technique for defending against internet DDoS attacks. IEEE Trans. Parallel Distrib. Syst. 14, 861–872 (2003)

  24. Yaar, Y., Perrig, A., Song, D.: SIFF: a stateless internet flow filter to mitigate DDoS flooding attacks. In: Proceedings of IEEE S&P, pp. 130–143 (2004)

  25. Peng, T., Leckie, C., Ramamohanarao, K.: Detecting distributed denial of service attacks using source IP address monitoring. In: Proceedings of NETWORKS (2004)

  26. Wang, H., Zhang, D., Shin, K.: Change-Point monitoring for the detection of DoS attacks. IEEE Trans. Dependable Secure Comput. 1, 193–208 (2004)

  27. Manikopoulos, C., Papavassiliou, S.: Network intrusion and fault detection: a statistical anomaly approach. IEEE Commun. Mag. 40, 76–82 (2002)

  28. Noh, S., Jung, G., Choi, K., et al.: Compiling network traffic into rules using soft computing methods for the detection of flooding attacks. J. Appl. Soft Comput. 8, 1200–1210 (2008)

  29. Mirkovic, J., Reiher, P.: D-WARD: a source-end defense against flooding denial-of-service attacks. IEEE Trans. Dependable Secure Comput. 2, 216–232 (2005)

  30. Wang, H., Zhang, D., Shin, K.: Detecting SYN flooding attacks. In: Proceedings of IEEE INFOCOM, pp. 530–1539 (2002)

  31. Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attack using history-based IP filtering. In: Proceedings of IEEE ICC, pp. 482–486 (2003)

  32. Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv. 39, 1–42 (2007)

  33. RioRey Inc.: Taxonomy DDoS attacks (2012). http://www.riorey.com/xresources/2012/RioRe. Accessed 24 Dec 2015

  34. Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: Proceedings of WWW Conference, pp. 293–304 (2002)

  35. Lee, K., Kim, J., Kwon, K.H., et al.: DDoS attack detection method using cluster analysis. Expert Syst. Appl. 34, 1659–1665 (2007)

  36. Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 422–426 (1970)

  37. (JDSU)

  38. Melander, B., Bjorkman, M., Gunningberg, P.: A new end-to-end probing and analysis method for estimating bandwidth bottlenecks. In: Global Telecommunications Conference, GLOBECOM 2000, vol. 1, pp. 415–420. IEEE (2000)

  39. IMPACT Cyber Trust: Colorado State University dataset: FRGPContinuousFlowData (2015). Accessed 26 Oct 2016

  40. Center for Applied Internet Data Analysis: The CAIDA “DDoS Attack 2007” dataset (2007). http://www.caida.org/data/passive/ddos-20070804-dataset.xml. Accessed 7 May 2016

  41. (1998, D.I.D.D.)


Author information

Corresponding author: Anura P. Jayasumana


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Mosharraf, N., Jayasumana, A.P., Ray, I., Bezawada, B. (2019). History-Based Throttling of Distributed Denial-of-Service Attacks. In: Obaidat, M., Cabello, E. (eds) E-Business and Telecommunications. ICETE 2017. Communications in Computer and Information Science, vol 990. Springer, Cham. https://doi.org/10.1007/978-3-030-11039-0_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-11039-0_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-11038-3

  • Online ISBN: 978-3-030-11039-0

  • eBook Packages: Computer Science, Computer Science (R0)
