Detection and Mitigation of High-Rate Flooding Attacks

  • G. Mohay
  • E. Ahmed
  • S. Bhatia
  • A. Nadarajan
  • B. Ravindran
  • A. B. Tickle
  • R. Vijayasarathy


Because high-rate flooding attacks constitute such a potent threat to the delivery of Internet-based services, the early and reliable detection of the onset of such an attack together with the formulation and implementation of an effective mitigation strategy are key security goals. However, the continuously evolving nature of such attacks means that they remain an area of active research and investigation. This chapter focuses largely on our research into attack detection, with some discussion of mitigation through IP address filtering. The chapter outlines leading-edge work on developing detection techniques that have the potential to identify a high-rate flooding attack reliably and in real time or, at least, in near real time. In addition, it formulates an architecture for a DoS Mitigation Module (DMM) to provide a vehicle for integrating the elements of the solution.


Keywords: Transmission Control Protocol, Bloom Filter, User Datagram Protocol, Internet Protocol Address, Flooding Attack



Copyright information

© Springer India Pvt. Ltd. 2011

Authors and Affiliations

  • G. Mohay (1)
  • E. Ahmed (1)
  • S. Bhatia (1)
  • A. Nadarajan (2)
  • B. Ravindran (3)
  • A. B. Tickle (1)
  • R. Vijayasarathy (4)

  1. Information Security Institute, Queensland University of Technology, Brisbane, Australia
  2. Maths and Computer Application Department, PSG College of Technology, Coimbatore, India
  3. Department of Computer Science and Engineering, Indian Institute of Technology Madras, Chennai, India
  4. Network Security Research Group, Society for Electronic Transactions and Security, Chennai, India
