Monitoring the Macroscopic Effect
of DDoS Flooding Attacks
Jian Yuan and Kevin Mills
Abstract—Creating defenses against flooding-based, distributed denial-of-service (DDoS) attacks requires real-time monitoring of
network-wide traffic to obtain timely and significant information. Unfortunately, continuously monitoring network-wide traffic for
suspicious activities presents difficult challenges because attacks may arise anywhere at any time and because attackers constantly
modify attack dynamics to evade detection. In this paper, we propose a method for early attack detection. Using only a few observation
points, our proposed method can monitor the macroscopic effect of DDoS flooding attacks. We show that such macroscopic-level
monitoring might be used to capture shifts in spatial-temporal traffic patterns caused by various DDoS attacks and then to inform more
detailed detection systems about where and when a DDoS attack possibly arises in transit or source networks. We also show that such
monitoring enables DDoS attack detection without any traffic observation in the victim network.
Index Terms—DDoS attack, monitoring, network traffic, attack dynamics, spatial-temporal pattern.
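The abstract describes monitoring a few observation points on transit links and watching for shifts in the spatial-temporal distribution of traffic, rather than instrumenting the victim. The following added illustration, which is not the paper's own algorithm or data, makes that idea concrete in a minimal form: four hypothetical observation points (A to D) report per-window packet counts, a baseline share of traffic per point is learned from the first windows, and later windows are flagged when the spatial distribution departs from the baseline while total volume rises. The observation point names, the per-window counts, and the thresholds are all constructed for the example.

```python
"""Minimal macroscopic traffic-shift detector over a few observation points.

Added illustration of the monitoring idea in the abstract; the data,
observation points and thresholds below are constructed, not from the paper.
"""
from typing import Dict, List, Tuple

# Constructed packet counts per time window at four hypothetical observation
# points on transit links. Windows 0-5 are normal traffic; from window 6 on,
# a flood toward a destination reached via points B and C builds up.
SAMPLE_COUNTS: List[Dict[str, int]] = [
    {"A": 1000, "B": 800, "C": 600, "D": 900},
    {"A": 1050, "B": 780, "C": 640, "D": 880},
    {"A": 980, "B": 820, "C": 590, "D": 920},
    {"A": 1020, "B": 790, "C": 610, "D": 910},
    {"A": 1010, "B": 810, "C": 620, "D": 890},
    {"A": 990, "B": 800, "C": 600, "D": 900},
    {"A": 1000, "B": 1400, "C": 1100, "D": 900},
    {"A": 1010, "B": 2600, "C": 2000, "D": 910},
    {"A": 990, "B": 4100, "C": 3300, "D": 890},
    {"A": 1000, "B": 5200, "C": 4000, "D": 900},
]


def spatial_shares(counts: Dict[str, int]) -> Dict[str, float]:
    """Fraction of the window's total traffic seen at each observation point."""
    total = sum(counts.values())
    return {point: n / total for point, n in counts.items()}


def learn_baseline(windows: List[Dict[str, int]]) -> Tuple[Dict[str, float], float]:
    """Mean spatial share per point and mean total volume over normal windows."""
    points = windows[0].keys()
    shares = [spatial_shares(w) for w in windows]
    mean_share = {p: sum(s[p] for s in shares) / len(shares) for p in points}
    mean_total = sum(sum(w.values()) for w in windows) / len(windows)
    return mean_share, mean_total


def detect(
    windows: List[Dict[str, int]],
    baseline_windows: int = 6,
    share_threshold: float = 0.2,   # constructed: L1 distance between share vectors
    volume_ratio: float = 1.3,      # constructed: total must exceed 1.3x baseline
    point_excess: float = 0.05,     # constructed: share gain that names a point
) -> List[Tuple[int, float, List[str]]]:
    """Return (window index, L1 shift, points carrying the excess) per alert.

    A window is flagged only when the spatial distribution shifts AND the
    total volume rises, so a pure re-routing of normal traffic or a quiet
    period is not reported.
    """
    mean_share, mean_total = learn_baseline(windows[:baseline_windows])
    alerts = []
    for i, counts in enumerate(windows):
        share = spatial_shares(counts)
        l1 = sum(abs(share[p] - mean_share[p]) for p in mean_share)
        total = sum(counts.values())
        if l1 > share_threshold and total > volume_ratio * mean_total:
            # The points whose share grew are where the flood transits.
            culprits = sorted(p for p in share if share[p] - mean_share[p] > point_excess)
            alerts.append((i, round(l1, 3), culprits))
    return alerts


if __name__ == "__main__":
    for window, shift, points in detect(SAMPLE_COUNTS):
        print(f"window {window}: spatial shift {shift}, excess at {points}")
```

Windows 6 through 9 are reported, each naming B and C as the points carrying the excess, which is the "where and when" hint the abstract says a macroscopic monitor can pass to a more detailed detector; nothing is measured at the victim itself.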
The success of the Internet derives in large part from the
end-to-end principle, which enabled deploying a
simple network infrastructure (of packet-forwarding nodes
supported by a few routing protocols), allowing network
applications to evolve independent of the core network. In
particular, the end-to-end congestion-control mechanisms
of the TCP (Transmission-Control Protocol) played a key
role in achieving a robust and stable Internet. At the same
time, the existing end-to-end mechanisms have proven
ineffective at protecting the Internet from distributed
denial-of-service (DDoS) attacks, an increasingly frequent,
global disturbance.
A DDoS attack is a simultaneous network attack on a
victim (e.g., a Web server or a router) from a large number
of compromised hosts, which may be distributed widely
among different, independent networks. By exploiting the
asymmetry between network-wide resources and the local
capacity of a victim, a DDoS attack can build up
congestion at the attacked target very quickly. The
Internet routing infrastructure, which is stateless and based
mainly on destination addresses, appears extremely vulnerable
to such coordinated attacks.
DDoS attacks cannot be detected and stopped easily
because forged source addresses and other techniques are
used to conceal attack sources. DDoS attacks can take a
victim network off the Internet even without exploiting
particular vulnerabilities in network protocols or weaknesses
in system design, implementation, or configuration.