Info iconThis preview shows pages 1–2. Sign up to view the full content.

View Full Document Right Arrow Icon
Monitoring the Macroscopic Effect of DDoS Flooding Attacks Jian Yuan and Kevin Mills, Senior Member , IEEE Abstract —Creating defenses against flooding-based, distributed denial-of-service (DDoS) attacks requires real-time monitoring of network-wide traffic to obtain timely and significant information. Unfortunately, continuously monitoring network-wide traffic for suspicious activities presents difficult challenges because attacks may arise anywhere at any time and because attackers constantly modify attack dynamics to evade detection. In this paper, we propose a method for early attack detection. Using only a few observation points, our proposed method can monitor the macroscopic effect of DDoS flooding attacks. We show that such macroscopic-level monitoring might be used to capture shifts in spatial-temporal traffic patterns caused by various DDoS attacks and then to inform more detailed detection systems about where and when a DDoS attack possibly arises in transit or source networks. We also show that such monitoring enables DDoS attack detection without any traffic observation in the victim network. Index Terms —DDoS attack, monitoring, network traffic, attack dynamics, spatial-temporal pattern. æ 1I NTRODUCTION T HE success of the Internet derives in large part from the end-to-end principle [1], which enabled deploying a simple network infrastructure (of packet-forwarding nodes supported by a few routing protocols), allowing network applications to evolve independent of the core network. In particular, the end-to-end congestion-control mechanisms of the TCP (Transmission-Control Protocol) played a key role in achieving a robust and stable Internet. At the same time, the existing end-to-end mechanisms have proven ineffective at protecting the Internet from distributed denial-of-service (DDoS) attacks, an increasingly frequent, global disturbance [2]. A DDoS attack is a simultaneous network attack on a victim (e.g., a Web server or a router) from a large number of compromised hosts, which may be distributed widely among different, independent networks. By exploiting asymmetry between network-wide resources and local capacities of a victim, a DDoS attack can build up an intended congestion very quickly at an attacked target. The Internet routing infrastructure, which is stateless and based mainly on destination addresses, appears extremely vulner- able to such coordinated attacks. DDoS attacks cannot be detected and stopped easily because forged source addresses and other techniques are used to conceal attack sources. DDoS attacks can take a victim network off the Internet even without exploiting particular vulnerabilities in network protocols or weak- nesses in system design, implementation, or configuration.
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Image of page 2
This is the end of the preview. Sign up to access the rest of the document.

This note was uploaded on 02/05/2011 for the course CS 2105 taught by Professor Ana during the Fall '09 term at National University of Singapore.

Page1 / 12


This preview shows document pages 1 - 2. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online