Monitoring the Macroscopic Effect of DDoS Flooding Attacks
October-December 2005 (vol. 2 no. 4)
pp. 324-335
Creating defenses against flooding-based, distributed denial-of-service (DDoS) attacks requires real-time monitoring of network-wide traffic to obtain timely and significant information. Unfortunately, continuously monitoring network-wide traffic for suspicious activities presents difficult challenges because attacks may arise anywhere at any time and because attackers constantly modify attack dynamics to evade detection. In this paper, we propose a method for early attack detection. Using only a few observation points, our proposed method can monitor the macroscopic effect of DDoS flooding attacks. We show that such macroscopic-level monitoring might be used to capture shifts in spatial-temporal traffic patterns caused by various DDoS attacks and then to inform more detailed detection systems about where and when a DDoS attack possibly arises in transit or source networks. We also show that such monitoring enables DDoS attack detection without any traffic observation in the victim network.
Index Terms:
DDoS attack, monitoring, network traffic, attack dynamics, spatial-temporal pattern.
Citation:
Jian Yuan, Kevin Mills, "Monitoring the Macroscopic Effect of DDoS Flooding Attacks," IEEE Transactions on Dependable and Secure Computing, vol. 2, no. 4, pp. 324-335, Oct.-Dec. 2005, doi:10.1109/TDSC.2005.50