Return to search

DDoS detection based on traffic self-similarity

Distributed denial of service attacks (or DDoS) are a common occurrence on the internet and are becoming more intense as
the bot-nets, used to launch them, grow bigger. Preventing or stopping DDoS is not possible without radically changing the
internet infrastructure; various DDoS mitigation techniques have been devised with different degrees of success. All mitigation
techniques share the need for a DDoS detection mechanism.
DDoS detection based on traffic self-similarity estimation is a relatively new approach which is built on the notion that undis-
turbed network traffic displays fractal like properties. These fractal like properties are known to degrade in presence of abnormal
traffic conditions like DDoS. Detection is possible by observing the changes in the level of self-similarity in the traffic flow at the
target of the attack.
Existing literature assumes that DDoS traffic lacks the self-similar properties of undisturbed traffic. We show how existing bot-
nets could be used to generate a self-similar traffic flow and thus break such assumptions. We then study the implications of
self-similar attack traffic on DDoS detection.
We find that, even when DDoS traffic is self-similar, detection is still possible. We also find that the traffic flow resulting from the
superimposition of DDoS flow and legitimate traffic flow possesses a level of self-similarity that depends non-linearly on both
relative traffic intensity and on the difference in self-similarity between the two incoming flows.

Identiferoai:union.ndltd.org:canterbury.ac.nz/oai:ir.canterbury.ac.nz:10092/2105
Date January 2008
CreatorsBrignoli, Delio
PublisherUniversity of Canterbury. Computer Science and Software Engineering
Source SetsUniversity of Canterbury
LanguageEnglish
Detected LanguageEnglish
TypeElectronic thesis or dissertation, Text
RightsCopyright Delio Brignoli, http://library.canterbury.ac.nz/thesis/etheses_copyright.shtml
RelationNZCU

Page generated in 0.0106 seconds