
Distinguishing between FE and DDoS Using Randomness Check

  • Conference paper
Information Security (ISC 2008)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 5222))

Abstract

Threats posed by Distributed Denial of Service (DDoS) attacks are becoming more serious day by day. Accurately detecting DDoS has become an important and necessary step in securing a computer network. However, a Flash Event (FE), which is created by legitimate requests, shares very similar characteristics with DDoS in many aspects, which makes it hard to distinguish from DDoS attacks. In this paper, we propose a simple yet effective mechanism called FDD (FE and DDoS Distinguisher) to distinguish FE and DDoS. To the best of our knowledge, this is the first effective and practical mechanism that distinguishes FE and DDoS attacks. Our trace-driven evaluation shows that FDD distinguishes between FE and DDoS attacks accurately and efficiently while using only a very small amount of memory, making it possible to implement on high-speed networking devices.

This research was supported by the MIC, Korea, under the ITRC support program supervised by the IITA (IITA-2008-(C1090-0801-0016)), the IT R&D program of MKE/IITA (2008-S-026-01) and partially supported by Defense Acquisition Program Administration and Agency for Defense Development under the contract (2008-SW-51-IM-02).



Editor information

Tzong-Chen Wu, Chin-Laung Lei, Vincent Rijmen, Der-Tsai Lee

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Park, H., Li, P., Gao, D., Lee, H., Deng, R.H. (2008). Distinguishing between FE and DDoS Using Randomness Check. In: Wu, TC., Lei, CL., Rijmen, V., Lee, DT. (eds) Information Security. ISC 2008. Lecture Notes in Computer Science, vol 5222. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85886-7_9

  • DOI: https://doi.org/10.1007/978-3-540-85886-7_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-85884-3

  • Online ISBN: 978-3-540-85886-7

  • eBook Packages: Computer Science, Computer Science (R0)
