AF-FDS: An Accurate, Fast, and Fine-Grained Detection Scheme for DDoS Attacks in High-Speed Networks With Asymmetric Routing

Abstract

Distributed Denial of Service (DDoS) attacks have posed severe threats to the Internet. Although researchers have proposed many DDoS detection schemes, there are still some challenging issues. Traditional per-flow-based DDoS methods are impractical for massive amounts of high-speed network traffic due to the huge resource consumption. In addition, existing methods are not designed to take into account the widespread asymmetric routing in high-speed networks, resulting in false positives when these methods are deployed on the Internet. Furthermore, existing methods can not achieve a good trade-off between detection accuracy and granularity when detecting hybrid DDoS attacks. This paper proposes an Accurate, Fast, and Fine-grained Detection Scheme (AF-FDS) for DDoS attacks in high-speed networks with asymmetric routing. We select features based on the characteristics of DDoS attacks and design a data structure Double Composite Structure Sketch (DCSS). DCSS can achieve fast recording and extraction of the selected features from the sampled traffic. Experimental results using real-world traces in a 10Gbps network with asymmetric routing show that AF-FDS can detect nine types of DDoS attacks at a fine-grained level within 15 seconds with over 98.0% precision and recall, even at a sampling rate of 1/1024. Furthermore, the comparison with several state-of-the-art methods illustrates that AF-FDS can detect DDoS attacks with a lower false positive rate (FPR) and shorter alarm time in asymmetric routing scenarios.