Abstract
This study presents a new method for detecting Shrew DDoS (Distributed Denial of Service) attacks and analyzes the characteristics of the Shrew DDoS attack. A Shrew DDoS flow is periodic, with its period tuned to the server’s TCP (Transmission Control Protocol) timer, and its peak rate is kept low to bypass peak (rate-threshold) detection. This periodicity is what distinguishes it from normal traffic. We propose the CCID (Cross-Correlation Identity Distinction) method, which uses the flow properties to quantify the difference between a normal flow and an attack flow. Because the attack period follows the server’s own TCP flow timer, the server can use that timer to construct a simulated periodic attack flow, and we compute the cross-correlation between this simulated flow and the observed flow in three different situations. The cross-correlation between Gaussian white noise and the simulated attack flow is less than 0.3; between a single-door (rectangular gate) function and the simulated attack flow it is 0.28; and between an actual attack flow and the simulated attack flow it is more than 0.8. This shows that the attack effect of different signals can be distinguished quantitatively. Testing on 4 million data records shows that the method is effective in practice.
Highlights
A DDoS (Distributed Denial of Service) attack sends a large number of packets to the server in a short time so that the server rejects normal users’ requests
We place the server’s historical traffic data in the time domain, so the flow data is treated as a finite time-domain signal
Using the timing attribute of the TCP flow, we construct the appropriate simulated attack flow signal directly from the system’s own settings
Summary
A DDoS (Distributed Denial of Service) attack sends a large number of packets to the server in a short time so that the server rejects normal users’ requests. The attacker controls some of the hosts in the network and forges network service requests so as to send a large number of packets to the server [1]. A traditional IDS (intrusion detection system) determines whether the server is under attack according to the number of packets per unit time [2]. A Shrew attacker instead sends a periodic pulsed data flow that briefly congests the server’s route; each pulse triggers the standard rate-limiting mechanism for TCP flows (congestion-control backoff on retransmission timeout), causing the server to reduce its packet rate to handle the apparent congestion. Because its packet rate stays low between pulses, the Shrew DDoS flow hides in normal TCP traffic and the IDS loses its effect [5].
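The following Python script is an added example, not code or data from the paper, that implements a CCID-style check of the kind described in the abstract and shows why the packet-count-per-unit-time IDS of the summary misses the attack. It bins packet counts into a finite time-domain signal, builds a simulated attack flow from assumed server timer settings (a 1 s retransmission timeout and 50 ms bursts, chosen for illustration), and computes the maximum normalized cross-correlation over lags against three constructed flows: Gaussian white noise, a single-door (rectangular gate) pulse, and a synthetic capture of attack bursts hidden in background traffic. The thresholds, parameter values, function names and sample flows are all assumptions made for this example.

```python
import math
import random

# Assumed server timer settings (illustrative, not values from the paper):
# the Shrew template pulses once per retransmission timeout (1 s here) for
# roughly one RTT (50 ms), and packet counts are binned every 10 ms.
MIN_RTO = 1.0      # seconds between attack bursts
BURST_LEN = 0.05   # seconds each burst lasts
BIN_SIZE = 0.01    # seconds per packet-count bin
DURATION = 20.0    # seconds of server history treated as one finite signal


def shrew_template(min_rto=MIN_RTO, burst_len=BURST_LEN,
                   duration=DURATION, bin_size=BIN_SIZE):
    """Simulated attack flow built from the server's own timer: a square pulse
    of width burst_len every min_rto seconds (1.0 = bursting, 0.0 = silent)."""
    period = round(min_rto / bin_size)   # integer bin arithmetic avoids float drift
    width = round(burst_len / bin_size)
    n = round(duration / bin_size)
    return [1.0 if i % period < width else 0.0 for i in range(n)]


def ccid_score(flow, template, max_lag=None):
    """Maximum zero-mean, unit-energy circular cross-correlation between an
    observed flow and the template, searched over lags 0..max_lag-1 (all lags
    if None). Result lies in [-1, 1]: near 1 means the flow pulses with the
    server's timer period, near 0 means no timing relation."""
    n = len(template)
    if len(flow) != n:
        raise ValueError("flow and template must cover the same number of bins")
    mf = sum(flow) / n
    mt = sum(template) / n
    f = [v - mf for v in flow]
    t = [v - mt for v in template]
    norm = math.sqrt(sum(v * v for v in f)) * math.sqrt(sum(v * v for v in t))
    if norm == 0.0:
        return 0.0                       # a constant signal correlates with nothing
    best = -1.0
    for lag in range(n if max_lag is None else max_lag):
        dot = sum(f[i] * t[(i + lag) % n] for i in range(n))
        best = max(best, dot / norm)
    return best


def packets_per_second(flow, bin_size=BIN_SIZE):
    """Per-second packet totals: the only view a packets-per-unit-time IDS has."""
    per_sec = round(1.0 / bin_size)
    return [sum(flow[i:i + per_sec]) for i in range(0, len(flow), per_sec)]


# --- constructed sample flows (synthetic, not captured data) ------------------

def gaussian_noise_flow(n, seed=1):
    """Gaussian white noise: traffic with no timing structure at all."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(n)]


def single_door_flow(n, width, start=700):
    """A single 'door' (rectangular gate) function: one burst, never repeated."""
    return [1.0 if start <= i < start + width else 0.0 for i in range(n)]


def synthetic_attack_capture(n, period, width, seed=2):
    """Stand-in for a real capture: 20 packets/bin of normal traffic with Gaussian
    jitter, plus attack bursts of varying size at the server's timer period,
    starting at a phase offset the defender does not know in advance."""
    rng = random.Random(seed)
    flow = []
    for i in range(n):
        packets = 20.0 + rng.gauss(0.0, 1.0)
        if (i + 37) % period < width:           # phase offset of 37 bins
            packets += 40.0 * rng.uniform(0.8, 1.2)
        flow.append(packets)
    return flow


if __name__ == "__main__":
    template = shrew_template()
    n = len(template)
    period = round(MIN_RTO / BIN_SIZE)
    width = round(BURST_LEN / BIN_SIZE)
    for name, flow in [("gaussian white noise", gaussian_noise_flow(n)),
                       ("single door function", single_door_flow(n, width)),
                       ("synthetic attack capture", synthetic_attack_capture(n, period, width))]:
        print(f"{name:26s} CCID score = {ccid_score(flow, template, max_lag=period):.3f}")
    rates = packets_per_second(synthetic_attack_capture(n, period, width))
    print(f"per-second rate during attack: min {min(rates):.0f}, max {max(rates):.0f} "
          f"(background alone is about {20 * period})")
```

Searching lags only over one template period is enough because the template is periodic, and removing the mean first keeps a constant background rate from inflating the score. The per-second totals illustrate the summary’s point: the bursts add only about ten percent to the per-second count, so a threshold on packets per unit time would have to be set uncomfortably close to normal load to fire, while the cross-correlation separates the pulsed flow from both noise and a lone burst by a wide margin.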