Dual-Level Defense Framework for DDoS Attacked Network

Abstract

DDoS has become one of the thorniest problems in the Internet, and aims to deny legitimate users of the services they should have. In this paper, we introduce novel dual level framework that consist of attack detection (D-LAD) and characterization scheme for defending against the DDoS attacks. The macroscopic level detectors (MaLAD) attempt to detect voluminous congestion inducing attacks which cause apparent slowdown in network functionality. The macroscopic level characterization process identifies these large volumes attacks that have been detected early in transit domain by MaLAD. The microscopic level detectors (MiLAD) detect sophisticated attacks that cause network performance to degrade gracefully and remain undetected in transit domain. Microscopic level characterization process identifies such attacks that have been detected at border routers in stub domain near the victim by Mi-LAD. We employ the concepts of change point detection on entropy with time to improve the detection rate. Honeypots help achieve high detection and filtering accuracy. Use of honeypots is proposed that help achieve high detection accuracy. We validate the effectiveness of our framework with simulations on AT&T topology in ns-2 on a Linux platform. Results demonstrate that in addition to being competitive than other techniques, our framework works well in the presence of different DDoS attacks. The compromise of detection and characterization accuracy and time of confirming is a critical aspect and proposed technique provides the demanded solution.