Abstract
The purpose of this paper is to propose a more efficient and accurate distributed denial of service (DDoS) attack detection mechanism that detects DDoS attacks by monitoring the incoming traffic on the edge routers of ISP networks. It can be implemented as a module or agent function on the machine that is responsible for processing router traffic. The detection algorithm works by monitoring the traffic passing through the edge routers and identifying the occurrence of DDoS attacks or flash events. The algorithm calculates values such as the normalized router entropy, packet rate, and entropy rate and compares them against preidentified threshold values to detect the occurrence of a DDoS attack or flash event. The threshold values used in the algorithm are evaluated offline from sample attack and legitimate traffic flows. The proposed detection mechanism can be implemented on the edge routers of the ISP networks. ISPs are selected for the deployment of attack detection because the customer networks are directly connected to them. The effectiveness of the algorithms can be validated mathematically using a sample test bed containing a realistic Internet topology. The results clearly indicate that the proposed detection mechanism detects attacks effectively, with a high detection rate and fewer false positives.
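The threshold comparison described in the abstract, as an added Python example that is not the paper's own code. The abstract gives no formulas, so the flow identifiers, the normalization by log2 of the flow count, entropy rate taken as the change between consecutive windows, the threshold values and the decision rule are all assumptions made for illustration.

```python
import math
from collections import Counter

# Constructed thresholds; the paper evaluates its own offline from sample traffic.
THRESHOLDS = {"packet_rate": 1000.0, "entropy_low": 0.30,
              "entropy_high": 0.95, "entropy_rate": 0.20}

def normalized_entropy(flow_ids):
    """Shannon entropy of packets per flow, divided by log2(#flows): range [0, 1]."""
    counts = Counter(flow_ids)
    if len(counts) < 2:
        return 0.0  # a single flow carries no uncertainty
    total = sum(counts.values())
    h = -sum((c / total) * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))

def classify_windows(windows, window_seconds, th=THRESHOLDS):
    """Label each window 'normal', 'flash_event' or 'ddos' (assumed rule)."""
    labels, prev_h = [], None
    for flow_ids in windows:
        h = normalized_entropy(flow_ids)
        rate = len(flow_ids) / window_seconds          # packets per second
        h_rate = 0.0 if prev_h is None else abs(h - prev_h)
        prev_h = h
        in_band = th["entropy_low"] <= h <= th["entropy_high"]
        if rate <= th["packet_rate"]:
            labels.append("normal")
        elif not in_band or h_rate > th["entropy_rate"]:
            # Volume surge whose flow distribution is abnormal or shifted abruptly.
            labels.append("ddos")
        else:
            # Volume surge that keeps the usual traffic mix.
            labels.append("flash_event")
    return labels

def skewed(prefix, scale):
    """Constructed sample: 8 flows with 64,32,16,8,4,2,1,1 packets, times scale."""
    counts = [64, 32, 16, 8, 4, 2, 1, 1]
    return [f"{prefix}{i}" for i, c in enumerate(counts) for _ in range(c * scale)]

# Constructed one-second windows: quiet, popular surge, quiet, spoofed flood.
baseline = skewed("10.0.0.", 1)                        # 128 packets
flash = skewed("10.0.1.", 8) + skewed("10.0.2.", 8)    # 2048 packets, same skew
spoofed = [f"src{i}" for i in range(5000)]             # one packet per source
SAMPLE = [baseline, flash, baseline, spoofed]

if __name__ == "__main__":
    print(classify_windows(SAMPLE, window_seconds=1.0))
```

The entropy band catches both a flood spread over many one-packet sources (entropy near 1) and one concentrated on a few heavy flows (entropy near 0).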
More From: TURKISH JOURNAL OF ELECTRICAL ENGINEERING & COMPUTER SCIENCES