Distributed Denial of Service (DDoS) attacks continue to target popular e-commerce and content websites intensely. One in five companies worldwide becomes a DDoS attack victim. Such attacks remain active, causing prolonged damage lasting from a few hours to several weeks. Deccan Chronicle [34,35], dated April 29, 2015, reported the above statement as the conclusion of Kaspersky Lab's and B2B's international survey, which categorized DDoS attacks into two types: “a powerful short term attack or persistent long running campaign”. Both of these types of DDoS attack can be detected, prevented and mitigated in real time using the proposed novel Qualified Vector Match and Merge Algorithm (QVMMA). An attack signature is generated in real time from 14 feature components and stored in a dynamically updated DDoS Captured Attack Pattern (DCAP) [30] database. It is effective in detecting new and old attacks. Persistent DDoS attacks cause financial damage or reputation loss through the loss of the company's valuable clients. The server's availability is heavily compromised. The popular websites Github and BBC UK faced DDoS attacks in 2015. A long-term DDoS attack directed at Github continued for over 118 hours [34,35]. A short-term DDoS attack experienced by the BBC [36] website caused its patchy response. The crux of the problem is the absence of a way to differentiate between attack records and legitimate records while the attack is occurring in real time. Several methods [1-31,37-42] are listed in the paper. Post-mortem solutions are not applicable in real time. Available real-time solutions are slow. QVMMA is an ideal, faster real-time solution to prevent DDoS attacks using Statistical Feature Vector Generation. Matlab is used for real-time DDoS simulation, where the topologies (bus, star, Abilene network) are created using OMNET++ [33]. QVMMA generates and uses a Statistical Feature Vector for Attack Signature Generation, Matching and Identification only for records that satisfy the qualifier.
The web server log files used as input to QVMMA follow the W3C log format standard [34]. Experimentation is completed with an exhaustive 336 cases. Four networks are tested, with 5, 8, 10 and 13 nodes. Performance evaluation of QVMMA concludes that the EER is 11.8% when the threshold is 1.6. The Abilene network achieves the best result. As the number of attackers, nodes and intermediate routers increases, detection time increases. If the threshold is increased, the accuracy reduces. If the number of nodes increases, accuracy increases. Thus it is concluded that QVMMA can be used for effective layer 3 DDoS prevention and mitigation in real time, based on results generated in Matlab simulation.