Abstract : High-rate flooding attacks (aka Distributed Denial of Service or DDoS attacks) continue to constitute a pernicious threat within the Internet domain. In this work we demonstrate how using packet source IP addresses coupled with a change-point analysis of the rate of arrival of new IP addresses may be sufficient to detect the onset of a high-rate flooding attack. Importantly, minimizing the number of features to be examined, directly addresses the issue of scalability of the detection process to higher network speeds. Using a proof of concept implementation we have shown how pre-onset IP addresses can be efficiently represented using a bit vector and used to modify a "white list" filter in a firewall as part of the mitigation strategy.
https://hal.inria.fr/hal-01054522 Contributor : Hal IfipConnect in order to contact the contributor Submitted on : Thursday, August 7, 2014 - 10:17:36 AM Last modification on : Friday, August 11, 2017 - 11:12:40 AM Long-term archiving on: : Wednesday, November 26, 2014 - 1:36:24 AM
Ejaz Ahmed, George Mohay, Alan Tickle, Sajal Bhatia. Use of IP Addresses for High Rate Flooding Attack Detection. 25th IFIP TC 11 International Information Security Conference (SEC) / Held as Part of World Computer Congress (WCC), Sep 2010, Brisbane, Australia. pp.124-135, ⟨10.1007/978-3-642-15257-3_12⟩. ⟨hal-01054522⟩