DDoS detection based on traffic self-similarity
Thesis DisciplineComputer Science
Degree GrantorUniversity of Canterbury
Degree NameMaster of Science
Distributed denial of service attacks (or DDoS) are a common occurrence on the internet and are becoming more intense as the bot-nets, used to launch them, grow bigger. Preventing or stopping DDoS is not possible without radically changing the internet infrastructure; various DDoS mitigation techniques have been devised with different degrees of success. All mitigation techniques share the need for a DDoS detection mechanism. DDoS detection based on trafﬁc self-similarity estimation is a relatively new approach which is built on the notion that undis- turbed network trafﬁc displays fractal like properties. These fractal like properties are known to degrade in presence of abnormal trafﬁc conditions like DDoS. Detection is possible by observing the changes in the level of self-similarity in the trafﬁc ﬂow at the target of the attack. Existing literature assumes that DDoS trafﬁc lacks the self-similar properties of undisturbed trafﬁc. We show how existing bot- nets could be used to generate a self-similar trafﬁc ﬂow and thus break such assumptions. We then study the implications of self-similar attack trafﬁc on DDoS detection. We ﬁnd that, even when DDoS trafﬁc is self-similar, detection is still possible. We also ﬁnd that the trafﬁc ﬂow resulting from the superimposition of DDoS ﬂow and legitimate trafﬁc ﬂow possesses a level of self-similarity that depends non-linearly on both relative trafﬁc intensity and on the difference in self-similarity between the two incoming ﬂows.