
Case study 2: Distributed DDoS Flooding Detection based on Total Variation

In our second case study, as we mentioned before, we have adopted one of the recently proposed DDoS flooding detection mechanisms, proposed in [176]. Rahmani et al. showed promising results in terms of detection performance compared to other detection mechanisms. Moreover, Rahmani et al.'s mechanism, which we call TVD from now on, is a distributed DDoS flooding detection mechanism that flow monitoring mechanisms such as DiCoTraM and cSamp can supply with more covered flows than packet sampling mechanisms can. TVD is a two-stage mechanism that detects DDoS flooding attacks and differentiates non-legitimate flows from legitimate flows (i.e., flash crowds) based on the detection of breaks in the distribution of connection sizes. A connection is defined in [176] as the aggregate traffic between two IP addresses (i.e., a source IP and a destination IP address), and the connection size is measured by the number of packets traversing the connection. The concept of a connection in the TVD mechanism is the same as the super-flow concept defined by Chen et al. in [160].

We have implemented a prototype of the TVD mechanism and conducted a series of experiments employing DiCoTraM and cSamp as two flow monitoring mechanisms, to compare their impact on TVD's DDoS flooding attack detection. As in our previous case study, DiCoTraM and cSamp were the best options as TVD's traffic monitoring mechanism, since TVD needs super-flow level (connection-level) statistics as its input and both DiCoTraM and cSamp can provide such statistics without further processing of the monitored data to extract the super-flows or connections. For each connection (super-flow), TVD not only needs to monitor and count the number of packets heading to the destination IP address of the connection but also needs to monitor and count the number of packets coming from the source IP address of the connection. Hence, both the DiCoTraM and cSamp prototype implementations were modified to collect the number of packets coming from the source IP address of each connection in addition to the number of packets heading to the destination IP address of each connection.

5.2.1 TVD’s detection algorithm

As we mentioned earlier, TVD has two stages. In the first stage, horizontal TVD, TVD detects abnormal disruption in the inflow (i.e., same source IP address) connection size distribution by observing the connection size distribution of the same connections in two consecutive monitoring time windows. The outcome of the first stage determines the list of suspicious attack flows (i.e., surge flows), and Rahmani et al. also showed that these results are better than those of entropy-based detection mechanisms. The metric that TVD uses to detect abnormal disruption in the inflow connection size distribution (super-flow size) is the horizontal TVD between two consecutive monitoring time windows. Let $t_1, t_2, t_3, \cdots, t_m$ be the discrete monitoring time instances, and let $\mathrm{Source}(t_m, i)$ be an array of normalized frequencies of the source address bin size distribution for the $i$th connection during monitoring time slot $m$. Considering only the $K$ common connections (repetitive connections) in two consecutive time windows, the horizontal TVD between two consecutive monitoring time windows is defined as follows:

$$\mathrm{HorizontalTVD} = \frac{1}{2} \sum_{i=1}^{K} \left| \mathrm{Source}(t_m, i) - \mathrm{Source}(t_{m-1}, i) \right| \qquad (5.5)$$

The detection mechanism queries SRAM for the updated flow table at each monitoring time instance to extract the required statistics for inflow traffic. In our experiments, we chose the optimum monitoring time window, based on the results of our experiments, to be equal to 100ms.

The second stage of the TVD detection algorithm differentiates DDoS flooding attack flows from legitimate traffic changes that cause a surge (a.k.a. flash crowds). DDoS flooding attack flows lead to a divergence between the number of packets sent to and received from a specific destination. In order to measure this divergence, Rahmani et al. proposed the total variation distance between the inflow and outflow connection size distributions for two consecutive monitoring time windows. Usually, false positives occur when the size of one or several legitimate connections is larger than the average size of all active connections. Consequently, distinguishing between flash crowds and DDoS flooding attacks is very difficult when the variation in the size of the aggregate incoming flows is not accompanied by a proportional change in the number of active connections. When legitimate aggregate traffic flows exist, the variation of the aggregate traffic size from source to destination is accompanied by a relative change in the opposite direction. However, when there is an aggregate DDoS flooding attack flow, this dependency vanishes and there is a disparity in the size of the flows exchanged between the attacker and the victim [51–53,176]; this is a sign of the beginning of the congestion caused by DDoS flooding attacks. Rahmani et al. proposed a differentiation distance metric, the vertical TVD during the current monitoring time window, to detect the divergence between the number of packets sent to and received from a specific destination. Let $t_1, t_2, t_3, \cdots, t_m$ be the discrete monitoring time instances, and let $\mathrm{Source}(t_m, i)$ be an array of normalized frequencies of the source address bin size distribution for the $i$th connection during monitoring time slot $m$, for all the $N$ connections during the current monitoring time window. $\mathrm{Destination}(t_m, i)$ is an array of normalized frequencies of the destination address bin size distribution for the $i$th connection during monitoring time slot $m$, for all the $N$ connections during the current monitoring time window. We assume that the $i$th connection corresponds to the same pair of IP addresses (source and destination IP addresses) and that both $\mathrm{Source}(t_m, i)$ and $\mathrm{Destination}(t_m, i)$ may be equal to zero. The vertical TVD during the current monitoring time window is defined as follows:

$$\mathrm{VerticalTVD} = \frac{1}{2} \sum_{i=1}^{N} \left| \mathrm{Source}(t_m, i) - \mathrm{Destination}(t_m, i) \right| \qquad (5.6)$$

As with the horizontal TVD, the vertical TVD is measured by querying SRAM for the updated flow table at each monitoring time window (i.e., every 100ms) to extract the required statistics. The thresholds for the vertical and horizontal distances, as suggested by Rahmani et al., should be determined based on normal traffic.
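The following is an added worked example of the two-stage detector described above (Eq. 5.5 followed by Eq. 5.6); it is illustration code written for this section, not the thesis prototype or Rahmani et al.'s implementation. It assumes that per-connection packet counts have already been extracted from the flow table for each 100ms window, that normalized frequencies are computed over the connections being compared (the K common connections for the horizontal distance, all N connections for the vertical distance), and that thresholds are calibrated with a simple assumed rule (largest distance observed on normal windows, scaled by a margin), which is only one possible reading of "determined based on normal traffic". The traffic windows and the documentation-range IP addresses are constructed sample data.

```python
"""Two-stage TVD flooding detector: horizontal TVD (Eq. 5.5) flags surge windows,
vertical TVD (Eq. 5.6) separates DDoS flooding from flash crowds.

Each monitoring window is a dict with two maps keyed by connection (src_ip, dst_ip):
  "in"  : packets observed travelling from src_ip toward dst_ip (inflow / Source)
  "out" : packets observed travelling from dst_ip back to src_ip (outflow / Destination)
"""


def _normalize(counts):
    """Raw packet counts -> normalized frequencies that sum to 1.
    An all-zero window yields all-zero frequencies (the text allows zero entries)."""
    total = sum(counts.values())
    if total == 0:
        return {k: 0.0 for k in counts}
    return {k: v / total for k, v in counts.items()}


def horizontal_tvd(prev_inflow, cur_inflow):
    """Eq. (5.5): half the L1 distance between the normalized inflow size
    distributions of the K connections present in both consecutive windows.
    Assumption: frequencies are normalized over those K connections only."""
    common = set(prev_inflow) & set(cur_inflow)        # the K repetitive connections
    if not common:
        return 0.0
    prev_n = _normalize({k: prev_inflow[k] for k in common})
    cur_n = _normalize({k: cur_inflow[k] for k in common})
    return 0.5 * sum(abs(cur_n[k] - prev_n[k]) for k in common)


def vertical_tvd(inflow, outflow):
    """Eq. (5.6): half the L1 distance between the normalized inflow (Source) and
    outflow (Destination) size distributions over all N connections of one window.
    A connection seen in only one direction contributes a zero on the other side."""
    keys = set(inflow) | set(outflow)                  # all N connections of the window
    src_n = _normalize({k: inflow.get(k, 0) for k in keys})
    dst_n = _normalize({k: outflow.get(k, 0) for k in keys})
    return 0.5 * sum(abs(src_n[k] - dst_n[k]) for k in keys)


def calibrate_thresholds(normal_windows, margin=3.0):
    """Assumed calibration rule (not Rahmani et al.'s procedure): the largest
    horizontal and vertical TVD seen on consecutive normal windows, times `margin`."""
    pairs = zip(normal_windows, normal_windows[1:])
    h_max = max(horizontal_tvd(a["in"], b["in"]) for a, b in pairs)
    v_max = max(vertical_tvd(w["in"], w["out"]) for w in normal_windows)
    return h_max * margin, v_max * margin


def classify(prev_window, cur_window, h_thr, v_thr):
    """Stage 1: horizontal TVD above h_thr marks the window as a surge.
    Stage 2: for a surge, vertical TVD above v_thr means packets sent to and
    received from the destinations have diverged (DDoS flooding); otherwise the
    surge is treated as a flash crowd."""
    if horizontal_tvd(prev_window["in"], cur_window["in"]) <= h_thr:
        return "normal"
    if vertical_tvd(cur_window["in"], cur_window["out"]) > v_thr:
        return "ddos_flooding"
    return "flash_crowd"


# Constructed sample data (RFC 5737 documentation addresses; counts are invented).
C1 = ("198.51.100.7", "192.0.2.10")
C2 = ("198.51.100.8", "192.0.2.10")
C3 = ("198.51.100.9", "192.0.2.10")

NORMAL_WINDOWS = [  # request and reply volumes roughly track each other
    {"in": {C1: 100, C2: 120, C3: 80}, "out": {C1: 90, C2: 110, C3: 85}},
    {"in": {C1: 110, C2: 115, C3: 85}, "out": {C1: 100, C2: 105, C3: 90}},
]
FLASH_CROWD = {  # C1 surges, but replies grow with it: legitimate interest
    "in": {C1: 600, C2: 120, C3: 80}, "out": {C1: 560, C2: 110, C3: 85},
}
ATTACK = {  # C1 surges while the victim's replies on it stay flat
    "in": {C1: 5000, C2: 120, C3: 80}, "out": {C1: 60, C2: 110, C3: 85},
}

if __name__ == "__main__":
    h_thr, v_thr = calibrate_thresholds(NORMAL_WINDOWS)
    print(f"thresholds: horizontal={h_thr:.3f} vertical={v_thr:.3f}")
    prev = NORMAL_WINDOWS[-1]
    for name, win in (("normal", NORMAL_WINDOWS[1]), ("flash", FLASH_CROWD), ("attack", ATTACK)):
        h = horizontal_tvd(prev["in"], win["in"])
        v = vertical_tvd(win["in"], win["out"])
        print(f"{name:7s} H={h:.3f} V={v:.3f} -> {classify(prev, win, h_thr, v_thr)}")
```

Note that the flash-crowd window and the attack window produce a similarly large horizontal TVD, which is exactly why stage 1 alone yields false positives; only the vertical distance, which compares inflow against the victim's outflow in the same window, tells the two apart.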

TVD, like any other detection scheme, cannot detect every attack, but it significantly reduces the false positive rate and increases the detection rate.