08-10-2014, 02:57 PM
A Rank Correlation Based Detection against
Distributed Reflection DoS Attacks
Abstract
DDoS has been a serious threat to the Internet since its inception: a large number of controlled hosts flood the victim site with massive numbers of packets. In Distributed Reflection DoS (DRDoS), attackers additionally fool innocent servers (reflectors) into sending the flood to the victim. Most current DRDoS detection mechanisms are tied to specific protocols and cannot be used for unknown protocols. We observe that, because they are stimulated by the same attacking flow, the response flows from the reflectors have an inherent relation: the packet rate of one converged response flow may be linearly related to that of another. Based on this observation, the Rank Correlation based Detection (RCD) algorithm is proposed. Preliminary simulations indicate that RCD can differentiate reflection flows from legitimate ones efficiently and effectively, and can therefore serve as a usable indicator of DRDoS.
INTRODUCTION
A distributed denial of service (DDoS) attack is a serious threat to the Internet, in which a large number of controlled hosts flood the victim site with massive numbers of packets. Botnets, the most popular form of controlled hosts, are still improving and stand ready to launch future DDoS attacks [1]. To make defense harder, in Distributed Reflection DoS (DRDoS) the attacker sends requests carrying the victim's spoofed source address to many Internet servers, which then send their responses to the victim. Any connectionless request-response protocol can therefore be exploited, and the dilution of locality makes it hard to isolate the attacking traffic. Local detection near a single reflector may be useless because the volume of reflected traffic there is low [2]. Ingress filtering is a promising solution, but it has not been widely deployed [3].
SYSTEM ANALYSIS
In view of limited space, we mainly focus on two typical scenarios involving one attacker and multiple reflectors:
a) One attacker spoofs requests to reflectors chosen uniformly at random, at a constant rate, e.g., its full outgoing bandwidth.
b) One attacker spoofs requests to reflectors chosen uniformly at random, at a low but variable rate.
We define all packets to the victim that pass through one router as a flow. Once an alarm appears, the packet count of each suspicious flow is sampled per time unit T. Let t be the start of a time span. For two suspicious flows fa and fb, their respective sets of source reflectors in the span [t, t+T] are Ra and Rb, containing Na and Nb reflectors, and the set of uninvolved reflectors is Ro, as shown in fig. 1. Here the source reflectors of a flow are all the reflectors that would contribute packets to that flow if they received bogus request packets.
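The following is an added worked example, not the paper's own code, that puts the sampling model above (two suspicious flows fa and fb fed by reflector sets Ra and Rb, with Ro uninvolved, counted per time unit T) together with the pairwise rank-correlation-and-threshold step the conclusion describes. Everything the paper leaves open is an assumption here: Spearman's rho is used as the rank correlation, |rho| is compared with a preset threshold of 0.6, each spoofed request yields exactly one response packet, the attacker in scenario a sends 500 requests per T and in scenario b a uniform random 20 to 200, the reflector sets have 45, 45 and 10 members, and a small independent background count stands in for legitimate traffic sharing each router. The simulated traffic is constructed data. One thing the simulation makes visible that the text does not state: the sign of the correlation depends on the scenario. A constant-rate attacker splits a fixed per-window budget between fa and fb, so the two counts move oppositely (rho strongly negative); a variable-rate attacker drives both up and down together (rho strongly positive). Either way |rho| is large, while two independent legitimate flows stay near zero, which is why the detector tests the magnitude.

```python
"""RCD-style detection over simulated DRDoS flows (added example, not the
paper's code). Assumptions not fixed by the paper: Spearman's rho is the rank
correlation, |rho| is compared with a preset threshold of 0.6, each spoofed
request draws exactly one response packet, and a small independent background
count is added to every flow. All traffic below is constructed."""
import random
from typing import Dict, List, Sequence, Tuple

THRESHOLD = 0.6  # assumed value; the paper only says "preset thresholds"


def average_ranks(values: Sequence[float]) -> List[float]:
    """1-based ranks; tied values share the mean of the ranks they occupy."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman_rho(x: Sequence[float], y: Sequence[float]) -> float:
    """Spearman's rank correlation: Pearson correlation of the two rank vectors.
    Working on ranks makes the statistic insensitive to the (unknown) response
    size and amplification factor, which is what suits it to unknown protocols."""
    if len(x) != len(y) or len(x) < 3:
        raise ValueError("need two equally long series of at least 3 samples")
    rx, ry = average_ranks(x), average_ranks(y)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    if vx == 0 or vy == 0:  # a constant series has no rank variation
        return 0.0
    return cov / (vx * vy) ** 0.5


def simulate_flows(scenario: str, windows: int = 200, n_a: int = 45,
                   n_b: int = 45, n_o: int = 10, seed: int = 1) -> Tuple[List[int], List[int]]:
    """Per-window (per time unit T) packet counts of suspicious flows fa and fb.
    Reflectors in Ra (n_a of them) feed fa, those in Rb feed fb and Ro feeds
    neither; every spoofed request picks a reflector uniformly at random.
    Scenario 'a': constant rate (500 requests per T); 'b': low, variable rate.
    The background term (0-2 packets) stands in for legitimate traffic."""
    rng = random.Random(seed)
    total = n_a + n_b + n_o
    fa, fb = [], []
    for _ in range(windows):
        requests = 500 if scenario == "a" else rng.randint(20, 200)
        hits_a = hits_b = 0
        for _ in range(requests):
            r = rng.randrange(total)
            if r < n_a:
                hits_a += 1
            elif r < n_a + n_b:
                hits_b += 1
        fa.append(hits_a + rng.randint(0, 2))
        fb.append(hits_b + rng.randint(0, 2))
    return fa, fb


def simulate_legitimate(windows: int = 200, seed: int = 2) -> Tuple[List[int], List[int]]:
    """Two unrelated flows: independent per-window counts (constructed data)."""
    rng = random.Random(seed)
    fa = [rng.randint(50, 150) for _ in range(windows)]
    fb = [rng.randint(50, 150) for _ in range(windows)]
    return fa, fb


def rcd_alert(fa: Sequence[int], fb: Sequence[int],
              threshold: float = THRESHOLD) -> Tuple[bool, float]:
    """Alert on a flow pair whose sampled counts are strongly rank-correlated
    in either direction: a constant-rate attacker splits a fixed budget between
    fa and fb (rho < 0), a variable-rate one drives both together (rho > 0)."""
    rho = spearman_rho(fa, fb)
    return abs(rho) >= threshold, rho


def run_demo() -> Dict[str, Tuple[bool, float]]:
    """Run the detector on scenario a, scenario b and a legitimate pair."""
    pairs = {"a": simulate_flows("a"), "b": simulate_flows("b"),
             "legit": simulate_legitimate()}
    return {name: rcd_alert(fa, fb) for name, (fa, fb) in pairs.items()}


if __name__ == "__main__":
    for name, (alert, rho) in run_demo().items():
        print(f"{name:5s} rho={rho:+.3f} alert={alert}")
```

Only the per-window counts are needed, so a deployment would feed the same functions with packet counters read from the two routers once the volume alarm fires; the window length T, the number of windows and the threshold trade detection delay against false alerts and have to be tuned per site.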
Fig. 4. Comparison of methods in scenario b.
Fig. 5. Statistical comparison of RCD for both scenarios.
CONCLUSION
This letter concentrates on detecting DRDoS independently of specific protocols, and proposes the Rank Correlation based Detection (RCD) algorithm. Once suspicious flows are found, RCD calculates the rank correlation between flow pairs and raises a final alert according to preset thresholds. The preliminary simulations demonstrate that it could be a helpful indicator for DRDoS detection. The result could also be used to pick out and discard malicious flows. There is a lot of interesting future work, including: