An ISP Level Solution to Combat DDoS Attacks using Combined Statistical Based Approach

TL;DR

This paper presents a novel ISP-level DDoS detection framework using combined statistical metrics and dynamic thresholding methods, validated through NS-2 simulations showing improved accuracy over volume-based approaches.

Contribution

It introduces a combined statistical approach with Six-Sigma based dynamic thresholding for more accurate DDoS detection at the ISP level.

Findings

Effective detection of various DDoS attacks using statistical metrics.

Dynamic thresholding reduces false positives and negatives.

Proposed system outperforms traditional volume-based detection methods.

Abstract

Disruption from service caused by DDoS attacks is an immense threat to Internet today. These attacks can disrupt the availability of Internet services completely, by eating either computational or communication resources through sheer volume of packets sent from distributed locations in a coordinated manner or graceful degradation of network performance by sending attack traffic at low rate. In this paper, we describe a novel framework that deals with the detection of variety of DDoS attacks by monitoring propagation of abrupt traffic changes inside ISP Domain and then characterizes flows that carry attack traffic. Two statistical metrics namely, Volume and Flow are used as parameters to detect DDoS attacks. Effectiveness of an anomaly based detection and characterization system highly depends on accuracy of threshold value settings. Inaccurate threshold values cause a large number of false positives and negatives. Therefore, in our scheme, Six-Sigma and varying tolerance factor methods are used to identify threshold values accurately and dynamically for various statistical metrics. NS-2 network simulator on Linux platform is used as simulation testbed to validate effectiveness of proposed approach. Different attack scenarios are implemented by varying total number of zombie machines and at different attack strengths. The comparison with volume-based approach clearly indicates the supremacy of our proposed system.