Defending against distributed denial of service (DDoS) attacks

Abstract

The volume, duration and frequency of DDoS attacks have increased significantly every year. The average bandwidth of attack seen during the first quarter of 2013 was of 48.25 Gbps which is an eightfold increase over the last quarter of 2012 whereby the attack bandwidth was averaged at 5.9Gbps. The DDoS attacks can cripple automated systems like email, websites, bank transactions and more. With such increase in DDoS attacks over the years, the potential damage will definitely be high if left unattended. In a distributed system, data gets relayed from the source machine to the destination machine. With the modern implementation of Domain Name System (DNS) servers, the load of the incoming data may be split evenly to all the receiving servers. Thus, a coordinated DDoS attack may be split up and therefore becomes normal legit requests. Resource consumption is also an important factor in distributed systems. Therefore the relay nodes should only run the DDoS detection whenever it is necessary. To achieve a higher efficiency in the detection, the detectors have to be deployed at the nodes whereby the DDoS traffic converges so that there will be information to be aggregated for the building of a profile of the DDoS traffic. This project aims to help the systems identify the source of the DDoS attacker. The program analyzes and reassembles information from the network traffic while not interfering with the flow of the actual system. If the separate data has been reconstructed, it will be clear that the connections belong to the same DDoS profile. Hence by aggregating the network traffic at the deeper levels of the network whereby the traffic converges, it is possible to reassemble the DDoS profile. With such program monitoring the network traffic, systems can be notified of the IP addresses of the DDoS attackers and therefore deny their entries to the system.