FHSD: An Improved IP Spoof Detection Method for Web DDoS Attacks

DDoS attacks represent a significant threat for companies, affecting them on a regular basis, as reported in the 2013 Information Security Breaches Survey. The most common target is web services, the downtime of which could lead to significant monetary costs and loss of reputation. IP Spoofing is often used in DDoS attacks not only to protect the identity of offending bots but also to overcome IP-based filtering controls. This paper aims to propose a new multi-layer IP Spoofing detection mechanism, called Fuzzy Hybrid Spoofing Detector (FHSD), which is based on Source MAC Address, Hop Count, GeoIP, OS Passive Fingerprinting, and Web Browser User Agent. The Hop Count algorithm has been optimised to limit the need for continuous traceroute requests, by querying the subnet IP Address and GeoIP information instead of individual IP Addresses. FHSD uses Fuzzy empirical rules and Fuzzy Largest of Maximum (LoM) Operator to identify offensive IPs and mitigate offending traffic. The proposed system was developed and tested against the BoNeSi DDoS emulator with encouraging results in terms of detection and performance. Specifically, FHSD analysed 10,000 packets, and correctly identified 99.99% of spoofed traffic in less than 5 seconds. It also reduced the need for traceroute requests by 97%.