Distributed Data Aggregation Technology for Real-Time DDoS Attacks Detection

The information technology has revolutionized almost every facet of our lives. Government, commercial, and educational organizations depend on computers and Internet to such an extent that day-to-day operations are significantly hindered when the networks are “down” (Gordon, Loeb, Lucyshyn & Richardson, 2005). The prosperity of the Internet also attracted abusers and attackers motivated for personal, financial, or even political reasons. What attackers aim at currently is beyond obtaining unauthorized network accesses or stealing private information, there have been attacks on Internet infrastructures (Chakrabarti & Manimaran, 2002; Moore, Voelker & Savage, 2001; Naoumov & Ross, 2006). Distributed Denial of Services (DDoS) attacks is one of such attacks that can lead to enormous destruction, as different infrastructure components of the Internet have implicit trust relationship with each other (Mirkovic & Reiher, 2004; Specht & Lee, 2004). The DDoS attacker often exploits the huge resource asymmetry between the Internet and the victim systems (Chen, Hwang & Ku, 2007; Douligeris & Mitrokosta, 2003). A comprehensive solution to DDoS attacks requires covering global effects over a wide area of autonomous system (AS) domains on the Internet (Mirkovic & Reiher, 2005). Timely detection of the ongoing attacks is the prerequisite of any effective defense scheme (Carl, Kesidis, Brooks & Rai, 2006). It is highly desirable to detect DDoS attacks at very early stage, instead of waiting for the flood to become widespread. It is mandatory for the detection systems to collect real time traffic data from widely deployed traffic monitors and construct the spatiotemporal pattern of anomaly propagation inside the network. This chapter will introduce a novel distributed real time data aggregation technique named Change Aggregation Tree (CAT). The CAT system adopts a hierarchical architecture to simplify the alert correlation and global detection procedures. At intra-domain level, each individual router, which plays the role of traffic monitor, periodically report the local traffic status to the CAT server in the AS. At the inter-domain layer, CAT servers share local detected anomaly patterns with peers located in other ASes, where the potential attack victim is located.