Fusion of Detection, Traffic Control and Traceback Technique for DDoS attacks r

Denial-of-Service (DoS) and Distributed Denial-ofService (DDoS) attacks typically generate huge amount of adverse traffic to a target server and make the server unavailable for services. Several works had put lots of efforts to find novel and effective techniques to detect and prevent such attacks. However, most studies were conducted using offline data or via simulation. Only a few studies address the issues of server survivability when under DDoS attacks and perform real experiments to measure the effectiveness of filtering such malicious traffic since capturing and analyzing real attacking traffic on the fly would be an enormous task. This paper proposes a model to measure the effectiveness of filtering malicious traffic while actual attacks aim at a target server. The model performs a simple anomaly detection using the rates of input traffic which is classified into normal, suspicious and malicious traffic based on the pre-defined threshold values. If the input traffic is regarded as suspicious or malicious, the model will substantially drop part of the input traffic to an acceptable level so that only the small amount of traffic is allowed to pass and reach the target server. As a result, the server survives the attacks. When packets marked as normal and suspicious are allowed passing through then we employ a recursive based IP traceback method used to locate the original source node producing malicious packets. These packets could be produced by attackers deliberately or by Botnets and Zombies which are autonomously driven software producing malicious packets in the traffic. KeywordsBotnets, Bloom filter, Detection analysis, Traffic