Flooding attacks detection and victim identification over high speed networks

Abstract : With the rapid dependency on the internet for business, and the fast spread of powerful destructive DoS/DDoS attack tools, the detection and thwarting of these attacks is primordial for ISP, enterprises, hosting centers, etc. In this paper, we present the implementation of new framework, for efficient detection and identification of flooding attacks over high speed links. To accomplish that, we apply multi-channel nonparametric CUSUM (MNP-CUSUM) over the shared counters in the proposed reversible sketch, in order to pinpoint flows with abrupt change via a new approach for sketch inversion. Shared counters are used to minimize the memory requirement and to identify the victim of flooding attack. We apply our system at various real traces, some traces are provided by France Telecom (FT) within the framework of ANR-RNRT OSCAR project, other traces are collected in FT backbone network, during online experiments for testing and adjusting the proposed detection algorithms in this project. Our analysis results from real internet traffic, and from online implementation over Endace DAG 3.6ET sniffing card, show that our proposed architecture is able to quickly detect various kinds of flooding attacks and to disclose culprit flows with a high level of accuracy.
Document type :
Conference papers
Complete list of metadatas

https://hal.archives-ouvertes.fr/hal-00504328
Contributor : Bibliothèque Télécom Bretagne <>
Submitted on : Tuesday, July 20, 2010 - 12:03:02 PM
Last modification on : Wednesday, October 30, 2019 - 2:58:02 PM

Identifiers

  • HAL Id : hal-00504328, version 1

Citation

Osman Salem, Ahmed Mehaoua, Sandrine Vaton, Annie Gravey. Flooding attacks detection and victim identification over high speed networks. GIIS'2009 : IEEE Global Information Infrastructure Symposium, Jun 2009, Hammamet, Tunisia. ⟨hal-00504328⟩

Share

Metrics

Record views

57