2004
DOI: 10.1007/978-3-540-24693-0_63

Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring

Abstract: In this paper, we propose a simple but robust scheme to detect denial of service attacks (including distributed denial of service attacks) by monitoring the increase of new IP addresses. Unlike previous proposals for bandwidth attack detection schemes, which are based on monitoring the traffic volume, our scheme is very effective for highly distributed denial of service attacks. Our scheme exploits an inherent feature of DDoS attacks, which makes it hard for the attacker to counter this detection sche…

Cited by 130 publications (74 citation statements)
References 7 publications

Citation statements:
“…There is a possibility that the abovementioned assumptions will not always be true and, if not, the performance of the anomaly detection algorithm will be jeopardized; for example, DoS attack traffic instances do not follow these assumptions [11]. As DoS attacks are not significantly different from normal traffic and also occur in a similar fashion, their behaviors lead to the following assumption.…”
Section: Motivation (mentioning, confidence 99%)
“…We measured the accuracy of our approach using the standard confusion metrics true positive (TP), false positive (FP), true negative (TN) and false negative (FN) computed using equation (11).…”
Section: Accuracy (mentioning, confidence 99%)
“…Peng [3] detected attacks by monitoring the number of new source IP addresses in a given time period based on the observation [2] that the majority of the source IP addresses of incoming packets are new to the victim during attacks but appeared before in flash crowds. Sun [4] proposed a detection method based on FCD (Flow Connection Density).…”
Section: Introduction (mentioning, confidence 99%)
“…For example, Peng et al. [10] proposed to use the number of new source IP addresses as a feature to detect DDoS attacks, under the assumption that source addresses of IP packets observed at an edge router were more static in normal conditions than during DDoS attacks. The paper further pointed out that the feature could differentiate DDoS attacks from the flash crowd, which represents the situation when many legitimate users start to access one service at the same time, e.g., when many people watch a live sports broadcast over the Internet at the same time.…”
Section: Introduction (mentioning, confidence 99%)
“…Therefore, the feature of the number of new source IP addresses improves those DDoS detection schemes that rely on traffic rate only. However, Peng et al. [10] focused on detection of DDoS attacks. It did not mention other types of network anomalies.…”
Section: Introduction (mentioning, confidence 99%)