Article ID: 457047
Journal: Journal of Information Security and Applications
Published Year: 2016
Pages: 15 Pages
File Type: PDF
Abstract

Most business applications on the Internet depend on web services for their transactions. Distributed denial of service (DDoS) attacks degrade or completely disrupt web services by sending a flood of packets, in the form of legitimate-looking requests, towards the victim web servers. A flash event (FE), an overload condition caused by a large number of legitimate requests, has characteristics similar to those of a DDoS attack. Detecting DDoS attacks against a background of FE traffic is therefore one of the hardest problems confronting network security researchers. Moreover, DDoS attacks and FEs require altogether different handling procedures, so a detector must also tell them apart. In this paper, traffic cluster entropy is derived from source address entropy, and the two metrics are used in combination not only to detect various types of DDoS attacks against web services but also to distinguish DDoS attacks from FEs. Optimal thresholds for traffic cluster entropy are calibrated using receiver operating characteristic (ROC) curves. The proposed detection approach can operate in one of three defence modes, naive, normal or best, depending on the required attack detection sensitivity. The sensitivity of the detection metric is tested in multiple simulation scenarios with different types of DDoS attacks and with varying origins of attack and FE traffic. Detection of a variety of DDoS attacks, including high-rate skewed DDoS attacks, low-rate isotropic attacks, subnet-spoofed DDoS attacks and sophisticated DDoS attacks, is demonstrated. The effectiveness of the proposed approach in terms of false positive rate, detection rate and classification rate is validated through simulations carried out using NS-2 on a Linux platform.

Related Topics: Physical Sciences and Engineering; Computer Science; Computer Networks and Communications