Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
5026610 | Procedia Engineering | 2017 | 11 Pages |
This paper analyzes network attacks using rank distribution data. Rank distributions for a number of variables generated by a single IP address are compared for normal and anomalous network states. The investigated network variables include the number of active flows, the rate of incoming TCP, UDP and ICMP traffic, and the frequency of references to a web server (for a given port). Experimental data were obtained in experiments involving a real bandwidth DDoS attack on a popular Internet portal. The rank distribution collected under normal network conditions enables the determination of threshold values for the major network variables; exceeding these thresholds should therefore lead to the identification of attacking IP addresses and the subsequent blocking of their access.