Volumetric Distributed Denial of Service (DDoS) attacks have become a major concern for network operators, as they endanger the network stability by causing severe congestion. Access Control Lists (ACLs), and especially blacklists, have been widely studied as a way of distributing filtering mechanisms at network entry points to alleviate the effect of DDoS attacks. Different blacklist generation approaches, as proposed in the literature, are dependent on the information available on the network traffic. Nonetheless, the collection of traffic information comes at a cost that increases with the level of detail. To study the impact of the level of detail available, we formulate three scenarios. Each scenario describes a typical collection granularity used by operators. We then define blacklist generation algorithms corresponding to each granularity. Scenarios are evaluated with a mix of real legitimate and generated attack traffic. The evaluation shows that the amount of information does have an impact on the attack filtering results, and that one should choose the blacklist generation algorithms in regard of the available level of detail. Experiments also show that having more information does not always translate to more efficient filtering.
展开▼
