A DDoS detection method based on analysis of protocol sequence and packet header information

摘要

Recently, the network attacks such as DDoSs (Distributed Denial of Service) have been increasing. In order to cope with the increase, many ISP (Internet Service Provider) customers introduce IDSs (Intrusion Detection Systems). However, the IDSs cannot always detect the network attacks due to dropping the packets when DDoS packets are aggregated to the customer's gigabit link. In addition, the DDoS packets block the user packets unless the ISP operator filters them at the ingress links from the exterior networks. Therefore, for ISP network management, we propose a DDoS attack and source detection system that includes the IDS function and IP trace back function. The system consists of the monitors and their manager. A monitor is deployed over every border link with the exterior IP network or ISP customer's LAN to watch the ingress traffic to the ISP network. The distributed multiple monitors can share the DDoS detection load such as capturing and analyzing the traffic; therefore they are applicable to large scale ISP networks using PC-based DDoS detection system. Furthermore, each monitor uses the trace back function to identify the DDoS packets. In this paper, we show the effectiveness of the system by supporting both functions of IDS and IP trace back through its implementation and the evaluation results.