Detecting ddos attacks in stub domains

DoS attacks have least impact when detected and mitigated close to the attacks' source. This is more important for Distributed DoS (DDoS) attacks since they are difficult to mitigate at the victim without affecting service to legitimate flows. This is a challenging task since DDoS attack traffic may have relatively low flow rates and attack packets are indistinguishable from legitimate packets. Current source-end detection schemes such as MULTOPS and D-WARD are centralized and hence, are not easily deployable in multi-gateway stub networks with asymmetric traffic. Moreover, these systems require modifications to current routers for successful deployment. We present a scalable, distributed DDoS detection system that can be deployed in single- as well as multi-homed stub networks to detect DDoS attacks using TCP packets. The detection system can detect attacks with very low flow rates and in multi-gateway networks, even with significant asymmetric TCP flows. We evaluate the performance of our detection system using extensive packet level simulations under different attack scenarios. Our results show that with relatively less node state and processing, in networks with symmetric flows, our system can accurately detect attack flows that are one-third the intensity of an average flow in the network. In the case of multi-gateway networks, the detection system can detect all attacks for all rates of asymmetry when the attack rate is at least five times the average flow rate in the network. We extend the system to detect attacks aimed at multiple hosts in a subnet instead of a single host. Subnet attacks seem more diffused for detection schemes designed to detect host attacks. Hence, it is harder for these schemes to detect these attacks. Our subnet attack detection scheme can detect attacks that target hosts in large subnets (/21) and in the presence of non-attack traffic to other hosts in the subnet. Our packet level simulations show that, in single gateway networks, our scheme can detect attacks with an aggregate flow intensity equal to an average flow in the network in less than a minute. Using these simulations, we also show that our scheme detects attacks in networks with up to four gateways and when up to 50% of the flows are asymmetric.