A Hadoop Based Analysis and Detection Model for IP Spoofing Typed DDoS Attack

2016 IEEE Trustcom/BigDataSE/ISPA (2016)

Abstract
As more and more cloud services are exposed to DDoS attacks, DDoS attack detection has become a challenging task, because large packet traces captured on fast links cannot easily be handled on a single server with limited computing and memory resources. In this paper, we propose a Hadoop based model to identify abnormal packets and compute statistics from the number of abnormal packets. The novelties of the model are that: (1) by harnessing HBASE, an improved Bloom filter based mapping mechanism named TCP2HC/UDP2HC is implemented; (2) using the characteristics of IP spoofing and the temporal correlation of transport layer connection state, an extensible set of rules and a reliable MapReduce based checking mechanism for abnormal packets are designed; (3) using statistical features extracted from the increase in abnormal packets and from TCP/UDP flows, a non-parametric CUSUM algorithm is used to detect most DDoS attacks accurately and efficiently. The model can detect attack behavior at an early stage, which helps mitigate the attack through flow cleaning by converting a check rule into a filtering rule. Experiments show that, no matter how large the attack scale and what kind of DDoS attack, the detection model can soon detect the DDoS attack accurately.
Keywords
DDoS,Hadoop,MapReduce,HBASE,Cloud,CUSUM
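
As an added illustration of step (3) in the abstract, the sketch below runs a generic one-sided non-parametric CUSUM over a per-window abnormal-packet ratio. It is not the paper's code: the choice of statistic, the `offset` and `threshold` values, and all sample counts are assumptions constructed for this example.

```python
from typing import Iterable, List, Optional, Tuple

Window = Tuple[int, int]  # (abnormal_packets, total_packets) in one time window

def ratios(windows: Iterable[Window]) -> List[float]:
    """Fraction of packets flagged abnormal per window (0.0 for an empty window)."""
    return [a / t if t else 0.0 for a, t in windows]

def cusum(stream: Iterable[float], baseline_mean: float,
          offset: float, threshold: float) -> List[Tuple[float, bool]]:
    """One-sided non-parametric CUSUM.

    y_n = max(0, y_{n-1} + x_n - (baseline_mean + offset)); alarm when y_n >= threshold.
    The offset keeps the drift negative under normal traffic, so isolated
    bursts decay back to zero while a sustained rise accumulates.
    """
    score, out = 0.0, []
    for x in stream:
        score = max(0.0, score + x - (baseline_mean + offset))
        out.append((score, score >= threshold))
    return out

def first_alarm(results: List[Tuple[float, bool]]) -> Optional[int]:
    """Index of the first window that raised an alarm, or None."""
    return next((i for i, (_, alarm) in enumerate(results) if alarm), None)

# Constructed sample data (assumed values, not measurements from the paper).
NORMAL: List[Window] = [(12, 1000), (9, 1000), (11, 1000), (8, 1000), (10, 1000)]
TRAFFIC: List[Window] = [
    (11, 1000), (80, 1000), (9, 1000), (10, 1000),   # normal, with one short burst
    (150, 1200), (400, 1600), (900, 2200),           # sustained rise in abnormal packets
]

def run_demo() -> List[Tuple[float, bool]]:
    base = ratios(NORMAL)
    mean = sum(base) / len(base)          # baseline learned from attack-free windows
    return cusum(ratios(TRAFFIC), mean, offset=0.03, threshold=0.25)

if __name__ == "__main__":
    for i, (score, alarm) in enumerate(run_demo()):
        print(f"window {i}: score={score:.3f} alarm={alarm}")
```

The single burst in window 1 raises the score briefly and then decays to zero, while the sustained rise crosses the threshold in its second window.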