Accurate and Fast Detection of DDoS Attacks in High-Speed Network with Asymmetric Routing

The existing DDoS attack detection methods based on a single monitoring point only consider symmetric routing scenarios, which may not be practical. Such schemes will produce high false positives when facing the asymmetric routing scenarios. Besides, few of them are applicable in high-speed networks. The paper designs a DDoS detection scheme customized for high-speed networks and takes asymmetric routing scenarios into account. Systematic sampling is applied to high-speed incoming traffic, and a proposed Double Composite Structure Sketch (DCSS) is utilized for fast recording and extraction of features based on the characteristics of DDoS attacks in both symmetric and asymmetric routing scenarios. Then classifiers are trained for online DDoS detection. Our experimental results using the public dataset show that in a 10Gbps network with asymmetric routing, our approach can accurately detect UDP Flood and SYN Flood attacks within 20 seconds when the sampling rate is set to 1/2048.