Use of access characteristics to distinguish legitimate user traffic from DDoS attack traffic
Distributed denial of service attacks are a serious threat in the current information society, where the Internet plays an important role as infrastructure. We have been studying ways to mitigate these attacks using a method that distinguishes between legitimate users and attacks. Our previous method was not sufficient because it only analyzed access logs after the attack. In this study, we propose a new method that can distinguish between legitimate users and attacks while the services are running. When the IDS detects an attack, a quarantine server distinguishes legitimate users using access characteristics. The access characteristics are: (1) whether the user follows links, (2) whether the sender accessed a popular page, and (3) the sender’s current average transmission interval. Our experiments confirmed that the proposed method can distinguish between legitimate users and attacks.
Keywords: DDoS, HTTP GET flood attack, OpenFlow
This work was supported by JSPS KAKENHI Grant numbers JP17H01736, JP17K00139, JP18K11268.
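The three access characteristics named in the abstract can be evaluated per sender from a request log on the quarantine server. The following Python is an added example, not code from the paper: the link graph, popular-page set, interval threshold, two-of-three rule and log entries are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed inputs, not from the paper: link graph, popular pages, thresholds.
LINKS = {
    "/": {"/news", "/products"},
    "/news": {"/", "/news/1"},
    "/products": {"/", "/products/a"},
}
POPULAR = {"/", "/news"}
MIN_AVG_INTERVAL = 1.0   # seconds; assumed cut-off for human-paced requests
MIN_SCORE = 2            # assumed number of characteristics needed to pass

# Constructed quarantine-server log: (sender, seconds, path)
SAMPLE_LOG = [
    ("10.0.0.5", 0.0, "/"), ("10.0.0.5", 4.2, "/news"),
    ("10.0.0.5", 11.0, "/news/1"),
    ("10.0.0.9", 0.00, "/products/a"), ("10.0.0.9", 0.05, "/products/a"),
    ("10.0.0.9", 0.10, "/products/a"), ("10.0.0.9", 0.15, "/products/a"),
    ("10.0.0.7", 2.0, "/"),
]

def characteristics(requests):
    """requests: time-ordered [(seconds, path)] for one sender."""
    seen, followed = set(), []
    for _, path in requests:
        # (1) link following: target is linked from a page already fetched
        if seen:
            followed.append(any(path in LINKS.get(p, ()) for p in seen))
        seen.add(path)
    times = [t for t, _ in requests]
    # (3) the average interval is undefined for a single request
    avg = (times[-1] - times[0]) / (len(times) - 1) if len(times) > 1 else None
    return {
        "follows_links": bool(followed) and all(followed),
        "popular_page": any(p in POPULAR for _, p in requests),  # (2)
        "avg_interval": avg,
    }

def classify(log):
    """Return {sender: 'legitimate' | 'unverified'} for a whole log."""
    by_sender = defaultdict(list)
    for sender, t, path in sorted(log, key=lambda r: r[1]):
        by_sender[sender].append((t, path))
    verdicts = {}
    for sender, reqs in by_sender.items():
        c = characteristics(reqs)
        slow = c["avg_interval"] is not None and c["avg_interval"] >= MIN_AVG_INTERVAL
        score = c["follows_links"] + c["popular_page"] + slow
        verdicts[sender] = "legitimate" if score >= MIN_SCORE else "unverified"
    return verdicts
```

A sender with a single request stays `unverified` because neither link following nor an average interval can be measured yet.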