History-Based Throttling of Distributed Denial-of-Service Attacks

  • Negar Mosharraf
  • Anura P. JayasumanaEmail author
  • Indrakshi Ray
  • Bruhadeshwar Bezawada
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 990)


Distributed Denial-of-Service (DDoS) attack has been identified as one of the most serious threats to Internet services. The attack denies service to legitimate users by flooding and consuming network resources of the target server. We propose a distributed defense mechanism that filters out malicious traffic and allows significant legitimate traffic during an actual attack. We investigate the features of network traffic that can be used to do such filtration and describe a history-based profiling algorithm to identify legitimate traffic. We use Bloom filters to efficiently implement the history-based profile model, which serves to reduce the communication and computation costs. To further improve communication and computation costs, we describe two optimizations: (a) using only three octets of the IP address to generate the history profile, and (b) a data structure called Compacted Bloom Filter, which is a modified version of a regular Bloom filter. We use these notions as building blocks to describe a distributed framework called Collaborative Filtering for filtering attack traffic as far away as possible from the target server. The proposed techniques identify a set of nodes that are best suited for filtering attack traffic, and places the Bloom filters in these locations. The approach is evaluated on different real-world data sets from Auckland University, CAIDA, and Colorado State University. Under different experimental settings, we demonstrate that 70–95% attack traffic can be filtered by our approach while allowing the flow of a similar percentage of legitimate traffic.


Distributed Denial-of-Service attack Flooding attack Network security Bloom filter 


  1. 1.
    Mosharraf, N., Jayasumana, A.P., Ray, I.: Using a history-based profile to detect and respond to DDoS attacks. In: Proceedings of the 14th International Joint Conference on e-Business and Telecommunications (ICETE 2017) - Volume 4: SECRYPT, pp. 175–186 (2017)Google Scholar
  2. 2.
    Steinberger, J., Sperotto, A., Baier, H.: Collaborative attack mitigation and response: a survey. In: IFIP/IEEE International Symposium on IM, pp. 910–913 (2005)Google Scholar
  3. 3.
    Munivara Prasad, K., Rama Mohan Reddy, A., Venugopal Rao, K.: DoS and DDoS attacks: defense, detection and traceback mechanisms - a survey. J. JCST 14, 15–32 (2014)Google Scholar
  4. 4.
    Gil, T.M., Poletto, T.: MULTOPS: a data-structure for bandwidth attack detection. In: Proceedings of USENIX Security Symposium (2001)Google Scholar
  5. 5.
    Waikato Applied Network Dynamics Research Group: Auckland University data traces (2016). Accessed 12 Mar 2016
  6. 6.
    Schwartz, M.J.: DDoS attack hits 400 Gbit/s, breaks record (2014). Accessed 2 Nov 2014
  7. 7.
  8. 8.
    DDoS incident report (2018). Accessed 04 Apr 2018Google Scholar
  9. 9.
    Chen, Y., Hwang, K., Ku, W.S.: Collaborative detection of DDoS attacks over multiple network domains. IEEE Trans. Parallel Distrib. Syst. 18, 1649–1662 (2007)CrossRefGoogle Scholar
  10. 10.
    Chen, C., Park, J.M.: Attack diagnosis: throttling distributed denial-of-service attacks close to the attack sources. In: Proceedings of IEEE ICCCN, pp. 275–280 (2005)Google Scholar
  11. 11.
    (2018). Accessed 1 Apr 2018Google Scholar
  12. 12.
    Yaar, Y., Perrig, A., Song, D.: Pi: a path identification mechanism to defend against DDoS attacks. In: Proceedings of IEEE S&P, pp. 93–107 (2003)Google Scholar
  13. 13.
    Wang, H., Jin, C., Shin, K.: Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans. Netw. 15, 40–53 (2007)CrossRefGoogle Scholar
  14. 14.
    Kim, Y., Lau, W., Chuah, M., et al.: PacketScore: statistics-based overload control against distributed denial of service attacks. In: Proceedings of INFOCOM, pp. 141–155 (2004)Google Scholar
  15. 15.
    Ioannidis, J., Bellovin, S.: Implementing pushback: router-based defense against DDoS attacks. In: Proceedings of NDSS (2002)Google Scholar
  16. 16.
    Mirkovic, J., Prier, G., Reiher, P.L.: Attacking DDoS at the source. In: Proceedings of IEEE ICNP, pp. 312–321 (2002)Google Scholar
  17. 17.
    Mahajan, R., Bellovin, S.M., Floyd, S., et al.: Controlling high bandwidth aggregates in the network. ACM SIGCOMM 32, 62–73 (2002)CrossRefGoogle Scholar
  18. 18.
    Papadopoulos, C., Lindell, R., Mehringer, J., et al.: COSSACK: coordinated suppression of simultaneous attacks. In: Proceedings of Discex III, pp. 94–96 (2003)Google Scholar
  19. 19.
    Francois, J., Aib, I., Boutaba, R.: FireCol: a collaborative protection network for the detection of flooding DDoS attacks. IEEE/ACM Trans. Netw. 20, 1828–1841 (2012)CrossRefGoogle Scholar
  20. 20.
    Aghaei Foroushani, Z.H.: TDFA: traceback-based defense against DDoS flooding attacks. In: Proceedings of AINA IEEE, pp. 710–715 (2014)Google Scholar
  21. 21.
    Luo, H., Chen, Z., Li, J., Vasilakos, A.V.: Preventing distributed denial-of-service flooding attacks with dynamic path identifiers. IEEE Trans. Inf. Forensics Secur. 12, 1801–1815 (2017)CrossRefGoogle Scholar
  22. 22.
    Hameed, S., Khan, H.A.: SDN based collaborative scheme for mitigation of DDoS attacks. Future Internet 10, 23 (2018)CrossRefGoogle Scholar
  23. 23.
    Sung, M., Xu, J.: IP traceback-based intelligent packet filtering: a novel technique for defending against internet DDoS attacks. IEEE Trans. Parallel Distrib. Syst. 14, 861–872 (2003)CrossRefGoogle Scholar
  24. 24.
    Yaar, Y., Perrig, A., Song, D.: SIFF: a stateless internet flow filter to mitigate DDoS flooding attacks. In: Proceedings of IEEE S&P, pp. 130–143 (2004)Google Scholar
  25. 25.
    Peng, T., Leckie, C., Ramamohanarao, K.: Detecting distributed denial of service attacks using source IP address monitoring. In: Proceedings of NETWORKS (2004)Google Scholar
  26. 26.
    Wang, H., Zhang, D., Shin, K.: Change-Point monitoring for the detection of DoS attacks. IEEE Trans. Dependable Secure Comput. 1, 193–208 (2004)CrossRefGoogle Scholar
  27. 27.
    Manikopoulos, C., Papavassiliou, S.: Network intrusion and fault detection: a statistical anomaly approach. IEEE Commun. Mag. 40, 76–82 (2002)CrossRefGoogle Scholar
  28. 28.
    Noh, S., Jung, G., Choi, K., et al.: Compiling network traffic into rules using soft computing methods for the detection of flooding attacks. J. Appl. Soft Comput. 8, 1200–1210 (2008)CrossRefGoogle Scholar
  29. 29.
    Mirkovic, J., Reiher, P.: D-WARD: a source-end defense against flooding denial-of-service attacks. IEEE Trans. Dependable Secure Comput. 2, 216–232 (2005)CrossRefGoogle Scholar
  30. 30.
    Wang, H., Zhang, D., Shin, K.: Detecting SYN flooding attacks. In: Proceedings of IEEE INFOCOM, pp. 530–1539 (2002)Google Scholar
  31. 31.
    Peng, T., Leckie, C., Ramamohanarao, K.: Protection from distributed denial of service attack using history-based IP filtering. In: Proceedings of IEEE ICC, pp. 482–486 (2003)Google Scholar
  32. 32.
    Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv. 39, 1–42 (2007)CrossRefGoogle Scholar
  33. 33.
    RioRey Inc.: Taxonomy DDoS attacks (2012). Accessed 24 Dec 2015
  34. 34.
    Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites. In: Proceedings of WWW Conference, pp. 293–304 (2002)Google Scholar
  35. 35.
    Lee, K., Kim, J., Kwon, K.H., et al.: DDoS attack detection method using cluster analysis. Expert Syst. Appl. 34, 1659–1665 (2007)CrossRefGoogle Scholar
  36. 36.
    Bloom, B.H.: Space/time trade-offs in hash coding with allowable errors. Commun. ACM 13, 422–426 (1970)CrossRefGoogle Scholar
  37. 37.
  38. 38.
    Melander, B., Bjorkman, M., Gunningberg, P.: A new end-to-end probing and analysis method for estimating bandwidth bottlenecks. In: Global Telecommunications Conference, GLOBECOM 2000, vol. 1, pp. 415–420. IEEE (2000)Google Scholar
  39. 39.
    IMPACT Cyber Trust: Colorado state university dataset: FRGPContinuousFlowData (2015). Accessed 26 Oct 2016Google Scholar
  40. 40.
    Center for Applied Internet Data Analysis: The CAIDA “DDoS Attack 2007” dataset (2007). Accessed 7 May 2016
  41. 41.
    (1998, D.I.D.D.)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Negar Mosharraf
    • 1
  • Anura P. Jayasumana
    • 1
    Email author
  • Indrakshi Ray
    • 2
  • Bruhadeshwar Bezawada
    • 2
  1. 1.Department of Electrical and Computer EngineeringColorado State UniversityFort CollinsUSA
  2. 2. Department of Computer ScienceColorado State UniversityFort CollinsUSA

Personalised recommendations