An Experience Report on Scalable Implementation of DDoS Attack Detection

  • Sri Yogesh Dorbala
  • Kishore R.
  • Neminath HubballiEmail author
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 215)


Distributed Denial of Service (DDoS) attacks are increasingly becoming powerful and crippling many networks and services in Internet. Many methods have been proposed to mitigate and detect DDoS attacks in the literature. These techniques require processing large amount of network traffic in real time. In order to process this bulky network traffic, in this paper we report an experimental investigation of scalable implementation. In our experiments we used distributed computing framework of Apache Hadoop to achieve the scalability. We implemented clustering and classification algorithms for detecting DDoS attack. Several experiments on a DDoS dataset and normal dataset of sizes ranging from 1 GB to 80 GB resulted in performance improvements.


Distributed Denial of Service Scalable implementation Attack detection 



The authors would like to acknowledge Center for Applied Internet Data Analysis (CAIDA) and MIT Lincoln Laboratory for providing access to their 2007 DDoS attack dataset and DARPA 99 dataset respectively.


  1. 1.
  2. 2.
    Geva, M., Herzberg, A., Gev, Y.: Bandwidth distributed denial of service: attacks and defenses. IEEE/ACM Trans. Network. 12(1), 54–61 (2014)Google Scholar
  3. 3.
  4. 4.
    Ferguson, P., Senie, D.: Network ingress filtering: defeating denial of service attacks which employ IP source address spoofing. RFC 2827, May 2000Google Scholar
  5. 5.
    Distler, D.: Performing Egress Filtering. SANS Institute Infosec Reading Room (2008)Google Scholar
  6. 6.
    MANANET: The reverse firewall: defeating DDOS attacks emanating from a local area network.
  7. 7.
  8. 8.
    Wang, H., Jin, C., Shin, K.G.: Defense against spoofed IP traffic using hop-count filtering. IEEE/ACM Trans. Network. 15(1), 40–53 (2007)CrossRefGoogle Scholar
  9. 9.
    Gont, F., Bellovin, S.: Defending against sequence number attacks. RFC 6528, February 2012Google Scholar
  10. 10.
    Lee, Y., Kang, W., Lee, Y.: A hadoop-based packet trace processing tool. In: Domingo-Pascual, J., Shavitt, Y., Uhlig, S. (eds.) TMA 2011. LNCS, vol. 6613, pp. 51–63. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  11. 11.
    Lee, Y., Lee, Y.: Toward scalable internet traffic measurement and analysis with hadoop. SIGCOMM Comput. Commun. Rev. 43(1), 5–13 (2012)CrossRefGoogle Scholar
  12. 12.
    Mirkovic, J., Reiher, P.: D-ward: a source-end defense against flooding denial-of-service attacks. IEEE Trans. Dependable Secure Comput. 2(3), 216–232 (2005)CrossRefGoogle Scholar
  13. 13.
    Gil, T. M., Poletto, M.: MULTOPS: a datastructure for bandwidth attack detection. In: Proceedings of 10th Usenix Security Symposium, pp. 23–38 (2001)Google Scholar
  14. 14.
    Chou, J., Lin, B., Sen, S., Spatscheck, O.: Proactive surge protection: a defense mechanism for bandwidth-based attacks. IEEE/ACM Trans. Network. 17(6), 1711–1723 (2009)CrossRefGoogle Scholar
  15. 15.
    Gev, Y., Geva, M., Herzberg, A.: Backward traffic throttling to mitigate bandwidth floods. In: Proceedings of Global Communication Conference (GLOBECOME 2012), pp. 904–910 (2012)Google Scholar
  16. 16.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Practical network support for IP traceback. In: SIGCOMM 2000: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 295–306 (2000)Google Scholar
  17. 17.
    Peng, T., Leckie, C., Ramamohanarao, K.: Adjusted probabilistic packet marking for ip traceback. In: Gregori, E., Conti, M., Campbell, A.T., Omidyar, G., Zukerman, M. (eds.) NETWORKING 2002: Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications. LNCS, vol. 2345, pp. 697–708. Springer, Heidelberg (2002) Google Scholar
  18. 18.
    Belenky, A., Ansari, N.: IP traceback with deterministic packet marking. IEEE Commun. Lett. 7(4), 162–165 (2003)CrossRefGoogle Scholar
  19. 19.
    Paruchuri, V., Durresi, A., Chellappan, S.: TTL based packet marking for IP traceback. In: GLOBECOM 2008: Proceedings of the GLOBCOM Conference, pp. 1–5 (2008)Google Scholar
  20. 20.
    Goldstein, M., Lampert, C., Reif, M., Stahl, A. Breuel, T.: Bayes optimal DDOS mitigation by adaptive history-based ip filtering. In: Proceedings of the Seventh International Conference on Networking, pp. 174–179 (2008)Google Scholar
  21. 21.
    Yi, F., Yu, S., Zhou, W., Hai, J., Bonti, A.: Source-based itering scheme against DDOS attacks. Int. J. Database Theory Appl. 1(1), 9–20 (2008)Google Scholar
  22. 22.
    Jin, C., Wang, H., Shin, K.G.: Hop-count filtering: an effective defense against spoofed DDOS traffic. In: CCS 2003: Proceedings of the 10th ACM Conference on Computer and Communications Security, pp. 30–41 (2003)Google Scholar
  23. 23.
    Weinsberg, U., Shavitt, Y., Schwartz, Y.: Stability and symmetry of internet routing. In: IEEE International Conference on Computer Communications Workshops, pp. 407–408 (2010)Google Scholar
  24. 24.
  25. 25.
    Dean, J., Ghemawat, S.: Mapreduce: simplified data processing on large clusters. In: Proceedings of the 6th Conference on Symposium on Opearting Systems Design & Implementation, vol. 6, pp. 137–149 (2004)Google Scholar
  26. 26.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Sri Yogesh Dorbala
    • 1
  • Kishore R.
    • 1
  • Neminath Hubballi
    • 1
    Email author
  1. 1.Discipline of Computer Science and EngineeringIndian Institute of Technology IndoreIndoreIndia

Personalised recommendations