Network Attack Detection at Flow Level

  • Aleksey A. Galtsev
  • Andrei M. Sukhov
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6869)


In this paper, we propose a new method for detecting unauthorized network intrusions, based on a traffic flow model and the Cisco NetFlow protocol. The method developed allows us not only to detect the most common types of network attack (DDoS and port scanning), but also to compile a list of the trespassers' IP addresses. Therefore, this method can be applied in intrusion detection systems, and in those systems which block these IP addresses.
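The abstract describes flow-level detection in general terms only; the following is an added illustration, not the authors' code or their actual model, of how flow records (NetFlow-style per-flow summaries of source, destination, port, protocol, packet and byte counts) can be aggregated to flag the two attack patterns named above and to produce a list of offending addresses. The record format, the sample flows and the thresholds (`SCAN_MIN_TARGETS`, `SCAN_MAX_PKTS`, `DDOS_MIN_SOURCES`) are assumptions made here for the example; a real deployment would derive thresholds from a baseline of the monitored network and evaluate flows per export interval.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A simplified flow record (assumed format for this example, not a real NetFlow export)."""
    src: str
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src,dst,dport,proto,packets,bytes' line."""
    src, dst, dport, proto, packets, nbytes = line.strip().split(",")
    return Flow(src, dst, int(dport), proto, int(packets), int(nbytes))


# Assumed thresholds; tune against the observed baseline of the network.
SCAN_MIN_TARGETS = 10   # distinct (dst, port) pairs touched by one source
SCAN_MAX_PKTS = 3       # probe and flood flows carry very few packets
DDOS_MIN_SOURCES = 20   # distinct small-flow sources hitting one destination


def detect_port_scanners(flows, min_targets=SCAN_MIN_TARGETS, max_pkts=SCAN_MAX_PKTS):
    """A source that opens many tiny flows to many distinct (host, port) pairs looks like a scanner."""
    targets = defaultdict(set)
    for f in flows:
        if f.packets <= max_pkts:
            targets[f.src].add((f.dst, f.dport))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)


def detect_ddos_victims(flows, min_sources=DDOS_MIN_SOURCES, max_pkts=SCAN_MAX_PKTS):
    """A destination receiving tiny flows from many distinct sources looks like a flood victim.

    Sources that also sent at least one sizeable flow to the destination are treated as
    legitimate clients and left out of the suspect list, so they are not blocked by mistake.
    """
    seen = defaultdict(set)
    large = defaultdict(set)
    for f in flows:
        seen[f.dst].add(f.src)
        if f.packets > max_pkts:
            large[f.dst].add(f.src)
    victims = {}
    for dst, srcs in seen.items():
        suspects = srcs - large[dst]
        if len(suspects) >= min_sources:
            victims[dst] = sorted(suspects)
    return victims


def blocklist(flows):
    """Union of scanner addresses and suspected flood sources, as a sorted list for a blocking system."""
    ips = set(detect_port_scanners(flows))
    for srcs in detect_ddos_victims(flows).values():
        ips.update(srcs)
    return sorted(ips)


def build_sample_flows():
    """Constructed sample: two normal sessions, one port scan, one distributed flood."""
    lines = [
        "10.0.0.5,10.0.0.80,443,tcp,120,90000",   # normal client session
        "10.0.0.6,10.0.0.80,443,tcp,40,22000",    # normal client session
    ]
    # Port scan: one source, one packet to each of 16 ports on one host.
    lines += [f"192.0.2.10,10.0.0.80,{port},tcp,1,60" for port in range(20, 36)]
    # Flood: 25 distinct sources, each sending a tiny flow to port 80 of one host.
    lines += [f"198.51.100.{i},10.0.0.80,80,tcp,2,120" for i in range(1, 26)]
    return [parse_flow(line) for line in lines]


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanners:", detect_port_scanners(sample))
    print("flood victims:", {d: len(s) for d, s in detect_ddos_victims(sample).items()})
    print("blocklist size:", len(blocklist(sample)))
```

On the sample, the scanner is the only source touching ten or more distinct host/port pairs with tiny flows, and the victim host sees 26 small-flow sources (the 25 flood sources plus the scanner) while the two normal clients, having sent large flows, are excluded from the suspect list. Whether a given address goes on the list depends entirely on the thresholds, which is why they must come from a measured baseline rather than fixed constants.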


Keywords: DDoS attack, flow traffic model, Cisco NetFlow





Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Aleksey A. Galtsev (1)
  • Andrei M. Sukhov (1)

  1. Samara State Aerospace University, Samara, Russia
