Distinguishing between FE and DDoS Using Randomness Check

  • Hyundo Park
  • Peng Li
  • Debin Gao
  • Heejo Lee
  • Robert H. Deng
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5222)


Threads posed by Distributed Denial of Service (DDoS) attacks are becoming more serious day by day. Accurately detecting DDoS becomes an important and necessary step in securing a computer network. However, Flash Event (FE), which is created by legitimate requests, shares very similar characteristics with DDoS in many aspects and makes it hard to be distinguished from DDoS attacks. In this paper, we propose a simple yet effective mechanism called FDD (FE and DDoS Distinguisher) to distinguish FE and DDoS. To the best of our knowledge, this is the first effective and practical mechanism that distinguishes FE and DDoS attacks. Our trace-driven evaluation shows that FDD distinguishes between FE and DDoS attacks accurately and efficiently by utilizing only memory of a very small size, making it possible to be implemented on high-speed networking devices.


Network Security Distributed Denial of Service Flash Event Randomness Check 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Feldman, A., Gilbert, A.D., Huang, P., Willinger, W.: Dynamics of IP traffic: A study of the role variability and the impact of control. In: ACM SIGCOMM (1999)Google Scholar
  2. 2.
    Rukhin, A., Soto, J., Nechvatal, J., Smid, M., Barker, E., Leigh, S., Levenson, M., Vangel, M., Banks, D., Heckert, A., Dray, J., Vo, S.: A statistical test suite for random and pseudorandom number generators for cryptographic applications, May 2001, vol. 800(22). NIST Special Publication (2001)Google Scholar
  3. 3.
    Stavrou, A., Keromytis, A.D.: Countering DoS attacks with stateless multipath overlays. In: ACM Computer and Communication Security (November 2005)Google Scholar
  4. 4.
    Krishnamurthy, B., Wang, J.: On network-aware clustering of web clients. In: ACM SIGCOMM (August 2000)Google Scholar
  5. 5.
    Moore, D., Voelker, G.M., Savage, S.: Inferring internet Denial-of-Service activity. In: USENIX Security Symposium (2001)Google Scholar
  6. 6.
    Marsaglia, G., Tsay, L.H.: Matrices and the structure of random number sequences. Linear Algebra Appl. Elsevier Science 67, 147–156 (1985)zbMATHCrossRefMathSciNetGoogle Scholar
  7. 7.
    Marsaglia, G.: Diehard: A battery of tests of randomness (1996),
  8. 8.
    Kim, H., Bahk, S., Kang, I.: Real-time visualization of network attacks on high-speed links. IEEE Network Magazine 18, 30–39Google Scholar
  9. 9.
    Park, H., Lee, H., Kim, H.: Detecting unknown worms using randomness check. IEICE Trans. Communication E90-B(4), 894–903 (2007)CrossRefGoogle Scholar
  10. 10.
    Wang, H., Zhang, D., Shin, K.G.: Detecting SYN flooding attacks. IEEE INFOCOM2002 3, 1530–1539 (2002)Google Scholar
  11. 11.
    Jung, J., Krishnamurthy, B., Rabinovich, M.: Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites. In: World Wide Web (May 2002)Google Scholar
  12. 12.
    Argyraki, K.: Active internet traffic filtering: real-time response to Denial-of-Service attacks. In: USENIX Annual Technical Conference (April 2005)Google Scholar
  13. 13.
    Adamic, L.A.: Zipf, power-laws, and pareto - a ranking tutorial (1999),
  14. 14.
    Gordon, L.A., Loeb, M.P., Lucyshn, W., Richardson, R.: CSI/FBI computer crime and security survey. In: Computer Security Inst. (2004)Google Scholar
  15. 15.
    Feinstein, L., Schackenberg, D., Balupari, R., Kindred, D.: Statistical approaches to DDoS attack detection and response. In: the DARPA Information Survivability Conference and Exposition(DISCEX 2003) (2003)Google Scholar
  16. 16.
    Niven, L.: Flash crowd, The Flight of the Horse. Ballantine Books (1971)Google Scholar
  17. 17.
    Casado, M., Akella, A., Cao, P., Provos, N., Shenker, S.: Cookies Along trust-boundaries(CAT): accurate and deployable flood protection. In: USENIX Workshop on Steps to Reducing Unwanted Traffic on the Internet(SRUTI) (July 2006)Google Scholar
  18. 18.
    Peng, T., Leckie, C., Rnmamohanarao, K.: Proactively detecting Distributed Denial of Service attacks using source IP address monitoring. In: Networking 2004, pp. 771–782 (2004)Google Scholar
  19. 19.
    He, Y., Chen, W., Xiao, B.: Detecting SYN flooding attacks near innocent side. In: Jia, X., Wu, J., He, Y. (eds.) MSN 2005. LNCS, vol. 3794, pp. 443–452. Springer, Heidelberg (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Hyundo Park
    • 1
  • Peng Li
    • 2
  • Debin Gao
    • 2
  • Heejo Lee
    • 1
  • Robert H. Deng
    • 2
  1. 1.Korea UniversitySeoulKorea
  2. 2.School of Information SystemsSingapore Management UniversitySingapore

Personalised recommendations