Detecting DDoS Attacks Near The Edge with Router Canaries

Abstract

As consumers place more devices within their local networks the ability to detect and disrupt Distributed Denial of Service (DDoS) attacks must move closer to the edge in order to provide resilient and effective decentralized protection. To move detection from centralized entities towards the edge a distributed technique to detect DDoS attacks through the use of entropy-based canaries located near edge devices (e.g., switches, and routers) is proposed. The benefit of this approach is that a set of infrastructure devices could prevent attacks using hijacked devices from ever leaving local networks. In order to evaluate this approach an open-source Python software package was built on top of the Common Open Research Emulator (CORE) in order to simulate and assess these entropy-based canaries. This distributed entropy-based detection technique, based on prior centralized entropy-techniques, is able to achieve 100% detection rate even when attacker-node comprise only 25% of the total nodes. While these distributed entropy-based canaries can rapidly detect simulated DDoS attacks with high accuracy these preliminary results motivate future investigation using more diverse typologies and real-world data.