Network domain entrypoint/path determination for DDoS attacks

Abstract

A method to determine entry points and paths of DDoS attack traffic flows into network domains is proposed. We determine valid source addresses seen by routers from sampled traffic under non-attack conditions. Under attack conditions, we detect route anomalies by determining which routers have been used for unknown source addresses to construct the attack paths. We show results from simulations to detect the routers carrying attack traffic in the victim's network domain. Our approach is non-intrusive, not requiring any changes to the Internet routers and data packets. Precise information regarding the attack is not required allowing a wide variety of DDoS attack detection techniques to be used. The victim is also relieved from the traceback task during an attack. Our algorithm is simple and efficient, allowing for a fast traceback and the method is scalable due to the distribution of processing workload.