A Heuristic DDoS Flooding Attack Detection Mechanism Analyses based on the Relationship between Input and Output Traffic Volumes

Fengxiang Zhang, S. Abe
Published in: 2007 16th International Conference on Computer Communications and Networks
Publication date: 2007-09-24
DOI: 10.1109/ICCCN.2007.4317915 (https://doi.org/10.1109/ICCCN.2007.4317915)
Citations: 6

Abstract

Nowadays various kinds of anomalies are preventing the widely used Internet from offering normal services. Among them, a novel anomaly is caused by bandwidth attacks. To defend against these threats, many detection schemes are essentially based on unidirectional checking of traffic changes. When legitimate abrupt changes appear, they might result in false alarms. In this paper we consider the problem from the bidirectional-traffic view and analyze the traffic characteristics by checking the input/output traffic characteristics of the protected network node. We have analyzed the relationship between input and output traffic volume pairs in the simulation traffic and studied them under both normal and abnormal cases. Based on these analyses, we have proposed a heuristic DDoS flooding attack detection method and shown a verifying simulation as well.