P. Mohana Priya, V. Akilandeswari, S. Shalinie, V. Lavanya, M. Shanmuga Priya
{"title":"The Protocol Independent Detection and Classification (PIDC) system for DRDoS attack","authors":"P. Mohana Priya, V. Akilandeswari, S. Shalinie, V. Lavanya, M. Shanmuga Priya","doi":"10.1109/ICRTIT.2014.6996154","DOIUrl":null,"url":null,"abstract":"High-rate flooding attack detection and classification has become a necessary component for network administrators due to their attack range that affects the Data Center servers. The main objective of this paper is to propose the Protocol Independent Detection and Classification (PIDC) system in order to prevent the web servers from devastating attacks such as Distributed Reflection Denial of Service (DRDoS) attacks. The DRDoS flooding attack exploits fixed IP spoofing to defeat the Distributed Denial of Service (DDoS) attack prevention measures. This is the first paper to detect and classify the types of reflected attacks using SNMP MIB variables. The proposed PIDC system uses the data mining and machine learning techniques to detect all types of reflected flooding attacks. The rank correlation based detection algorithm retrieves the incoming traffic in the form of Simple Network Management Protocol -Management Information Base (SNMP-MIB) variables and finds the relationship between the MIB variables to detect the attacks from the normal traffic. Then, C4.5 classification algorithm extracts and frames association rule based on protocol information from reflected DDoS flooding attacks. Finally, the CPU, memory and disk resource distribution to legitimate requests are also increased. This method achieves 99% of true positive rates and less false positive rate of (1%) when compared to existing reflected attack detection methods. 
Moreover, these attacks are classified by types such as TCP reflection attacks and DNS reflection attacks with the highest probability of attack traffic.","PeriodicalId":422275,"journal":{"name":"2014 International Conference on Recent Trends in Information Technology","volume":"11 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-04-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 International Conference on Recent Trends in Information Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICRTIT.2014.6996154","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 12
Abstract
Detection and classification of high-rate flooding attacks has become a necessary component for network administrators because the range of these attacks affects data center servers. The main objective of this paper is to propose the Protocol Independent Detection and Classification (PIDC) system to protect web servers from devastating attacks such as Distributed Reflection Denial of Service (DRDoS) attacks. The DRDoS flooding attack exploits fixed IP spoofing to defeat Distributed Denial of Service (DDoS) attack prevention measures. This is the first paper to detect and classify the types of reflected attacks using SNMP MIB variables. The proposed PIDC system uses data mining and machine learning techniques to detect all types of reflected flooding attacks. The rank-correlation-based detection algorithm retrieves the incoming traffic in the form of Simple Network Management Protocol Management Information Base (SNMP-MIB) variables and finds the relationship between the MIB variables to distinguish attacks from normal traffic. Then, the C4.5 classification algorithm extracts and frames association rules based on protocol information from reflected DDoS flooding attacks. Finally, the distribution of CPU, memory and disk resources to legitimate requests is also increased. This method achieves a true positive rate of 99% and a lower false positive rate (1%) than existing reflected attack detection methods. Moreover, these attacks are classified by type, such as TCP reflection attacks and DNS reflection attacks, with the highest probability of attack traffic.