DiCoTraM: A distributed and coordinated DDoS flooding attack tailored traffic monitoring

The success in detecting Distributed Denial of Service (DDoS) flooding attacks is highly dependent on the quality and quantity of the covered flows by the traffic monitoring mechanism that is employed in any DDoS defense mechanism. In this paper, we propose DiCoTraM, a DDoS flooding attack tailored distributed and coordinated traffic monitoring mechanism that centrally and periodically coordinates the monitoring responsibilities and distributes them among all the monitoring devices within each autonomous system (AS) while satisfying the monitoring devices' memory constraints. DiCoTraM monitors traffic flows in such a way that the flows intended for the same destination (possible network/transport level DDoS flooding attack flows) are analyzed together in the same monitoring device if there is enough memory to cover those flows on the monitoring device; hence, this can enable distributed detection mechanisms in place to analyze the monitored flows. The enabled distributed detection leads to reduced communication overhead that is a problem in centralized detection mechanisms as they need to collect centrally all the flows for analysis. Moreover, the centralized coordination structure of DiCoTraM eliminates the redundant flow monitoring among the routers. We simulate and compare DiCoTraM with other traffic monitoring mechanisms in terms of: the overall flow coverage, and the DDoS flooding attack flow coverage. The experimental results show that DiCoTraM, compared to other monitoring mechanisms, covers more DDoS flooding attack flows and it has reasonable overall flow coverage.