Classification of UDP Traffic for DDoS Detection presented at 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats 2012

by Xinming Ou, Alexandru g. Bardas, Loai Zomlot, Sathya chandran Sundaramurthy, S. raj Rajagopalan, Marc Eisenbarth,

Tags: UDP DDoS


Summary : UDP traffic has recently been used extensively in flooding-based distributed denial of service (DDoS) at- tacks, most notably by those launched by the Anony- mous group. Despite extensive past research in the gen- eral area of DDoS detection/prevention, the industry still lacks effective tools to deal with DDoS attacks leverag- ing UDP traffic. This paper presents our investigation into the proportional-packet rate assumption, and the use of this criterion to classify UDP traffic with the goal of detecting malicious addresses that launch flooding-based UDP DDoS attacks. We conducted our experiments on data from a large number of production networks includ- ing large corporations (edge and core), ISPs, universities, financial institutions, etc. In addition, we also conducted experiments on the DETER testbed as well as a testbed of our own. All the experiments indicate that proportional- packet rate assumption generally holds for benign UDP traffic and can be used as a reasonable criterion to differ- entiate DDoS and non-DDoS traffic. We designed and implemented a prototype classifier based on this crite- rion and discuss how it can be used to effectively thwart UDP-based flooding attacks.