Discriminating DRDoS packets using time interval analysis

The Distributed Reflection Denial of Service (DRDoS) attack represents a critical security threat. Because such attacks generate unidirectional traffic, it is difficult for the targets to protect themselves. To mitigate such attacks, defense mechanisms must be installed on backbone networks to detect and block the attack traffic before it reaches its final destination. Conventional approaches monitor the traffic volume and assume that an attack is in progress if the observed volume exceeds a certain threshold. However, this simple approach allows the attacker to evade detection by adjusting the traffic volume. In this study, we propose a novel approach that accurately detects DRDoS attacks using the time intervals between arriving packets. We applied a K-means clustering algorithm to identify the appropriate threshold value. The proposed algorithm was implemented at a real data center, and the results demonstrated the high level of accuracy that our approach can achieve.
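The following sketch is an added example, not code from the paper: it runs a one-dimensional K-means (k = 2) over packet inter-arrival times and derives a threshold from the two cluster centres. The abstract does not give the feature set, the value of k, or the threshold rule, so the midpoint rule, the treatment of short gaps as suspect, and every name and timestamp below are assumptions made for illustration.

```python
# Added illustration; timestamps are constructed, in microseconds.
SAMPLE_TS_US = [0, 50000, 130000, 190000, 260000, 261000, 262000,
                264000, 265000, 266000, 320000, 390000]

def inter_arrival(timestamps):
    """Gaps between consecutive packet arrivals."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def kmeans_1d(values, k=2, max_iter=100):
    """Lloyd's algorithm on scalars with deterministic quantile seeding."""
    vs = sorted(values)
    if len(vs) < k:
        raise ValueError("need at least k intervals")
    centroids = [float(vs[(2 * i + 1) * len(vs) // (2 * k)]) for i in range(k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for v in vs:
            nearest = min(range(k), key=lambda i: abs(v - centroids[i]))
            clusters[nearest].append(v)
        updated = [sum(c) / len(c) if c else centroids[i]
                   for i, c in enumerate(clusters)]
        if updated == centroids:
            break
        centroids = updated
    return sorted(centroids)

def interval_threshold(intervals):
    """Assumed rule: midpoint between the two cluster centres."""
    low, high = kmeans_1d(intervals, k=2)
    return (low + high) / 2

def flag_short_gaps(intervals, threshold):
    """Assumed direction: gaps below the threshold are treated as suspect."""
    return [dt < threshold for dt in intervals]

if __name__ == "__main__":
    gaps = inter_arrival(SAMPLE_TS_US)
    thr = interval_threshold(gaps)
    print(f"threshold = {thr:.0f} us, flagged = {sum(flag_short_gaps(gaps, thr))}/{len(gaps)}")
```

Because the threshold is learned from the spacing of packets rather than from their count, it does not move when the same traffic is merely observed over a longer or shorter window.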

