DDoS attack detection using frequency domain characteristics

Abstract

Providing 24-hour service to the users, is one of the major concerns of network administrators. A denial of service attack refers to a condition that a server cannot give normal services to its legitimate clients due to the large amount of bogus packets sent by an unknown source. In a distributed denial of service (DDoS) attack, an attacker launches the attack on a server via a large number of unaware computers through Internet. During a DDoS attack, the victim is forced to reply to the requests from those infected nodes called zombies. The rst step of countermeasure against these types of threats is detection. Conventional methods analyze the contents of packets arrived to the victim node to nd an abnormality. Although they can identify some simple attacks, they are almost unable to segregate the source of normal tra c from attack one when attackers alter the source IP address into the normal source IP address. Additionally the contents of the abnormal packets are usually changed intentionally by attackers to be close to those in normal packets and therefore they can easily be passed through a system employing traditional detection approaches. In this thesis, a frequency domain analysis is proposed to detect DDoS attacks. The number of packets received by the victim in a speci c interval are sampled and considered as a random process. Employing two di erent methods of power spectral density estimation, the frequency characteristic of the time series is estimated. Using each spectrum estimation methods, two sets of frequency characteristics, one for normal and another for DDoS tra c, are acquired, and utilized by a signature based intrusion detection system to detect abnormality.