Measuring Defence Systems Against Flooding Attacks


Martine Bellaïche
Génie Informatique, Ecole Polytechnique de Montréal, Montréal, QC, CANADA

Jean-Charles Grégoire
INRS EMT, Montréal, QC, CANADA

Abstract

Denial of service (DoS) attacks strive to deny service access to legitimate users. A flooding attack uses massive volumes of otherwise useless traffic to occupy all the resources of a service, or the bandwidth of the network access links. There are many techniques, some implemented in commercial products, which are supposed to protect services against DDoS attacks. Our main contribution in this paper is to present a set of methods, together with their well-known related metrics, for evaluating defence systems against flooding attacks, and thus to be able to compare them. We argue that it is important to measure a defence system on several aspects: performance evaluation, deployment costs, degradation and robustness costs, both under and without attacks. We introduce composite metrics to measure the performance and the costs. Finally, another contribution is to propose guidelines for a testing methodology. This methodology identifies all experiments required for collecting all the metrics and associated costs.

Index Terms: Denial of Service, Flooding Attack, Defence System, Metrics.

I. INTRODUCTION

Denial of service (DoS) attacks strive to deny service access to legitimate users. One form of attack is to use massive volumes of otherwise useless traffic to occupy all the resources of a service or the bandwidth of the network access links, hence squeezing out the traffic of legitimate users. This form of attack is based on a flood. It is called a Distributed Denial of Service (DDoS) when the attack traffic comes from multiple sources, thus amplifying its effect. There are many techniques, some of which are implemented in commercial products, with the purpose of protecting services against DDoS attacks.
Below, we identify 4 techniques, possibly in complementary categories of defence against DDoS attacks: (1) prevention, (2) detection, (3) reaction, and (4) source identification:

(1) Prevention makes it possible to avoid attacks by stopping them before a service denial occurs.
(2) Detection makes it possible to detect the attack when it occurs.
(3) Reaction follows an attack detection and is meant to stop or to reduce the impact of the attack.
(4) Source identification makes it possible to locate the origin of the attack and to deal with it specifically.

The defence mechanisms can be deployed either at the victim, intermediate or source network [1]. At the victim's network, the defence mechanism protects the target against DDoS. At the intermediate network, the defence mechanism provides a generic protection to the victims of DDoS attacks. At the source network, the goal of the defence mechanism is to prevent network users from generating DDoS attacks, maliciously or not. In [2], Peng et al. present a survey of defence mechanisms against flooding attacks.

An efficient defence system must be able to preserve service performance during a denial of service attack, to minimize the disturbances on legitimate traffic and to minimize any interference with the legitimate traffic when there is no attack.

In this paper, our study focuses on means to quantify the performance of defence systems that include prevention, detection and reaction. To evaluate the performance of DDoS defences in a uniform way, we propose a set of evaluation techniques associated with specific, most widely known metrics, which will help to establish the accuracy and effectiveness of the defence. This effort is necessary in order to allow an objective and independent comparison of defence mechanisms, which is currently lacking in the state of the art [3]. We believe that it is important to estimate a defence system's effectiveness over several aspects: performance, deployment costs, service degradation and robustness costs (see figure 1).
For each aspect, a number of specific metrics exist and, since we want to evaluate every cost, we have to create simple and intuitive composite metrics in order to simplify the global evaluation of the defences. For this, we add up, with weighting coefficients, different metrics whose nature may be very different (e.g. time, percentage or volume) to end up with a score. Such a composite thus does not directly reflect a physical factor, but simplifies global comparison. Note also that keeping these aspects separate will help reflect different elements of a global cost, unlike work done on extracting a unique, global metric, e.g. user satisfaction. Finally, we need to evaluate the defence system's effectiveness in the presence and absence of an attack and include it in the computation of the metrics.

The paper is organized as follows. In section II, we review previous work on the evaluation of defence against (D)DoS. In section III, we review the evaluation of detection and defence techniques when a service is under attack. In section IV, we identify all relevant elements to assess degradation, robustness and deployment of a defence system against DDoS. In section V, we identify a methodology for testing our evaluation technique. In section VI, we present an example for measuring the detection technique. Finally, we present a discussion with a conclusion in section VII.

[Fig. 1. Evaluation Environment of a DDoS Defence System. Figure labels: Deployment cost; Degradation; Performance (Detection, Defense); Robustness cost.]

II. PREVIOUS WORK

In [4], Mölsä presents a taxonomy for the evaluation of the usefulness and effectiveness of defence mechanisms against flooding-based DDoS attacks. This taxonomy is an extension of work on DDoS attacks and defence mechanisms presented in [1]. But Mölsä's evaluation of defence mechanisms does not define performance-specific metrics and its set of criteria is difficult to use for comparing defence mechanisms.

Schwab et al. [5] measure the impact of the DDoS attack as the degradation of goodput (i.e. the application-level throughput), flow packet rate and server response rate. For the server, measures such as response time or server connexion completion times will increase with service degradation. As a metric for the effectiveness of the defence, the authors propose the time taken to remove a certain amount of attack traffic.

For Hussain et al. [3], the accuracy of the metric and the effectiveness of a defence are the rate and the probability of false positives and false negatives in attack detection. Another metric is the probability of detection, and another aspect of the effectiveness of the defence is finding the exact breaking point of a defence, i.e. the maximum attack rate such that the filtering defence does not drop any legitimate traffic.

The metric presented by Mirkovic et al. [6] makes it possible to evaluate whether legitimate clients receive an acceptable service or not during an attack. An effective defence must minimize the impact of DDoS by reducing the percentage of failed transactions.
Thus, by measuring the impact of the denial of service, the authors are able to implicitly evaluate the effectiveness of the counteracting defence.

In [7], Mirkovic et al. propose to divide the legitimate traffic of the network into user tasks called transactions and to classify these transactions into application-level categories. For each category, they define a Quality of Service (QoS) condition which must be satisfied for all transactions. The impact of DDoS is then measured as the percentage of the transactions in each category which did not meet their QoS conditions. The difficulty is to find fair threshold values for each application which, when exceeded, indicate a failure of the QoS condition. Moreover, in the DDoS impact metric, a weight is given for each category of application, and a wrong choice of weight could lead to a false conclusion.

To summarize, previous work proposes a number of different metrics, but their diversity makes it difficult to comparatively evaluate defence systems. However, a recurring trend can be recognized: in all methods, it is important to assess how traffic from legitimate users might suffer from the attack, either through reduced availability, or through being wrongly identified as attack traffic.

III. PERFORMANCE EVALUATION

The performance evaluation is made under attack. It consists of an evaluation of detection, prevention and reaction systems. Sensitivity evaluates the role that the parameters of the defence (for example, thresholds) play in the performance (see section III-C). The performance level is itself reflected by the combination of a number of metrics.

A. Detection Performance

Recall that detection is important because, if we can detect an attack before service is denied, we can correct it by deploying a reaction or a prevention countermeasure, thus offering fast protection to the legitimate users.
In addition, detection can allow the identification of attackers and the blocking of the attack at the source.

In order to protect the victim efficiently, the essential objectives are to detect attacks quickly, with accuracy and with minimal deployment costs (see section IV-C). Deployment costs will reflect the complexity of the detection method, measured according to the changes it requires to a defenceless service architecture (see footnote 1). These overall objectives translate into the following criteria: accuracy, latency or detection time, reliability and cost (see section IV-C).

Footnote 1: Note that, at this level, we are not considering the cost of loss of service vs. the cost of the deployment of a detection system.

1) Accuracy: Accuracy measures the correctness of the detection and is composed of two elements: the detection rate and the rate of false positives.

a) Detection Rate: The detection rate is the percentage of attacks that are detected as compared to the total number of attacks [8]. This metric, associated with the detection time, validates the detection mechanism for each attack. Similarly, the non-detection rate or false negative rate is a way of determining the errors made by defences in not identifying the attacks. It corresponds to the percentage of undetected attacks compared to the total number of attacks. It is the complement of the detection rate.

b) Rate of False Positives: The rate of false positives or the rate of false detection alarms [9] is another way of assessing detection errors, made by identifying an attack when none occurred. This rate is the ratio between the number of erroneously-reported attacks and the total number of attacks. This metric verifies that the detection mechanism does not make (significant) mistakes.

2) Latency: The detection time or latency metric reflects the delay in the detection of attacks. The detection time of the attack is the interval of time between the beginning of an attack and its detection by the system. The detection time is important because an attack should be detected before any severe damage is done. The latency depends on a number of elements: there are architectural constraints, for example a polling cycle to acquire data, and algorithmic constraints, such as the existence of a time window to average the information over several acquisition cycles.

3) Reliability: The goal is to identify detection measures with a high sensitivity to an attack. For example, the entropy of the IP source addresses is reported as a good detection criterion by Feinstein et al. [10].

4) Overall Evaluation: From the description above, we see that an ideal detection technique must have a short latency $l$, as well as a rate of false negatives $n$ and a rate of false positives $p$ as low as possible. In short, it would be desirable that a technique can detect all attacks without giving any false alarms. But this is not an absolute: it is possible that a target may want a detection with a zero rate of false negatives, but could accept that false alarms (false positives) arise.

According to the importance of the different criteria, we define, for each metric, different weighting coefficients: $\alpha_l$ for the latency, $\alpha_n$ for the false negatives and $\alpha_p$ for the false positives, such that $\alpha_l + \alpha_n + \alpha_p = 1$. We can then calculate a composite metric for the overall evaluation of detection, $D$. This metric implicitly depends on the attack rate $a_{rate}$, the parameters of this rate (constant, increasing, pulsing or gradual and pulsing) and its duration $a_{duration}$.

$$D = \alpha_l l + \alpha_n n + \alpha_p p \qquad (1)$$

B. Protection against DDoS Attacks

We shall state that a defence system is effective if it provides a good service to legitimate customers while reducing the effects of denial of service attacks.
We have defined above that a defence system is composed of detection, prevention and reaction, where the latter two elements are called protection. Prevention is meant to eliminate the attack traffic before it arrives at the victim, while the reaction follows the detection of an attack. Once the protection is identified, we have to evaluate it by specifying goals.

1) Evaluation of Protection: For the evaluation of protection, we need to categorize some well-known metrics, which must address the overall goals of a defence system, that is:

1) To eliminate or minimize the denial of service attacks.
2) To provide a good service to legitimate clients or maximize the service to legitimate clients.
3) To minimize deployment costs (see section IV-C).

For each of these objectives, the relevant protection performance measures are presented in sections III-B2, III-B3 and IV-C below.

2) Attack Avoidance: The first objective of a good defence system is to eliminate the effects of DDoS attacks. Just as we have shown for attack detection, we find that the response time (latency) is an important metric for protection: it is clear that a reaction to a DDoS attack must have a very short response time. Furthermore, just as detection may have a rate of false negatives, protection may have its own issues with not being able to address all identified attack traffic. This protection miss rate leads in turn to the identification of an overall rate of false positives, for the whole defence system.

a) Attack Response Time: Even though attacks may be detected quickly, the defence becomes efficient only from the time the attack traffic starts to be rejected or limited [11].

b) Protection Miss: The false negative rate reflects the errors made by a defence system which does not remove the attacks correctly. It is the rate of accepting attack traffic as legitimate traffic, that is, the ratio of the attack traffic accepted by the victim over the total amount of attack traffic.
c) Rate of Rejection of Attack Traffic: This rate measures the proportion of attack traffic that was rejected, filtered, or throttled by the protection system; it is the complement of the false negative rate. Obviously, the rejecting and accepting rates carry essentially the same efficiency measure of the defence system at the victim and, hence, in practice, only one of these rates needs to be evaluated.

Together, the attack response time and the defence false negative rate metrics can evaluate the elimination of the DDoS attacks.

3) Providing a Good Service to Legitimate Clients: Relevant metrics can be established for both victims and legitimate clients, using the fact that client requests depend on the successful establishment of TCP connexions. Note that, if necessary, these metrics could be complemented by those defined at the application level in [7]. Overall, these metrics can assess to what extent the defence system penalizes any legitimate client.

a) False Positive Rate: This is the proportion of legitimate traffic rejected by the protection. It represents the damage on the legitimate traffic.

b) Survival Rate of the Legitimate Traffic: This rate represents the fraction of the legitimate traffic accepted by the defence system of the victim over the total legitimate traffic. Naturally, the survival rate is the complement of the false positive rate; therefore it may be seen as the percentage of the legitimate traffic that is protected by the defence system.

c) Rate of Successful Client TCP Connexions: This rate is defined as the ratio of the number of successful connexions over the total number of attempted (legitimate) connexions [12]. A connexion is considered successful when the TCP handshake procedure has been completed. We may also define the DDoS rate of TCP connexions as the complement of the successful rate [13].

d) Average Delay: This corresponds to the average time interval necessary for the establishment of a successful TCP connexion per client or per network [12]. The presence of the defence system should not unduly increase this delay.

Together, the false positive rate or the survival rate of the legitimate traffic, the rate of successful client TCP connexions, and the average delay make it possible to evaluate the performance of the service offered to the legitimate clients during an attack.

4) Overall Evaluation: To summarize, for a good protection against flooding DDoS, we need to focus on two elements.

To minimize the effect of the flooding attack, ideally we want to keep the response time $r$ short and the rate of false negatives $n$ as low as possible. Considering the weighting coefficient $\alpha_r$ for the attack response time and $\alpha_n$ for the false negative rate, and since $\alpha_r + \alpha_n = 1$, we can evaluate a composite metric denoted $EA$ as:

$$EA = \alpha_r r + \alpha_n n \qquad (2)$$

To give an adequate service, we want to have a false positive rate $p$ and a DDoS rate of TCP connexions $s$ as low as possible, and a minimum increase of the average delay $d$ for establishing TCP connexions. With the coefficients $\alpha_p$ for the false positive rate, $\alpha_s$ for the DDoS rate of TCP connexions, and $\alpha_d$ for the average delay, where the sum of the coefficients is 1, we evaluate the composite metric $GS$, defined as:

$$GS = \alpha_p p + \alpha_s s + \alpha_d d \qquad (3)$$

C. Use of the Measures

We have described a number of variables used to assess defence systems, but we must also discuss how they are used: in the research literature, defence systems set either thresholds or upper limits, with observations conducted over some time period. Unfortunately, researchers often do not evaluate the sensitivity of the performance of their defence technique to variations of these values, and tend to optimize the parameters for their own tests. Moreover, researchers must detail the way of assigning parameters for any user [14]. Therefore, it is necessary that the performance evaluation of the systems includes varying the choice and the setting of the parameters. For example, in Wang et al.
[15], it would be important to know the relation between the threshold value used in their statistical method and the false alarm rate and the detection time of their algorithm.

IV. DEGRADATION, ROBUSTNESS AND DEPLOYMENT

In this section, we measure the performance degradation on the legitimate traffic, the robustness and the deployment cost of the defence system.

A. Performance Degradation

We first measure the performance of all aspects of the impact of the defence system, in the absence of an attack. With the installation of the defence system, we want to provide a good service to legitimate clients, especially without attack. The legitimate client should be oblivious to the presence of a defence system. The possibility of performance degradation means that we must test the defence system when there are no DDoS attacks, because of the measures introduced to detect attacks as well as the presence of the protection mechanisms themselves. We simply evaluate the service for legitimate clients, but we may also fine-tune certain defence parameters (e.g. sampling rate) in order to minimize the performance degradation.

This evaluation will make it possible to identify the penalties imposed on legitimate traffic by the defence system, when there are no DDoS attacks. The following metrics are thus computed:

1) Rate of false alarms: This measure, or rate of false positives, may be non-zero when there is no attack, and will set the lower bound for the quality of detection when there is an attack.

2) Composite metric GS: This measure assesses the damage imposed on the legitimate traffic. Normally, without attacks, this composite metric must have the same value with or without a defence system.

A perfect, that is, ideal, performance degradation is no degradation. Hence, for such a system, we must have a $GS$ value of zero for service to legitimate clients and a zero rate of false alarms for the detection.

B. Evaluation of Robustness Costs

The evaluation of robustness tests the defence's weakness, that is, the conditions under which the defence system is vulnerable. For example, in the method of Peng et al. [16], which uses a database of legitimate IP addresses, the attackers could circumvent the protection by including a certain group of IP addresses in the IP address database. In the detection mechanism of Wang et al. [15], the weakness of counting SYN-FIN pairs is that the attacker can flood a mixture of SYNs and FINs in equal numbers. In summary, we want to know if the attacker can evade the detection and protection mechanisms. We can identify 4 levels: low, medium, good, and high. These cost levels are in the interval [1, 4], where 1 represents a lower robustness and 4 a higher one.

C. Evaluation of Deployment Costs

The deployment costs of the defence system depend on the computation time, the memory overhead, the bandwidth overhead and the system complexity, as explained below. In fact, we want to evaluate the increase of these costs due to the deployment of the defence system.

1) Computation overhead in ms: In a defence system, at the client level, the packet processing overhead may be measured by comparing the packet round-trip time (RTT) with and without the defence. The difference of the RTT values due to the defence system represents the computation overhead for the packets. The RTT reflects the packet treatment delay due to the addition of the detection and protection systems.

2) Memory in Kbytes: Another factor in the deployment cost of the defence system is the storage space necessary for the implementation of the detection and response mechanism [11].

3) Bandwidth overhead in %: Should the defence method imply the transmission of some form of control messages, then this in turn would yield a reduction of the available bandwidth. On the other hand, a defence method which rapidly eliminates the attack packets without control messages will preserve the bandwidth for legitimate traffic.

4) Deployment complexity: The deployment complexity depends on whether the defence strategy involves one or several nodes and whether it involves numerous and substantial modifications to the network. For example, detection could require a collaboration of the other routers or a modification of the protocol. We can define a number in [1, 4], where 1 represents a low complexity and 4 a very high complexity.

Finally, the installation of the defence system should not increase the deployment costs. For this, the weighting coefficients $\alpha_c$, $\alpha_m$, $\alpha_b$, $\alpha_y$, corresponding to the computation overhead $c$, the memory $m$, the bandwidth overhead $b$ and the deployment complexity $y$, must sum to 1. The composite metric for the deployment cost $DC$ is then expressed by:

$$DC = \alpha_c c + \alpha_m m + \alpha_b b + \alpha_y y \qquad (4)$$

Clearly, the composite metric $DC$ must avoid an increase of the victim resources and hence be as low as possible. It must be measured with and without the defence (see section V).

V. TESTING METHODOLOGY

A testing methodology is a guideline for identifying all the experiments required for collecting all the metrics and their associated costs. The experiments can globally evaluate the defence against flooding attacks by calculating all the composite metrics.

For each experiment, we have to define all the elements necessary for the simulation or the testbed. The nature and volume of DDoS attacks, legitimate traffic, network topology and resources all influence the impact of the attack on the target and the defence's effectiveness.
Automated tools developed by Mirkovic et al. [6] do exist for this purpose. Benchmarking tools can be used for testing systems in a controlled environment to predict their behaviour in real deployment. Together with the evaluation method of the defence system, they form a testing methodology which is described below.

We first set up an architecture, with clients and servers and their related traffic and a network topology, and we define the nature and the rate of the attacks. Recall that the attack rate can be constant, increasing, pulsing or gradual and pulsing. For testing the attack detection only, we can use different traces merged with fictive attacks and different attack rates. We now define all the steps of the test scenarios:

Experiment 1. We simulate an experiment without DDoS attacks and without a defence system. This test will establish the baseline of the following metrics: 1) the legitimate traffic at the network target, 2) the average delay of establishing a TCP connexion, 3) the average RTT, and 4) the available bandwidth. More practically, we evaluate two composite metrics, $GS_1$ and $DC_1$, to evaluate respectively the service offered to the legitimate traffic and the deployment cost.

Experiment 2. We simulate an experiment without a DDoS attack but with the defence system. As the objective of the defence system is still to provide a good service even without an attack, this experiment can evaluate the impact of the presence of the defence system on the legitimate traffic, that is, the penalty it imposes on it. Therefore, we evaluate two composite metrics, $GS_2$ and $DC_2$, to find respectively the degradation on the real traffic and the real deployment cost of the defense. Clearly, we have to compare the values of the composite metrics of experiment 1 with those of experiment 2.

Experiment 3. We make an experiment with both attack and defence systems such that we can evaluate performance and sensitivity.
The experiment must have a sufficiently high number of attacks in order to evaluate the quality of the decision, the latency, and the detection and false positive rates. For the evaluation of the quality of the protection for a given attack, we measure the detection performance $D$, the elimination of the attack effect $EA$, and the good service $GS_3$. Normally, the three values $GS_1$, $GS_2$ and $GS_3$ must be the same.

Once a testing methodology for the evaluation of defence systems is established, we are equipped to compare the various proposed defence systems against flooding attacks with the help of the composite metrics. We must however develop a way of determining the values of the coefficients for the composite metrics. In the following section, we see how we can apply our methodology to compare detection techniques.

VI. PERFORMANCE OF THE DETECTION TECHNIQUE

We want to apply our composite metrics to the detection techniques. Carl et al. [14], while evaluating the results of different detection methods, have noted large variations in the methods chosen by the researchers. In some cases, they notice that the test conditions vary widely. In the majority of cases, they observed that the authors do not report the impact of the variations of the detection parameters on the performance.

Carl et al. have classified the detection methods according to test data, attack description, false-positive rate, detection delay, detection results, memory and complexity. The authors remark that there is a wide range of reported results. In most cases, the researchers did not provide false positives, missed detections, and detection delay results. It therefore appears that reported performance evaluations tend to be fragmentary and do not lend themselves to comparisons.

Beaumont-Gay [17] compares three published SYN flood detection algorithms [8] [15] [18] using the same traces. The author chose these algorithms because they are intended to detect the same attack, i.e. SYN flooding.
They have some similarity, namely, they are deployed at the edge router and use SYN, SYN/ACK, FIN and RST packets. For a pulsing attack rate of 600 SYN/s, and a duration of 1.2 s for the longest pulsing peak, Beaumont-Gay reports their results in Table I.

TABLE I. COMPOSITE METRIC OF DETECTION PERFORMANCE

                          Wang et al. [15]   Kompella et al. [18]   Siris et al. [8]
Detection rate            2/3                3/3                    2/3
False positive
Latency                   < 40 s             < 40 s                 < 40 s
Reliability               good               good                   good
Memory                    < 1 Kbytes         60 Kbytes              < 1 Kbytes
Deployment complexity     low                low                    low
Performance detection D
Deployment cost DC

Using their results, we test our composite metrics $D$ and $DC$. We choose 0.33 for each weighting coefficient of the performance detection and the value 0.5 for the deployment cost, hence assuming that all elements have the same importance. For the deployment cost, we evaluate only the amount of memory and the complexity. Table I shows clearly that, as our method of evaluation yields a numerical value for the composite metric, it lends itself easily to quick comparison. The detection technique of Kompella et al. is the best, but it has higher deployment costs.

VII. DISCUSSION AND CONCLUSION

To summarize, we have observed in the literature great variations in the ways detection methods are evaluated, which not only makes comparisons difficult, but also complicates the assessment of their effectiveness. We have proposed here metrics of detection and defence efficiency whose application will make it possible to avoid such disparity. We have also proposed a method that covers all the elements for the evaluation of the effectiveness of defence systems against flooding attacks.

We have identified the various elements that make it possible to evaluate and compare defence systems for DDoS attacks. They include performance evaluation, deployment cost, degradation and robustness costs. We hope that the composite metrics proposed in this paper will help standardize the evaluation of defence systems for flooding attacks and make it possible for researchers to fairly compare different defence methods. We have also proposed a testing methodology for identifying all the experiments required to collect the various metrics and their associated costs.
We plan to explore our methodology further in order to evaluate and compare proposed defence methods. Our conclusions are limited by the scope of the experiments performed so far and this will require more attention; further experiments will lead to refinement and improvements to our methodology. In future work, we plan to explore criteria for choosing the value of the weighting coefficients for the composite metrics. Moreover, we shall explore further the sensitivity and application ranges of our different measures, which should lead to the study of optimality criteria for defence systems.

REFERENCES

[1] J. Mirkovic and P. Reiher, "A taxonomy of DDoS attack and DDoS defense mechanisms," SIGCOMM Comput. Commun. Rev., vol. 34, no. 2, pp ,
[2] T. Peng, C. Leckie, and K. Ramamohanarao, "Survey of network-based defense mechanisms countering the DoS and DDoS problems," ACM Comput. Surv., vol. 39, no. 1, p. 3,
[3] A. Hussain, S. Schwab, R. Thomas, S. Fahmy, and J. Mirkovic, "DDoS experiment methodology," in Proceedings of the DETER Community Workshop on Cyber Security Experimentation, June
[4] J. Mölsä, "A taxonomy of criteria for evaluating defence mechanisms against flooding DoS attacks," in Proceedings of the First European Conference on Computer Network Defence, December
[5] S. Schwab, B. Wilson, and R. Thomas, "Methodologies and metrics for the testing and analysis of distributed denial of service attacks and defenses," in Military Communications Conference. IEEE, October
[6] J. Mirkovic, E. Arikan, S. Wei, S. Fahmy, R. Thomas, and P. Reiher, "Benchmarks for DDoS defense evaluation," in Proceedings of the DETER Community Workshop on Cyber Security Experimentation, June
[7] J. Mirkovic, S. Fahmy, P. Reiher, R. Thomas, A. Hussain, S. Schwab, and C. Ko, "Measuring impact of DoS attacks," in Proceedings of the DETER Community Workshop on Cyber Security Experimentation, June
[8] V. A. Siris and F. Papagalou, "Application of anomaly detection algorithms for detecting SYN flooding attacks," in IEEE, GlobeCom, December
[9] R. Chang, "Defending against flooding-based distributed denial-of-service attacks: a tutorial," Communications Magazine, IEEE, vol. 40, no. 10, pp , October
[10] L. Feinstein, D. Schnackenberg, R. Balupari, and D. Kindred, "Statistical approaches to DDoS attack detection and response," in Proceedings in DARPA Information Survivability Conference and Exposition. IEEE Computer Society, April
[11] J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in Proceedings of ICNP 2002, November
[12] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, "Analysis of a denial of service attack on TCP," in Proceedings of the 1997 IEEE Symposium on Security and Privacy. IEEE Computer Society, 1997, p
[13] W. Blackert, D. Gregg, A. Castner, E. Kyle, R. Hom, and R. Jokerst, "Analyzing interaction between distributed denial of service attacks and mitigation technologies," in DARPA Information Survivability Conference and Exposition, IEEE, April 2003, pp
[14] G. C. G. K. R. Brooks and S. Rai, "Denial-of-service attack-detection techniques," in IEEE Internet Computing, vol. 10, January-February
[15] H. Wang, D. Zhang, and K. G. Shin, "Detecting SYN flooding attacks," in Proceedings of IEEE INFOCOM,
[16] T. Peng, C. Leckie, and R. Kotagiri, "Protection from distributed denial of service attack using history-based IP filtering," in International Conference on Communications. IEEE, June
[17] M. Beaumont-Gay, "A comparison of SYN flood detection algorithms," in Second International Conference on Internet Monitoring and Protection, July
[18] R. R. Kompella, S. Singh, and G. Varghese, "On scalable attack detection in the network," in Internet Measurement Conference, October


More information

A Comparison of SYN Flood Detection Algorithms

A Comparison of SYN Flood Detection Algorithms A Comparison of SYN Flood Detection Algorithms Matt Beaumont-Gay UCLA Computer Science mattb@cs.ucla.edu February 20, 2007 Abstract The problem of detecting distributed denial of service (DDoS) attacks,

More information

PRIVACY AND TRUST-AWARE FRAMEWORK FOR SECURE ROUTING IN WIRELESS MESH NETWORKS

PRIVACY AND TRUST-AWARE FRAMEWORK FOR SECURE ROUTING IN WIRELESS MESH NETWORKS PRIVACY AND TRUST-AWARE FRAMEWORK FOR SECURE ROUTING IN WIRELESS MESH NETWORKS 1 PRASHANTH JAYAKUMAR, 2 P.S.KHANAGOUDAR, 3 VINAY KAVERI 1,3 Department of CSE, GIT, Belgaum, 2 Assistant Professor, Dept.

More information

The UCSD Network Telescope

The UCSD Network Telescope The UCSD Network Telescope Colleen Shannon cshannon @ caida.org NSF CIED Site Visit November 22, 2004 UCSD CSE Motivation Blocking technologies for automated exploits is nascent and not widely deployed

More information

Compressive Sensing for Multimedia. Communications in Wireless Sensor Networks

Compressive Sensing for Multimedia. Communications in Wireless Sensor Networks Compressive Sensing for Multimedia 1 Communications in Wireless Sensor Networks Wael Barakat & Rabih Saliba MDDSP Project Final Report Prof. Brian L. Evans May 9, 2008 Abstract Compressive Sensing is an

More information

TDC DoS Protection Service Description and Special Terms

TDC DoS Protection Service Description and Special Terms TDC DoS Protection Service Description and Special Terms Table of contents 1 Purpose of this Product-Specific Appendix... 3 2 Service description... 3 2.1 Attack detection... 3 2.1.1 Managed Objects...

More information

DDoS PREVENTION TECHNIQUE

DDoS PREVENTION TECHNIQUE http://www.ijrst.com DDoS PREVENTION TECHNIQUE MADHU MALIK ABSTRACT A mobile ad hoc network (MANET) is a spontaneous network that can be established with no fixed infrastructure. This means that all its

More information

A Comparative Analysis of Traffic Flows for AODV and DSDV Protocols in Manet

A Comparative Analysis of Traffic Flows for AODV and DSDV Protocols in Manet A Comparative Analysis of Traffic Flows for and Protocols in Manet Ranichitra.A 1, Radhika.S 2 1 Assistant Professor, 2 M.Phil Scholar, Department of Computer Science, Sri S.R.N.M College, Sattur, India

More information

Thwarting Traceback Attack on Freenet

Thwarting Traceback Attack on Freenet Thwarting Traceback Attack on Freenet Guanyu Tian, Zhenhai Duan Florida State University {tian, duan}@cs.fsu.edu Todd Baumeister, Yingfei Dong University of Hawaii {baumeist, yingfei}@hawaii.edu Abstract

More information

CHAPTER 5 ANT-FUZZY META HEURISTIC GENETIC SENSOR NETWORK SYSTEM FOR MULTI - SINK AGGREGATED DATA TRANSMISSION

CHAPTER 5 ANT-FUZZY META HEURISTIC GENETIC SENSOR NETWORK SYSTEM FOR MULTI - SINK AGGREGATED DATA TRANSMISSION CHAPTER 5 ANT-FUZZY META HEURISTIC GENETIC SENSOR NETWORK SYSTEM FOR MULTI - SINK AGGREGATED DATA TRANSMISSION 5.1 INTRODUCTION Generally, deployment of Wireless Sensor Network (WSN) is based on a many

More information

OpenFlow DDoS Mitigation

OpenFlow DDoS Mitigation OpenFlow DDoS Mitigation C. Dillon, M. Berkelaar February 9, 2014 University of Amsterdam Quanza Engineering Introduction Distributed Denial of Service attacks Types of attacks Application layer attacks

More information

On the Scalability and Effectiveness of a Cache Pollution based DoS Attack in Information Centric Networks

On the Scalability and Effectiveness of a Cache Pollution based DoS Attack in Information Centric Networks On the Scalability and Effectiveness of a Cache Pollution based DoS Attack in Information Centric Networks Jeffery Gouge School of Computing University of North Florida Jacksonville, FL Anand Seetharam

More information

Detecting and Alerting TCP IP Packets againt TCP SYN attacks

Detecting and Alerting TCP IP Packets againt TCP SYN attacks Detecting and Alerting TCP IP Packets againt TCP SYN attacks Parasa Harika #1,Mrs D.Raaga Vamsi #2 1 M.Tech(CSE),Gudlavalleru engineering college,gudlavalleru. 2 Assistant professor, Gudlavalleru engineering

More information