DDoS detection with information theory metrics and netflows: A real case / Vitali, Domenico; Antonio, Villani; Spognardi, Angelo; Roberto, Battistoni; Mancini, Luigi Vincenzo. - PRINT. - (2012), pp. 172-181. (Paper presented at the International Conference on Security and Cryptography, SECRYPT 2012, held in Rome, 24 July 2012 through 27 July 2012) [10.5220/0004064501720181].

DDoS detection with information theory metrics and netflows: A real case

VITALI, Domenico; SPOGNARDI, Angelo; MANCINI, Luigi Vincenzo
2012

Abstract

Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) constitute one of the main issues for critical Internet services. The widespread availability and simplicity of automated stressing tools have also promoted voluntary participation in extensive attacks against well-known websites. Today the most effective (D)DoS detection schemes are based on information theory metrics, but their effectiveness is often evaluated with synthetic network traffic. In this work we present a comparison of the main metrics proposed in the literature, carried out on a huge dataset formed by real netflows. This comparison considers the ability of each metric to detect (D)DoS attacks at an early stage, in order to launch effective and timely countermeasures. The evaluation is based on a large dataset, collected from an Italian transit tier II Autonomous System (AS) located in Rome. This AS network is connected to all three main network infrastructures present in Italy (Commercial, Research and Public Administration networks), and to several international providers (also for Internet transit purposes). Many attempted attacks on Italian critical IT infrastructures can be observed inside the network traffic of this AS. Several publicly declared attacks have been traced and many other malicious activities have been found by ex post analysis.
2012
International Conference on Security and Cryptography, SECRYPT 2012
ddos; autonomous system; information divergence; attack detection; relative entropy; internet security
04 Publication in conference proceedings::04b Conference paper in volume
Files attached to this item
No files are associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11573/488497
Warning! The displayed data have not been validated by the university.

Citations
  • Scopus 3