Discriminating DRDoS Packets using Time Interval Analysis

Daiki Noguchi, Tatsuya Mori, Yota Egusa, Kazuya Suzuki, Shigeki Goto


Distributed Reflection Denial of Service (DRDoS) attacks are among the critical security threats. Because the attack generates unidirectional traffic, it is not easy for its targets to protect themselves. Mitigating the attack requires a defense mechanism installed in backbone networks, i.e., one that detects and blocks the attack traffic before it reaches its destinations. A conventional approach is to monitor traffic volume: an attack is detected if the observed traffic volume exceeds a certain threshold. However, such a simple approach may not work when an attacker adjusts the traffic volume to evade detection. This paper proposes a novel method that can detect DRDoS attacks accurately. The key idea is to leverage the characteristics of the time intervals between packets. We use the K-means clustering algorithm to find the best threshold values for distinguishing packets associated with DRDoS attacks. We implement the proposed algorithm on equipment at a data center and demonstrate that our approach attains high accuracy.
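The threshold-finding idea in the abstract, sketched as an added example that is not the authors' implementation: a one-dimensional K-means with k = 2 over packet inter-arrival times, taking the midpoint between the two centroids as the threshold. The function names, the choice of k = 2, the midpoint rule and the sample timestamps are all assumptions made for illustration; the abstract does not state which side of the threshold corresponds to attack traffic, so the code only labels intervals as short or long.

```python
# Added illustration: 1-D K-means (k=2) over packet inter-arrival times.
# Names, k=2, the midpoint rule and the sample data are assumptions,
# not taken from the paper.

# Constructed sample: arrival times in microseconds for one flow.
SAMPLE_US = [0, 900, 2000, 3000, 483000, 1003000, 1004000, 1005000, 1505000]

def inter_arrival(timestamps):
    """Gaps between consecutive packet arrival times (same unit as input)."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def kmeans_1d_threshold(values, max_iter=100):
    """Lloyd's algorithm with two centroids.

    Returns (low_centroid, high_centroid, threshold), where threshold is
    the midpoint between the converged centroids.
    """
    if len(set(values)) < 2:
        raise ValueError("need at least two distinct intervals")
    lo, hi = min(values), max(values)  # deterministic initial centroids
    for _ in range(max_iter):
        # Assignment step: each interval joins its nearest centroid.
        low = [v for v in values if abs(v - lo) <= abs(v - hi)]
        high = [v for v in values if abs(v - lo) > abs(v - hi)]
        # Update step: centroids move to the mean of their members.
        new_lo, new_hi = sum(low) / len(low), sum(high) / len(high)
        if (new_lo, new_hi) == (lo, hi):
            break  # converged
        lo, hi = new_lo, new_hi
    return lo, hi, (lo + hi) / 2

def label_intervals(values, threshold):
    """Tag each interval relative to the learned threshold."""
    return ["short" if v < threshold else "long" for v in values]

if __name__ == "__main__":
    gaps = inter_arrival(SAMPLE_US)
    lo, hi, thr = kmeans_1d_threshold(gaps)
    print(f"centroids={lo:.0f}us/{hi:.0f}us threshold={thr:.0f}us")
    print(list(zip(gaps, label_intervals(gaps, thr))))
```

Unlike a fixed volume threshold, the cut-off here is derived from the observed interval distribution, so it should be recomputed per monitored flow or time window.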
