A adaptive filtration based defense framework against DDoS

While increasing cloud services are exposed to DDoS, DDoS defense has becoming more and more challenging. A single server with limited computing and memory resource can hardly handle large packet traces which are captured on fast links. In this paper, we propose a spark-streaming based online DDoS defense framework. First, we present a analysis model to identify abnormal packets. Second, we develop a defense model based on the statistics of abnormal packets. Our framework has two main advantages: (1) Our framework is configurable and with expert system functionality; the information maintained to detect threats is also leveraged during mitigation to effectively distinguishing legitimate from suspicious traffic; (2) Based on spark-streaming, our framework allows for parallel and distributed traffic analysis that can be deployed at high-speed network links. At the same time, by employing improved bloom-filter for approximated checks with low false positive/negative errors, it also reduces the space required to maintain the information leveraged for the threat detection and mitigation. The evaluation with data sets derived from real network traffic validates the performance of our framework in terms of detection accuracy, filtering efficiency, and monitoring overhead. The experiments show that our framework is able to detect DDoS attacks in the early stage of attack, to mitigate them by filtering out the majority of the abnormal packets while keeping a high percentage of the legitimate traffic unaffected.