A Real-Time DDoS Attack Detection and Prevention System Based on per-IP Traffic Behavioral Analysis

While many offline-based detection approaches have been well studied, the on-line detection of DDoS attack at leaf router near victims still poses quite a challenge to network administrators. Based on per-IP traffic behavioral analysis, this paper presents a real-time DDoS attack detection and prevention system which can be deployed at the leaf router to monitor and detect DDoS attacks. The advantages of this system lie in its statelessness and low computation overhead, which makes the system itself immune to flooding attacks. Based on the synchronization of TCP and UDP protocol behavior, this system periodically samples every single IP user's sending and receiving traffic and judges whether its traffic behavior meets the synchronization or not. A new non-parametric CUSUM algorithm is applied to detect SYN flooding attacks. Moreover, this system can recognize attackers, victims and normal users, and filter or forward IP packets by means of a quick identification technique. Finally, experiment results show that the system can make a real-time detection for flooding attacks at the early attacking stage, and take effective measures to quench it.