DDoSniffer: An attack detection tool detecting TCP-based distributed denial of service attack traffic at the agent machines

Publisher

University of Ottawa (Canada)

Abstract

Distributed Denial of Service (DDoS) attacks are an important and challenging security threat. Despite the availability of several defence mechanisms and ongoing academic research in the field, attackers manage to build a large network of agent machines. This research developed a tool, DDoSniffer, to tackle DDoS attacks by detecting ongoing attack traffic at the agent machines. Due to the diversity in DDoS attack strategies, it is not realistic to deal with all types of attacks with a single solution. DDoSniffer focuses on TCP-based attacks. Different scenarios were tested to evaluate the performance of DDoSniffer when detecting what we classified as connection attacks and bandwidth attacks. The former attacks generate connections with four packets or fewer. The latter attacks create connections with traffic ratios larger than usual. Detection is the minimum requirement of all defence mechanisms, and DDoSniffer is capable of detecting a broad range of attacks within seconds.

Citation

Source: Masters Abstracts International, Volume: 45-05, page: 2654.
