A protocol-free detection against cloud oriented reflection DoS attacks

Abstract

Distributed denial of service (DDoS) attack presents a critical threat to cloud infrastructure, where many manipulated hosts flood the victim cloud with plenty of packets, which will lead to the exhaustion of bandwidth and other system resources. As one type of DDoS attack, in reflection DoS (RDoS) attack, legitimate servers (reflectors) are fooled into sending a large number of packets to the victim cloud. Most of the existed RDoS attack detection mechanisms are protocol-specific, thus low in efficiency. It is inspected that because of being triggered by the same attacking flow, intra-unite correlation exists among the packet rate of attacking flows. Based on the phenomenon, a flow correlation coefficient (FCC)-based protocol-free detection (PFD) algorithm is proposed. The simulation results show that PFD can detect attacking flows efficiently and effectively and is not protocol-specific, thus can be used as effective supplement to existed algorithms.

Appendix

Proof of Theorem 1

\(X_{a} \) and \(X_{b} \) follow the Pareto distribution if they are flash crowds. The probability of \(x_{a} [n]=x_{b} [n]=x\) is:

$$\begin{aligned} Pr([x_{a} [n]=x_{b} [n]=x)=\left( {\frac{\alpha \cdot \beta ^{\alpha }}{x^{\alpha +1}}} \right) ^{2}<1 \end{aligned}$$

If \(X_{a} =X_{b} \), i.e., \(x_{a} [n]=x_{b} [n]\) for each \(n(1{ }\le n{ }\le N)\), then we have:

$$\begin{aligned} Pr(X_{a} =X_{b} )=\left( {Pr([x_{a} [n]=x_{b} [n]=x)} \right) ^{N}=\left( {\frac{\alpha \cdot \beta ^{\alpha }}{x^{\alpha +1}}} \right) ^{2N} \end{aligned}$$

It can be concluded that:

$$\begin{aligned} \lim \limits _{N\rightarrow \infty } \rho _{X_{i} ,X_{j} } [k]=\lim \limits _{N\rightarrow \infty } Pr(X_{a} =X_{b} )=0 \end{aligned}$$

\(\square \)

Proof of Theorem 2

With no background noise and network delay, there is \(x_{a} [n]=kx_{b} [n](1\le n\le N)\), where \(k=M_{a} /M_{b} \) in Eqs. 8 and 9. Then we have: \(\begin{array}{l} \rho _{X_{a} ,X_{b} } [k]\quad \\ =\quad \frac{\frac{1}{N}\sum \limits _{n=1}^N {x_{a} [n]x_{b} [n]} }{\frac{1}{N}\left[ {\sum \limits _{n=1}^N {x_{a}^{2} [n]} \sum \limits _{n=1}^N {x_{b}^{2} [n]} } \right] ^{1/2}} \\ =\quad \frac{\sum \limits _{n=1}^N {kx_{b}^{2} [n]} }{\left[ {\sum \limits _{n=1}^N {k^{2}x_{b}^{2} [n]} \sum \limits _{n=1}^N {x_{b}^{2} [n]} } \right] ^{1/2}} \\ =\frac{k\sum \limits _{n=1}^N {x_{b}^{2} [n]} }{\left[ {(k\sum \limits _{n=1}^N {x_{b}^{2} [n]} )^{2}} \right] ^{1/2}}=1 \\ \end{array}\) \(\square \)

Proof of Theorem.3

Let \(X_{a} \) and \(X_{b} \) be two random flash crowds, \(X_{c} \) and \(X_{d} \) be two RDoS flooding attack flows, and \(\Delta \) be a very small real number. Based on Theorem 1, for a givenN, it has:

$$\begin{aligned} Pr(\rho _{X_{a} ,X_{b} } [k]<\Delta \vert N)=1 \end{aligned}$$

Based on Theorem 2, given N and signal-noise-rate (SNR), the following equation holds. Here SNR is the ratio of attacking traffic rate to background traffic rate.

$$\begin{aligned} Pr(\rho _{X_{c} ,X_{d} } [k]\ge \Delta \vert N,SNR)=1 \end{aligned}$$

Since \(\rho _{X_{a} ,X_{b} } [k]\) is decreasing along with increasing of N(the length of flow). In perfect condition, \(\rho _{X_{c} ,X_{d} } [k]=1\) and \(\rho _{X_{a} ,X_{b} } [k]\) decreases with increasing of SNR. As a result, there must exist a point where both above two equations hold, i.e., \(\rho _{X_{a} ,X_{b} } [k]<\Delta \le \rho _{X_{c} ,X_{d} } [k]\), thus reflection DoS attacking flow can be isolated from flash crowds, and Theorem holds as well. \(\square \)