Detection of distributed denial-of-service attack in wired network

In distributed denial-of-service (DDOS) attacks, attackers aim at denying normal service or degrading quality of service by generating a large number of requests to victims via compromised computers. To launch a DDOS attack, the attackers initially establish a network of computers with which they generate a huge volume of traffic required to deny services to legitimate systems of the victim. To create this attack, attackers target the vulnerable hosts on the network. The systems that are runs either no antivirus or expired antivirus software are vulnerable hosts.


 A common solution to deal with DDOS attack is based on the use of IP trace backing technique. IP trace back approaches adopt packet marking techniques such as Probabilistic packet marking (PPM), and deterministic packet marking (DPM). The major challenges in implementing packet marking techniques include lack of scalability, lack of security, and restricted memory space at the victim.
A trace back method based on entropy variations between normal and DDOS attack traffic can detect the DDOS attacker effectively. It initially observes and stores short term information of flow entropy variations at routers. Soon after identifying the DDOS attack, the victim initiates the pushback tracing procedure. The trace back algorithm initially identifies its upstream routers to detect the origination of attack flow. It then submits the trace back requests to the corresponding upstream routers. This process is repeated till it reaches the discrimination limitation of DDOS attack flows.

NS2 Solution

  • Network is designed with set of genuine nodes and attackers.

  • IP trace back algorithm is implemented at each node in the network.

  • Performance of the trace back algorithm is tested and evaluated in terms of the metrics such as trace back time, packet delivery ratio and throughput using Network Simulator.