Detecting DDoS Attacks in Stub Domains (ISR IP)

For more information, contact ISR External Relations Director
Jeff Coriale at coriale@umd.edu or 301.405.6604.

ISR intellectual property available to license

Inventors:
Christopher Kommareddy, Samrat Bhattacharjee, Mark Shayman, Richard La

Description
Denial of Service (DoS) attack technology is developing in an open-source environment and is evolving rapidly. Technology producers, system administrators, and users are improving their ability to react to emerging problems, but they are behind and significant damage to systems and infrastructure can occur before effective defenses can be implemented.

Researchers at University of Maryland have come up with an innovative technique for detecting "Distributed Denial of Service (DDoS)" attacks without changing the existing routing infrastructure. This new detection system (using TCP packets) has several advantages over currently existing technology in terms of:
1. Flexibility: can be deployed in single and multi-homed stub networks.
2. Performance: high detecting capability even with the network having asymmetric traffic or very low flow rates.
3. Efficiency: very little processing and communication overhead.
4. Robustness: detects different types of attacks on traces with orders of magnitude difference in packet rates without parameter tweaking.

Inventors have performed extensive packet level simulations under different attack scenarios. Observations are listed below:

1. Detect attack flows that are one-third the intensity of an average flow of in the network.
2. Detect attack for asymmetric traffic in multi-gateway networks if the attack rate is at least five times the average flow rate in the network.

Researchers have even extended this detection technique to detect subnet attacks and were successful in detecting attacks that target hosts in large subnets and in the presence of non-attack traffic to other hosts in the subnet. The experiments conducted for single domain networks revealed that the scheme can detect attacks with aggregate flow intensity equal to the average flow in the network in less than a minute. The experiments for multi-domain stub networks demonstrated that the scheme detects attacks even when the network has four gateways and when up to 50% of flows are asymmetric.

For more information
If you would like to license this intellectual property, have questions, would like to contact the inventors, or need more information, contact ISR External Relations Director Jeff Coriale at coriale@umd.edu or 301.405.6604.

Find more ISR IP
You can go to our main IP search page to search by research category or faculty name. Or view the entire list of available IP on our complete IP listing page.

ISR-IP-Shayman ISR-IP-La ISR-IP-security

Published June 22, 2007