Shrew DDoS Attack Detection Based on Statistical Analysis

Document Type: Research Article

Authors

1 Excelr Edtech Private Limited, HITEC City, Hyderabad, India

2 Department of Computer Science and Engineering, Tezpur University, Tezpur, India

Abstract
Distributed Denial of Service (DDoS) attacks are of two kinds, viz. high-rate DDoS (HRDDoS) attacks and low-rate DDoS (LRDDoS) attacks. A shrew attack is an LRDDoS attack that can prove more harmful than an HRDDoS attack because it is stealthy and not easily noticed. It causes TCP flows to attain near-zero throughput by sending attack pulses in very short bursts synchronized with the TCP retransmission timeout (RTO) value. Consequently, the TCP packets are dropped whenever the sender tries to retransmit after the timeout. Thus, if not detected for a long time, it may endanger the victim systems and reduce the overall quality of service without being noticed. In this paper, we analyze the network traffic using a statistical approach in which the deviation in the behavior of the flows is analyzed based on the packets sent during normal and attack conditions. To do this, we determine the participation of a flow in congestion and its adherence to legitimate TCP-compliant behavior during attack conditions based on a priority determiner $D$. Shrew attack flows exhibit higher values of $D$, as they do not adhere to TCP compliance and tend to contribute more to congestion in order to disrupt a server. This property of attack flows enables us to filter them based on their values of $D$ and to mitigate the attack by blocking these flows. The experimental results on various scenarios demonstrated high accuracy, substantiating the efficacy of the proposed method.
