Leveraging Geolocation Towards Distributed Denial of Service and Flash Crowd Traffic Differentiation

Phetchai Ponpat (1811423)


Distributed Denial of Service (DDoS) is a generic class of attack that is difficult to detect precisely and to defend against. Many efforts and approaches compete to provide an ideal solution against DDoS attacks, and a large number of them focus on generic characteristics of DDoS traffic such as the distribution of source IP addresses. Nevertheless, the attacks remain persistently successful in most cases. A DDoS attack relies on a simple concept: flooding the target device or network with packets until it reaches its physical or logical limits, which leaves legitimate users unable to access the device or network. The primary keys to its success are the number of devices under the attacker's control and the number of packets that reach the destination without being blocked or detected by the target or by any intermediary device; a common way to avoid such blocking is to forge the source IP addresses. Another type of traffic with a similar nature and similar consequences is a flash crowd (FC), which occurs when a large number of legitimate users try to retrieve the same information at the same time. With the belief that legitimate users should retain their right of access, we research a novel method to distinguish DDoS attack traffic from flash crowd traffic by examining traffic behaviour with respect to geolocation information using an entropy-based approach. Although there are many approaches and efforts in DDoS detection, few of them focus on the geolocation distribution and the distinct characteristics of these two types of traffic. If the two types of traffic can be distinguished, we can not only reduce the error of various other DDoS detection models but also detect DDoS itself. In this work, we propose a methodology to distinguish DDoS from FC, together with a synthetic dataset that mimics the geolocation characteristics of DDoS and FC traffic.
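As an added illustration of the entropy-based idea described above (example code written for this page, not the author's method or dataset), the script below computes the normalised Shannon entropy of the source-country distribution in each time window and compares a constructed flash crowd against a constructed spoofed-source flood. Everything beyond "entropy over geolocation" is an assumption: the GeoIP table is a toy mapping of the first IPv4 octet to a country code, the traffic samples are generated in the script, and the working hypothesis is that forged source addresses scatter across countries (entropy close to 1) while a flash crowd clusters in the few regions where the content is popular (entropy well below 1). The classification threshold of 0.8 is likewise an assumption; a botnet of real, globally spread hosts could also score high, which is exactly why the abstract treats the geolocation feature as a complement to other detectors rather than a replacement.

```python
import math
import random
from collections import Counter

# Constructed geolocation table (an assumption for this example): maps the
# first IPv4 octet to a two-letter country code. It stands in for a real
# GeoIP database and does not reflect actual address allocations.
COUNTRIES = ["US", "DE", "JP", "BR", "IN", "GB", "FR", "CN", "RU", "AU",
             "CA", "KR", "NL", "SE", "TH", "MX", "ZA", "IT", "ES", "PL"]
GEO_BY_FIRST_OCTET = {octet: COUNTRIES[(octet - 1) % len(COUNTRIES)]
                      for octet in range(1, 256)}
# Inverse table, used only to generate realistic-looking sample traffic.
OCTETS_FOR_COUNTRY = {}
for _octet, _cc in GEO_BY_FIRST_OCTET.items():
    OCTETS_FOR_COUNTRY.setdefault(_cc, []).append(_octet)


def geolocate(ip: str) -> str:
    """Return the country code for an IPv4 address using the toy table."""
    return GEO_BY_FIRST_OCTET.get(int(ip.split(".")[0]), "??")


def shannon_entropy(counts) -> float:
    """Shannon entropy in bits of a {category: count} mapping."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def normalised_entropy(counts) -> float:
    """Entropy scaled to [0, 1] by the maximum possible over all countries."""
    return shannon_entropy(counts) / math.log2(len(COUNTRIES))


def entropy_per_window(packets, window_s: float):
    """Group (timestamp, src_ip) packets into fixed windows and score each one."""
    windows = {}
    for ts, ip in packets:
        windows.setdefault(int(ts // window_s), Counter())[geolocate(ip)] += 1
    return {w: normalised_entropy(c) for w, c in sorted(windows.items())}


def classify(norm_entropy: float, threshold: float = 0.8) -> str:
    """Assumed decision rule: geographically scattered sources look spoofed."""
    return "ddos_like" if norm_entropy >= threshold else "flash_crowd_like"


def constructed_flash_crowd(n: int, rng: random.Random):
    """Constructed sample: genuine users concentrated in three countries."""
    weights = {"TH": 0.7, "JP": 0.2, "US": 0.1}
    packets = []
    for i in range(n):
        cc = rng.choices(list(weights), weights=list(weights.values()))[0]
        first = rng.choice(OCTETS_FOR_COUNTRY[cc])
        rest = ".".join(str(rng.randrange(256)) for _ in range(3))
        packets.append((i * 0.01, f"{first}.{rest}"))
    return packets


def constructed_spoofed_ddos(n: int, rng: random.Random):
    """Constructed sample: fully forged source addresses, uniformly random."""
    packets = []
    for i in range(n):
        first = rng.randrange(1, 256)
        rest = ".".join(str(rng.randrange(256)) for _ in range(3))
        packets.append((i * 0.01, f"{first}.{rest}"))
    return packets


def run_demo(n: int = 2000, window_s: float = 10.0, seed: int = 7):
    """Score both constructed samples window by window and return the results."""
    rng = random.Random(seed)
    fc = entropy_per_window(constructed_flash_crowd(n, rng), window_s)
    dd = entropy_per_window(constructed_spoofed_ddos(n, rng), window_s)
    return {"flash_crowd": fc, "ddos": dd}


if __name__ == "__main__":
    results = run_demo()
    for label, windows in results.items():
        for w, h in windows.items():
            print(f"{label:12s} window {w}: H_norm={h:.3f} -> {classify(h)}")
```

With a real GeoIP lookup in place of `GEO_BY_FIRST_OCTET`, the same per-window scoring can be run over NetFlow or packet-capture timestamps and source addresses; the part that needs calibration on real data is the threshold, since the separation between the two constructed samples here is deliberately wide.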

In this presentation, we approach the problem by dividing it into three tasks: DDoS detection, distinguishing DDoS from flash crowd traffic, and synthetic dataset generation. First, we introduce the background and the reasons we focus on this topic. We then identify the gaps in existing work and present our contribution along with the proposed method. The results of each step are shown and discussed. Finally, we conclude by connecting the parts of our work together and suggesting future work.