FHSD: an improved IP spoof detection method for web DDoS attacks

Stavros N. Shiaeles, Maria Papadaki*

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

Distributed denial of service (DDoS) attacks represent a significant threat for companies, affecting them on a regular basis, as reported in the 2013 Information Security Breaches Survey (Technical Report, http://www.pwc.co.uk/assets/pdf/cyber-security-2013-technical-report.pdf). The most common target is web services, whose downtime can lead to significant monetary costs and loss of reputation. IP spoofing is often used in DDoS attacks not only to protect the identity of the offending bots but also to overcome IP-based filtering controls. This paper proposes a new multi-layer IP spoofing detection mechanism, called the fuzzy hybrid spoofing detector (FHSD), which is based on source MAC address, hop count, GeoIP, passive OS fingerprinting and web browser user agent. The hop count algorithm has been optimized to limit the need for continuous traceroute requests by querying the subnet IP address and GeoIP information instead of individual IP addresses. FHSD uses fuzzy empirical rules and the fuzzy largest-of-maximum operator to identify offending IPs and mitigate offending traffic. The proposed system was developed and tested against the BoNeSi DDoS emulator with encouraging results in terms of detection and performance. Specifically, FHSD analysed 10 000 packets and correctly identified 99.99% of spoofed traffic in <5 s. It also reduced the need for traceroute requests by 97%.

Original language: English
Pages (from-to): 892-903
Number of pages: 12
Journal: Computer Journal
Volume: 58
Issue number: 4
DOIs
Publication status: Published - 16 Sept 2015

Keywords

  • anomaly detection
  • distributed denial of service attack
  • fingerprinting
  • HCF
  • hop counting
  • IP2HC mapping
  • network anomaly
  • spoofing detection
  • user agent
