Detecting Amplification DDoS Attacks in Multi-Cloud Environments

Abstract

Cloud computing has become the latest foundation of modern life during the past few years, not only for hosting and delivering services and data over the internet, but also for social medias, contactless payments and Fintech applications. Multi-cloud architecture represents a strategic approach to cloud computing where organisations utilise services from multiple cloud service providers. Nowadays, multi-cloud architecture is widely used across almost all sectors. They are increasingly adopted by enterprises across industries for improved resilience, scalability, and strategic advantages, though they present new challenges, especially in security. The multi-cloud architecture expands vulnerabilities from inter cloud integrations and operations, cross provider collaborative and infrastructural links, diverse third-party services and complex network topologies. Traditional trust boundaries become fragmented, because single perimeters are no longer sufficient. Multi-region monitoring and detecting models and frameworks at infrastructure levels need to be developed to tackle new challenges.
This thesis proposes an infrastructure-level attribution model for detecting amplification DDoS attacks in multi-cloud environments, based on multi-region consistency in Time-to-Live (TTL) parameters. Unlike traceback techniques that depend on Internet Service Provider cooperation and fine-grained routing-layer visibility, the new method operates without external dependencies. It monitors distributed cloud vantage points. By collecting and correlating TTL values across regions, the model formulates spatial consistency, deviation, and agreement patterns, reflecting properties of the underlying attacks at infrastructure level.
The newly developed multi-region TTL-based attribution model formalises cross-region relationships and integrates them into a quantitative measurement for attribution and severity inference, as well as providing a more stable basis for inferring shared infrastructure properties. A prototype environment based on a simulation-driven experimental setup with real-world data from StopDDoS PCAP datasets has been developed to test and evaluate the new model.

Date of Award	18 May 2026
Original language	English
Awarding Institution	University of Portsmouth
Supervisor	Shikun Zhou (Supervisor), David Sanders (Supervisor) & Nicholas John Savage (Supervisor)