Use of IP addresses for high rate flooding attack detection

Ahmed, Ejaz, Mohay, George M., Tickle, Alan, & Bhatia, Sajal (2010) Use of IP addresses for high rate flooding attack detection. In Proceedings of 25th International Information Security Conference (SEC 2010), Springer, Brisbane, Queensland.

View at publisher


High-rate flooding attacks (aka Distributed Denial of Service or DDoS attacks) continue to constitute a pernicious threat within the Internet domain. In this work we demonstrate how using packet source IP addresses coupled with a change-point analysis of the rate of arrival of new IP addresses may be sufficient to detect the onset of a high-rate flooding attack. Importantly, minimizing the number of features to be examined, directly addresses the issue of scalability of the detection process to higher network speeds. Using a proof of concept implementation we have shown how pre-onset IP addresses can be efficiently represented using a bit vector and used to modify a “white list” filter in a firewall as part of the mitigation strategy.

Impact and interest:

4 citations in Scopus
5 citations in Web of Science®
Search Google Scholar™

Citation counts are sourced monthly from Scopus and Web of Science® citation databases.

These databases contain citations from different subsets of available publications and different time periods and thus the citation count from each is usually different. Some works are not in either database and no count is displayed. Scopus includes citations from articles published in 1996 onwards, and Web of Science® generally from 1980 onwards.

Citations counts from the Google Scholar™ indexing service can be viewed at the linked Google Scholar™ search.

Full-text downloads:

417 since deposited on 08 Sep 2010
18 in the past twelve months

Full-text downloads displays the total number of times this work’s files (e.g., a PDF) have been downloaded from QUT ePrints as well as the number of downloads in the previous 365 days. The count includes downloads for all files if a work has more than one.

ID Code: 34395
Item Type: Conference Paper
Refereed: Yes
Keywords: IP addresses, bit vector, bloom filter, cumulative sum
Subjects: Australian and New Zealand Standard Research Classification > TECHNOLOGY (100000) > COMMUNICATIONS TECHNOLOGIES (100500) > Computer Communications Networks (100503)
Divisions: Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
Copyright Owner: Copyright 2010 [please consult the authors]
Deposited On: 08 Sep 2010 21:51
Last Modified: 29 Feb 2012 14:20

Export: EndNote | Dublin Core | BibTeX

Repository Staff Only: item control page