A New Information-Based Heuristic for Distributed DDoS Detection and Mitigation: Distributed and Collaborative DDoS Detection


Abdenacer Nafir, Smaine Mazouzi, Salim Chikhi
Copyright: © 2022 |Pages: 16
DOI: 10.4018/IJOCI.312221

Abstract

This paper introduces a novel collective method for DDoS detection. The method is distributed and implemented as a multi-agent system in which each local decision is based on an information-theoretic heuristic, namely entropy. According to the entropy it computes, a router exchanges data with its neighbors so that they can collectively decide whether a DDoS attack is ongoing. Most entropy-based works in the literature use the entropy of source addresses. The authors' method instead uses the entropy of the distances traveled by the packets, which makes the attack hard to disguise by spoofing IP packets. Each router combines its decision with those of its neighbors. Such collective detection allows a defense to be applied against the attack even when the victim is already out of service, or cannot perform DDoS mitigation itself because the traffic in its neighborhood is congested. Experiments conducted on the OMNeT++ platform show the potential of the new method for efficient collaborative and distributed detection and mitigation of DDoS attacks.

Introduction

With today's high level of Internet connectivity, connected devices undergo hundreds of attacks every day (Thonnard et al., 2012; Mahjabin et al., 2017). This intense and harmful activity can be explained by the emergence of a new profile of attacker. Indeed, in recent years attacks have been carried out for financial gain (Al-rimy et al., 2018; Thonnard et al., 2012), which has produced a large community of attackers who design and use ingenious attacks and eventually rent or sell them on the Internet.

Code vulnerabilities continue to be discovered every day (Kamble & Bhutad, 2018), leaving both computers and networks insecure. Such vulnerabilities render defense mechanisms ineffective and allow attackers to easily compromise unsecured computers, which can then be used as bots to perform Distributed Denial of Service (DDoS) attacks. The DDoS-for-hire service Webstresser.org (Kaspersky Lab, 2018), one of the largest of its kind, was shut down by Europol in 2018; when it was inspected it had recorded more than 3,600 users who had committed more than 6 million DDoS attacks. Researchers and security professionals are therefore called upon to propose new solutions for the new attack schemes, which are now mostly distributed. Typically, a DDoS attack is performed by a large set of compromised computers against a targeted victim. On an isolated computer or network router, such an attack is hard to detect because it looks like ordinary, or at worst intense, traffic. To detect such an attack efficiently, the routers and hosts that form the network nodes must collaborate.

To do that, the interconnected routers of a network should exchange security records, mainly those concerning DDoS attacks, which allows the ensemble of routers to collectively detect whether a DDoS attack is underway. Nevertheless, two problems must be addressed and resolved. First, how can interconnected nodes communicate security information efficiently without adding to the network load? Second, how are anomalies in the network traffic detected? Detection amounts to discriminating normal situations from the abnormal ones observed during a DDoS attack, which is hard because attackers take measures to make the attack stealthy, classically by means of spoofing techniques.

This paper introduces a new collaborative technique for DDoS detection and mitigation that can be used in wide area networks (WAN) or in dynamic networks such as wireless sensor networks (WSN). The proposed technique aims at detecting a DDoS attack at both the network level and the host level. It provides early detection that starts at the routers in the core of the network; host-based mitigation alone is usually ineffective, because the host finds itself down once the attack reaches it. In the proposed technique, a local detector of traffic anomalies, which works like a classical behavior-based IDS (Intrusion Detection System), is installed at every router. The detector continuously computes the entropy of the distances travelled by the packets that cross the router. This entropy serves as an informational heuristic: a low entropy indicates a DDoS attack, so the router can decide that a DDoS attack is being observed at its location. Each router shares the local decision it derived from the observed traffic anomalies with the routers to which it is directly connected. The overall decision at a given router therefore results from its own decision combined with those of its neighboring routers.
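As an added worked example (not the authors' code and not code from the paper), the router-local entropy heuristic described above and in the abstract, followed by the neighbor-combination step. The page does not say how the paper measures the distance a packet has traveled, nor which rule combines a router's decision with those of its neighbors; here distance is estimated as a hop count from the IPv4 TTL against the common initial TTL values 64/128/255, the combination rule is a strict majority vote, and the 2-bit entropy threshold and all packet samples are constructed for illustration. The constructed attack traffic spoofs 200 distinct source addresses, so source-address entropy rises while hop-distance entropy falls, which is the distinction the abstract draws.

```python
from collections import Counter
from math import log2

# Initial TTL values of the common OS families. Assumption: the page does not
# say how the paper measures "distance traveled", so hop count is estimated
# here as (nearest plausible initial TTL) - (observed TTL).
INITIAL_TTLS = (64, 128, 255)


def hops_from_ttl(ttl):
    """Estimate the hops a packet has traveled from its observed IPv4 TTL."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial - ttl
    return None  # TTL above 255 is invalid; the packet is ignored


def shannon_entropy(counts):
    """Shannon entropy in bits of a dict/Counter of occurrence counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum(c / total * log2(c / total) for c in counts.values() if c)


def local_decision(packets, threshold_bits=2.0):
    """Router-local detector: a DDoS is suspected when hop-distance entropy
    is low. packets is an iterable of (source_ip, ttl). Returns
    (is_attack, hop_entropy, source_entropy). threshold_bits is an assumed
    tuning parameter, not a value taken from the paper."""
    hops = Counter()
    sources = Counter()
    for src, ttl in packets:
        h = hops_from_ttl(ttl)
        if h is None:
            continue
        hops[h] += 1
        sources[src] += 1
    h_hops = shannon_entropy(hops)
    h_src = shannon_entropy(sources)
    return h_hops < threshold_bits, h_hops, h_src


def collective_decision(own, neighbor_decisions):
    """Combine a router's decision with its direct neighbors' decisions.
    Assumption: the page gives no combination rule; a strict majority of
    the router's own vote plus its neighbors' votes is used here."""
    votes = [own, *neighbor_decisions]
    return 2 * sum(votes) > len(votes)


# Constructed sample traffic (not from the paper).
# Normal: 20 packets from 20 hosts at varied distances, behind the 64/128/255
# initial TTLs of Linux, Windows and network devices respectively.
NORMAL_PACKETS = [
    (f"10.{i % 7}.{i}.{i + 1}", ttl)
    for i, ttl in enumerate([59, 119, 241, 52, 125, 57, 111, 233, 55, 117,
                             49, 122, 225, 61, 115, 54, 120, 237, 58, 108])
]
# Attack: 200 packets carrying 200 distinct (spoofed) source addresses, but
# emitted by two bots that each sit at a fixed distance from this router.
ATTACK_PACKETS = [
    (f"203.0.113.{i}", 118 if i % 3 == 0 else 116) for i in range(200)
]

if __name__ == "__main__":
    for name, pkts in (("normal", NORMAL_PACKETS), ("attack", ATTACK_PACKETS)):
        flagged, h_hops, h_src = local_decision(pkts)
        print(f"{name}: hop entropy={h_hops:.2f} bits, "
              f"source entropy={h_src:.2f} bits, local DDoS={flagged}")
    # A router that sees nothing abnormal itself still joins the collective
    # verdict once a majority of its neighbors report the attack.
    print("collective:", collective_decision(False, [True, True]))
```

The normal sample spreads its 20 packets over 17 distinct hop counts (about 4.0 bits), while the attack sample collapses onto two hop counts (about 0.9 bits) even though its 200 spoofed addresses give a higher source entropy (about 7.6 bits) than the normal traffic; a source-address detector would see nothing suspicious, the hop-distance detector fires.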
