Efficient Filtering of Pulsing DDoS using Incremental Clustering
Date Issued
2016
Date
2016
Author(s)
Chen, Chih-Wei
Abstract
The Low-rate Distributed Denial-of-Service (LDDoS) attack is a network attack technique that can be harmful yet stealthy. One type of LDDoS attack, called the pulsing DDoS attack, leverages the adaptive nature of the TCP congestion control mechanism. Pulsing DDoS attacks can suppress legitimate TCP traffic while sending fewer packets than a traditional flooding DDoS attack. With short bursts of traffic, the pulsing DDoS attack aims to interrupt the target network temporarily so that packet drops occur, leaving users unable to access the network. This kind of attack is crafty and hard for existing defensive approaches to detect efficiently. In this thesis, we propose an efficient LDDoS defense mechanism using incremental clustering. Instead of keeping per-flow state, which is too heavyweight for core routers, we classify flows according to the amount of traffic they sent during congestion periods. Groups with larger flows get a lower priority and are blocked earlier during congestion. In this way, we increase the probability that small TCP traffic passes the link, and we block the huge flows, most of which are malicious. In addition, we record the data necessary for the clustering and other related work in Bloom filters to keep up with high-speed per-packet processing.
Subjects
DDoS
pulsing attack
low rate attack
bloom filter
Type
thesis
File(s)
Name
ntu-105-R03922110-1.pdf
Size
23.32 KB
Format
Adobe PDF
Checksum
(MD5):2d9c7b7b4d5cd5cfca76e10cc6e70346