
Scalable Real-Time DDoS Traffic Monitoring and Characterization

Posted on: 2019-09-06
Degree: M.S
Type: Thesis
University: University of California, Los Angeles
Candidate: Huyn, Joojay
Full Text: PDF
GTID: 2478390017989279
Subject: Computer Science

Abstract/Summary:
High-volume DDoS attacks continue to cause serious financial losses and damage to company reputations, despite years of research in preventing and mitigating them. Many proposed techniques for handling these attacks assume that the attack has already been detected and its traffic properly characterized; yet, existing methods of detecting and characterizing such attacks have not been widely adopted, for various reasons. We describe a scalable real-time DDoS monitoring system that leverages modern big data technologies to effectively analyze high-volume DDoS attacks. Evaluated on multiple large-scale traffic datasets that capture recent real-world DDoS attacks and synthetic traffic based on sophisticated attack characteristics, our approach detects and characterizes these attacks quickly and accurately. Furthermore, we show that our monitoring system 1) clearly justifies its decisions resulting from explainable analysis of input traffic volume metrics, thus increasing monitoring transparency and facilitating the diagnosis and debugging of monitoring performance for network security teams, and 2) leverages identified attack characteristics to separate benign from malicious traffic and send helpful defense recommendations, the identified attack characteristics and malicious traffic traces, to downstream DDoS traffic filtering systems.
Keywords/Search Tags: DDoS, Traffic, Attack, Monitoring