A DDoS Detection Method Over Radio Interfaces Based on Multiple Physical Layer Attributes

With the rapid development of Internet of Things (IoT) technologies, increasing number of IoT devices are connected to the wireless network. Random access (RA) is the necessary initial step in establishing a connection. However, the RA process is vulnerable to various attacks due to the openness of the wireless environment. Distributed denial of service (DDoS) is one of the leading attacks significantly violating the usability of wireless networks. Traditional security methods are set up after the RA process and thus can neither detect the RA-oriented attacks nor protect RA from being attacked. In this paper, we consider a typical RA-oriented DDoS attack in which a large number of preambles are illegally occupied to prevent the normal access of legitimate users. We propose a DDoS detection method based on multiple physical layer attributes. The time advance (TA) calculated from the preamble sequences and the carrier frequency offset (CFO) extracted from the preamble signals are jointly utilized to describe the characteristics of different accessing devices. A density-based spatial clustering of applications with noise (DBSCAN) based algorithm is proposed. Simulation results show that the proposed method can detect DDoS attacks with a false alarm rate of 0.6% and a miss detection rate of 0% within 1s. Compared with different benchmarks, the method shows better time efficiency and higher identification accuracy. It can reduce the access failure rate by 40% when the attack situation is relatively mild and can reduce the access failure rate by 61% when the attack situation is relatively serious.