Detecting distributed denial of service attack traffic at the agent machines

Due to financial losses caused by Distributed Denial of Service (DDoS) attacks, most defence mechanisms have been deployed at the network where the target server is located. We believe this paradigm should change in order to tackle the DDoS threat in its basis: thwart agent machines participation in DDoS attacks. Our proposal consists of developing an agent to monitor the packet traffic rate (outgoing packets / incoming packets). Our first deployment is based upon characterizing TCP connections; normal TCP connections can be characterized by the ratio of the sent packets to the received packets from a given destination [1]. Preliminary results have shown that the traffic ratio values usually present larger values at the beginning of the run when there are not enough packets to make a decision on whether or not traffic is legitimate. A low value for threshold allows for faster attack detection, but it also increases the number of false-positives.