A Low-rate DoS Detection Based on Rate Anomalies

Low-rate Denial-of-Service attacks are stealthier and trickier than traditional DDoS attacks. According to the characteristic of periodicity and short burst in LDoS flows, a detection measure against LDoS attacks based on rate anomalies has been proposed. In the period when the router packet loss-rate is abnormal caused by the attack pulse, the rate of attack flow is large, while in other time the rate of attack flow is close to 0. In the view point of the periods that the packet loss is abnormal, we can find that the attack flow rate is far higher in these periods than the average rate, while the normal flow is lower to the average rate. In this paper, we proposed a measure that observes the flow rate in the periods that the packet loss rate is abnormal, computing the difference of the rate in these periods and the average rate. If it is beyond a certain threshold, treats the flow as a malicious flow and filters the flow with corresponding method.