A new metric for flow-level filtering of low-rate DDoS attacks

Low-rate distributed denial-of-service (LDDoS) attacks dramatically reduce transmission control protocol throughput by exploiting the vulnerability in the transmission control protocol congestion control mechanism. The current study proposes a new metric called mean Internet Protocol (IP) packet delay variation (mipdv) to detect LDDoS flows and a filtering method called ipdv-based LDDoS filtering (ILF) using mipdv. Receiving first seven packets from a flow is sufficient to calculate the mipdv metric. Subsequently, mipdv can be recalculated for each received packet. This makes the detection of LDDoS flows possible in a short time (in a few tens of milliseconds in most cases). Ns2 simulations were conducted to evaluate the performance of ILF. Experimental results show that ILF detects LDDoS flows in a very short time with very high accuracy. Copyright (C) 2015 John Wiley & Sons, Ltd.