Source PDF: spi.unob.cz/papers/2015/2015-12.pdf


Testing of DDoS Protection Solutions

Lukas Malina, Petr Dzurenda, Jan Hajny

[email protected], [email protected], [email protected]

Faculty of Electrical Engineering and Communication, Brno University of Technology

Brno, Czech Republic

Abstract

Distributed Denial of Service (DDoS) attacks invade networks and web services every day. Many current research projects and activities try to design various DDoS protection solutions. Nevertheless, there are more and more advanced DDoS attacks that are ingenious and powerful, which may mean that many of these comprehensive DDoS protection solutions are not so efficient and do not fully mitigate advanced DDoS attacks. Accordingly, it is important to test DDoS protection solutions and reveal their limitations and bottlenecks before deploying them in networks. This work deals with DoS and DDoS detection techniques and presents testing procedures for DDoS protection solutions. We describe the state of the art in detection techniques for current DDoS attacks. The techniques are based on signature and anomaly detection. Other alternative approaches are also evaluated and their advantages and drawbacks are discussed. Besides these detection techniques, we survey DDoS protection solutions and special DDoS protection appliances and evaluate them.

Further, we introduce two testing procedures for observing the behaviour of network security and DDoS protection appliances during DDoS attacks. The first testing procedure is based on a software DDoS generator that runs on a common server or personal computer. The paper also presents various software DDoS generators and their specifications. The second testing procedure uses the professional stress tester Spirent Avalanche, which can generate various types of DDoS attacks. This stress tester is able to mix legitimate traffic with DDoS attacks and emulates various communication protocols and services. We evaluate these testing procedures and present our experimental results for both approaches. We focus on the performance and modularity of these testing procedures and the range of DoS/DDoS attacks that can be generated.

Keywords: DoS Attacks, DDoS Attacks, DDoS protection, DDoS detection, network, security, tests.

1 Introduction

Internet services, websites and web applications are used by many clients every day. These services must work correctly and must be available to the users who rely on them. Nevertheless, the Internet connection enables various attackers to hit these services and cause economic damage through the malfunction or interruption of these services. Distributed denial of service attacks have become very frequent nowadays. Generally, a Denial of Service (DoS) attack is performed by one host. Distributed DoS attacks are sent by several hosts or bots that are controlled by an attacker. These attacks usually flood services at target devices connected to the Internet. The basic principle of DDoS attacks is depicted in Figure 1. In the figure, the combination of flood DDoS and amplification flood DDoS attacks is shown. More information about the types of DDoS attacks can be found in the paper [1].

Figure 1: The principle of DDoS attacks (Flood and Amplification attacks).

DoS/DDoS attacks are threats especially for high-profile web services and the sites of financial institutions, governments and large corporations. Many of these institutions use data centers that are very often targets of sophisticated and powerful attacks. There are many solutions, techniques and appliances that try to mitigate DoS/DDoS attacks. Testing these solutions and devices provides important information about the defense of the sites and services. The test outputs can help to better configure the employed devices and fix the bottlenecks in the security solutions. There are many test appliances that can provide this testing. Nevertheless, these appliances are usually expensive. Therefore, owners of websites and services are not able to test their security solutions and perform the stress tests needed to detect bottlenecks and the limits of their sites.

In this paper, we present some state of the art DDoS detection techniques (Section 2) and protection solutions and appliances (Section 3). Then, we describe popular DDoS testing tools and appliances (Section 4). The main contribution of this work can be found in Sections 5 - 7, where we introduce the DDoS testing procedures which are based on a software DDoS generator (Section 5) and a hardware appliance (Section 6). Section 7 discusses the pros and cons of these two procedures and compares them.

2 DDoS/DoS Detection Techniques

In this section, we describe basic DDoS/DoS detection techniques that try to detect DoS/DDoS attacks in data traffic or in a network. The detection can help to mitigate the damaging effects of the attack. The detection must be fast and precise and should produce a minimum number of false positive alerts. The detection devices/tools are often called Intrusion Detection Systems (IDS). A study and basic classification of IDS devices is presented in the work [2]. Generally, DDoS/DoS detection techniques can be divided into two approaches: signature detection and anomaly detection. Nevertheless, we add hybrid and alternative detection techniques as a third group.

2.1 Signature detection techniques

Signature detection methods are based on knowledge of DDoS attack patterns. These signatures/patterns are usually observed by security experts. Then, the patterns are implemented into network security devices and IDS. These devices must monitor packets and recognize the patterns of incoming DDoS attacks. This type of detection is fast but is effective only against already known DDoS attacks. There are many DoS/DDoS attacks (e.g. TCP mixed flag attacks, X-mas tree attacks) that can be easily detected by this technique. On the other hand, signature detection techniques are not able to recognize unknown DoS/DDoS attacks. More details about signature detection techniques can be found in papers [3] and [4].

2.2 Anomaly detection techniques

This type of detection method detects and classifies attacks by the anomalies they cause in network traffic. There are attacks, such as flooding attacks, that use a large number of TCP-SYN, UDP or ICMP packets. This increase can be observed as an anomaly in the normal network traffic. Classic anomaly detection techniques can be based on the observation of dynamic statistical properties of network traffic, e.g., time to live, IP header information and other data. Some of these techniques are described in papers [5], [6], [7]. The paper [8] presents the possibility of using Artificial Intelligence (A.I.) tools, e.g., neural networks and genetic algorithms, to detect unusual network traffic and to classify DDoS attacks.

A.I. methods are able to learn what normal network traffic looks like, and then the methods can detect and classify anomalies in the traffic. The main disadvantage of anomaly detection methods is a larger number of false positive alarms. Anomaly detection methods are usually slower than signature detection methods because they observe larger samples of data from the network traffic. Nevertheless, these methods might detect unknown and new types of DDoS/DoS attacks.

2.3 Hybrid and alternative detection techniques

These detection techniques are usually based on hybrid or alternative approaches. Hybrid solutions that employ both anomaly and signature methods usually have higher computational and memory complexity. Nevertheless, these hybrid techniques can combine the advantages of signature and anomaly detection methods. On the other hand, some trade-off between anomaly and signature detection techniques must be set.

As a hybrid approach, Blazek et al. [9] propose a method based on statistical analysis of data from different network layers. Their method provides a self-learning process, a small attack detection delay and scalable computational complexity. The paper [10] presents an alternative detection technique that is based on time series analysis. This method provides proactive DDoS detection through the correlation between the victim’s traffic and the attacker’s traffic. Key variables (patterns) are extracted from both traffic streams. The extracted variables can be computed by statistical tools, e.g., the Granger Causality Test, the Auto Regressive Model and so on. Observed deviations from the normal profile then raise attack alarms.
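To make the three approaches of Sections 2.1 to 2.3 concrete, the following Python sketch is an added example (not code from the paper, nor the authors' Python tester) of a minimal hybrid detector run over a constructed packet trace: a signature stage that matches fixed malformed TCP flag combinations (the X-mas tree and mixed-flag packets mentioned in Section 2.1), an anomaly stage that learns a SYN-rate baseline from attack-free windows and alarms on a threshold of mean plus k standard deviations, and a hybrid wrapper that runs both. The rule names, the threshold formula, the window layout and all IP addresses (documentation ranges) are assumptions made for the illustration; the baseline method is a plain statistical threshold, not the change-point method of Blazek et al. [9].

```python
"""Hybrid DDoS detector: signature rules plus a self-learned SYN-rate baseline.

Added illustration, not the paper's code. A packet record is a constructed
tuple (timestamp_s, src_ip, dst_ip, proto, tcp_flags), where tcp_flags is a
set of flag names for TCP packets and None otherwise.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Signature detection (Section 2.1): fixed patterns of known malformed flag
# combinations. The rule set is illustrative, not a vendor's signature file.
SIGNATURES = {
    "xmas_tree": lambda f: {"FIN", "PSH", "URG"} <= f,   # X-mas tree packet
    "syn_fin_mixed": lambda f: {"SYN", "FIN"} <= f,      # mixed-flag packet
    "null_flags": lambda f: len(f) == 0,                  # no flags at all
}


def signature_alerts(packets):
    """Return (rule_name, src_ip) for each TCP packet that matches a rule."""
    alerts = []
    for _ts, src, _dst, proto, flags in packets:
        if proto != "TCP":
            continue
        for name, rule in SIGNATURES.items():
            if rule(flags):
                alerts.append((name, src))
    return alerts


def syn_counts_per_window(packets, window_s):
    """Anomaly detection input: number of SYN-only packets per time window."""
    counts = defaultdict(int)
    for ts, _src, _dst, proto, flags in packets:
        if proto == "TCP" and flags == {"SYN"}:
            counts[int(ts // window_s)] += 1
    return counts


def learn_baseline(counts, training_windows):
    """Self-learning phase (Section 2.2): mean and population std-dev of the
    SYN count over the first training_windows windows, assumed attack-free."""
    sample = [counts.get(w, 0) for w in range(training_windows)]
    return mean(sample), pstdev(sample)


def anomaly_alerts(counts, training_windows, k=3.0, min_margin=5):
    """Flag every post-training window whose SYN count exceeds the baseline by
    more than k standard deviations. min_margin guards against a flat baseline
    (sigma == 0) turning any small increase into an alarm; k trades detection
    delay against the false-positive rate the paper warns about."""
    mu, sigma = learn_baseline(counts, training_windows)
    threshold = mu + max(k * sigma, min_margin)
    last = max(counts) if counts else -1
    return [(w, counts.get(w, 0))
            for w in range(training_windows, last + 1)
            if counts.get(w, 0) > threshold]


def hybrid_detect(packets, window_s=1.0, training_windows=10):
    """Section 2.3 hybrid: run both detectors over the same packet stream."""
    counts = syn_counts_per_window(packets, window_s)
    return {"signature": signature_alerts(packets),
            "anomaly": anomaly_alerts(counts, training_windows)}


def constructed_sample():
    """Constructed traffic: 10 s of normal handshakes from documentation-range
    addresses, then a 2 s SYN flood plus two crafted flag combinations."""
    victim = "198.51.100.1"
    pkts = []
    for sec, n in enumerate([4, 5, 6, 5, 4, 5, 6, 5, 5, 4]):
        for i in range(n):                       # legitimate SYN/ACK pairs
            src = f"192.0.2.{10 + i}"
            pkts.append((sec + 0.1 * i, src, victim, "TCP", {"SYN"}))
            pkts.append((sec + 0.1 * i + 0.05, src, victim, "TCP", {"ACK"}))
    for sec in (10, 11):                         # 150 SYNs/s from many sources
        for i in range(150):
            pkts.append((sec + i / 150, f"203.0.113.{i % 250}", victim,
                         "TCP", {"SYN"}))
    pkts.append((10.5, "203.0.113.7", victim, "TCP", {"FIN", "PSH", "URG"}))
    pkts.append((11.2, "203.0.113.8", victim, "TCP", {"SYN", "FIN"}))
    pkts.append((11.3, "203.0.113.9", victim, "UDP", None))
    return pkts


if __name__ == "__main__":
    result = hybrid_detect(constructed_sample())
    print("signature alerts:", result["signature"])
    print("anomalous windows (index, SYN count):", result["anomaly"])
```

On the constructed trace the signature stage fires only on the two crafted packets, while the flood, which consists of well-formed SYNs, is caught only by the rate baseline (about 4.9 SYN/s learned, 150 SYN/s observed); this is the complementarity that motivates the hybrid approach, and the extra cost is one pass per detector plus the per-window counters, which is the higher computational and memory complexity the section mentions.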

3 DDoS/DoS Protection Solutions and Appliances

This section presents DDoS protection solutions and some DDoS protection appliances and their evaluation. Firstly, we describe protection strategies based on common security devices. Secondly, we present some special anti-DDoS appliances and finally, we describe cloud based DDoS/DoS protection solutions.

3.1 Common network security devices based protection

Network security devices such as firewalls, Intrusion Detection Systems (IDSs), load balancing mechanisms and routers can be employed in comprehensive DDoS protection solutions. Nevertheless, these devices have not been designed to protect against DDoS attacks. Their imperfections are described in the paper [11]. For example, routers with configured Access Control Lists (ACLs) can defend against simple and known DDoS attacks based on nonessential and unwanted protocols, but they are not able to block many attacks that spoof IP addresses. Further, firewalls are designed to control access into and out of private networks. Nevertheless, the CPU and memory of firewalls can be easily saturated by strong flood DDoS attacks. Firewalls usually do not employ antispoofing and anomaly detection mechanisms.

IDSs usually provide signature-based application layer detection, but they are not designed for DDoS mitigation. Besides these network security devices, redundant links and load balancing mechanisms are employed to keep legitimate connections alive when client networks are under DDoS/DoS attack. The cooperation of these security devices and mechanisms has to be set up and maintained. On the other hand, this task is not so easy if the network employs devices from various vendors. Further, some large and sophisticated DDoS attacks can overcome these protections based on security devices.

3.2 Special appliances based protection

Special DDoS/DoS protection appliances offer single-box solutions that can be plugged into networks or data centers to protect services against various types of DDoS/DoS attacks. These special anti-DDoS appliances usually have very strong computational and memory resources. They have good technical support and can mitigate some unknown and large DDoS/DoS attacks.

Some common DDoS/DoS protection appliances are briefly described in the following text:

Radware DefensePro – this series of appliances provides DDoS/DoS mitigation by network-wide protection methods (behavioral analysis, SYN protection, TCP/UDP scanning), server protection methods (connection limit, server-cracking protection, HTTP mitigation), signature-based protection methods and access control lists. The DefensePro x4420 models, which are designed mainly for service providers and clouds, are able to work with network throughputs up to 300 Gbps (model 3004420). The x420 and x412 series provide network throughputs up to 40 Gbps (12 Gbps respectively) and are designed for large data centers, e-commerce and enterprises. The less powerful x016 and x06 series are mainly for medium sized data centers, e-commerce and Internet gateways with network throughputs between 200 Mbps – 3 Gbps.

Check Point DDoS Protector appliances – these appliances block known and unknown DDoS/DoS attacks. Several models of this DDoS protection family are offered for large data centers (X420), data centers (X412) and enterprises (X06). The most powerful appliance, X420, is able to inspect and protect up to 40 Gbps of network traffic. Dedicated hardware acceleration is employed to defend against DDoS/DoS flood attacks with rates up to 25 million packets per second (X420). The technical specification of these appliances claims that detection and protection against attacks takes less than 18 seconds. The Check Point DDoS Protector appliance family protects against TCP, UDP, ICMP, IGMP and Fragment DDoS attacks by using behavioral (anomaly) detection, and against known DDoS attacks by using filters (signature/pattern detection). Further, the appliances are able to protect against application based DDoS/DoS attacks that run over the HTTP and DNS protocols.

FortiDDoS – these DDoS attack mitigation appliances provide Layer 3, 4 and 7 DDoS flood mitigation, packet inspection and anomaly detection techniques. This solution does not use any signature files. The packet inspection is based on techniques such as predictive behavioral analysis, heuristic analysis, granular deep packet inspection, continuous adaptive rate limiting and stateful monitoring for specific attack vectors. FortiDDoS appliances are offered in several models. The most powerful model (2000B) is able to inspect bidirectional traffic up to 24 Gbps. The DDoS attack mitigation response time is less than 2 seconds according to the technical specification of the appliances.

RioRey RG-Series – these appliances provide DDoS protection against 25 classes of DDoS attacks such as TCP, HTTP, UDP or ICMP based attacks. The most powerful model (RG40) is able to work with 200 Gbps bandwidth throughput in an off-ramp hairpinned mode, and for in-line applications the throughput is 100 Gb/s. The solution inspects up to 32 million packets per second. Detection and mitigation of DDoS attacks is automatic and does not use traffic patterns. DDoS detection time is 30 - 90 seconds and mitigation takes 90 – 120 seconds. The solution uses source and destination IP white and black lists.

Juniper DDoS Secure – these appliances provide fine-grained DDoS mitigation. DDoS Secure protects against flood and application-layer DDoS attacks by using methods such as heuristic analysis and inspection and dynamic, self-learning thresholds. The model 1200-SR/LR is able to work with 10 Gbps bandwidth throughput, and a cluster solution can work with up to 160 Gb/s throughput.

Generally, the special appliances developed by IT network security companies are usually focused on large data centers and e-commerce clients. The main advantage of these appliances is their single-box usage and the high performance that is demanded in these large scale networks. The cons of these special appliances are their high cost (tens of thousands of euros) and the restricted expansion of the protection solution if clients extend their data centers or networks.

3.3 Cloud based protection

Nowadays, there are many cloud based DDoS protection providers who offer DDoS/DoS protection as a service. This service is especially used by small and medium businesses and enterprise-level companies who cannot afford the special anti-DDoS appliances. When a DDoS/DoS attack is detected at the client side, the whole inbound traffic is redirected to a cloud DDoS protection technology, more precisely, the nearest cloud center of the provider, which employs DDoS filtering techniques to remove the DDoS traffic and routes the legitimate traffic back to the client.

Cloud DDoS protection services and providers such as Incapsula, Defense.net, Prolexic DDoS Mitigation Services, Verisign DDoS Protection Services, CloudFlare Enterprise, Nexusguard and others usually rent their services for one year for thousands to tens of thousands of euros. Nevertheless, using cloud based DDoS protection services can be less expensive for certain types of clients (small/medium high-profile ecommerce companies) than employing special anti-DDoS appliances. On the other hand, the detection and mitigation of DDoS/DoS attacks takes a longer time due to the routing.

4 DDoS/DoS Testing Tools and Appliances

In this section, we describe existing DDoS/DoS testing appliances and tools. Testing the protection of appliances and network devices against DoS and DDoS attacks can be realized by generating these attacks with SW tools and HW devices. Besides these software tools and hardware appliances, there are many online DDoS tests that are provided as a service by many web sites, e.g. ipstresstest.com, iDDos.net, redwolfsecurity.com, IONBooter.com. Nevertheless, we focus solely on special HW appliances and SW tools that can be used in our laboratory DoS/DDoS test procedures. These devices and tools, which can be appropriate for certain laboratory testing, are described in the following subsections.

4.1 Software DDoS/DoS generators/testers

Software DDoS generators and program tools are usually easy to acquire. These tools are often open source and can be downloaded for free. The tools can be started on common computers and servers which are connected to the target that is being tested.

Some popular software DDoS/DoS generators and tools are briefly described in the following text:

Low Orbit Ion Canon (LOIC) – this open source tool, which is written in C#, provides stress testing and can generate various flooding HTTP, TCP and UDP attacks. LOIC is easy to use due to its graphical interface and enables DDoS attacks when it is used by multiple users.

XOIC – this tool is similar to LOIC. The tool provides DoS attacks based on the TCP, UDP, ICMP and HTTP protocols that are efficient against small websites.

DDOSSIM – this program, which is written in C++, can simulate several zombie hosts having random IP addresses. The tool generates DDoS attacks such as TCP-connection-based attacks, application layer-based DDoS attacks, HTTP DDoS attacks, SMTP DDoS attacks and TCP flood attacks on random ports. DDOSSIM runs on Linux systems.

PyLoris – this tool, which is written in Python, can be used for testing servers. The tool provides a simple graphical interface and can generate various DoS attacks based on protocols such as HTTP, FTP, SMTP, IMAP and Telnet to hit a specific service.

OWASP DOS HTTP POST – this tool performs DoS attacks based on the HTTP protocol. The tool has been developed by the OWASP (Open Web Application Security Project) group to provide an L7 DoS testing tool for websites.

SlowLoris – this DoS tool generates only one type of slow denial of service attack. The tool exhausts an HTTP server by holding connections open through sending partial HTTP requests. This tool, which is programmed in Perl, does not provide TCP/UDP DoS attacks or other flood attacks.

R-U-D-Y – this DoS tool creates HTTP POST-based DoS attacks. The tool generates low and slow attacks which open only a few connections but keep the connections open for a long time period.

Tor’s Hammer – this program, which is written in Python, uses HTTP POST-based DoS attacks. The attacks can be sent anonymously via the TOR network.

Others – there are many tools that can be used for testing or for hacking, such as GoldenEye HTTP Denial Of Service Tool, DAVOSET, HULK (HTTP Unbearable Load King).

Many of the described software DDoS/DoS tools focus solely on testing web servers, such as the OWASP DOS HTTP POST tool, SlowLoris, R-U-D-Y, Tor’s Hammer, HULK. Some tools such as LOIC, XOIC, DDOSSIM and PyLoris can be used to test other services such as SMTP, FTP and can be used to flood servers and test their limits.

4.2 Hardware DDoS/DoS generators/testers

There are appliances that can serve as hardware DDoS generators. These appliances mainly serve as powerful stress testers and traffic and protocol emulators, and enable testing of network devices or whole network segments and solutions. These appliances are usually based on multi-core processors, large memory and network interfaces with high throughput. These hardware based DDoS testers are very powerful and can generate large traffic volumes and DDoS attacks. The main disadvantage of these appliances is their cost.

Common hardware DDoS generators and appliances are briefly described in the following text:

Spirent Avalanche 3100 B – this appliance can generate 16 types of DoS/DDoS attacks (L2/L4) and 3500+ L7 application attacks and mix these attacks into the normal traffic. Avalanche 3100B, which is depicted in Figure 2, provides 10 Gbps fiber interfaces and generates up to 300 000 HTTPS requests per second or 30 million concurrent connections. The appliance emulates various protocols at layers 4 – 7 and can simulate the real behavior of website clients. Avalanche 3100B is able to generate large traffic with DoS/DDoS attacks to test servers, sites or whole network parts. Moreover, the emulation of the client and server sides can be performed at the same time. Therefore, the appliance is able to test network defense devices, firewalls, routers and so on. There is also an attack designer component which is part of this tester and enables adding one’s own attacks.

Ixia Xcellon-Ultra XT – this appliance emulates various protocols at layers 4 – 7 (clients and servers). The performance of the appliance depends on the type of the hardware chassis. For example, the strongest type, XT80-V2, provides 8 x 10 GE ports and is able to generate 3 million HTTP connections per second and 400 000 SSL connections per second. The appliance can also emulate well-known DDoS attacks.

Figure 2: Spirent Avalanche 3100 B stress tester.

5 Software Based DDoS/DoS Testing Procedure

In this section, we present our proposal of a software based DDoS/DoS testing procedure. We describe the chosen testing topology with the chosen devices and the details of the procedure. Then, we present the performance results of this procedure.

5.1 Testing topology and procedure description

The testing topology consists of two switches (Cisco Catalyst 2960 and Linksys EG008W), a server/PC which generates DoS traffic – the SW DoS generator, a control terminal, service/site clients (a voluntary node which emulates clients, or routed real clients’ traffic) and a tested device. This testing topology, which is based on the software DoS generator, is depicted in Figure 3.

Figure 3: Testing topology with software-based DoS generator.

The most important part is the SW DoS generator node. We use a server with Linux OS (Debian 7.4). This device must have two network interfaces with high throughput (at least 1 Gbps). The first interface is used for configuration and remote control. The second interface is used for sending the DoS traffic to the tested device. The generator can employ any of the existing software DDoS testers that are described in Section 4.1, but we use a simple script to generate DDoS/DoS attacks. The implemented DoS tester program which generates DoS attacks is written in Python. The program provides 5 types of DoS attacks, namely TCP-SYN DoS attack, TCP-RST DoS attack, TCP Xmas DoS attack, UDP flood attack and ARP DoS attack.

The hardware of the SW DoS generator node should be powerful (strong CPU and memory) to generate a large number of packets. The tested device can be a web server, a firewall, a router and so on. If we want to test web servers or other services, we should emulate website/service clients’ traffic by a client emulator application and mix it with DoS traffic using a high performance switch (Switch 2) to get realistic results. If we test firewall or router performance and DoS mitigation functions, we can generate DoS attacks directly (Switch 2 is not needed). The control terminal is used for remote control and configuration of the nodes and devices in the testing topology via Switch 1.

5.2 Testing the performance results

We test our procedure with two differently powerful hardware nodes (HW1: CPU Intel Xeon E5310 @ 1.6 GHz, RAM 2 GB / 333 MHz; HW2: CPU Intel Xeon E3440 @ 2.53 GHz, RAM 8 GB / 1 333 MHz). Figure 4 shows how important the hardware specification of the SW DoS generator is. The more powerful device HW2 is able to generate more DDoS packets than device HW1 (HW2 around 204 000 – 255 000 packets per second and HW1 around 171 000 – 238 000 packets per second). The most packets can be generated by using the ARP flood attack. Nevertheless, in practice the number of packets can be limited by the network interface used (1 Gbps in this measurement).

Figure 4: Comparison of software-based DoS generator performance which runs on different hardware platforms.

6 Appliance Based DDoS/DoS Testing Procedure

In this section, we present an appliance based testing procedure. We describe the testing topology and details of this procedure. Then, we show some example results.

6.1 Testing topology and procedure description

The testing topology consists of one switch (Cisco Catalyst 2960), a test appliance which generates normal traffic and DDoS/DoS traffic, a control terminal and a tested device. This testing topology, which is based on a DDoS/DoS test appliance, is depicted in Figure 5.

Figure 5: Testing topology with DDoS/DoS test appliance.

The most important part of this procedure is the test appliance. We use the Spirent Avalanche 3100B stress tester. This tester, which is briefly described in Section 4.2, is used for generating DDoS/DoS traffic and normal traffic from emulated clients or servers. The tester provides 16 types of DDoS/DoS attacks. Furthermore, there is an attack designer component which can be used to implement new attacks for testing purposes. The advantage is that the emulation of the client and server/service sides is in one single device. The tester is able to generate several attacks at one time and mix them with emulated traffic to get more realistic results. Thus, we can test a wide range of network security devices and network services. The control terminal is used for remote control and configuration of the test appliance and the tested device in the topology via Switch 1. The connection between the test appliance and the tested devices should have high throughput (e.g. 10 Gbps fiber interfaces). Example results with the tested device Firewall ASA 5510 during SYN flood attacks are depicted in Figure 6.

Figure 6: Throughput of Cisco Firewall ASA 5510 with DDoS SYN flood attacks.

6.2 Testing the performance results

Spirent Avalanche 3100 B has several interfaces with 10 Gbps and 1 Gbps throughput. Using a 1 Gbps interface, the appliance is able to generate a huge number of DDoS packets (up to several million) per second, until the link is saturated. Using one 10 Gbps interface, this appliance is able to generate around 7.5 million DDoS packets (SYN flood) per second. Avalanche 3100 B is able to mix normal and DDoS traffic. Further, we can configure many options of DDoS attacks (rate, delay, iterations, duration and so on) and test several DDoS attacks in one test scenario.

7 Evaluation of Testing Procedures

In the following text, we evaluate both presented procedures and describe their advantages and drawbacks.

The main advantages of the software based DDoS testing procedure are usually low cost and easy deployment in various networks. Nevertheless, the disadvantages of this procedure are usually a smaller number of DDoS/DoS attacks, limited setup of the attacks, the need to do client/server emulation on another device, and the performance of the DDoS traffic depending on the server’s HW specification.

The main advantages of the appliance based DDoS testing procedure are usually a sufficient number of DDoS/DoS attacks, advanced setup of the attacks, client/server emulation in the same device, mixing of normal and DDoS traffic, strong performance of the attacks due to the strong HW specification of the appliances, and technical support. On the other hand, the main disadvantage of the appliance based DDoS testing procedure is usually the higher cost of the main test appliance.

The software based DDoS testing procedure is suitable for testing small and medium sized networks and the devices employed in these networks. The appliance based procedure is more suitable for testing medium and large sized networks and for the professional testing of various security network devices that must be comprehensively tested.

8 Conclusions

In this paper, we described and evaluated the basic DDoS/DoS detection techniques (anomaly, signature and hybrid) and three DDoS/DoS protection approaches (based on security network devices, anti-DoS appliances and the cloud). Cloud based DDoS mitigation solutions are more appropriate for small and medium sized networks due to modest costs, a high percentage of DDoS mitigation and solid detection and mitigation response times (minutes). Nevertheless, anti-DDoS/DoS appliance based protection solutions are usually more costly than cloud based protection solutions, but they should be employed in high-profile large e-commerce and data centers due to faster DDoS/DoS detection and mitigation and the higher frequency of attacks.

The paper also describes some common hardware and software based DDoS/DoS generators and testers and their specifications, and two DDoS/DoS testing procedures are presented. The software based testing procedure is able to test some basic DoS/DDoS attacks and flood less powerful network devices to find their limits. For example, the DDoS SYN attack is generated at up to 208 000 packets per second. The appliance based testing procedure is able to test this DDoS SYN attack at up to 7.5 million packets per second if Avalanche 3100B with a 10 Gbps interface is employed. For the professional testing of larger networks and some special security devices, the appliance based procedure is more appropriate than the software based procedure due to its performance and configuration options.

Acknowledgements

Research described in this paper was financed by the National Sustainability Program under grant LO1401, by the Czech Science Foundation under grant no. 14-25298P and the Technology Agency of the Czech Republic project TA0301081. For the research, infrastructure of the SIX Center was used.

References

[1] Dzurenda, P., Martinasek, Z., Malina, L.: Network Protection Against DDoS Attacks. International Journal of Advances in Telecommunications, Electrotechnics, Signals and Systems 4, no. 1, pp. 8-14, 2015.

[2] Alenezi, M., Reed, M.: Methodologies for detecting DoS/DDoS attacks against network servers, in ICSNC 2012, The Seventh International Conference on Systems and Networks Communications, pp. 92-98, 2012.

[3] Peng, T., Leckie, C., Ramamohanarao, K.: Survey of network based defense mechanisms countering the DoS and DDoS problems, ACM Computing Surveys (CSUR), vol. 39, 42 pages, 2007.

[4] Kompella, R. R., Singh, S., Varghese, G.: On scalable attack detection in the network, in Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement. ACM Press, New York, pp. 187-200, 2004.

[5] You, Y., Zulkernine, M., Haque, A.: Detecting flooding-based DDoS attacks, pp. 1229-1234, 2007.

[6] Talpade, R., Kim, G., Khurana, S.: NOMAD: Traffic-based network monitoring framework for anomaly detection, in Fourth IEEE Symposium on Computers and Communications, pp. 442-451, 1999.

[7] Kim, Y., Jo, J. Y., Suh, K. K.: Baseline profile stability for network anomaly detection, International Journal of Network Security, vol. 6, no. 1, pp. 60–66, 2008.

[8] Jalili, R., Imani-Mehr, F., Amini, M., Shahriari, H. R.: Detection of distributed denial of service attacks using statistical pre-processor and unsupervised neural networks, in Information Security Practice and Experience. Springer, pp. 192–203, 2005.

[9] Blazek, R. B., Kim, H., Rozovskii, B., Tartakovsky, A.: A novel approach to detection of denial-of-service attacks via adaptive sequential and batch-sequential change-point detection methods, pp. 220-226, 2001.

[10] Cabrera, J. B. D. et al.: Proactive detection of distributed denial of service attacks using MIB traffic variables - a feasibility study, pp. 609-622, 2001.

[11] Defeating DDOS Attacks, Cisco Systems, Inc., white paper, 11 pages, 2004.