A DDoS attack works by using multiple exploited machines as a source to attack network traffic. Each of these compromised computers is known as a bot or zombie that collectively establish a Botnet — a malicious network controlled by bot herders or botmasters. The DDoS attack prevents regular traffic from arriving at its desired destination by flooding it with unwanted traffic, like a traffic jam clogging up the highway. Incident response (IR) teams working in a Security Operation Centers (SOCs) perform network traffic analysis to analyze, detect and eliminate DDoS attacks. But before analyzing the network traffic, we need to understand how threat actors exploit vulnerabilities to penetrate a network. 

How does a DDoS attack work?

To carry out an attack, a DDoS attack must gain control of online computers on a network. To this end, each machine is infected by malware in order to turn it into a zombie (or bot).  Once a botnet is developed, attackers establish a connection with victim machines (or bots) usually via a command-and-control (C2) channel. The botnet targets the IP address of each victim in order to send a stream of packets causing the targeted network or server to overflow capacity, resulting in denying services to users on normal traffic.

How dangerous can a DDoS attack be?

According to VeriSign, DDoS attacks are accelerating, with an average increase of 50 million annually. Mirai Botnet, which rose to fame in 2016, incorporated an estimated 380,000 bots. According to a study by Kaspersky Lab, a DDoS attack can cost an organization over $1.6 million — undoubtedly a massive sum for any enterprise.

Performing network traffic analysis

There are several ways to perform network traffic analysis in order to detect DDoS attacks. The following sections describe each method in detail.

A statistical approach for network anomaly detection

A massive amount of traffic is being injected into the network every day. The traffic can either be anomalous or normal, and any traffic that deviates from the normal traffic is considered anomalous. To ensure network resiliency, anomaly detection is indispensable because it prevents cybercriminals from entering and slowing down the network. In a statistical approach, the incident response team analyzes network traffic using the statistical algorithms that identify anomalies in normal traffic patterns. This technique involves statistics filtering and numerical analysis.  During analysis, an anomaly score is generated that must not be higher than the appropriate threshold. If this happens, a security alert is generated by the security tools, such as an Intrusion Detection System (IDS) or a Security Information and Event Management (SIEM) platform.

Gaussian Mixture Model (GMM)

The GMM is used to detect anomalies in wireless sensor networks. This model verifies the behavior of normal traffic using packet train size and packet train length as the parameters.  To verify traffic validity, the characteristics of the traffic are aggregated for a period of time and given to the GMM. If the traffic obeys the model, then it is considered normal. In other cases, it is anomalous. Technically, first and foremost, network security analysts in IR teams create a sensor network and its configuration. After that, cluster formation takes place when a sufficient number of sensor nodes are added to the network. No sooner does communication begin than the traffic verification identifies anomalies in the traffic which is being generated during such communication. As outlined in the book “Network Intrusion Detection and Prevention: Concepts and Techniques,” the GMM not only can detect DDoS attacks effectively, but also offers an efficient response to them.

Multi-Level Tree for Online Packet Statistics (MULTOPS)

This technique is used to identify attacks by exploiting a correlation of outgoing and incoming packet rates at a different level of subset prefix aggregation.  Using this approach, network security analysts will be able to detect the behavior of the DDoS attack using several statistical models such as identifying changes in the number of TCP SYN packets as compared to a TCP FIN (RST) packets. In other words, MULTOPS consists of a tree of nodes that tracks packet-rate statistics for the subnet prefixes at disparate aggregation levels. Contraction and expansion of the tree occur in accordance with the predefined memory size.  Using MULTOPS, network devices can detect the bandwidth of DDoS attacks by a presence of the disproportional difference between packet rates going to the compromised machine and coming from the intruder.

Conclusion

Today’s Security Operation Centers (SOCs) are frequently thrown into chaos due to the fact that cybersecurity threats are accelerating by leaps and bounds, and with great sophistication. DDoS attacks are a growing menace for incident response (IR) teams working in the SOCs. These attacks are very dangerous because they can disrupt critical services to users or interfere with business continuity. IR teams perform network traffic analysis to combat DDoS attacks.  Several techniques used for this purpose include Statistical Approach for Network Anomaly Detection, Gaussian Mixture Model (GMM), and Multi-Level Tree for Online Packet Statistics (MULTOPS).  

Sources

Ali A. Ghorbani, Wei Lu and Mahbod Tavallaee “Network Intrusion Detection and Prevention: Concepts and Techniques,” Springer What is a DDoS attack? What happens during a DDoS attack?, Techworld What is a distributed denial of service attack (DDoS) and what can you do about them?, Norton Anup Bhange, Amber Syad and Satyendra Singh Thakur, “DDoS Attacks Impact on Network Traffic and its Detection Approach,” International Journal of Computer Applications, 2012 Lalitha K V and Josna V R, “Traffic Verification for Network Anomaly Detection in Sensor Networks,” Elsevier Ltd. Anjali M, “Detection of DDoS Attacks based on Network Traffic Prediction and Chaos Theory,” International Journal of Computer Science and Information Technologies, 2014