The effects of DDoS attacks on flow monitoring applications

R. Sadre; Anna Sperotto; Aiko Pras

doi:10.1109/NOMS.2012.6211908

The effects of DDoS attacks on flow monitoring applications

R. Sadre, Anna Sperotto, Aiko Pras

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

17 Citations (Scopus)

9 Downloads (Pure)

Abstract

Flow-based monitoring has become a popular approach in many areas of network management. However, flow monitoring is, by design, susceptible to anomalies that generate a large number of flows, such as Distributed Denial-Of-Service attacks. This paper aims at getting a better understanding on how a flow monitoring application reacts to the presence of massive attacks.We analyze the performance of a flow monitoring application from the perspective of the flow data it has to process. We first identify the changes in the flow data caused by a massive attack and propose a simple queueing model that describes the behavior of the flow monitoring application. Secondly, we present a case study based on a real attack trace collected at the University of Twente and we analyze the performance of the flow monitoring application by means of simulation experiments. We conclude that the observed changes in the flow data might cause unwanted effects in monitoring applications. Furthermore, our results show that our model can help to parametrize and dimension flow-based monitoring systems.

Original language	Undefined
Title of host publication	Proceedings of the 2012 IEEE Network Operations and Management Symposium (NOMS 2012)
Place of Publication	USA
Publisher	IEEE
Pages	269-277
Number of pages	9
ISBN (Print)	978-1-4673-0267-8
DOIs	https://doi.org/10.1109/NOMS.2012.6211908
Publication status	Published - Apr 2012
Event	13th IEEE/IFIP Network Operations and Management Symposium, NOMS 2012 - Maui, United States Duration: 16 Apr 2012 → 20 Apr 2012 Conference number: 13 http://noms2012.ieee-noms.org/

Publication series

Name
Publisher	IEEE Computer Society
ISSN (Print)	1542-1201

Conference

Conference	13th IEEE/IFIP Network Operations and Management Symposium, NOMS 2012
Abbreviated title	NOMS 2012
Country/Territory	United States
City	Maui
Period	16/04/12 → 20/04/12
Internet address	http://noms2012.ieee-noms.org/

Keywords

METIS-289689
IR-81678
CR-C.2.3
EWI-22240
EC Grant Agreement nr.: FP7/257513

Access to Document

10.1109/NOMS.2012.6211908

http://eprints.eemcs.utwente.nl/secure2/22240/01/paper.pdf

Cite this

@inproceedings{a26dd1bb617f49e28d4361e5ff995a73,

title = "The effects of DDoS attacks on flow monitoring applications",

abstract = "Flow-based monitoring has become a popular approach in many areas of network management. However, flow monitoring is, by design, susceptible to anomalies that generate a large number of flows, such as Distributed Denial-Of-Service attacks. This paper aims at getting a better understanding on how a flow monitoring application reacts to the presence of massive attacks.We analyze the performance of a flow monitoring application from the perspective of the flow data it has to process. We first identify the changes in the flow data caused by a massive attack and propose a simple queueing model that describes the behavior of the flow monitoring application. Secondly, we present a case study based on a real attack trace collected at the University of Twente and we analyze the performance of the flow monitoring application by means of simulation experiments. We conclude that the observed changes in the flow data might cause unwanted effects in monitoring applications. Furthermore, our results show that our model can help to parametrize and dimension flow-based monitoring systems.",

keywords = "METIS-289689, IR-81678, CR-C.2.3, EWI-22240, EC Grant Agreement nr.: FP7/257513",

author = "R. Sadre and Anna Sperotto and Aiko Pras",

note = "10.1109/NOMS.2012.6211908 ; 13th IEEE/IFIP Network Operations and Management Symposium, NOMS 2012 ; Conference date: 16-04-2012 Through 20-04-2012",

year = "2012",

month = apr,

doi = "10.1109/NOMS.2012.6211908",

language = "Undefined",

isbn = "978-1-4673-0267-8",

publisher = "IEEE",

pages = "269--277",

booktitle = "Proceedings of the 2012 IEEE Network Operations and Management Symposium (NOMS 2012)",

address = "United States",

url = "http://noms2012.ieee-noms.org/",

}

TY - GEN

T1 - The effects of DDoS attacks on flow monitoring applications

AU - Sadre, R.

AU - Sperotto, Anna

AU - Pras, Aiko

N1 - Conference code: 13

PY - 2012/4

Y1 - 2012/4

N2 - Flow-based monitoring has become a popular approach in many areas of network management. However, flow monitoring is, by design, susceptible to anomalies that generate a large number of flows, such as Distributed Denial-Of-Service attacks. This paper aims at getting a better understanding on how a flow monitoring application reacts to the presence of massive attacks.We analyze the performance of a flow monitoring application from the perspective of the flow data it has to process. We first identify the changes in the flow data caused by a massive attack and propose a simple queueing model that describes the behavior of the flow monitoring application. Secondly, we present a case study based on a real attack trace collected at the University of Twente and we analyze the performance of the flow monitoring application by means of simulation experiments. We conclude that the observed changes in the flow data might cause unwanted effects in monitoring applications. Furthermore, our results show that our model can help to parametrize and dimension flow-based monitoring systems.

AB - Flow-based monitoring has become a popular approach in many areas of network management. However, flow monitoring is, by design, susceptible to anomalies that generate a large number of flows, such as Distributed Denial-Of-Service attacks. This paper aims at getting a better understanding on how a flow monitoring application reacts to the presence of massive attacks.We analyze the performance of a flow monitoring application from the perspective of the flow data it has to process. We first identify the changes in the flow data caused by a massive attack and propose a simple queueing model that describes the behavior of the flow monitoring application. Secondly, we present a case study based on a real attack trace collected at the University of Twente and we analyze the performance of the flow monitoring application by means of simulation experiments. We conclude that the observed changes in the flow data might cause unwanted effects in monitoring applications. Furthermore, our results show that our model can help to parametrize and dimension flow-based monitoring systems.

KW - METIS-289689

KW - IR-81678

KW - CR-C.2.3

KW - EWI-22240

KW - EC Grant Agreement nr.: FP7/257513

U2 - 10.1109/NOMS.2012.6211908

DO - 10.1109/NOMS.2012.6211908

M3 - Conference contribution

SN - 978-1-4673-0267-8

SP - 269

EP - 277

BT - Proceedings of the 2012 IEEE Network Operations and Management Symposium (NOMS 2012)

PB - IEEE

CY - USA

T2 - 13th IEEE/IFIP Network Operations and Management Symposium, NOMS 2012

Y2 - 16 April 2012 through 20 April 2012

ER -