AMON-SENSS: Scalable and Accurate Detection of Volumetric DDoS Attacks at ISPs.

Distributed Denial of Service (DDoS) attacks continue to be a severe threat to the Internet, and have been evolving both in traffic volume and in sophistication. While many attack detection approaches exist, few of them provide easily interpretable and actionable network-level signatures. Further, most tools are either not scalable or are prohibitively expensive, and thus are not broadly available to network operators. We bridge this gap by proposing AMON-SENSS, an open-source system for scalable, accurate DDoS detection and signature generation in large networks. AMON-SENSS employs hash-based binning with multiple bin layers for scalability, observes traffic at multiple granularities, and deploys traffic volume and traffic asymmetry change-point detection techniques to identify attacks. It proactively devises network-level attack signatures, which can be used to filter attack traffic. We evaluate AMON-SENSS against two commercial defense systems, using 37 days of real traffic from a mid-size Internet Service Provider (ISP). We find that our proposed approach exhibits superior performance in terms of accuracy, detection time and network signature quality over commercial alternatives. AMON-SENSS is deployable today, it is free, and requires no hardware or routing changes.