HDS: A Hierarchical Scheme for Accurate and Efficient DDoS Flooding Attack Detection

As the scale of Distributed Denial of Service (DDoS) flooding attacks has increased significantly, many detection methods have applied sketch data structures to compress the IP traffic for storage saving. However, due to the large IP address space, these methods need to flush the sketch frequently to reduce the hash collisions. Besides, few of them can be applied to detect attacks in the high-speed network where sampling is usually adopted. This paper proposes a hierarchical system named HDS for efficient and continuous DDoS flooding attack detection in high-speed networks. Rather than directly processing the IP traffic, HDS uses sketches to track sampled traffic at different levels of aggregation: interface level, area level, and host level. Then traffic classifiers are trained for each level for attack detection. The main advantage of our approach is that each detection level only tracks a small set of traffic, which can identify the attack victim fastly and hardly causes hash collisions. Experimental results on the real-world 10Gbps network traffic datasets show that HDS can effectively detect various DDoS flooding attacks with high accuracy and identify the victim within an average of 10s when the sampling rate exceeds 1/2048.