Forensic-Aware Anti-DDoS Device

2018 IEEE Security and Privacy Workshops (SPW)(2018)

Abstract
When defending against DDoS and other types of network attack, most products or service providers perform the protection by dropping the attack traffic. This cures the symptoms but not the disease. To help eliminate network attacks, a more proactive approach is to trace back the attack source and stop the attack before it starts. Collecting the attack data is essential for attack trace-back. In this paper, we propose a live capture device that records the attack efficiently without disturbing the original network performance. The device is also integrated with an anti-DDoS technique so that forensic data collection can be performed even under DDoS attacks. We made use of a network bridge and the packet capturing functionality provided by Linux, plus our own packet storing mechanisms, to build the forensic-aware data collection device. The anti-DDoS protection uses machine learning to extract features of attacks, and then uses a customized Bloom filter to defend against attacks based on the selected features. We implemented and tested the performance of the proposed technique in a lab environment.
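As an added illustration of the defence stage described in the abstract (example code, not the paper's own): a Bloom filter keyed on a tuple of selected packet-header features is populated with learned attack signatures and then decides which packets are dropped and which are passed on to capture. The feature names, signatures and packet records below are constructed for the example; the paper's actual feature set and filter customization are assumptions here. The `estimated_fp_rate` method shows the caveat a practitioner cares about: a Bloom filter can wrongly drop legitimate traffic, so the filter must be sized for the number of signatures it holds.

```python
import hashlib
import math

class FeatureBloomFilter:
    def __init__(self, capacity, fp_rate):
        # Standard sizing: m bits and k probe positions for the target false-positive rate.
        self.m = max(8, math.ceil(-capacity * math.log(fp_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / capacity * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)
        self.count = 0

    def _positions(self, item):
        # Double hashing derived from one SHA-256 digest of the feature tuple.
        digest = hashlib.sha256("|".join(map(str, item)).encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)
        self.count += 1

    def __contains__(self, item):
        # True means "possibly a learned attack signature"; False is definitive.
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))

    def estimated_fp_rate(self):
        # Chance that a legitimate tuple is wrongly dropped at the current fill level.
        return (1 - math.exp(-self.k * self.count / self.m)) ** self.k

def filter_packets(packets, signatures, feature_names, fp_rate=0.001):
    """Drop packets whose feature tuple matches a learned signature; pass the rest on to capture."""
    bf = FeatureBloomFilter(capacity=max(len(signatures), 1024), fp_rate=fp_rate)
    for sig in signatures:
        bf.add(sig)
    dropped, passed = [], []
    for pkt in packets:
        (dropped if tuple(pkt[f] for f in feature_names) in bf else passed).append(pkt)
    return dropped, passed, bf

# Constructed sample data (assumed, not from the paper): selected features, two learned signatures, four packets.
FEATURES = ("src_ip", "dst_port", "proto")
ATTACK_SIGNATURES = [("198.51.100.7", 80, "TCP"), ("198.51.100.9", 53, "UDP")]
SAMPLE_PACKETS = [
    {"src_ip": "198.51.100.7", "dst_port": 80, "proto": "TCP", "len": 60},
    {"src_ip": "203.0.113.5", "dst_port": 443, "proto": "TCP", "len": 1500},
    {"src_ip": "198.51.100.9", "dst_port": 53, "proto": "UDP", "len": 80},
    {"src_ip": "203.0.113.8", "dst_port": 80, "proto": "TCP", "len": 52},
]
```

Calling `filter_packets(SAMPLE_PACKETS, ATTACK_SIGNATURES, FEATURES)` drops the two packets matching the signatures and passes the other two; the returned filter reports its current estimated false-positive rate.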
Keywords
live packet capture, data collection, network forensic, live forensic, Bloom filter, DDoS attack