Available bandwidth estimation and its application in detection of DDoS attacks

Detection of distributed denial of service (DDoS) attacks over the Internet is crucial for many Internet applications, such as electronic commerce, network games, P2P, etc. Based on anomaly detection information, network route selection, quality of service (QoS) provision, and traffic engineering can be performed to bypass the abnormal areas or to immigrate the attack traffic. To detect the DDoS attacks in networks outside manageable areas, we need to send probing packets. This paper first surveys the existing available bandwidth estimation tools (ABETs) and divides them into two categories. Most ABETs can measure the available bandwidth of a path over networks, and provide knowledge about the tight link of the path. This paper then presents a method using the ABETs and the bottleneck localization tools to estimate total available bandwidth inside a network from the network edge without additional cooperation of the edge or core routers. The method continuously measures the network bandwidth. The measurement results are then used to detect whether DDoS attacks appear by a special cumulative sum (CUSUM) algorithm. Simulations verified the efficiency of the network available bandwidth measurement method and the detection algorithm.