Title :
VicSifter: A Collaborative DDoS Detection System with Lightweight Victim Identification
Author :
Wang, Fei ; Wang, Xiaofeng ; Su, Jinshu ; Xiao, Bin
Author_Institution :
Sch. of Comput., Nat. Univ. of Defense Technol., Changsha, China
Abstract :
Flooding-based Distributed Denial of Service (DDoS) attacks can cause very serious security problems by exhausting the computing and bandwidth resources of victims. To mitigate these destructive attacks, it is crucially important to detect the occurrence of DDoS attacks and identify their targets as early as possible. In this paper, we propose a collaborative DDoS detection system, called VicSifter, which can detect ongoing DDoS attacks and identify victims at an early stage with good scalability and low overhead. VicSifter is deployed over multiple nodes with two kinds of functions: local anomaly detection and collaborative victim identification. The anomaly detection method is performed locally and is lightweight to save computation by measuring passing packets in a sketch. The collaborative victim identification is triggered only when a local anomaly is detected by employing our distinctive elimination mechanism. The mechanism can significantly reduce the number of packets to be processed by each node, making our system scalable for high-speed network links. We evaluate the performance of VicSifter by using real-world data traffic, mixing real DDoS attack traces with captured campus gateway traffic. The results show that our system has high accuracy in the early detection of DDoS attacks and timely identification of targeted victims. Our system can outperform other existing methods with a smaller space requirement, thus achieving good system scalability.
Keywords :
computer network performance evaluation; computer network security; internetworking; resource allocation; VicSifter system; bandwidth resources; campus gateway data traffic; collaborative DDoS detection system; computing resources; flooding-based distributed denial of service attacks; high-speed network links; lightweight-collaborative victim identification; local-anomaly detection; overheads; packet measurement; performance evaluation; system scalability; target identification; Accuracy; Collaboration; Computer crime; Detectors; IP networks; Memory management; Resource management; DDoS attacks; collaborative detection; lightweight; victim identification;
Conference_Title :
Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on
Conference_Location :
Liverpool
Print_ISBN :
978-1-4673-2172-3
DOI :
10.1109/TrustCom.2012.295