Title :
TCP/IP header classification for detecting spoofed DDoS attack in Cloud environment
Author :
Opeyemi A. Osanaiye; Mqhele Dlodlo
Author_Institution :
Department of Electrical Engineering, University of Cape Town, South Africa
Abstract :
Spoofing of IP is a key attribute of a Distributed Denial of Service (DDoS) attack that consumes Cloud resources and network bandwidth within a short period of time. This is costly to both the providers and users of Cloud. Cloud computing offers a metered service, which uses pay-per-use. Therefore, providing a highly available Cloud will improve the Cloud provider's reputation and financial proceeds. Cloud users depend solely on the provider for resources; therefore, the Cloud must always be available, as contained in the service level agreement (SLA). The goal of this paper is to analyse and compare the TCP/IP packet header features of incoming traffic that identify remote hosts according to their Operating System. This is used to detect the true source of a packet during a spoofed DDoS attack. Our solution further analyses the observed final TTL value in both the active and passive stages of the OS fingerprints to cater for false negatives during detection. We demonstrated our proposed solution on a Xen Cloud Platform test bed.
Keywords :
"IP networks","Fingerprint recognition","Computer crime","Cloud computing","Kernel"
Conference_Title :
EUROCON 2015 - International Conference on Computer as a Tool (EUROCON), IEEE
DOI :
10.1109/EUROCON.2015.7313736