TDSC: Two-Stage DDoS Detection and Defense System Based on Clustering

2017 
Distributed Denial-of-Service (DDoS) attacks continue to be one of the most serious problems on the Internet. Without advance warning, a DDoS attack can knock down the targeted server in a short period of time by exhausting the computing and communication resources of the victim. In this paper, we propose a two-stage DDoS detection and defense system called TDSC. In the first stage, we divide the input flows into 4 parts and use cluster size distribution analysis to detect the attack. Since we use cluster analysis as the basic detection algorithm, TDSC can easily separate DDoS attacks from a legitimate flash crowd. In the first stage, we also extract traffic features of the attack from the cluster containing most of the DDoS traffic. With the DDoS attack features output by the first stage, TDSC can filter the attack traffic out in the second stage. We test the effectiveness of TDSC on the MIT Lincoln Laboratory 2000 LLS DDOS 1.0 Dataset (a.k.a. MIT LLS DDOS 1.0 Dataset). Results show that TDSC can detect the DDoS attack in 6 seconds and extract features which describe the attack traffic accurately. With the traffic features calculated by the first stage, TDSC can filter out 99.89% of the attack traffic in the second stage.
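To make the two-stage structure concrete, the following is an added illustration written for this page, not the authors' TDSC implementation: flows are clustered by a hypothetical signature key (destination port, packet length), stage one flags an attack when one cluster dominates the cluster size distribution and exports that cluster's signature as the attack features, and stage two filters flows matching those features. The clustering key, the dominance threshold and the sample traffic are all assumptions.

```python
def cluster_flows(flows):
    """Stage 1, step 1: group flows by a coarse traffic signature.
    Signature = (destination port, packet length); an assumed key, not the paper's."""
    clusters = {}
    for src, dport, plen in flows:
        clusters.setdefault((dport, plen), []).append((src, dport, plen))
    return clusters


def detect_attack(flows, dominance=0.6):
    """Stage 1, step 2: cluster size distribution test.
    Returns (is_attack, features). Assumed rule: an attack is flagged when one
    cluster holds at least `dominance` of all flows; a flash crowd spreads
    across many clusters because real clients send varied requests."""
    if not flows:
        return False, None
    clusters = cluster_flows(flows)
    sig, members = max(clusters.items(), key=lambda kv: len(kv[1]))
    share = len(members) / len(flows)
    if share < dominance:
        return False, None
    # Features extracted from the cluster holding most of the attack traffic
    return True, {"dport": sig[0], "plen": sig[1],
                  "share": round(share, 3),
                  "distinct_sources": len({m[0] for m in members})}


def filter_attack(flows, features):
    """Stage 2: drop every flow that matches the extracted attack signature."""
    if features is None:
        return list(flows)
    return [f for f in flows if (f[1], f[2]) != (features["dport"], features["plen"])]


# Constructed sample traffic (not taken from the MIT LLS DDOS 1.0 dataset)
ATTACK = [(f"10.0.{i // 256}.{i % 256}", 80, 40) for i in range(120)]   # homogeneous flood
LEGIT = [(f"192.168.1.{i}", 80, 200 + 50 * (i % 7)) for i in range(30)]  # varied sizes
FLASH = [(f"172.16.0.{i}", 80, 120 + 30 * (i % 8)) for i in range(120)]  # flash crowd

if __name__ == "__main__":
    hit, feats = detect_attack(ATTACK + LEGIT)
    print("attack detected:", hit, feats)
    print("flows left after stage 2:", len(filter_attack(ATTACK + LEGIT, feats)))
    print("flash crowd classified as attack:", detect_attack(FLASH)[0])
```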