Detection of UDP and HTTP Anomalies on Real Time Traffic Based on NIDS using OURMON Tool

2015 
UDP traffic has recently been used extensively in flooding-based distributed denial of service (DDoS) attacks, most notably in those launched by the Anonymous group. the use of this criterion to classify UDP traffic with the goal of detecting malicious addresses that launch flooding-based UDP DDoS attacks. We conducted our experiments on real-time network traffic, including that of large corporations (edge and core), ISPs, universities, financial institutions, etc. In addition, we conducted experiments on our own ourmon tool. All the experiments indicate that the proportional packet rate assumption generally holds for benign UDP traffic and can be used as a reasonable criterion to differentiate between DDoS and non-DDoS traffic. We designed and implemented a prototype classifier based on this criterion and discuss how it can be used to effectively thwart UDP-based flooding attacks.