Some domain knowledge of DDoS attacks (a traffic model is more effective for stable services; unstable services use the traffic composition detection algorithm: when an attack occurs, the proportion of each protocol in the network changes obviously)

Source: Internet
Author: User

In the past, many firewalls detected DDoS attacks based on a preset traffic threshold: once a certain threshold was exceeded, an alarm event was generated. Finer-grained ones may set different alarm curves for different traffic characteristics, so that when an attack occurs suddenly, such as a SYN flood, the SYN packets in the network exceed the threshold, indicating that a SYN flood attack has occurred.

But when the packet rate in the network is itself a curve that oscillates constantly, how do you detect anomalies on such a curve? How do you detect attacks based on thresholds? Where is the point of a real attack?


This attack is almost indistinguishable to the naked eye. If it were not for that point in time, it would be hard to pick it out of the curve; you have to zoom in to see it.


All of the above attacks can be spotted by the human eye, basically because when people observe a curve they are very sensitive to the junction between smooth and uneven sections. The first requirement of an attack detection algorithm is therefore to detect the fluctuations, sawtooth patterns and spikes that the human eye can observe.

In addition to the above detection methods, there is another category, which views historical traffic as a whole and then judges by the traffic peak at the current time.

This method learns from historical traffic, generates a traffic model for business access, and compares the business's current traffic with the model; a DDoS attack is declared when there are significant deviations. This method is more effective for businesses with stable traffic. But in our actual internet business we found the detection effect to be very poor, especially in the cloud computing environment, where daily business differs from day to day, so the detection efficiency is low.


It seems that to achieve a high-precision detection system, several conditions must be met:
1. Collect the network traffic of the target IP
2. Store the indicators of interest and plot them as curves
3. Run attack detection on the curves and, when necessary, raise an alarm to notify the operations and maintenance staff

If this is to be quantified, there are mainly two indicators:
1. False alarm rate: of all the generated alarms, how many represent a real attack
2. Sensitivity: of all real attacks, how many the detection system found

In order to reduce the false cleaning rate, we further propose a DDoS detection algorithm based on traffic components, and fast DDoS attack detection is achieved by combining it with a millisecond-level traffic spectrum.

The actual algorithm may have any number of formulas, functions and procedures; I am not a theorist, so here is only a simple example to illustrate:
Below you can see the ingress traffic components of the HTTP service under normal conditions and while an attack is under way. Normal situation: at the protocol level, SYN, ACK, FIN, RST, ICMP and other packets each account for a proportion within a certain range. No matter how large the traffic is, as long as the business does not change, the overall proportions are in fact similar.


And when we look at the time the business is being attacked, we find that when the attack occurs, the proportion of certain components rises sharply. Perhaps someone will challenge me: the attacker can also fully simulate normal business requests to interact with the server, making your detection algorithm useless. But the truth is that the attackers then need real IPs, and real interactions expose them more quickly, even though they are not as genuine as normal business interactions.



Conclusion: This is a typical SYN flood attack. By comparing the normal situation with the ingress traffic components during the attack, you can see that when the attack occurred, the proportion of each protocol in the network changed significantly.
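As an added example (not code from the original article), the following Python sketch implements the traffic-component idea described above: it learns the share of SYN, ACK, FIN, RST and ICMP packets from historical windows, then alarms only when a component's share jumps well outside that profile, so a tenfold rise in volume with the same mix does not alarm while a SYN flood does. The per-window packet counts are constructed sample data, and the thresholds (`k`, `min_delta`) are assumed tuning values.

```python
from statistics import mean, pstdev

COMPONENTS = ("syn", "ack", "fin", "rst", "icmp")

# Constructed sample: packets per component in each sampling window of normal
# HTTP service traffic (the history the detector learns its profile from).
BASELINE_WINDOWS = [
    {"syn": 120, "ack": 900, "fin": 110, "rst": 20, "icmp": 10},
    {"syn": 150, "ack": 1100, "fin": 140, "rst": 25, "icmp": 12},
    {"syn": 90, "ack": 700, "fin": 85, "rst": 15, "icmp": 8},
    {"syn": 130, "ack": 980, "fin": 125, "rst": 22, "icmp": 11},
]

def proportions(window):
    """Share of each component in one window; absolute volume cancels out."""
    total = sum(window.get(c, 0) for c in COMPONENTS)
    if total == 0:  # empty window: nothing to compare, all shares zero
        return {c: 0.0 for c in COMPONENTS}
    return {c: window.get(c, 0) / total for c in COMPONENTS}

def learn_profile(windows):
    """Mean and standard deviation of each component's share over history."""
    shares = [proportions(w) for w in windows]
    return {c: (mean(s[c] for s in shares), pstdev(s[c] for s in shares))
            for c in COMPONENTS}

def detect_shift(profile, window, k=4.0, min_delta=0.05):
    """Return components whose share rose sharply above the learned profile.

    The rise must exceed k standard deviations and an absolute floor
    (min_delta), so a very stable baseline does not alarm on tiny noise.
    """
    shares = proportions(window)
    alarms = {}
    for c, (mu, sigma) in profile.items():
        if shares[c] > mu + max(k * sigma, min_delta):
            alarms[c] = round(shares[c], 3)
    return alarms

# Constructed test windows: a busy but normal window (10x volume, same mix)
# and a SYN flood window in which SYN packets dominate the mix.
NORMAL_BUSY = {"syn": 1200, "ack": 9000, "fin": 1100, "rst": 200, "icmp": 100}
SYN_FLOOD = {"syn": 50000, "ack": 950, "fin": 115, "rst": 20, "icmp": 10}

if __name__ == "__main__":
    profile = learn_profile(BASELINE_WINDOWS)
    print("busy normal:", detect_shift(profile, NORMAL_BUSY))  # {}
    print("syn flood:", detect_shift(profile, SYN_FLOOD))      # {'syn': 0.979}
```

In production the baseline would be re-learned continuously and the windows fed from a packet counter, but the comparison step stays the same.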

Excerpt from: https://xianzhi.aliyun.com/forum/mobile/read/77.html

