Detecting Pulsing Denial-of-Service Attacks With Nondeterministic Attack Intervals

This paper addresses the important problem of detecting Pulsing Denial of Service (PDoS) attacks which send a sequence of attack pulses to reduce TCP throughput. Unlike previous works which focused on a restricted form of attacks, one considers a very broad class of attacks. In particular, the attack model admits any attack interval between two adjacent pulses, whether deterministic or not. It also includes the traditional flooding-based attacks as a limiting case (i.e., zero attack interval). The main contribution is Vanguard, a new anomaly-based detection scheme for this class of PDoS attacks. The Vanguard detection is based on three traffic anomalies induced by the attacks, and it detects them using a CUSUM algorithm. The paper has prototyped Vanguard and evaluated it on a testbed.