
See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/388198538

DDOS PROTECTION SYSTEM ANALYSIS

Article · January 2025

Citations: 0. Reads: 67.

4 authors, including: Kalpana Sri (Sri Shakthi Institute of Engineering and Technology) and Keerthana Rajangam (Sri Shakthi Institute of Engineering and Technology).

All content following this page was uploaded by Keerthana Rajangam on 21 January 2025.


DDOS PROTECTION SYSTEM ANALYSIS
Sabitha K (1), Athisha L (2), Kalpana Sri K (3), Kaniga K (4), Keerthana R (5)

1) Assistant Professor, Department of Computer Science and Engineering (Cyber Security) Sri Shakthi Institute of
Engineering and Technology, Coimbatore, Tamil Nadu, India.
2) Department of Computer Science and Engineering (Cyber Security)
Sri Shakthi Institute of Engineering and Technology, Coimbatore, Tamil Nadu, India.
3) Department of Computer Science and Engineering (Cyber Security)
Sri Shakthi Institute of Engineering and Technology, Coimbatore, Tamil Nadu, India.
4) Department of Computer Science and Engineering (Cyber Security)
Sri Shakthi Institute of Engineering and Technology, Coimbatore, Tamil Nadu, India.
5) Department of Computer Science and Engineering (Cyber Security)
Sri Shakthi Institute of Engineering and Technology, Coimbatore, Tamil Nadu, India.

1. sabithacys@siet.ac.in
2. athishaloganathan23cys@srishakthi.ac.in
3. kalpanasrikannan23cys@srishakthi.ac.in
4. kanigakalaiarasan23cys@srishakthi.sc.in
5. keerthanarajangam23cys@srishakthi.ac.in


Abstract - A Distributed Denial of Service (DDoS) attack disrupts service availability by overwhelming a server or network with massive volumes of traffic, often from several sources, making it difficult or impossible for genuine users to access the service. Given the increasing complexity and diversity of DDoS attacks, traditional methods often struggle to accurately detect and mitigate these attacks, especially when new or complex patterns emerge. This paper introduces a DDoS protection system focused not only on detecting and mitigating active threats but also on analysing past attack patterns to predict potential future threats. By investigating traffic behaviour, attack signatures, and other indicators, our system identifies patterns and generates insights into the types of attacks that are likely to occur. This proactive approach allows users to take preventive measures, enhancing their overall defence against DDoS threats. Our solution leverages advanced techniques, including machine learning and behavioural analysis, to study historical traffic data and emerging patterns in real time. This enables the system to differentiate between normal traffic flows and signs of an imminent attack. Additionally, we benchmark our system against leading DDoS protection tools to showcase its advantages in terms of predictive accuracy, detection speed, and response efficacy. Our findings indicate that our approach significantly outperforms existing solutions, offering an enhanced level of protection that shifts from reactive defence to a more proactive and pre-emptive security model. This research ultimately demonstrates how analysing historical attack data can help predict future threats, equipping users with an effective and forward-looking tool to safeguard their online services from the growing risk of DDoS attacks.
Keywords – Distributed Denial of Service, Domain Name System, Internet Control Message Protocol, Intrusion Detection System, Time to Live, User Datagram Protocol.

1. Introduction
A DDoS attack is a distributed form of attack in which an attacker controls a large number of attack machines and sends DoS attack instructions to them. In the latest Internet security report, DoS attacks remain one of the major cybersecurity threats. The low pricing and "pay-as-you-go" on-demand availability of computational capacity and resources make cloud-based services a formidable competitor to the conventional IT solutions of previous years. The use of cloud computing is gaining popularity fast. Governments and companies have moved their IT infrastructures, completely or largely, onto the cloud. Cloud-based organization offers various advantages compared to traditional on-site infrastructures.

Fig 1. DDoS Attack

The removal of expenditures associated with operation and maintenance, as well as the convenience of resources on demand, are only a few of the advantages. However, cloud consumers have many concerns, and the research addresses these problems. The majority of these concerns centre on the protection of working processes and informational data. Many security-related attacks can be prevented in conventional IT systems that don't use cloud computing. Targeted cloud-based crimes are already under way. Many security vulnerabilities in cloud computing are unique compared to their precursors in non-cloud environments because data and business logic are stored on an external cloud server that offers the customer little visibility. The denial-of-service (DoS) attack is one technique that has been in the spotlight recently.

Fig 2. Analyzing DDoS algorithm

Denial-of-service attacks are directed at the server rather than the people it serves. DoS attackers attempt to flood live servers by pretending to be legitimate users, exceeding the service's capacity to handle incoming requests.

1.1 DDoS ATTACK TYPES

Hundreds of DDoS attacks have been reported so far all over the world and the number is still increasing every day. Many techniques are used to launch a DDoS attack. However, all DDoS attacks can be placed under the following three broad categories.

• Volumetric Attack: The aim is to overwhelm the target with traffic in order to consume hardware or network resources, with bandwidth being the primary concern. Flooding and amplification/reflection attacks fall under the category of volumetric attacks. Flooding attacks use high volumes of traffic to try to use up all available bandwidth, processing power, or other network resources [1]. In contrast, reflection attacks take advantage of spoofing flaws, where the attacker sends traffic to the target from multiple devices via spoofed requests [2]. Amplification attacks make small requests that result in much larger responses, such as repeatedly asking a Domain Name System (DNS) server for the entire DNS database and ultimately bringing down the DNS server. This type of attack includes UDP floods, ICMP floods and several other spoofed-packet floods.

• Protocol Attack: This type of threat aims to take advantage of holes in network protocols and consume the connection state tables that some network devices maintain [3]. This includes SYN floods, Smurf DDoS, fragmented packet attacks, Ping of Death, etc.

• Layer 7 (Application Layer) Attack: Application layer protocols like HTTP and SSL have vulnerabilities that are exploited. When secure coding practices are overlooked, the application code itself can be vulnerable. Since there is no need to generate a lot of traffic, these attacks are the most dangerous. Attacks at the application layer are especially challenging to identify since they are covert and use genuine-looking traffic [4]. This category includes GET/POST floods, low-and-slow attacks, attacks on Apache, Windows or OpenBSD vulnerabilities, etc.

2. Literature survey
Rather than the contents of the packets, the volume of packets used in DDoS attacks poses the biggest hazard. The exhaustion of common network protocols is the primary issue with these attacks. Modern network topologies have difficulty absorbing DDoS attacks. We have studied more than 50 papers to analyze and identify some of the best prevention and analysis techniques to discuss in this review paper. P. Ferguson et al. (1998) proposed a network ingress filtering mechanism in which a router does not accept any packet whose source IP address is not defined [5]. Ingress filtering protects the network from packets with false sources. The firewalls that are part of a network have an interface that is connected to both the internal network and the internet. Firewalls can block an attacker from disguising their attack as a host on the same network by applying ingress filtering to the internet interface and dropping all packets with internal network source addresses.

A related form of filtering called egress filtering is applied to packets from the internal interface that are leaving the network. During egress filtering, the firewall does not accept any packets with source addresses that are not on the local network. Applying these techniques to the network will assist in thwarting DDoS attacks that employ IP spoofing. TFN does not provide encryption between the attacker and masters or between the master and daemon programs; instead, it uses a command line interface to simplify communication between the attacker and the control master program [6]. Using ICMP echo reply packets, the control masters and slaves communicate with one another. Attacks like Smurf, SYN Flood, UDP Flood, and ICMP Flood can be launched.
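The ingress and egress source-address checks described above, as an added example (not code from the paper or from Ferguson et al.): the protected prefix, the bogon list and the sample packets are constructed assumptions.

```python
# Added example: ingress/egress source-address filtering at a network border.
# The internal prefix and the sample packets are constructed values.
import ipaddress
from typing import List, Tuple

# Assumption: the protected site owns this prefix (RFC 5737 documentation range).
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Sources that can never legitimately arrive from the internet: private
# (RFC 1918) and loopback space. A packet claiming one of these is spoofed.
BOGON_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)

def ingress_allowed(src: str) -> bool:
    """Packet arriving on the internet-facing interface.
    Drop it if the source claims to be one of our own hosts or is a bogon."""
    a = ipaddress.ip_address(src)
    if _in_any(a, INTERNAL_NETS):
        return False      # internet packet pretending to come from inside
    if _in_any(a, BOGON_NETS):
        return False      # unroutable source, cannot be a genuine client
    return True

def egress_allowed(src: str) -> bool:
    """Packet leaving via the internal interface.
    Only our own addresses may appear as the source (stops outbound spoofing)."""
    a = ipaddress.ip_address(src)
    return _in_any(a, INTERNAL_NETS)

def filter_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """packets: (direction, src) with direction 'in' or 'out'.
    Returns (direction, src, verdict) for each packet."""
    out = []
    for direction, src in packets:
        ok = ingress_allowed(src) if direction == "in" else egress_allowed(src)
        out.append((direction, src, "ACCEPT" if ok else "DROP"))
    return out

if __name__ == "__main__":
    # Constructed sample traffic mixing genuine and spoofed sources.
    sample = [
        ("in", "198.51.100.7"),    # genuine remote client
        ("in", "203.0.113.44"),    # internet packet claiming an internal source
        ("in", "10.1.2.3"),        # private address arriving from the internet
        ("out", "203.0.113.10"),   # our own host talking out
        ("out", "198.51.100.9"),   # internal host forging a foreign source
    ]
    for row in filter_packets(sample):
        print(row)
```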

Jin et al. (2003) recognized the ability of attackers to spoof any byte in a packet [7]. The Time to Live (TTL) field, on the other hand, is more challenging to forge; as a result, forged packets are more likely to have travelled through fewer hops than those from the genuine networks. The authors therefore developed a method to determine the TTL values of packets from real networks, and the system only allows packets from sources with the predicted TTL value(s). However, this mitigation mechanism does not guarantee the false positive/negative rates; for instance, it cannot account for situations like route changes.
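The hop-count check behind Jin et al.'s TTL-based filtering, as an added example (not the paper's or the cited authors' code). It assumes the usual initial TTL values (32, 64, 128, 255) and adds a small tolerance to absorb the route-change false positives mentioned above; all packets are constructed.

```python
# Added example: hop-count filtering derived from the TTL of arriving packets.
from typing import Dict

# Operating systems start the TTL at one of a few well-known values; the
# smallest of these that is >= the observed TTL is taken as the initial TTL.
INITIAL_TTLS = (32, 64, 128, 255)

def infer_hop_count(observed_ttl: int) -> int:
    """Hop count = assumed initial TTL - TTL seen at the destination."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init - observed_ttl
    raise ValueError("TTL out of range")

class HopCountFilter:
    def __init__(self, tolerance: int = 1):
        # source IP -> hop count learned from traffic seen in quiet periods
        self.table: Dict[str, int] = {}
        # slack for ordinary route changes (assumption; 0 = strict matching)
        self.tolerance = tolerance

    def learn(self, src: str, ttl: int) -> None:
        self.table[src] = infer_hop_count(ttl)

    def check(self, src: str, ttl: int) -> str:
        """'unknown' if the source was never learned, 'ok' if the hop count
        matches within tolerance, otherwise 'spoofed'."""
        expected = self.table.get(src)
        if expected is None:
            return "unknown"
        delta = abs(infer_hop_count(ttl) - expected)
        return "ok" if delta <= self.tolerance else "spoofed"

def run_demo() -> Dict[str, str]:
    hcf = HopCountFilter(tolerance=1)
    # Learning phase on constructed (src, ttl) pairs from genuine clients.
    for src, ttl in [("198.51.100.7", 52), ("192.0.2.9", 117)]:
        hcf.learn(src, ttl)
    # Constructed probes: a genuine packet, a one-hop route change, a packet
    # that claims 198.51.100.7 but arrives from much farther away, and a
    # source the filter has never profiled.
    probes = [("198.51.100.7", 52), ("192.0.2.9", 116),
              ("198.51.100.7", 40), ("203.0.113.5", 60)]
    return {f"{s}/{t}": hcf.check(s, t) for s, t in probes}

if __name__ == "__main__":
    for key, verdict in run_demo().items():
        print(key, verdict)
```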

DDoS attacks are the most harmful kind of attack, according to Yang Xiang (2011) [8]. To identify low-rate DDoS attacks, two new approaches, generalized entropy and information distance, are taken into consideration. In this study, Shannon entropy and the Kullback-Leibler distance were also examined and compared to the novel techniques. To increase the detection rate, the alpha values of the generalized entropy and information distance metrics were altered. With the aid of these two new metrics it is simple to differentiate between authentic traffic and attack traffic. In the end, the attacker's source is located using the IP traceback approach. By locating the attacker, this technique can be used to disrupt the attack. Therefore, this research demonstrates how the suggested technique is used to identify attack-related low-rate traffic and further lower the attack rate.

Saman Taghavi (2013) discussed DDoS flooding attacks because they are a difficult problem to prevent in terms of network security [9]. In this kind of attack, forces are prepared in advance. An attacker hires a variety of computers, sometimes known as zombies or botnets. All rented computers engage in a coordinated attack. To stop DDoS flooding attacks, a proper system is needed. The goal of that paper is to learn more about DDoS flooding issues and the different solutions available. The study is concerned with previous defences against DDoS flooding attacks. The primary goal of the study is to provide a survey of classic and modern defence techniques.

A 2013 paper [10] briefly describes a method for analysing denial of service. The detection is based on metrics that account for inconsistency. To determine how the attack has affected the network, the Cumulative Sum technique is used. This method operates in networks with both high and low bandwidth. The major goal of that work is to demonstrate how the cumulative sum algorithm produces superior detection results while using fewer network resources. The background traffic from the scenario in the article was used to complete the entire project. A pattern-matching detection strategy has been put forward by Ahmad Sanmorino (2013) as a means of overcoming the limitations of previous DDoS attack analysis methods [11]. Traffic passing across the network is examined against a predefined pattern, making it easy to determine whether a packet is malicious or not. Since this method of detection simply uses already-existing routers and switches, it has the advantage of requiring very little infrastructure. It does not take advantage of cutting-edge equipment like multi-core CPU technology. In that study, three topological environments with three segments are listed.
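A one-sided cumulative-sum (CUSUM) change detector over a packets-per-interval series, as an added example of the technique discussed for [10] (not the paper's or the cited authors' code). The baseline window, the drift k and the threshold h are assumptions chosen for the constructed sample.

```python
# Added example: CUSUM detection of a rate change in a packet-count series.
import statistics
from typing import List, Tuple

def cusum_detect(counts: List[int], baseline: List[int],
                 k_sigma: float = 0.5, h_sigma: float = 5.0) -> Tuple[List[float], int]:
    """Return (CUSUM statistic per interval, index of the first alarm or -1).

    S_n = max(0, S_{n-1} + (x_n - mu - k)); alarm when S_n > h.
    mu and sigma come from the quiet baseline window. k (drift) and h
    (threshold) are expressed in units of sigma so the same settings carry
    over to links with different typical rates (assumption)."""
    mu = statistics.mean(baseline)
    sigma = statistics.pstdev(baseline) or 1.0
    k = k_sigma * sigma
    h = h_sigma * sigma
    s = 0.0
    series = []
    alarm_at = -1
    for i, x in enumerate(counts):
        s = max(0.0, s + (x - mu - k))   # accumulate only positive excess
        series.append(s)
        if alarm_at < 0 and s > h:
            alarm_at = i
    return series, alarm_at

def demo() -> int:
    # Constructed packets-per-second counts: a quiet baseline, then a slow
    # ramp that a fixed threshold on the raw rate would catch much later.
    baseline = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96]
    live = [101, 99, 103, 110, 118, 125, 130, 140, 150, 160]
    _, alarm = cusum_detect(live, baseline)
    return alarm   # index of the interval where the accumulated excess crosses h

if __name__ == "__main__":
    print("alarm at interval", demo())
```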

Hu et al. (2013) presented a distributed IDS system [12]. Network attacks are detected by this IDS using an event processing engine. The components of this engine consist of a sub-controller, an event bus, an event channel, and a hyper-controller. The hyper-controller's responsibility is to oversee the sub-controller and find any malicious traffic flow that was buffered from an event channel and moved via the event bus. Skowyra [13] put forward a learning IDS that is based on the programmable (SDN) nature of the technology and has the flexibility to alter network state in response to harmful intent. Giotis et al. (2014) adapted a popular entropy-based technique to successfully detect DDoS, port-scan attacks, and worm propagation [14]. The flow-related traffic attributes that are used to identify anomalies include the source and destination IP addresses as well as the source and destination ports. Predetermined thresholds on changes in the randomness values have been used to detect the presence of anomalies.
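The entropy metrics discussed for Yang Xiang [8] (generalized entropy with an alpha parameter, Kullback-Leibler distance) and for Giotis et al. [14] (thresholds on changes in entropy) applied to the source-IP distribution of a traffic window, as one added example serving both passages (not code from the paper or the cited authors). The alpha value, the thresholds and the sample windows are constructed assumptions.

```python
# Added example: entropy-based anomaly detection on per-window source-IP counts.
import math
from collections import Counter
from typing import Dict, List, Tuple

def distribution(values: List[str]) -> Dict[str, float]:
    """Empirical probability of each source address in one window."""
    n = len(values)
    return {k: v / n for k, v in Counter(values).items()}

def shannon_entropy(p: Dict[str, float]) -> float:
    return -sum(x * math.log2(x) for x in p.values() if x > 0)

def generalized_entropy(p: Dict[str, float], alpha: float) -> float:
    """Renyi (generalized) entropy H_alpha = log2(sum p_i^alpha) / (1 - alpha), in bits.
    alpha = 1 gives Shannon entropy; a larger alpha weights the dominant sources
    more, which is what lets a low-rate flood from a few sources stand out."""
    if alpha == 1.0:
        return shannon_entropy(p)
    return math.log2(sum(x ** alpha for x in p.values())) / (1.0 - alpha)

def kl_distance(p: Dict[str, float], q: Dict[str, float], eps: float = 1e-6) -> float:
    """Kullback-Leibler distance D(p || q) in bits. eps stands in for sources
    that never appeared in the baseline so the logarithm stays finite."""
    return sum(px * math.log2(px / q.get(k, eps)) for k, px in p.items() if px > 0)

def window_verdict(window: List[str], baseline: List[str], alpha: float = 2.0,
                   max_entropy_shift: float = 0.5, max_kl: float = 1.0) -> dict:
    """Flag a window when its entropy moves too far from the baseline's
    (threshold on the change in randomness) or when its source distribution
    is too far from the baseline in KL distance. Thresholds are assumptions."""
    p, q = distribution(window), distribution(baseline)
    h, h_base = generalized_entropy(p, alpha), generalized_entropy(q, alpha)
    d = kl_distance(p, q)
    shift = abs(h - h_base)
    return {"entropy": h, "entropy_shift": shift, "kl": d,
            "anomalous": shift > max_entropy_shift or d > max_kl}

def demo() -> Tuple[dict, dict]:
    # Constructed sample: eight legitimate clients in 192.0.2.0/24.
    clients = [f"192.0.2.{i}" for i in range(1, 9)]
    baseline = clients * 2                        # 16 packets, uniform over clients
    quiet = clients + clients[:7] + [clients[0]]  # same clients, slightly uneven
    # Low-rate flood: one new source sends 12 of the 16 packets in the window.
    attack = ["198.51.100.66"] * 12 + clients[:4]
    return window_verdict(quiet, baseline), window_verdict(attack, baseline)

if __name__ == "__main__":
    for label, verdict in zip(("quiet", "attack"), demo()):
        print(label, verdict)
```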

Belyaev et al. presented a new load balancing technique to increase the server's survival time in the face of a DDoS attack [15]. The load balancing algorithm begins to take priority over the routing table when the server is under attack or overloaded. To distribute attack traffic, the Bellman-Ford method is used to define the shortest paths to the endpoint servers. A 2016 survey [16] examined DDoS attack types, including new attacks on virtual machines and hypervisors in the cloud computing environment. The authors also cover popular network defensive strategies and cloud computing defences against DDoS attacks.

3. Idea Proposed
The idea proposed in this paper is to develop a DDoS protection system that combines real-time monitoring with predictive analytics to proactively identify potential DDoS threats. Unlike traditional DDoS defense systems, which are often reactive and respond only after an attack has been detected, our approach aims to predict potential attacks by analyzing past traffic patterns, attack trends, and suspicious behavior. This enables early warning and preparation, reducing the impact of attacks and enhancing system resilience.

Traffic Analysis and Behavior Modelling:
o The system continuously monitors incoming network traffic to capture data on normal traffic patterns and identify anomalies that might indicate malicious intent.
o Using historical data, the system builds profiles of typical user behaviors, differentiating between genuine and potentially malicious traffic patterns.

Machine Learning for Pattern Recognition:
o A machine learning model is trained to identify known attack signatures and patterns that often precede DDoS events.
o The system can detect irregularities by comparing current traffic characteristics with learned patterns, enabling it to anticipate potential threats before they fully manifest.

Threat Prediction and Attack Forecasting:
o Based on analysis of recent traffic behavior, the system predicts the probability of specific types of DDoS attacks occurring.

4. DDoS Analysis
This architecture must employ advanced techniques for traffic analysis, anomaly detection, and attack response to safeguard continuous service availability and maintain data integrity.

4.1. Objectives
DDoS attacks can overwhelm cloud resources, making genuine access to services challenging and, at times, impossible. To address this, there is a need for a robust DDoS Protection System designed specifically for cloud environments. The system should incorporate a scalable architecture that can detect and mitigate DDoS attacks in real time without compromising the performance of genuine traffic.

4.2. DDoS Overview

The main aim of this project is to develop a robust DDoS Protection System specifically designed for cloud architecture. This system will use a multilayered approach, combining real-time traffic monitoring, machine learning-based anomaly detection, and automated mitigation policies. This project aims to provide a complete DDoS analysis solution that enhances cloud security, minimizes downtime, and safeguards service dependability. The tool will be designed to integrate seamlessly with existing cloud infrastructure, making it adaptable to various cloud providers and deployment environments.

4.3. Purpose of DDoS attack

There can be many different reasons or intentions for launching DDoS attacks; however, we briefly describe below some of the most important and prevalent motives.

1. Ransom: This is the most likely and recurring motive of attackers. DDoS attacks are generally followed by a payment demand from the attacker. However, a ransom note threatening an attack may occasionally also be sent beforehand.

2. Business Rivalry: DDoS attacks can be intentionally used by business organizations to shut down competing websites and online activities.

5. Design and Implementation

Fig 1. DDoS Workflow

• Internet: Incoming traffic flows from the internet.
• Preprocessing: Initial processing or filtering is applied to incoming data.
• Intrusion Detection System (IDS): The IDS is responsible for analyzing the traffic and classifying it as one of three types:
  • Signature-Based: Uses a database of known attack signatures to detect threats.
  • Normal: Classified as genuine or safe traffic.
  • Behavior-Based: Detects anomalies by comparing traffic behavior against established patterns.
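The preprocessing step and the three-way IDS classification from the workflow above, as an added example (not the project's own code): the signature rules, the per-source rate profiles and the flow records are constructed assumptions, and the behavior check is a simple mean-plus-3-sigma rate limit rather than the paper's machine learning model.

```python
# Added example: preprocessing followed by signature / behavior / normal classification.
import statistics
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class Flow:
    src: str
    proto: str      # "tcp", "udp" or "icmp"
    dst_port: int
    flags: str      # TCP flags seen, "" for non-TCP
    pkts: int       # packets from src in this one-second interval
    avg_len: int    # average packet length in bytes

OPEN_UDP_PORTS = {53, 123}   # UDP services the protected site exposes (assumed)

# Signature database: a name plus a predicate over one flow record (assumed rules).
SIGNATURES: List[Tuple[str, Callable[[Flow], bool]]] = [
    ("oversized ICMP echo", lambda f: f.proto == "icmp" and f.avg_len > 65535),
    ("SYN-only flood", lambda f: f.proto == "tcp" and f.flags == "S" and f.pkts >= 1000),
    ("UDP flood to closed port",
     lambda f: f.proto == "udp" and f.dst_port not in OPEN_UDP_PORTS and f.pkts >= 1000),
]

def preprocess(raw: List[dict]) -> List[Flow]:
    """Normalise case and types and drop empty records before the IDS sees them."""
    flows = []
    for r in raw:
        if int(r.get("pkts", 0)) <= 0:
            continue
        flows.append(Flow(r["src"], r["proto"].lower(), int(r["dst_port"]),
                          r.get("flags", "").upper(), int(r["pkts"]), int(r.get("avg_len", 0))))
    return flows

class IDS:
    def __init__(self, history: Dict[str, List[int]], z: float = 3.0):
        # Per-source packet-rate profile (mean, std) learned from historical
        # traffic, plus a global profile used for sources never seen before.
        self.profile = {s: (statistics.mean(v), statistics.pstdev(v)) for s, v in history.items()}
        allv = [x for v in history.values() for x in v]
        self.global_profile = (statistics.mean(allv), statistics.pstdev(allv))
        self.z = z

    def classify(self, f: Flow) -> Tuple[str, str]:
        # 1. Signature-based: match against known attack patterns.
        for name, match in SIGNATURES:
            if match(f):
                return "signature", name
        # 2. Behavior-based: rate far above what this source (or any) normally sends.
        mu, sd = self.profile.get(f.src, self.global_profile)
        limit = mu + self.z * max(sd, 1.0)
        if f.pkts > limit:
            return "behavior", f"{f.pkts} pkt/s exceeds learned limit {limit:.1f}"
        # 3. Otherwise the flow is treated as normal.
        return "normal", ""

def demo() -> List[str]:
    history = {"198.51.100.7": [20, 22, 19, 21, 18], "198.51.100.8": [30, 28, 31, 29, 32]}
    raw = [  # constructed one-second flow records
        {"src": "198.51.100.7", "proto": "TCP", "dst_port": 443, "flags": "SA", "pkts": 23, "avg_len": 900},
        {"src": "198.51.100.7", "proto": "tcp", "dst_port": 443, "flags": "PA", "pkts": 400, "avg_len": 900},
        {"src": "203.0.113.9", "proto": "tcp", "dst_port": 80, "flags": "S", "pkts": 5000, "avg_len": 60},
        {"src": "203.0.113.10", "proto": "icmp", "dst_port": 0, "flags": "", "pkts": 5, "avg_len": 70000},
        {"src": "203.0.113.11", "proto": "udp", "dst_port": 53, "flags": "", "pkts": 2000, "avg_len": 512},
        {"src": "203.0.113.12", "proto": "udp", "dst_port": 9, "flags": "", "pkts": 0, "avg_len": 0},
    ]
    ids = IDS(history)
    return [ids.classify(f)[0] for f in preprocess(raw)]

if __name__ == "__main__":
    print(demo())
```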

6. Result Analysis

The evaluation covers performance metrics, scalability, comparative analysis, efficiency of the architecture, tool integration and automation, and simulations.

7. Conclusion and Future work

DDoS attacks are currently a major threat and work against the availability of cloud services. With each mechanism developed against DDoS attacks, a more sophisticated attack appears. Mechanisms to analyse DDoS attacks are not always effective on their own.

Combining different mechanisms to build hybrid mechanisms, in particular across different cloud computing layers, is highly recommended. It is extremely important to examine the effects of these different types of DDoS attacks on the cloud system.

In this paper, we examined the effect of different types of DDoS attacks on the cloud environment. Finally, we developed a project to analyze the attacks and help prevent them before they happen.

We have developed the system only for limited sources and need to add and implement more features to deploy it in real-time applications.

8. References

[1] S.T. Zargar, J. Joshi, D. Tipper, "A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks", IEEE Communications Surveys & Tutorials, 15 (4) (2013), pp. 2059-2068, 10.1109/SURV.2013.031413.00127.

[2] D. Dittrich, "The Tribe Flood Network Distributed Denial of Service attack tool", University of Washington, October 21, 1999.

[3] A. Furfaro, G. Malena, L. Molina, A. Parise, "A Simulation Model for the Analysis of DDoS Amplification Attacks", Conference on Modeling and Simulation (2015), pp. 266-273.

[4] K.S. Bhosale, M. Nenova, G. Iliev, "The Distributed Denial of Service attacks (DDoS) prevention mechanisms on application layer", Conference on Advanced Technologies, Systems and Services in Telecommunications, IEEE (2017), pp. 136-138.

[5] A. Praseed, P.S. Thilagam, "DDoS Attacks at the Application Layer: Challenges and Research Perspectives for Safeguarding Web Applications", IEEE Communications Surveys & Tutorials, 21 (1) (2019), pp. 668-679, 10.1109/COMST.2018.2870658.

[6] P. Ferguson et al., "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", Technical report, The Internet Society, 1998.

[7] Cheng Jin, Haining Wang, and Kang G. Shin, "Hop-Count Filtering: An Effective Defense against Spoofed DDoS Traffic", in Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS '03), 2003, pp. 30-41, 10.1145/948109.948116.

[8] Yang Xiang, Ke Li, and Wanlei Zhou, "Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics", IEEE Transactions on Information Forensics and Security, Vol. 6, No. 2, June 2011.

[9] Saman Taghavi Zargar, J. Joshi, and D. Tipper, "A Survey of Defense Mechanisms Against Distributed Denial of Service (DDoS) Flooding Attacks", IEEE Communications Surveys & Tutorials, accepted for publication (2013).

[10] Ilker Ozcelik, Yu Fu, Richard R. Brooks, "DoS Detection is Easier Now", 2013 Second GENI Research and Educational Experiment Workshop.

[11] Ahmad Sanmorino, Setiadi Yazid, "DDoS Attack detection method and mitigation using pattern of the flow", 2013 International Conference of Information and Communication Technology (ICoICT).

[12] Y.-L. Hu and W.-B. Su, "Design of Event-Based Intrusion Detection System on OpenFlow Network", in 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 2013.

[13] R. Skowyra, "Software-Defined IDS for Securing Embedded Mobile Devices", in IEEE High-Performance Extreme Computing Conference (HPEC), 2013.

[14] Giotis A, Ahmed L., "A Source-end Defence against flooding denial of Service Attacks", IEEE Transactions on Dependable and Secure Computing, Vol. 2, pp. 219-228, 2014.

[15] M. Masdari, M. Jalali, "A survey and taxonomy of DoS attacks in cloud computing", Security and Communication Networks, 2016, 9, 3724-3751; SCN-15-0746.R1.

[16] M. Belyaev and S. Gaivoronski, "Towards Load Balancing in SDN-Networks During," in International Science and Technology Conference (Modern Networking Technologies) (MoNeTeC), Moscow, 2014.
