Review 1 (24 25)
ON
SMART DDoS DEFENDER
Gayatri Vidya Parishad College
of Engineering (Autonomous)
Madhurawada, Visakhapatnam – 530048
• The rising use of cloud infrastructure has led to an increased risk of DDoS attacks, which can severely disrupt
the availability of online services by overwhelming the server with malicious traffic.
• Increasing cloud adoption heightens the risk of DDoS attacks, threatening service availability and data
security. We propose a scalable DDoS Protection System designed for real-time detection and mitigation in
cloud-hosted web applications.
• Utilizes a multi-layered architecture with machine learning to distinguish between malicious and legitimate
traffic patterns.
• Ensures seamless integration across various cloud platforms while maintaining performance and minimizing
false positives.
• Aligns with industry security standards to safeguard data integrity and service continuity.
Introduction
• In today’s interconnected digital landscape, Distributed Denial-of-Service (DDoS) attacks pose a
significant threat to the availability and performance of online services.
• These attacks overwhelm target servers, services, or network infrastructures with massive volumes of
malicious traffic, rendering them inaccessible to legitimate users.
• With the increasing adoption of web-based applications and cloud-hosted services, safeguarding systems
against such attacks has become critical for ensuring uninterrupted service delivery and user satisfaction.
• DDoS attacks are orchestrated by exploiting multiple compromised devices (a botnet), often distributed globally, to
generate malicious traffic.
• This results in substantial challenges for detecting, mitigating, and recovering from such attacks.
• The complexity is further amplified by the similarity between attack patterns and legitimate traffic surges,
which requires advanced detection mechanisms to differentiate between normal and malicious activity.
Existing System
Cloud Service Provider Solutions:
Major cloud service providers offer built-in tools to protect against DDoS attacks:
AWS Shield (Amazon Web Services)
AWS Shield Standard provides basic DDoS protection for all AWS customers at no extra cost.
Key Features: always-on flow monitoring with automatic inline mitigation of common network- and transport-layer attacks; application-layer protection, attack diagnostics and response support require the paid Shield Advanced tier.
Azure DDoS Protection (Microsoft Azure)
Azure DDoS Protection Standard analyzes traffic and uses adaptive tuning to protect cloud infrastructure.
It integrates with Azure Monitor for reporting.
Key Features: Traffic rate limiting, Rule-Based Detection , and telemetry for attack diagnosis.
Google Cloud Armor (Google Cloud)
Cloud Armor protects applications hosted on Google Cloud against DDoS and application-layer attacks.
Key Features: Rate limiting, WAF (Web Application Firewall), and real-time monitoring.
Proposed System
The Smart DDoS Detection and Mitigation System is designed to proactively identify and mitigate Distributed Denial-of-Service (DDoS)
attacks on cloud-hosted web applications. The system ensures high availability by dynamically analyzing incoming traffic, detecting malicious
IPs, and blocking them using automated mitigation mechanisms. The core components include an Nginx server as a load balancer, a traffic
capturing system, a detection server, and an automated mitigation mechanism.
1. Attack Simulation
The attacking client uses hping3 to generate DDoS traffic towards the web servers.
The Nginx server acts as a load balancer, distributing incoming traffic to backend web servers using a round-robin algorithm.
The Nginx server itself can also be targeted in an attack, necessitating additional
security measures such as rate limiting and failover mechanisms.
2. Traffic Capturing
The Nginx server captures incoming network traffic using tcpdump.
The captured traffic is written to .pcap files in a designated directory called pcaps.
tcpdump rotates its output so that each .pcap file is limited to 5 MB, which keeps individual files quick to transfer and process.
3. Traffic Analysis and Detection
A Python worker running on the Nginx server continuously monitors the pcaps directory.
The worker fetches newly created .pcap files and forwards them to the detection server.
4. Detection Server
The detection server is implemented using FastAPI and receives .pcap files for analysis.
The server utilizes pyflowmeter to extract network flow attributes from the .pcap files (bidirectional flow statistics
in the style of CICFlowMeter, the tool that produced the CICDDoS2019 training data).
Approximately 80 network attributes are analyzed to identify potential DDoS attack patterns.
A trained Random Forest model classifies each extracted flow; flows are attributed to their source address, and
IP addresses whose flows exhibit DDoS attack characteristics are reported as attackers.
The server returns a list of detected attacking IPs to the Python worker.
5. Mitigation Mechanism
Upon receiving the list of attacking IPs, the Python worker on the Nginx server takes immediate action.
It utilizes iptables to block the identified malicious IP addresses, preventing further attack traffic from
reaching the web servers.
Additional security measures (the rate limiting and failover mechanisms noted above) protect the Nginx load
balancer itself from becoming an attack target.
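The capture, fetch and mitigation steps (2, 3 and 5) as one worker, written here as an added example rather than the project's own worker code. It assumes a hypothetical ipset named ddos_block created once with `ipset create ddos_block hash:ip timeout 600` and a single `iptables -I INPUT -m set --match-set ddos_block src -j DROP` rule, and it assumes the detection server's endpoint returns JSON of the form {"malicious_ips": [...]}; the protected ranges, interface and paths are placeholders. The points it adds beyond the description above: the newest rotated file is still being written and must not be uploaded yet, the model's output is untrusted input that must be validated before it reaches a firewall command, the backend pool and detection server must never be blocked, and blocks should expire so a false positive is temporary.

```python
import ipaddress
import json
import subprocess
import time
import urllib.request
from pathlib import Path

# Hypothetical deployment values for this example.
IPSET_NAME = "ddos_block"  # created once: ipset create ddos_block hash:ip timeout 600
BLOCK_TTL = 600            # seconds; entries expire, so a false positive is temporary
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def tcpdump_argv(iface, outdir, detection_host):
    """Capture command for the Nginx host. -C 5 rotates every 5,000,000 bytes
    (cap.pcap, cap.pcap1, ...), -Z drops root after the interface is opened (outdir
    must be writable by that user), and the worker's own uploads to the detection
    server are excluded so they are not fed back into the classifier."""
    return ["tcpdump", "-i", iface, "-nn", "-Z", "nobody", "-C", "5",
            "-w", str(Path(outdir) / "cap.pcap"), "not", "host", detection_host]


def select_completed(entries, seen, now, settle=5.0):
    """entries: (name, mtime) pairs of the rotated files. The newest file is the one
    tcpdump is still writing, so it is returned only once idle for `settle` seconds."""
    ordered = sorted(entries, key=lambda e: e[1])
    newest = ordered[-1][0] if ordered else None
    return [name for name, mtime in ordered
            if name not in seen and (name != newest or now - mtime >= settle)]


def list_pcaps(outdir):
    return [(str(p), p.stat().st_mtime) for p in Path(outdir).glob("cap.pcap*")]


def send_for_analysis(path, url):
    """POST one pcap to the detection server. The endpoint and its reply shape
    {"malicious_ips": [...]} are assumptions, not the project's documented API."""
    req = urllib.request.Request(url, data=Path(path).read_bytes(),
                                 headers={"Content-Type": "application/octet-stream"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["malicious_ips"]


def blockable(candidate):
    """The model's output is untrusted input. Accept only a literal IPv4 address (the
    set is family inet; IPv6 needs a second set) that is not loopback, link-local,
    multicast or inside a protected range, so the backend pool is never cut off."""
    try:
        ip = ipaddress.ip_address(str(candidate).strip())
    except ValueError:
        return None
    if ip.version != 4 or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return ip


def plan_blocks(candidate_ips):
    """One 'ipset add' per valid address. The single iptables rule that matches the
    set replaces one rule per IP, so the INPUT chain does not grow with the attack."""
    valid = {blockable(c) for c in candidate_ips} - {None}
    return [["ipset", "add", IPSET_NAME, str(ip), "timeout", str(BLOCK_TTL), "-exist"]
            for ip in sorted(valid)]


def run_worker(outdir, url, interval=2.0, run=subprocess.run):
    """Poll the capture directory, analyse finished files, apply blocks, delete the file."""
    seen = set()
    while True:
        for path in select_completed(list_pcaps(outdir), seen, time.time()):
            seen.add(path)
            try:
                ips = send_for_analysis(path, url)
            except (OSError, ValueError, KeyError) as exc:
                print(f"analysis failed for {path}: {exc}")  # file kept for inspection
                continue
            for cmd in plan_blocks(ips):
                run(cmd, check=True)  # argv list, never a shell string
            Path(path).unlink()       # otherwise the 5 MB files fill the disk
        time.sleep(interval)
```

Run it with `run_worker("/var/pcaps", "http://detector:8000/analyze")` after starting tcpdump with the argv from tcpdump_argv. Two caveats follow from the design: blocking by source address does nothing against a flood whose sources are spoofed (hping3 --rand-source), which is why the rate limiting and SYN-cookie style defences for the balancer itself remain necessary, and a long-running worker should also age out the `seen` set once files are deleted.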
Requirements Specification
The system utilizes various software components to achieve efficient DDoS detection and mitigation:
1. FastAPI (Detection Server): A high-performance Python web framework used to handle traffic
analysis requests and detect DDoS attack patterns.
2. Nginx (Load Balancer): Acts as a reverse proxy and load balancer, distributing incoming traffic
among backend servers while also being a potential target for attacks.
3. Scikit-learn (Detection Model): Implements machine learning techniques, specifically a Random
Forest classifier, to analyze network traffic and detect anomalies indicative of a DDoS attack.
4. Grafana (Visualization): Provides real-time monitoring and visual dashboards for analyzing
attack patterns and traffic trends.
5. Docker (Containerization): Ensures smooth deployment and scalability by containerizing
different components of the system.
6. hping3 (Attack Simulation): Generates synthetic DDoS traffic to test the effectiveness of the
detection and mitigation mechanisms.
7. tcpdump (Traffic Capture): Captures incoming and outgoing network packets, saving them
in .pcap files for analysis.
8. PyFlowMeter (PCAP Analysis): Extracts flow-based network attributes from .pcap files to
enable accurate attack detection.
9. iptables (Traffic Blocking): Dynamically blocks malicious IPs once identified by the detection
server, preventing further attack traffic from reaching the web servers.
System Architecture
System Architecture Explanation
Attack Initiation: The attacking client sends a Distributed Denial-of-Service (DDoS) attack to the
system.
Traffic Handling: The Nginx Load Balancer receives incoming traffic and distributes it to backend servers.
Traffic Capture: tcpdump collects network packets for further analysis.
Storage of Traffic Data: The captured traffic is stored as PCAP (Packet Capture) files.
Fetching PCAP Files: The stored PCAP files are fetched for analysis.
Sending PCAP for Analysis: The PCAP files are sent to a FastAPI-based Detection Server for
processing.
Network Attribute Extraction: The system extracts network attributes using pyflowmeter, a network
flow feature extractor.
Malicious IP Prediction: A Random Forest Machine Learning Model is used to predict whether the
IPs are malicious.
Malicious IP Response: The model returns a list of malicious IPs.
Detection Server Sends IPs: The FastAPI Detection API sends detected malicious IPs to the mitigation
system.
Blocking Malicious IPs: The system blocks the malicious IPs to prevent further attacks.
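The attribute-extraction and malicious-IP-prediction steps above, as an added example that is not the project's code: a minimal pcap decoder stands in for pyflowmeter (IPv4/TCP only, a handful of the roughly 80 attributes), a hand-written "initiator sent only SYNs" rule stands in for the trained Random Forest's per-flow verdict, and flag_sources shows the step the architecture leaves implicit, turning per-flow verdicts into per-address decisions with a minimum flow count and ratio so that one misclassified flow does not block a user. The hosts, ports and traffic in sample_pcap are constructed.

```python
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_PSH, TCP_ACK = 0x02, 0x08, 0x10


def tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums are zero and never verified here."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(packets):
    """packets: iterable of (timestamp, frame) -> bytes of a .pcap file."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_tcp_packets(pcap):
    """Yield (ts, src, dst, sport, dport, flags, ip_len) per IPv4/TCP packet.
    Other protocols are skipped; UDP and ICMP floods need their own decoder."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("expected little-endian microsecond pcap")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, incl, _orig = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack(">H", frame[16:18])[0]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        tcp = frame[14 + ihl:14 + ihl + 20]
        sport, dport = struct.unpack(">HH", tcp[:4])
        yield sec + usec / 1e6, src, dst, sport, dport, tcp[13], ip_len


def build_flows(pcap):
    """Group packets into bidirectional flows (forward = direction of the first packet,
    as CICFlowMeter-style extractors do) with a few per-flow attributes."""
    flows = {}
    for ts, src, dst, sport, dport, flags, size in iter_tcp_packets(pcap):
        key = frozenset(((src, sport), (dst, dport)))
        f = flows.get(key)
        if f is None:
            f = flows[key] = {"src": src, "dst": dst, "dport": dport, "fwd_pkts": 0,
                              "bwd_pkts": 0, "fwd_syn": 0, "bytes": 0, "start": ts, "end": ts}
        if src == f["src"]:
            f["fwd_pkts"] += 1
            f["fwd_syn"] += bool(flags & TCP_SYN)
        else:
            f["bwd_pkts"] += 1
        f["bytes"] += size
        f["end"] = ts
    for f in flows.values():
        f["duration"] = f["end"] - f["start"]
    return list(flows.values())


def syn_only_flow(f):
    """Placeholder for the Random Forest's per-flow verdict: the initiator sent nothing
    but SYNs, i.e. it never completed the handshake it asked for."""
    return f["fwd_pkts"] == f["fwd_syn"]


def flag_sources(flows, is_malicious, min_flows=10, min_ratio=0.8):
    """Per-IP decision: report an address only if it initiated at least min_flows flows
    and at least min_ratio of them were judged malicious."""
    per_ip = defaultdict(lambda: [0, 0])
    for f in flows:
        counts = per_ip[f["src"]]
        counts[0] += 1
        counts[1] += bool(is_malicious(f))
    return sorted(ip for ip, (total, bad) in per_ip.items()
                  if total >= min_flows and bad / total >= min_ratio)


def sample_pcap():
    """Constructed capture: 200 SYNs from one address (hping3 -S style, fresh source port
    per packet, each answered by the balancer) plus three complete client handshakes."""
    server, attacker, client = "10.0.0.5", "203.0.113.7", "198.51.100.20"
    t0 = 1_700_000_000.0
    pkts = []
    for i in range(200):
        pkts.append((t0 + i * 0.001, tcp_frame(attacker, server, 40000 + i, 80, TCP_SYN)))
        pkts.append((t0 + i * 0.001 + 0.0001,
                     tcp_frame(server, attacker, 80, 40000 + i, TCP_SYN | TCP_ACK)))
    for i in range(3):
        t, port = t0 + 0.05 + i, 51000 + i
        pkts += [(t, tcp_frame(client, server, port, 80, TCP_SYN)),
                 (t + 0.01, tcp_frame(server, client, 80, port, TCP_SYN | TCP_ACK)),
                 (t + 0.02, tcp_frame(client, server, port, 80, TCP_ACK)),
                 (t + 0.03, tcp_frame(client, server, port, 80, TCP_PSH | TCP_ACK,
                                      b"GET / HTTP/1.1\r\n\r\n")),
                 (t + 0.04, tcp_frame(server, client, 80, port, TCP_ACK))]
    return build_pcap(sorted(pkts, key=lambda p: p[0]))
```

Calling `flag_sources(build_flows(sample_pcap()), syn_only_flow)` yields only the attacker. In production the callable is the Random Forest applied to the full pyflowmeter feature vector, but the aggregation stays the same. The example also shows the limit of the approach: with hping3 --rand-source every spoofed address initiates exactly one flow, never reaches min_flows, and the flood must be absorbed by rate limiting and SYN cookies at the balancer rather than by address blocking.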
Backend Web Server
Application Purpose:
This is a FastAPI-based server with Prometheus integration for monitoring.
Prometheus Integration:
We use prometheus_fastapi_instrumentator to collect real-time metrics from this FastAPI service
Dynamic Server Identification:
The endpoint fetches the SERVER_NUMBER from environment variables, allowing the system to
identify different server instances
Deployment Context:
This type of API is used in load-balanced architectures where multiple servers handle incoming requests
Machine Learning Model- Random Forest Classifier
Exploratory Data Analysis (EDA) – Visualized protocol, packet length, and flag distributions.
Feature Selection – Removed redundant features (identifier columns such as Flow ID, source/destination IP and timestamp must be dropped as well, otherwise the model memorizes the dataset's attacker addresses instead of traffic behaviour).
Data Preprocessing – Splitting, encoding, and transforming.
Model Training – Evaluated Random Forest, KNN, Extra Trees, and MLP Classifier.
Performance Comparison – Plotted ROC curves and accuracy.
Model Saving – The best model (Random Forest) was saved.
Role of the Orchestration server
The orchestration server ensures that data flows correctly between all components.
It automates decision-making (blocking malicious IPs).
It enables real-time detection and mitigation of DDoS attacks.
Key Components of the Orchestration Server:
Python Worker: Manages communication between components, fetches data, and updates
security rules.
FastAPI Detection API: Provides an interface for receiving and analyzing traffic.
iptables: Implements firewall rules to block attackers.
UML Diagrams
Class Diagram:
Use Case Diagram:
Sequence Diagram:
SAMPLE CODE
OUTPUT
Datasets Used
https://www.kaggle.com/datasets/dhoogla/cicddos2019/data
Dataset description (abstract of Sharafaldin et al., 2019, the CICDDoS2019 paper):
Distributed Denial of Service (DDoS) attack is a menace to network security that aims at exhausting the target
networks with malicious traffic. Although many statistical methods have been designed for DDoS attack detection,
designing a real-time detector with low computational overhead is still one of the main concerns. On the other hand,
the evaluation of new detection algorithms and techniques heavily relies on the existence of well-designed datasets.
In this paper, first, we review the existing datasets comprehensively and propose a new taxonomy for DDoS attacks.
Secondly, we generate a new dataset, namely CICDDoS2019, which remedies all current shortcomings. Thirdly, using
the generated dataset, we propose a new detection and family classification approach based on a set of network
flow features. Finally, we provide the most important feature sets to detect different types of DDoS attacks with their
corresponding weights.
Future Scope
The future of SMART DDoS DEFENDER lies in AI-driven automation, proactive defense, and seamless integration
with emerging technologies. Advanced AI models, including deep learning and reinforcement learning, will enhance
anomaly detection and zero-day attack prevention using behavioral analytics and federated learning for decentralized
security.
To move beyond reactive mitigation, autonomous threat response will enable proactive defense, while blockchain-based
security will ensure secure traffic validation. AI-driven honeypots will evolve dynamically, capturing attacker behaviors for
better threat intelligence. IoT and edge computing security will become crucial as networks expand, while 5G and multi-
cloud protection will safeguard high-speed, distributed architectures.
Real-time AI-powered threat intelligence will enable global cybersecurity collaboration, with AR dashboards and voice-
enabled security assistants streamlining monitoring and response. Regulatory compliance will be reinforced through
explainable AI (XAI) and automated compliance audits to meet global data privacy standards like GDPR.
Industry-specific applications will include critical infrastructure security for smart cities, finance, healthcare, and cloud
gaming. With these innovations, SMART DDoS DEFENDER will evolve into a self-learning, adaptive, and highly
scalable cybersecurity solution, ready to tackle the next generation of cyber threats.
References
• M. Rabbani, “Enhancing Generalizability in DDoS Attack Detection Systems through Transfer Learning
and Ensemble Learning Approaches,” https://www.unb.ca/cic/datasets/ddos-2019.html
• A. Kazin, “DDoS SDN Dataset,” Kaggle, https://www.kaggle.com/datasets/aikenkazin/ddos-sdn-dataset
• I. Sharafaldin, A. Habibi Lashkari, S. Hakak, and A. A. Ghorbani, “Developing Realistic Distributed
Denial of Service (DDoS) Attack Dataset and Taxonomy,” IEEE 53rd International Carnahan Conference on
Security Technology, Chennai, India, 2019.
• L. Breiman, “Random forests,” Machine Learning, vol. 45, no. 1, pp. 5–32, 2001.
• A. V. Songa and G. R. Karri, “An integrated SDN framework for early detection of DDoS attacks in
cloud computing,” Journal of Cloud Computing, vol. 13, article 64, 2024.
• J. Nazario, “DDoS attack evolution,” Network Security, vol. 2008, no. 7, pp. 7–10, 2008.
• S. M. Specht and R. B. Lee, “Distributed denial of service: Taxonomies of attacks, tools, and countermeasures,” in
Proceedings of the 17th International Conference on Parallel and Distributed Computing Systems, 2004, pp. 543–550.
• J. Lemon, “Resisting SYN flood DoS attacks with a SYN cache,” in Proceedings of the BSD Conference 2002, p. 10.
• U. M. Shahil, Deekshitha, Nuzga Anam M, and M. Basthikodi, “DDoS Attack in Cloud Computing and its
Preventions,” JETIR, vol. 6, issue 5, 2019.
• A. Thakkar and R. Lohiya, “A review of the advancement in intrusion detection datasets,” Procedia Computer Science,
vol. 167, pp. 636–645, 2020.