Procedia Engineering 201 (2017) 417–427
www.elsevier.com/locate/procedia

3rd International Conference “Information Technology and Nanotechnology”, ITNT-2017, 25-27 April 2017, Samara, Russia

Rank distribution for determining the threshold values of network variables and the analysis of DDoS attacks

A. M. Sukhov a,∗, E. S. Sagatov a, A. V. Baskakov a

a Samara National Research University, 34, Moskovskoe shosse, Samara, 443086, Russia

Abstract

This paper analyzes network attacks using rank distribution data. Rank distributions for a number of variables generated by a
single IP address are compared for normal and anomalous network states. The investigated network variables include the number
of active flows, the rate of incoming TCP, UDP and ICMP traffic, as well as the frequency of references to a web server (for a
given port). Experimental data were obtained during a real bandwidth DDoS attack on a popular Internet portal. The rank
distribution collected under normal network conditions enables the determination of threshold values for major network
variables; exceeding these thresholds should therefore lead to the identification of attacking IP addresses and subsequent
blocking of their access.

© 2017 The Authors. Published by Elsevier Ltd.
Peer-review under responsibility of the scientific committee of the 3rd International Conference “Information Technology and
Nanotechnology”.

Keywords: Bandwidth DDoS attack; threshold values for major network variables; rank distribution in networks

1. Introduction

The recent exponential growth in Internet traffic and information sources has been accompanied by a rapid increase
in the number of anomalous network states, which can be caused by both technogenic and human factors. However,
the recognition of anomalous states created by hackers is rather difficult, due to the fact that they mimic the actions of
ordinary users [18]. Since such an anomalous state is extremely difficult to detect and block, ensuring the safety and
reliability of Internet services requires knowledge regarding the behavior of users [10,19] of a particular resource.
In this paper we will focus on methods that help to prevent DDoS (Distributed Denial of Service) attacks [4,15].
DDoS attacks are those in which a multitude of computers on the Internet begins to send requests to the victim service
on an attacker’s command. When the number of requests exceeds the capabilities of the victim’s servers, new requests
are no longer serviced and the service becomes unavailable. In this case the victim is exposed to financial losses.
The research investigating attack recognition described in the present paper is based on a unified mathematical
approach. A number of important network variables generated by a single external IP address when accessing the
specified server or LAN are identified, including the number of active flows, the rate of incoming TCP, UDP and
ICMP traffic, as well as the frequency of references to a web server (for a given port), with the network infrastructure
enabling the measurement of values for these variables.

∗ A. M. Sukhov. Tel.: +7-927-785-67-48. E-mail address: amskh@yandex.ru
ISSN 1877-7058. doi:10.1016/j.proeng.2017.09.666
After finding these values for the analyzed variables over an arbitrary time period, the next step is to build a rank
distribution. To do this, the values are arranged in descending order, with an analysis of network states carried out by
comparing the corresponding distributions. Such a comparison is particularly useful when the distributions for normal
and abnormal network statuses are shown on the same graph, making it easy to define the boundary between the two
states.
Experiments investigating a DDoS attack on an online service can be carried out with the help of simulation under
laboratory conditions. However, the value of the results obtained using this method is much lower than that of data
produced after a DDoS attack on a commissioned commercial service, since emulators cannot fully reproduce a real
computer network. In addition, for a full understanding of the principles and methods of DDoS attacks, the researchers
involved require corresponding experience. Therefore, the present authors anonymously agreed to hold a real DDoS
attack on a specially prepared web service, with network traffic data and statistics collected by NetFlow during the
attack. The study of rank distributions for flow number and different types of incoming traffic generated by a single
external IP address enables the definition of threshold values for each variable. Exceeding these values can thus be
defined as a signature of the attacker’s host, making it possible for conclusions to be drawn regarding the effectiveness
of different detection methods and countering techniques.
The paper is organized as follows: Section 2 provides an overview regarding the design of new network variables
to analyze network attacks, as well as finding threshold values for these variables; Section 3 is devoted to the use of
rank distributions for the analysis of online processes and ways in which to detect network attacks; Section 4 describes
the experimental infrastructure and its testing; Section 5 provides an analysis of incoming traffic during bandwidth
DDoS attack; finally, Section 6 describes the determination of thresholds for different types of incoming traffic.

2. Review of previous work

Although the idea of determining a threshold value for the detection of abnormal network states was initially
proposed after the first appearance of DDoS attacks some time ago [11], the question remains as to which variables
should be analyzed. In paper [5] a statistical function was sought that could be considered as representing system
entropy, with the behavior of this function thus describing the moment of attack onset. This approach can be used to
detect low-rate attacks with the lowest intensity requests [1].
Paper [22] contains an analysis of attacks on the DNS server carried out using a specially designed detection value
with a calculated threshold. This value is constructed according to the number of requests to the DNS server and
response to these requests for a fixed time interval. Attack detection based on non-standard deviations from normal
behavior is described in paper [23], with anomalous behavior in this case being the deviation of values of critical
network variables from the normal state exceeding three sigma.
Numerous papers are devoted to intrusion detection using the NetFlow data analysis protocol; a fairly complete
survey can be found in [13]. It should be noted that the statistical approach also includes the use of intrusion detection
methods [7,21], with information regarding flows analyzed via simple laws of probability theory to reveal the source
of the attack. However, although the statistical approach is simple and provides reliable results, its field of application
is limited to well-studied types of attack.
The Greek authors of paper [17] proposed the use of 5 variables for attack analysis, including the ratio of incoming
to outgoing UDP and ICMP traffic, the number of flows consisting of a single packet, the number of flows with
duration less than 10 milliseconds, and the number of new flows per second. For each of these variables thresholds
were defined, beyond which an attack can be said to have begun. This work is closest to the approach proposed in the
present study.
One of the distinguishing features of the proposed approach is the use of rank analysis of NetFlow data [7,21], with
attack detection based on deviation from the Zipf distribution [26]. We analyzed information regarding completed or
active flows for a certain period; the minimum time of NetFlow statistics collection may vary from one to five minutes.
During normal network operation, a ranked list of the flow number generated by a unique IP address follows a typical
Zipf distribution [12]. Attacker addresses can thus be identified by the exceeding of a threshold for the number of
completed flows [21], with the flow number increasing many times during an attack.

At present, special attention should be given to the most dangerous type of bandwidth DDoS attacks that overflow
the external channel leading to a separate server, local organization or autonomous system. One of the first analytical
papers focusing on bandwidth DDoS attacks, [8] provides an overview of sources of attack and defense strategies, as
well as providing data on attack power.

3. Rank distribution and recognition of anomalous network states

In 1994, Steve Glassman [9] first described the process of Internet traffic caching using a ranking distribution.
Subsequent work significantly expanded the scope of rank distributions to describe Internet processes such as queries
to search engines, access to DNS servers, and the popularity of individual documents on a website. Nevertheless,
there are currently only a few good reviews [3,12] available regarding the application of rank distributions for the
description of network processes.
Most often, Internet processes are described using the Zipf distribution, which states that

$$p_i = \frac{p_1}{i^{\alpha}} \qquad (1)$$

where $p_1$ is the greatest value of the investigated network parameter, $i$ is the sequence number in the ranked list
(the descending list), and $\alpha$ is the exponent. Therefore, these three values should be used when analyzing an attack.
In order to recognize the onset of an attack and its sources, two rank distributions are compared. One of these
distributions is constructed at the current time and the other at some previous moment; the second point is considered
the normal network state. As mentioned previously, one can analyze the rank distributions for the number of active
flows generated by a single IP address. During attacks, a constant and dramatic increase in the number of flows is
observed, as shown in Fig. 1.
To detect the beginning of an attack the following ratio should be used:

$$k = \frac{p_1}{p_{tr}} \qquad (2)$$

The question now is how to determine the threshold $p_{tr}$, which is the denominator in Eq. 2.
To this end, the variation of the greatest value of the investigated network parameter over time $p_1(t)$ is calculated.
In this case it is necessary to collect and process statistics for a significant period, although in order to avoid large
fluctuations such statistics should be collected weekly. The practical implementation of this method will be discussed
in Section 5. It should be noted that threshold $p_{tr}$ can be found based on this calculation. This value will not be
exceeded during normal network operation, $p_1(t) \le p_{tr}$, and can thus be used to calculate the value of coefficient $k$ in
Eq. 2.
The next question is how to define a set of network parameters for which it is necessary to calculate thresholds.
Network parameter selection depends on the DDoS attack type. If the attack is aimed at the violation of an online
service, such as the denial of web server operation, one should monitor the number of requests to the attacked resource.
If the attack aims to overflow incoming channels, data should be collected for all types of incoming traffic (TCP, UDP,
ICMP), as well as information regarding the number of flows.
However, since in reality the type of attack is not known in advance, threshold values need to be calculated for
many variables. Such a set of variables should include:

• The total number of active flows in the border router;
• The number of active flows generated by a single external IP address;
• Incoming traffic generated by a single external IP address, for each type of traffic (TCP, UDP, ICMP);
• The number of requests generated by a single external IP address, for each service type (HTTP, FTP, mail, proxy,
ssh, samba, MySQL, etc.).

After thresholds are found for the important network variables, regular calculation of the corresponding values of
the coefficients as defined by Eq. 2 should be carried out. If the value of the corresponding coefficient is much greater
than one, an anomalous network state is likely.
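As an added illustration of the Section 3 procedure (example code, not the authors' scripts), the following Python builds the ranked list of per-address active-flow counts for one collection interval, estimates the Zipf exponent α of Eq. (1) by a log-log least-squares fit, derives p_tr from a history of weekly maxima p_1(t) observed in the normal state, and evaluates the coefficient k of Eq. (2). All addresses, counts and the weekly history are constructed sample data, and the optional safety margin on p_tr is an assumption the paper does not make.

```python
"""Rank-distribution analysis of per-address flow counts (added example, not from the paper)."""
import math
from typing import Dict, List, Tuple

Ranked = List[Tuple[str, float]]


def rank_distribution(values_by_ip: Dict[str, float]) -> Ranked:
    """Arrange per-address values in descending order; element 0 is rank 1, i.e. p_1."""
    return sorted(values_by_ip.items(), key=lambda kv: kv[1], reverse=True)


def zipf_exponent(ranked: Ranked) -> float:
    """Estimate alpha of Eq. (1), p_i = p_1 / i**alpha, by least squares on log p_i against log i."""
    pts = [(math.log(i), math.log(v)) for i, (_, v) in enumerate(ranked, start=1) if v > 0]
    n = len(pts)
    mx = sum(x for x, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxx = sum((x - mx) ** 2 for x, _ in pts)
    sxy = sum((x - mx) * (y - my) for x, y in pts)
    return -sxy / sxx                      # the fitted slope is -alpha


def threshold_from_history(p1_history: List[float], margin: float = 1.0) -> float:
    """p_tr: the largest p_1(t) seen in the normal-state history, times an optional margin (assumption)."""
    return max(p1_history) * margin


def attack_coefficient(ranked: Ranked, p_tr: float) -> float:
    """k = p_1 / p_tr (Eq. 2); a value much greater than one indicates an anomalous state."""
    return ranked[0][1] / p_tr


def addresses_above_threshold(ranked: Ranked, p_tr: float) -> List[str]:
    """Addresses whose value exceeds p_tr, i.e. candidates for the stop list."""
    return [ip for ip, v in ranked if v > p_tr]


# Constructed sample data (not measurements from the paper).
# Weekly maxima p_1(t) of active flows per address during normal operation:
NORMAL_P1_HISTORY = [38.0, 41.0, 35.0, 44.0, 40.0, 37.0, 42.0]

# Active flows per external address in one normal 5-minute interval (roughly Zipf, alpha about 1):
NORMAL_INTERVAL = {
    "198.51.100.1": 40, "198.51.100.2": 20, "198.51.100.3": 13, "198.51.100.4": 10,
    "198.51.100.5": 8, "198.51.100.6": 7, "198.51.100.7": 6, "198.51.100.8": 5,
}

# The same interval with three flooding addresses added:
ATTACK_INTERVAL = dict(NORMAL_INTERVAL, **{
    "203.0.113.10": 4400, "203.0.113.11": 3900, "203.0.113.12": 900,
})


def analyse(interval: Dict[str, float], p1_history: List[float]) -> Dict[str, object]:
    """Run the Section 3 procedure on one interval and return the quantities of interest."""
    ranked = rank_distribution(interval)
    p_tr = threshold_from_history(p1_history)
    return {
        "alpha": zipf_exponent(ranked),
        "p_tr": p_tr,
        "k": attack_coefficient(ranked, p_tr),
        "above_threshold": addresses_above_threshold(ranked, p_tr),
    }


if __name__ == "__main__":
    for label, interval in (("normal", NORMAL_INTERVAL), ("attack", ATTACK_INTERVAL)):
        r = analyse(interval, NORMAL_P1_HISTORY)
        print(f"{label}: alpha={r['alpha']:.2f} p_tr={r['p_tr']} k={r['k']:.1f} "
              f"above={r['above_threshold']}")
```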

4. Experimental infrastructure

Experiments investigating DDoS attacks on services can be carried out via emulation in the laboratory. However,
the value of the obtained results is much lower than that of data produced after a DDoS attack on a commissioned
commercial service, since emulators cannot fully reproduce a real computer network. In addition, experience of
working with DDoS attacks is required for a full understanding of the principles and methods of network attacks.
Therefore, the present authors anonymously agreed to hold a real DDoS attack on a specially prepared web hosting.
During the attack, network traffic was recorded and NetFlow statistics were collected. The study of rank distributions
for the flow number and different types of incoming traffic generated by a single external IP address allows the setting
of threshold values, the exceedance of which can be classified as a sign of the attacker’s site. It is also possible to
draw conclusions regarding the effectiveness of different attack detection and countering techniques.
Our network infrastructure was established based on a web hosting with a popular Internet portal. A schematic
diagram of the devised network infrastructure is shown in Fig. 1.

Fig. 1. Experimental network infrastructure.

This infrastructure included the following elements:

• NetFlow installed on a Cisco ASR 1001 border router.
• Custom script based on NetFlow, which allocates IP addresses generating flows above the threshold and records
them in the stop list for subsequent blocking.
• A special script that defines the beginning of an attack as a sharp increase in the number of active flows.
• An additional Cisco 2811 router located before the attacked server on which the stop list is installed.
• A 3Com 4500 switch used to duplicate network traffic from the port going to the web server onto the server
with an installed tcpdump network sniffer [24]. All traffic is retained in a file for later analysis.
• A specially formed list of regular visitors, activated at the time of the attack in order to limit visitor numbers to
the attacked site.

A single device was allocated for traffic duplication, since all traffic data were to be collected during the attack for
later analysis, as well as to protect the Web server. Access lists should be loaded from the ISP at a higher level when
entering commercial operation.
Comprehensive laboratory analysis was carried out before testing under the conditions of a real attack. Testing
took place with the participation of 10 bots located both in the enterprise network and beyond.

An attack based on the number of requests to the web server was performed using the Apache HTTP server
benchmarking tool [6], Low Orbit Ion Cannon [2], and BoNeSi [14]. A further UDP flood attack was also carried
out using Low Orbit Ion Cannon and BoNeSi, while a speed test regarding the filtering of IP addresses was conducted
on the Cisco 2811 router. None of the attacks disabled the equipment, with the Web server continuing to respond to
user requests throughout the tests. It should be noted that the tests were conducted on a commercial service system,
not a laboratory stand. For this reason, it was impossible to fully carry out a large botnet emulation with the real
participation of only a few bots.
As laboratory tests cannot replace the experience gained in a real attack, the authors anonymously requested the
application of the combined DDoS attacks on the Web hosting as described above. Usage statistics for this server
were recorded for a period of five months and are discussed earlier in this article.
Live experience of a real reflection DDoS attack dramatically changed the authors’ opinion regarding the type
and characteristics of the attack. Before the attack, it was planned to carry out remote monitoring of equipment.
However, the first few minutes of the DDoS attacks revealed that control via the attacked communication channel
was impossible, with the start of the DDoS attacks accompanied by a sharp increase (more than a hundred times)
in the number of active flows, which was promptly recorded by the monitoring script. After a few minutes the external
communication channels were overflowed and the web server became inaccessible from the external network. All
other services and servers located in the hosting also became inaccessible; remote control was lost despite the presence
of three external links.

Fig. 2. Download schedule of an external channel during the DDoS attacks.

Thus, control had to be taken via the internal network. Overflow in one of the external channels is illustrated by
the graph shown in Fig. 2, in which the continuous line indicates the maximum permissible load on the channel from
the service provider. This load was significantly exceeded throughout the entire attack.

5. Traffic analysis

Failure of the communication channels then occurred due to an overflow of incoming UDP traffic (DDoS attack
type “UDP flood”), with the number of bots generating this traffic relatively small, at no more than 200. Whereas
approximately half of these bots practically did not change source and destination ports, the other half did so regularly.
Two types of UDP packet were used in the attack. The first type comprised UDP packets of minimal length
(see Fig. 3), which contained one character repeated in all packets. The second type comprised UDP packets of
maximum length, which were filled with random data (see Fig. 4). All packets were labeled as fragments for further
reassembly by the server into one large packet (see Fig. 5).
The small number of bots was compensated for by the total rate of UDP flows generated by each attacking IP address.
With the observed range of addresses this speed reached 60 Mbps and could have increased if it were not for restrictions
on the external channel imposed by our ISP. A check on the locations of the bots revealed that most were in the US,
although correspondence with the botnet management took place in Russian. According to the assurances of the botnet
management, only 2% of its capacity was used in the attack. However, only our web hosting with its external channel of
1 Gbps was affected; channels of the external provider with a total capacity in the order of 100 Gbps were not affected.
Unfortunately, our hosting does not have any agreements in place regarding traffic restriction with the ISPs. Simply
prohibiting a certain level of UDP traffic to a server would immediately help solve most problems.

Fig. 3. UDP packets of minimal length.
TCP requests (DDoS attack type “TCP flood”) also participated in the DDoS attack, with the number of bots about
1500. Two types of TCP request were used in the attack: the first in the form of file requests from a web server,
simulating user activity, and the second represented by a plurality of SYN/ACK packets of minimum size. This type
of DDoS attack is known as a “TCP SYN flood”. These attacks did not cause significant damage due to the presence
of an overflow channel and the activation of an algorithm limiting the number of requests from the same IP address.
Analysis at the flow level revealed that the beginning of the attack was accompanied by a sharp increase in the number
of active flows in the outer channel of the web hosting. Furthermore, the number of completed flows (as mentioned
above) increased by more than two orders of magnitude. This increase was immediately recorded by the monitoring
system. The number of generated flows easily identifies individual attacking IP addresses, both active and closed.
Fig. 6 shows a list of addresses ranked per flow number. The top curve describes the moment of attack; the lower
graph shows the typical distribution in the absence of an attack.
A comparison of the two graphs shown in Fig. 6 enables the formulation of a criterion with which to determine the
membership of an IP address in a botnet. All addresses located higher than the most popular web server on the line
representing the normal network state and which do not belong to a user kernel should be attributed to a botnet [20].
For a complete identification of the bots, a rank distribution should be built for all incoming UDP, ICMP and TCP traffic
generated from a single IP address at the time of the attack. The normal state of the network is used to determine the
cut-off, as carried out in [20]. A cut-off point should be determined for each type of service and traffic in advance,
with the values then recalculated once every six months.
The use of two independent criteria, i.e., the number of flows and volume of incoming traffic (UDP, ICMP or
TCP), allows for the operative (within 5 minutes) compilation of a list of addresses that can then be blocked by filter
equipment.

Fig. 4. UDP packets with random filling data.

Fig. 5. Fragmented UDP packets.

6. Determination of thresholds for incoming traffic

The threshold level $p^{N}_{tr}$ for the number of active flows generated by a single IP address was defined in a previous
paper [20]. IP addresses above this level must be listed as suspicious for subsequent blocking.
Real-life attacks have demonstrated that it is essential to analyze the incoming speed of the main traffic types
generated by a single IP address. Such analysis should focus on two dependencies: the rate of incoming traffic, divided by
type, and a daily schedule regarding the maximum rate of incoming traffic generated by a single IP address.
In order to construct the required schedules, special scripts were written that collected and analyzed the incoming
traffic, with each traffic type considered separately. Fig. 7 displays a graph showing the rate of incoming
TCP traffic, depicted as a ranked list on a logarithmic scale. In this case the abscissa represents the sequence number $i$
of the IP address in the list, with the vertical axis the rate of incoming TCP traffic $B^{TCP}_i$.

Fig. 6. Comparison of flow numbers during the attack and during normal network state.

Fig. 7. Ranking list for incoming TCP traffic.

The second schedule was constructed based on the time dependence of the maximum rate of TCP traffic from a
single IP address, $B^{TCP}_1$. This quantity is easy to find from Fig. 7, with the determined relationship illustrated in Fig. 8.
Construction of this schedule then enabled the definition of a threshold for incoming TCP traffic $B^{TCP}_{tr}$, indicated
in Fig. 8 by the dotted line. When this value is exceeded, the appropriate address should be entered into the list of
suspicious addresses and be subjected to additional verification procedures.
The most careful attention should be given to incoming UDP traffic $B^{UDP}_i$ (Fig. 9). This traffic type is considered
the most dangerous, as neither its send nor receive components require confirmation. Attackers can therefore send
UDP traffic to a server in any desired quantity, thereby overwhelming the incoming server channel. The standard
operating rate of UDP traffic is low, being at least an order of magnitude below that of TCP traffic.
The time dependence of the maximum rate of incoming UDP traffic $B^{UDP}_1$ is shown in Fig. 10. Traditionally, this
schedule is used to determine the threshold level of invasion $B^{UDP}_{tr}$. It should be noted that during the analyzed attack
this level was exceeded by at least two orders of magnitude, or more than 100 times, for the majority of IP addresses
participating in the attack.
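The per-type rates of Section 6 and the two-criteria address list of Section 5, as an added example that is not the authors' own scripts: constructed NetFlow-style records for one 5-minute interval are aggregated into the flow count N_i and the incoming rates B^TCP_i, B^UDP_i and B^ICMP_i of each external address; an address exceeding one threshold is listed as suspicious for further verification, and one exceeding at least two goes on the stop list. The threshold values, addresses and flow sizes are constructed placeholders standing in for the values the paper reads off its measured schedules; the sample also includes a fixed-port UDP flooder, which NetFlow sees as a single long flow and which therefore trips only the traffic-rate criterion.

```python
"""Per-address incoming traffic rates by protocol and the two-criteria stop list (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# IP protocol numbers as exported in NetFlow records.
PROTO_NAMES = {6: "TCP", 17: "UDP", 1: "ICMP"}


@dataclass(frozen=True)
class Flow:
    """One NetFlow record reduced to the fields this analysis needs."""
    src: str       # external source address
    proto: int     # IP protocol number
    octets: int    # bytes carried by the flow
    packets: int


def per_address_stats(flows: Iterable[Flow], interval_s: float) -> Dict[str, Dict[str, float]]:
    """Return {src: {"N": flow count, "TCP"/"UDP"/"ICMP": incoming rate in bit/s}}."""
    stats: Dict[str, Dict[str, float]] = defaultdict(
        lambda: {"N": 0, "TCP": 0.0, "UDP": 0.0, "ICMP": 0.0})
    for f in flows:
        s = stats[f.src]
        s["N"] += 1
        name = PROTO_NAMES.get(f.proto)
        if name is not None:                      # other protocols count towards N only
            s[name] += f.octets * 8 / interval_s
    return dict(stats)


def ranked_list(stats: Dict[str, Dict[str, float]], key: str) -> List[Tuple[str, float]]:
    """Descending ranked list of one variable, e.g. B^UDP_i; element 0 is B^UDP_1."""
    return sorted(((ip, s[key]) for ip, s in stats.items()), key=lambda x: x[1], reverse=True)


def classify(stats: Dict[str, Dict[str, float]], thresholds: Dict[str, float]) -> Dict[str, List[str]]:
    """Suspicious: one threshold exceeded (needs verification). Stop list: two or more exceeded."""
    result: Dict[str, List[str]] = {"stop_list": [], "suspicious": []}
    for ip, s in sorted(stats.items()):
        exceeded = [k for k, thr in thresholds.items() if s[k] > thr]
        if len(exceeded) >= 2:
            result["stop_list"].append(ip)
        elif len(exceeded) == 1:
            result["suspicious"].append(ip)
    return result


# Constructed thresholds (placeholders, not the paper's measured values): flows per interval and bit/s.
THRESHOLDS = {"N": 44, "TCP": 2_000_000.0, "UDP": 200_000.0, "ICMP": 50_000.0}
INTERVAL_S = 300          # 5-minute NetFlow collection interval


def constructed_flows() -> List[Flow]:
    """Sample records for one interval; every address and size is invented."""
    flows: List[Flow] = []
    flows += [Flow("198.51.100.7", 6, 60_000, 45)] * 12            # ordinary web visitor
    flows += [Flow("198.51.100.20", 6, 100_000_000, 70_000)] * 3   # one heavy legitimate download
    flows += [Flow("203.0.113.10", 17, 60_000, 42)] * 500          # UDP flood, ports changed per flow
    flows += [Flow("203.0.113.11", 6, 40, 1)] * 3000               # TCP SYN flood source
    flows += [Flow("198.51.100.9", 1, 64, 1)] * 5                  # a few pings
    flows += [Flow("203.0.113.12", 17, 24_000_000, 17_000)]        # UDP flood from fixed ports: one long flow
    return flows


def run() -> Dict[str, List[str]]:
    """Aggregate the constructed interval and classify its addresses."""
    return classify(per_address_stats(constructed_flows(), INTERVAL_S), THRESHOLDS)


if __name__ == "__main__":
    stats = per_address_stats(constructed_flows(), INTERVAL_S)
    for key in ("N", "TCP", "UDP"):
        print(key, ranked_list(stats, key)[:3])
    print(run())
```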
Fig. 8. Time dependence of the highest rate of incoming UDP traffic generated by a single IP address.

Fig. 9. Ranking list for incoming UDP traffic.

Since UDP traffic during DDoS attacks is a major threat, it is essential to provide for measures enabling rapid
lock-down. One such mechanism for higher routers is the use of an ICMP packet alert. According to the current
standard [16], if a UDP packet arrives at a port on which no program is listening, an ICMP packet containing
information regarding that port is then sent back. For software-defined networks [25] it is possible to write a script
that will block incoming UDP traffic from the sender to the recipient address after the passage of such a packet. It is
also possible to block all UDP traffic from suspicious addresses. The most important factor to note is that these locks
are active for only a short time, at around 10-15 seconds. A function of iptables can be easily configured to send these
packets.
Unfortunately, existing router and switch software does not allow the analysis of ICMP packets with locking in
terms of the various traffic types received from suspicious addresses. However, the use of a software-defined network
should enable this problem to be solved soon.

7. Conclusions

Fig. 10. Time dependence of the highest rate of incoming UDP traffic generated by a single IP address.

In order to improve the protection of computer network services, a study was conducted examining the behavior
of users of a large Internet portal. This behavior was characterized by a number of parameters that are bound to user
external IP addresses. Calculation of the rank distribution of such parameters, including the number of active flows
and the speed of the main traffic types, enables the determination of threshold values that are characteristic of attacking
addresses. Exceeding any two thresholds should thus lead to the blocking of that address. Methods were proposed
with which to construct the restraining list, which includes attacking IP addresses at the time of DDoS attacks. In
order to check the compiling algorithms a restraining list test attack was carried out using a real botnet, producing the
following conclusions.
Stable operation of the network infrastructure of the web hosting is not possible without two external Internet
communication channels at 10 Gbps. Channels of several Gbps cannot provide the system with fault tolerance for a
DDoS attack.
Top-level providers must install a list of blocked IP addresses. For this, an agreement should be made with each of
the providers, and the process of transferring the stop list automated and performed without administrator intervention.
The stop list should ideally be broadcast to second-level providers, i.e., to providers of providers. Such protection
would avoid difficulties associated with opposing the clear majority of existing botnets. According to our observations,
the transfer of protection to the third level of providers will completely block attacks.
The greatest danger is posed by UDP flood attacks, which aim to overflow the access channel. Because bandwidth
DDoS attacks are often conducted from one or a few addresses, a total restriction of UDP traffic at the upper level of
providers would help to avoid channel overflow. Such a method would require a speed limit on the UDP stream from a
single IP address. The second type of attacking IP address, one conducting an attack with TCP queries, is easily
identified by the flow-number criterion. Applying these two methods together should make it possible to identify the
IP addresses of the attack servers (bots) for 30 minutes.
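As an added example (not the paper's code), the threshold and blocking logic summarised above in Python, applied to constructed per-address measurements: the rule that a variable's threshold is the rank-1 value of its normal-state rank distribution is an assumption made here, as are the sample values and the RFC 5737 documentation addresses.

```python
"""Added example: rank-distribution thresholds and the two-threshold blocking rule.
The threshold rule and all sample values are assumptions constructed for this example."""

# Network variables measured per source IP address over one aggregation interval.
VARIABLES = ("flows", "udp_rate", "tcp_rate")

# Constructed sample data (RFC 5737 documentation addresses, not real hosts).
NORMAL = {  # normal network state: no attack in progress
    "192.0.2.10": {"flows": 12, "udp_rate": 40, "tcp_rate": 300},
    "192.0.2.11": {"flows": 35, "udp_rate": 5, "tcp_rate": 900},
    "192.0.2.12": {"flows": 8, "udp_rate": 120, "tcp_rate": 150},
    "192.0.2.13": {"flows": 20, "udp_rate": 60, "tcp_rate": 1200},
}
ATTACK = {  # anomalous state: the same interval during a DDoS attack
    "192.0.2.10": {"flows": 14, "udp_rate": 35, "tcp_rate": 320},         # legitimate client
    "198.51.100.7": {"flows": 5, "udp_rate": 90000, "tcp_rate": 10},      # UDP flood source
    "198.51.100.8": {"flows": 4000, "udp_rate": 0, "tcp_rate": 50000},    # TCP-query bot
    "198.51.100.9": {"flows": 900, "udp_rate": 75000, "tcp_rate": 2000},  # mixed-traffic bot
}

def rank_distribution(records, var):
    """Rank distribution of one variable: [(rank, value, ip)], rank 1 = largest value."""
    ordered = sorted(records.items(), key=lambda kv: kv[1][var], reverse=True)
    return [(rank, rec[var], ip) for rank, (ip, rec) in enumerate(ordered, start=1)]

def thresholds_from_normal(normal_records):
    """Assumed rule: the threshold of each variable is the rank-1 value of its
    normal-state rank distribution, i.e. the most any single address produced
    while no attack was in progress."""
    return {v: rank_distribution(normal_records, v)[0][1] for v in VARIABLES}

def restraining_list(records, thresholds, min_exceeded=2):
    """Addresses exceeding at least `min_exceeded` thresholds (the paper: any two)."""
    blocked = []
    for ip, rec in records.items():
        exceeded = [v for v in VARIABLES if rec[v] > thresholds[v]]
        if len(exceeded) >= min_exceeded:
            blocked.append((ip, exceeded))
    return blocked

def udp_speed_limit_violations(records, thresholds):
    """Per-address UDP speed limit: catches pure UDP flooders that trip only one threshold."""
    return [ip for ip, rec in records.items() if rec["udp_rate"] > thresholds["udp_rate"]]

if __name__ == "__main__":
    limits = thresholds_from_normal(NORMAL)
    print("thresholds:", limits)
    print("restraining list:", restraining_list(ATTACK, limits))
    print("UDP speed-limit violations:", udp_speed_limit_violations(ATTACK, limits))
```

Note that the pure UDP flooder trips only one threshold and so is missed by the two-threshold rule; the per-address UDP speed limit the conclusions call for is what catches it.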

Acknowledgements

The reported study was funded by RFBR according to the research project 16-07-00218a and the public tasks of
the Ministry of Education and Science of the Russian Federation (2.974.2017/4.6).
