
SPPM


AN APPROACH TO DISTINGUISH THE CONDITIONS OF FLASH CROWD VERSUS DDOS ATTACKS AND TO REMEDY A CYBER CRIME

AUTHORS
N. Srihari Rao
Prof. K. Chandra Sekharaiah
Prof. A. Ananda Rao

PRESENTED BY:
SHRUTI BRAHMA
20SS1A0548

UNDER THE GUIDANCE OF
Dr. K. Chandra Sekharaiah Sir

ABSTRACT

Flash crowds are sudden increases in legitimate traffic to a web server due to
popularity or famous events, while Distributed DoS (DDoS) attacks are attacks that
overwhelm the server with large amounts of traffic, preventing legitimate users
from accessing the site. Distinguishing between these two types is crucial as defense
systems respond differently. A proposed system uses flow strength as a metric to
assign suspicion marks to flows, grouping them as probable Flash Crowd or
probable DDoS attack flows. This technique is intuitive, functional, and can be
tested in a simulation environment. Some cyber crimes are considered "Beyond
DDoS Attacks" and a remedy is suggested.
1. Introduction

The Internet is very popular nowadays and has many facets in current society.
It was originally used for good purposes such as information sharing, resource
sharing and distributed data processing. In parallel, however, many evil forces
have emerged to exploit the Internet for malicious reasons. Distributed DoS (DDoS)
attacks fall under the evil category; they mainly focus on denying distributed,
legitimate users access to web servers. The strength of this attack comes from
attacking agents that are distributed throughout the Internet, which makes it very
difficult to design defense systems to counter attacks from these types of systems.
1.1 Motivation

DDoS attacks are increasingly being deployed against many different web sites
nowadays. Whatever the reasons for these attacks, the outcomes have serious and
dire consequences for the owners and users of the targeted web sites. In parallel,
flash crowd traffic occurs naturally on web servers. Distinguishing Flash Crowd
traffic from DDoS attacks therefore becomes a high necessity in order to deal with
this problem.
2. Related Work

Researchers in the field have leveraged a range of methodologies and features to
distinguish legitimate and illegitimate traffic.
Various methods include pattern recognition, traffic analysis, and machine
learning to categorize traffic patterns.
Statistical measures like traffic rates, source/destination analysis, and entropy
have been employed.
2.1 Flow Strength Metric

Flow Strength is a unique metric designed to measure the intensity of
data flows in network traffic.
By assessing the intensity of flows, we can differentiate normal traffic,
Flash Crowds, and DDoS attacks.
Flow Strength values above a specified threshold are indicative of Flash
Crowds or DDoS attacks. The formula for calculating Flow Strength
involves analyzing packet rates, sizes, and their deviations.
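
An added illustration of the idea in this section, not the paper's formula or code: it assumes flow strength is bytes per second per (source, destination) flow in fixed windows, gives a flow one suspicion mark for each window above a threshold, and places flows with enough marks in G1 (suspicious) and the rest in G2. The window length, threshold, mark cutoff and packet data are constructed assumptions.

```python
from collections import defaultdict

def sample_packets():
    """Constructed 30 s capture: (timestamp_s, src_ip, dst_ip, size_bytes)."""
    pkts = []
    for t in range(30):
        # Steady client: 2 packets/s of 500 B.
        pkts += [(t, "198.51.100.7", "203.0.113.10", 500)] * 2
        # Sustained high-rate source: 200 packets/s of 60 B.
        pkts += [(t, "192.0.2.66", "203.0.113.10", 60)] * 200
        # Bursty client: heavy only during seconds 10-14.
        burst = 40 if 10 <= t < 15 else 1
        pkts += [(t, "198.51.100.9", "203.0.113.10", 400)] * burst
    return pkts

def flow_strengths(packets, window_s):
    """Return {flow: {window_index: bytes_per_second}} (assumed definition)."""
    acc = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, size in packets:
        acc[(src, dst)][int(ts // window_s)] += size
    return {f: {w: b / window_s for w, b in ws.items()} for f, ws in acc.items()}

def suspicion_marks(strengths, threshold_bps):
    """One mark per window in which the flow's strength exceeds the threshold."""
    return {f: sum(1 for s in ws.values() if s > threshold_bps)
            for f, ws in strengths.items()}

def group_flows(packets, window_s=5, threshold_bps=5000, min_marks=3):
    """Split flows into G1 (marks >= min_marks) and G2 (everything else)."""
    marks = suspicion_marks(flow_strengths(packets, window_s), threshold_bps)
    g1 = sorted(f for f, m in marks.items() if m >= min_marks)
    g2 = sorted(f for f, m in marks.items() if m < min_marks)
    return marks, g1, g2

if __name__ == "__main__":
    marks, g1, g2 = group_flows(sample_packets())
    for flow, m in sorted(marks.items()):
        print(flow, "marks:", m, "-> G1" if flow in g1 else "-> G2")
```

A single burst earns the bursty client one mark but does not move it into G1; only the flow that stays above the threshold across windows is grouped as suspicious.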
2.2 Beyond DDoS Attacks - Problem Scenario

• The JNTUHJAC website was involved in a cybercrime where they
deceived JNTUH students and faculty into registering on their site.
The victims included 37 graduate students, 15 postgraduates, 1
student, and no teaching or non-teaching faculty members.
• This malicious website's actions resembled a Distributed Denial-of-National
Service (DDoNS) attack. As a result, Indian Government
services were abused and discredited, denying actual citizens access to
these services. The attack differed from traditional DDoS attacks
3. Attack Analysis

The JNTUHJAC website, considered a criminal site, witnessed a
substantial increase in registrants, causing a Distributed Denial-of-National
Service (DDoNS) attack. Initially, it had few registrants,
resembling a normal event. Over time, the web owner (Actual Attacker)
continuously attracted registrants, potentially leading to a significant
and intensified DDoNS Attack. If not addressed by responsible
organizations like JNTUH University Authorities, Faculty, and Students,
this cybercrime could expand. A screenshot in Figure 10 depicted the
sharp increase in registrants. This scenario underscores the critical need
for proactive measures to prevent such incidents.
4. Testing the Case Study - JNTUHJAC

• The case study discusses the discovery of criminal activities on the
JNTUHJAC website and the necessity for national departments to
address this issue. It highlights the abnormal nature of the website's
activities compared to regular web traffic. The "rate of increase in
registrants over time" metric is introduced, categorizing it as a "Flash
Crowd" when below a threshold and a "probable DDoS Attack
condition" when high. The need for DDoS defense and the potential
cybercrimes committed by the website are stressed, urging
organizations to provide solutions.
6. Conclusion

• In conclusion, the text emphasizes the research significance of
distinguishing between Flash Crowd (FC) events and DDoS attacks on
web servers. It introduces a metric, flow strength, to detect suspicious
traffic, grouping it into malicious (G1) and non-malicious (G2) flows.
Future research aims to further differentiate between DDoS attack and
Flash Crowd conditions.
• The text also discusses a cybercrime case study and offers potential
solutions. It highlights the significance of values like respect for one's
mother and motherland, emphasizing the responsible use of
technology for personal, societal, and national development.
CITATION DETAILS

International Journal of Computer Engineering & Technology (IJCET),
Volume 9, Issue 2, March-April 2018, pp. 110–123, Article ID: IJCET_09_02_012
Available online at http://www.iaeme.com/ijcet/issues.asp?JType=IJCET&VType=9&IType=2
Journal Impact Factor (2016): 9.3590 (Calculated by GISI) www.jifactor.com
ISSN Print: 0976-6367 and ISSN Online: 0976–6375
© IAEME Publication
