Skip to Main Content
Recently, the detection of distributed denial of service (DDoS) and the discovery of DDoS attacking signature used the mean of traffic measurement analysis at protocol level. This technique is not suited to find the signatures of DDoS attack, which is formless. Also, DDoS is in general the combination of different forms of denial of service (DoS). As a result, it is difficult to find the exact signature of attack. Moreover, it is very difficult to distinguish the difference between an unusual high traffic which is caused by the attack, and the flash crowds which normally occur when a huge number of users use the target machine at the same time. In fact, this difference should only be observed from analyzing the data in the packet header. In this paper, we propose to discover the DDoS attacking signature by analyzing the TCP/IP packet header against the well defined rules and conditions, and distinguish the difference between normal and abnormal traffic. We here observe three groups or delegates of DDoS attacking, i.e., ICMP flood, UDP flood and TCP SYN flood, and present convincing preliminary experiments.