Wireless broadband networks are most vulnerable to denial-of-service (DoS) attacks, in which attackers disrupt legitimate communication between hosts in a network by flooding unwanted traffic between legitimate hosts. This paper proposes DDDOST, a novel approach for filtering flooding attacks, the most severe denial-of-service attacks that occur at the transport layer of the Internet. A flooding attack at the transport layer affects the Transmission Control Protocol (TCP) three-way handshake process, thereby denying the services of TCP. It also denies the services of the User Datagram Protocol (UDP). The main objective of this approach is to install local and global monitoring agents at various points in the network to monitor and filter real-time TCP and UDP traffic, allowing legitimate traffic to flow in the network during the attack-traffic filtration process and avoiding buffer overflow at the monitoring agents. DDDOST consists of a novel agreement mechanism and a novel detection algorithm. It takes the clock values of each node into account for effective detection of the attack, which has not been done in existing defense mechanisms. All nodes within a network are permitted to have a synchronized clock value. The agreement mechanism prevents IP address spoofing, which forms the gateway for flooding attacks; once IP spoofing is prevented, the detection mechanism detects and filters flooding attacks. This distributed defense mechanism reduces the burden on a single global monitoring agent by introducing local monitoring agents at various points in the network. The performance results show that this approach effectively and accurately detects and filters DoS attacks within a short period. The performance of the proposed mechanism has been measured in terms of time delay and false positive ratio and compared with existing defense mechanisms, and it is found to be more effective than existing defense mechanisms.