A methodology to evaluate rate-based intrusion prevention system against distributed denial-of-service (DDoS).

Buchanan, William J; Flandrin, Flavien; Macfarlane, Richard; Graves, Jamie

Authors

Prof Bill Buchanan B.Buchanan@napier.ac.uk
Professor

Flavien Flandrin

Rich Macfarlane R.Macfarlane@napier.ac.uk
Associate Professor

Jamie Graves

Abstract

This paper defines a methodology for the evaluation of a Rate-based Intrusion Prevention System (IPS) for a Distributed Denial of Service (DDoS) threat. This evaluation system uses realistic background traffic along with attacking traffic, with four different DDoS attacks. The evaluation metrics are defined using Snort for: rate of packet loss; time to respond; available bandwidth; latency; reliability; CPU loading; and memory usage. The results show that system is effective in handling a low-throughput DDoS attack, but when a rate of 6 000 pps of malicious traffic is reached, Snort starts to drop malicious and legitimate packets, in at the same rate of loss. It also shows that the IPS operates well up to traffic throughputs up to 1Mbps.

Citation

Buchanan, W. J., Flandrin, F., Macfarlane, R., & Graves, J. (2011). A methodology to evaluate rate-based intrusion prevention system against distributed denial-of-service (DDoS). In Cyberforensics 2011

Conference Name	Cyberforensics 2011
Start Date	Jun 27, 2011
End Date	Jun 28, 2011
Publication Date	2011
Deposit Date	May 27, 2011
Publicly Available Date	Dec 31, 2011
Peer Reviewed	Peer Reviewed
Book Title	Cyberforensics 2011
Keywords	Rate-based Intrusion Prevention System; Distributed Denial of Service; evaluation metrics;
Public URL	http://researchrepository.napier.ac.uk/id/eprint/4432