Research Article

A Traffic Cluster Entropy Based Approach to Distinguish DDoS Attacks from Flash Event Using DETER Testbed

Table 1

Comparative characteristics of flash events (FEs) and DDoS attacks.

Flash events: Park et al. [6] describe a flash crowd as a situation in which a large number of legitimate users simultaneously access a server, causing traffic peaks that partially, or sometimes completely, disrupt its services.
DDoS attacks: Kumar et al. [2] describe DDoS as an intentional attempt to compromise network services by injecting carefully crafted attack traffic through a number of zombies, daemons, agents, slaves, and so forth distributed around the world.

Flash events: The number of clients is larger than in the normal state, but the clients follow almost the same distribution as in the normal state.
DDoS attacks: DDoS attacks generate a large volume of traffic either from a small number of zombies sending at a high rate or from a large number of zombies sending at the same rate as legitimate clients. The first case is easily detected by volume-based approaches such as those of Gil and Poletto [17] and Barford et al. [13] and by simple entropy-based approaches such as those of Kumar et al. [2] and Feinstein et al. [8]; the second case remains largely indistinguishable if the volume generated is the same as that of legitimate or flash traffic.

Flash events: FE traffic contains far fewer unique traffic clusters than source addresses, as observed by Jung et al. [3] and Krishnamurthy and Wang [4]. Most discrimination schemes, such as that of Yu et al. [16], do not take the number of new traffic clusters into account when separating FEs from DDoS, whereas in practice new traffic clusters can still contribute to the flash traffic.
DDoS attacks: The number of new traffic clusters is larger than in FEs. Even sophisticated attacks are launched from machines and networks that are comparatively passive at the time of use, and no single network or machine generates much traffic, so as to escape local intrusion detection systems. New traffic clusters are therefore bound to be more numerous if a degrading impact is to be caused at the victim server. Most schemes that discriminate FEs from DDoS, such as those of Park et al. [6] and Yu et al. [16], do not consider old traffic clusters at all.

Flash events: The request rate per client during FEs decreases relative to the normal state, because overload at the server causes drops and timeouts, and congestion and flow-control signals force the clients to reduce their request rates.
DDoS attacks: Zombies normally do not obey congestion and flow-control signals, since they are driven by automated scripts; but the sophistication of attackers and the abundance of zombies on the Internet mean that attacks can also be launched by a large number of zombies that do obey congestion and flow-control signals, especially in the case of non-spoofed attacks.

Flash events: The study of web traces may reveal particular patterns of link access during FEs; deep packet inspection, however, incurs large overheads. Traditionally, web servers are overloaded by access to the same set of links, or sometimes by a particular host repeatedly accessing a set of links, in ways that match legitimate access patterns.
DDoS attacks: An intelligently coded request sequence in zombies can follow any pattern.
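As an added example (not code from the paper), the following Python computes several of the per-window features that Table 1 compares, over constructed sample windows: distinct clients, traffic clusters, the share of clusters absent from a normal-state baseline, Shannon entropy over clusters, and requests per client. Clustering by /24 prefix and the sample addresses are assumptions.

```python
import math
from collections import Counter
from ipaddress import ip_network


def cluster_of(ip: str, prefix: int = 24) -> str:
    """Map a source address to its traffic cluster (assumed: its /24 network)."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def cluster_entropy(requests) -> float:
    """Shannon entropy (bits) of the request distribution over traffic clusters."""
    counts = Counter(cluster_of(ip) for ip in requests)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def window_features(requests, baseline_clusters):
    """Per-window features from Table 1; `requests` holds one source IP per request."""
    clients = set(requests)
    clusters = {cluster_of(ip) for ip in requests}
    new_clusters = clusters - baseline_clusters  # clusters unseen in the normal state
    return {
        "clients": len(clients),
        "clusters": len(clusters),
        "new_cluster_ratio": round(len(new_clusters) / len(clusters), 3),
        "cluster_entropy": round(cluster_entropy(requests), 3),
        "req_per_client": round(len(requests) / len(clients), 2),
    }


# Constructed sample windows (not measured data).
# Normal state: 15 clients in three /24s, two requests each.
NORMAL = [f"10.0.{n}.{h}" for n in range(3) for h in range(1, 6)] * 2
BASELINE_CLUSTERS = {cluster_of(ip) for ip in NORMAL}
# Flash event: four times as many clients, almost all from the known clusters,
# one request each because server overload throttles the per-client rate.
FLASH = [f"10.0.{n}.{h}" for n in range(3) for h in range(1, 21)] + ["10.0.3.1"]
# DDoS: the same client count, but spread over 20 previously unseen clusters,
# each zombie sending at the normal per-client rate.
DDOS = [f"192.168.{n}.{h}" for n in range(20) for h in range(1, 4)] * 2

if __name__ == "__main__":
    for name, window in (("normal", NORMAL), ("flash", FLASH), ("ddos", DDOS)):
        print(name, window_features(window, BASELINE_CLUSTERS))
```

The flash window keeps its cluster entropy close to the normal state while the new-cluster ratio stays low; the DDoS window of equal client count raises both sharply.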