Denial of Service (DoS) attacks do not attempt to break into computer systems but aim to disrupt normal system operation by overloading network and/or system resources [1]. Their complexity and magnitude are rapidly increasing, and their distributed version (DDoS attacks) is becoming a nuisance to modern IT infrastructure and a very challenging detection problem [2]. Various detection solutions have been proposed, and many intrusion detection tools attempt to identify DDoS attacks mostly through anomaly detection, i.e. identification of deviations from normal operation patterns. We present an anomaly detection solution that relies on network flow data exported from CISCO Netflow-enabled [3] devices; this work is inspired by and augments the algorithm and set of metrics initially proposed in [4].
The proposed detection algorithm monitors flow data from all interfaces of border routing equipment and calculates specific metrics that are compared against adaptive thresholds characterizing the “normal” network utilization. Metrics are calculated for each pair of input-output interfaces using the “number of packets” and “number of flows” counters and their mean values. The detection algorithm generates alarms for specific interface pairs based on a boolean expression that combines the metrics with the respective threshold values, which adapt to changing traffic patterns. The algorithm reports the interface pairs and the suspected destination IP addresses affected by the detected DoS/DDoS attack; both IPv4 and IPv6 addresses are identified. We developed a prototype detection tool that implements the proposed algorithm, ran IPv4 experiments within the Greek Research and Technology Network (GRNet, http://www.grnet.gr), and experimented with IPv6 traffic traces (6NET Project [5]) from the Swiss Education and Research Network (SWITCH, http://www.switch.ch).
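The following is an added illustration of the detection scheme sketched above, not the paper's prototype or its exact metrics: it aggregates constructed NetFlow-like records per input-output interface pair, keeps an exponentially weighted moving average as the adaptive threshold (an assumed choice), applies a boolean rule on flow count and mean packets-per-flow, and reports the interface pair with its most frequent destination addresses (IPv4 or IPv6). Interface names, record layout, sample values and tuning constants are all hypothetical.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address

# Constructed NetFlow-like records: (in_if, out_if, dst_ip, packets), one list per interval.
# Values are made up for the example; a real tool would read exported flow records.
NORMAL = [("ge0", "ge1", f"10.0.0.{i}", 40) for i in range(50)]
FLOOD = NORMAL + [("ge0", "ge1", "2001:db8::1", 1) for _ in range(400)]  # many 1-packet flows to one host
INTERVALS = [NORMAL] * 5 + [FLOOD]

class PairMonitor:
    """Per-interface-pair metrics with EWMA-based adaptive thresholds (assumed design)."""
    def __init__(self, alpha=0.2, factor=3.0, warmup=3):
        self.alpha, self.factor, self.warmup = alpha, factor, warmup
        self.ewma = {}          # (in_if, out_if) -> {"pkts": avg, "flows": avg, "ppf": avg}
        self.seen = Counter()   # intervals observed per pair

    def process(self, flows):
        # Aggregate packet and flow counters for each input-output interface pair.
        pkts, nflows, dsts = Counter(), Counter(), defaultdict(Counter)
        for in_if, out_if, dst, p in flows:
            pkts[(in_if, out_if)] += p
            nflows[(in_if, out_if)] += 1
            dsts[(in_if, out_if)][ip_address(dst)] += 1   # parses both IPv4 and IPv6
        alarms = []
        for pair in nflows:
            cur = {"pkts": pkts[pair], "flows": nflows[pair], "ppf": pkts[pair] / nflows[pair]}
            base = self.ewma.get(pair)
            self.seen[pair] += 1
            if base and self.seen[pair] > self.warmup:
                # Boolean detection rule (assumed): flow count surges while packets per flow collapse.
                flow_surge = cur["flows"] > self.factor * base["flows"]
                ppf_drop = cur["ppf"] < base["ppf"] / self.factor
                if flow_surge and ppf_drop:
                    suspects = [str(ip) for ip, _ in dsts[pair].most_common(3)]
                    alarms.append((pair, suspects))
                    continue   # freeze the baseline so attack traffic does not raise the threshold
            # Adapt the thresholds with an exponentially weighted moving average of each metric.
            self.ewma[pair] = {k: cur[k] if base is None else (1 - self.alpha) * base[k] + self.alpha * cur[k]
                               for k in cur}
        return alarms

def run(intervals):
    """Feed each interval to the monitor and return the alarms raised per interval."""
    mon = PairMonitor()
    return [mon.process(flows) for flows in intervals]

if __name__ == "__main__":
    for n, alarms in enumerate(run(INTERVALS)):
        print(n, alarms)
```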