Distributed Denial of Service (DDoS) attack is a menace to network security that aims at exhausting the target networks with malicious traffic. Although many statistical methods have been designed for DDoS attack detection, designing a real-time detector with low computational overhead is still one of the main concerns. On the other hand, the evaluation of new detection algorithms and techniques heavily relies on the existence of well-designed datasets. In this paper, we first review the existing datasets comprehensively and propose a new taxonomy for DDoS attacks. Secondly, we generate a new dataset, namely CICDDoS2019, which remedies all current shortcomings. Thirdly, using the generated dataset, we propose a new detection and family classification approach based on a set of network flow features. Finally, we provide the most important feature sets to detect different types of DDoS attacks with their corresponding weights.

There are a number of survey studies that have proposed taxonomies with respect to DDoS attacks. Although all have done a commendable job in proposing new taxonomies, the scope of attacks has so far been limited. There is a need to identify new attacks and come up with new taxonomies. Hence, we have analyzed new attacks that can be carried out using TCP/UDP based protocols at the application layer and proposed a new taxonomy. The rest of this sub-section explains the detailed taxonomy of DDoS attacks, illustrated in Figure 1, in terms of reflection-based and exploitation-based attacks.

Reflection-based DDoS: Are those kinds of attacks in which the identity of the attacker remains hidden by utilizing legitimate third-party components. The packets are sent to reflector servers by attackers with the source IP address set to the target victim's IP address, so that the victim is overwhelmed with response packets. These attacks can be carried out through application layer protocols using transport layer protocols, i.e., Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or a combination of both. As Figure 1 shows, in this category, TCP based attacks include MSSQL and SSDP, while UDP based attacks include CharGen, NTP and TFTP. There are certain attacks that can be carried out using either TCP or UDP, like DNS, LDAP, NETBIOS and SNMP.

Exploitation-based attacks: Are those kinds of attacks in which the identity of the attacker remains hidden by utilizing legitimate third-party components. The packets are sent to reflector servers by attackers with the source IP address set to the target victim's IP address, so that the victim is overwhelmed with response packets. These attacks can also be carried out through application layer protocols using transport layer protocols, i.e., TCP and UDP. TCP based exploitation attacks include SYN flood, and UDP based attacks include UDP flood and UDP-Lag. A UDP flood attack is initiated on the remote host by sending a large number of UDP packets. These UDP packets are sent to random ports on the target machine at a very high rate. As a result, the available bandwidth of the network gets exhausted, the system crashes and performance degrades. On the other hand, the SYN flood also consumes server resources by exploiting the TCP three-way handshake. This attack is initiated by sending repeated SYN packets to the target machine until the server crashes or malfunctions. The UDP-Lag attack is the kind of attack that disrupts the connection between the client and the server. This attack is mostly used in online gaming, where players want to slow down or interrupt the movement of other players to outmaneuver them. This attack can be carried out in two ways, i.e., using a hardware switch known as a lag switch, or by a software program that runs on the network and hogs the bandwidth of other users.

CICDDoS2019 contains benign and the most up-to-date common DDoS attacks, which resemble true real-world data (PCAPs). It also includes the results of the network traffic analysis using CICFlowMeter-V3, with labeled flows based on the time stamp, source and destination IPs, source and destination ports, protocols and attack (CSV files).

Generating realistic background traffic was our top priority in building this dataset. We have used our proposed B-Profile system (Sharafaldin, et al. 2016) to profile the abstract behaviour of human interactions and generate naturalistic benign background traffic in the proposed testbed (Figure 2). For this dataset, we built the abstract behaviour of 25 users based on the HTTP, HTTPS, FTP, SSH and email protocols.
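As an added worked example (not code from the dataset authors or the CIC project), the following Python script takes labeled per-flow records of the kind the page says the CSV files carry (time stamp, IPs, ports, protocol, attack label), groups them into the reflection-based/exploitation-based taxonomy described above, and runs two checks a defender would want before training a classifier on such labels: whether each flow's observed transport agrees with the transport the taxonomy assigns to its label, and whether a flow has the label-independent shape of reflected traffic (responses from a well-known reflector service port towards an ephemeral port). The column names, sample rows, IP addresses and label spellings are constructed assumptions, not the dataset's exact values; the service port numbers are the standard IANA assignments for the protocols named on the page.

```python
import csv
import io
from collections import Counter

# Constructed sample of per-flow records. The column set mirrors what the page
# says the CSV files are labeled on; the header names and the label spellings
# are assumptions, not the dataset's exact ones. The NTP row deliberately uses
# TCP (protocol 6) so that the transport sanity check below has something to flag.
CSV_SAMPLE = """\
Timestamp,Source IP,Source Port,Destination IP,Destination Port,Protocol,Label
2018-12-01 10:51:30,192.0.2.10,53,198.51.100.5,44213,17,DNS
2018-12-01 10:51:31,192.0.2.11,389,198.51.100.5,44213,17,LDAP
2018-12-01 10:51:32,192.0.2.12,1433,198.51.100.5,51000,6,MSSQL
2018-12-01 10:51:33,192.0.2.13,1900,198.51.100.5,51001,6,SSDP
2018-12-01 10:51:34,192.0.2.14,123,198.51.100.5,51002,6,NTP
2018-12-01 10:51:35,203.0.113.7,40001,198.51.100.5,80,6,SYN
2018-12-01 10:51:36,203.0.113.8,40002,198.51.100.5,9912,17,UDP
2018-12-01 10:51:37,203.0.113.9,40003,198.51.100.5,27015,17,UDP-Lag
2018-12-01 10:51:38,192.0.2.20,443,198.51.100.9,50500,6,BENIGN
"""

# The page's taxonomy: attack label -> (family, transport). "TCP/UDP" marks the
# attacks the page says can be carried out over either transport.
TAXONOMY = {
    "MSSQL": ("reflection", "TCP"),
    "SSDP": ("reflection", "TCP"),
    "CharGen": ("reflection", "UDP"),
    "NTP": ("reflection", "UDP"),
    "TFTP": ("reflection", "UDP"),
    "DNS": ("reflection", "TCP/UDP"),
    "LDAP": ("reflection", "TCP/UDP"),
    "NETBIOS": ("reflection", "TCP/UDP"),
    "SNMP": ("reflection", "TCP/UDP"),
    "SYN": ("exploitation", "TCP"),
    "UDP": ("exploitation", "UDP"),
    "UDP-Lag": ("exploitation", "UDP"),
}

# Standard service ports of the reflector protocols named on the page
# (IANA assignments, not dataset-specific values).
REFLECTOR_PORTS = {
    53: "DNS", 389: "LDAP", 137: "NETBIOS", 161: "SNMP", 1433: "MSSQL",
    1900: "SSDP", 19: "CharGen", 123: "NTP", 69: "TFTP",
}

# IP protocol numbers as they appear in the Protocol column.
PROTO_NAMES = {6: "TCP", 17: "UDP"}


def parse_flows(text):
    """Parse CSV text into one dict per flow."""
    return list(csv.DictReader(io.StringIO(text)))


def classify_flow(label, protocol):
    """Return (family, transport) for a labeled flow, where transport is the
    one actually observed in the flow (so a DNS flow over UDP reports UDP)."""
    observed = PROTO_NAMES.get(protocol, "OTHER")
    if label == "BENIGN":
        return ("benign", observed)
    family, _ = TAXONOMY[label]
    return (family, observed)


def family_counts(flows):
    """Count flows per (family, transport) bucket of the taxonomy."""
    return dict(Counter(classify_flow(f["Label"], int(f["Protocol"])) for f in flows))


def taxonomy_mismatches(flows):
    """Flows whose observed transport contradicts the taxonomy's transport for
    their label, e.g. an NTP-labeled flow carried over TCP. Returned as
    (timestamp, label, expected transport, observed transport) tuples."""
    bad = []
    for f in flows:
        label = f["Label"]
        if label == "BENIGN":
            continue
        expected = TAXONOMY[label][1]
        observed = PROTO_NAMES.get(int(f["Protocol"]), "OTHER")
        if expected != "TCP/UDP" and expected != observed:
            bad.append((f["Timestamp"], label, expected, observed))
    return bad


def reflector_hint(flow):
    """Label-independent hint: a flow whose first packet comes from a known
    reflector service port towards an ephemeral port is the shape reflected
    response traffic leaves in flow records. Returns the protocol name or None."""
    sport = int(flow["Source Port"])
    dport = int(flow["Destination Port"])
    if sport in REFLECTOR_PORTS and dport >= 1024:
        return REFLECTOR_PORTS[sport]
    return None


if __name__ == "__main__":
    flows = parse_flows(CSV_SAMPLE)
    for bucket, n in sorted(family_counts(flows).items()):
        print(f"{bucket[0]:<13}{bucket[1]:<5}{n}")
    for ts, label, expected, observed in taxonomy_mismatches(flows):
        print(f"mismatch at {ts}: {label} expected {expected}, observed {observed}")
    for f in flows:
        hint = reflector_hint(f)
        if hint:
            print(f"{f['Timestamp']}: looks like {hint} reflection towards {f['Destination IP']}")
```

The transport check matters because the page's Figure 1 assigns a single transport to most attacks; a labeled flow that contradicts it is either a labeling error or a variant the taxonomy does not cover, and either way it should be resolved before the label is used as ground truth. The reflector hint is intentionally coarse (it keys only on ports) and is meant as a triage aid alongside the flow-feature detector the paper proposes, not as a detector on its own.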