An approach to detect DDoS attack with A.I.


The DDoS attack is one of the most powerful hacking techniques on the internet. The basic weapon an attacker uses in these attacks is network traffic, which is used to take down or crash websites. There are various subcategories of this attack; each category defines the way an attacker tries to intrude into the network. In this research, we discuss an approach to detect DDoS attack threats with an A.I. model with over 96% accuracy. We classified 7 different subcategories of DDoS threat along with a safe or healthy network.


Distributed denial-of-service (DDoS) attacks target websites and online services. The objective of this attack is to jam the network or server with overwhelming traffic. It achieves its effect by using multiple compromised systems as sources of attack traffic. There are different subcategories of DDoS attack based on the layer of the network connection they attempt to attack, with respect to the OSI model. Some of the subcategories that we classified through our research are SYN Flood, UDP Flood, MSSQL, LDAP, Portmap, NetBIOS.

Machine Learning and Deep Learning are among the most common backbones of A.I. to date. We use these methodologies to solve problems in various domains with accuracy close to human performance. Through this research we have once again tested the limits of A.I. in detecting threats in the domain of cybersecurity. We did a thorough analysis of the logs generated during a DDoS attack, used supervised and unsupervised techniques to detect the threat, and finally used deep learning to achieve over 96% accuracy in classifying different types of DDoS threats along with the safe connection.

Data Pre-Processing

Processing the data was one of the first challenges we faced. The data had 88 attributes or features, and processing such a large data set within limited RAM was a real challenge. So we downgraded the data types of the attributes, which reduced the memory usage of the data frame. Data types of float64 are downgraded to float32, int64 to int32, int32 to uint32 and so on. This reduced the initial size by almost 42%. Our data frame still had attributes or features with maximum values close to infinite, so we also handled those values in the pre-processing stage.
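The downcasting and infinite-value handling described above can be sketched with pandas as follows. This is an added example, not the authors' code: the column names and sample rows are constructed, and capping infinities at each column's finite extremes is an assumption, since the article does not say how those values were handled.

```python
import numpy as np
import pandas as pd

F32_MAX = np.finfo(np.float32).max
I32 = np.iinfo(np.int32)

def sample_flows():
    # Constructed flow records; column names and values are hypothetical.
    return pd.DataFrame({
        "flow_duration_us": np.array([0, 1200, 530000, 87], dtype=np.int64),
        "fwd_packets": np.array([2, 14, 900, 1], dtype=np.int64),
        # A zero-duration flow makes a per-second rate infinite.
        "flow_bytes_per_s": np.array([np.inf, 1.5e4, 2.25e6, 9.0e3]),
        "label": ["Syn", "BENIGN", "UDP", "LDAP"],
    })

def numeric_bytes(df):
    """Bytes held by the numeric columns (index and labels excluded)."""
    cols = df.select_dtypes(include="number")
    return int(cols.memory_usage(index=False).sum())

def shrink(df):
    """Return a copy with infinities capped and 64-bit columns narrowed."""
    out = df.copy()
    for col in out.select_dtypes(include="number").columns:
        s = out[col]
        if s.dtype == np.float64:
            finite = s[np.isfinite(s)]
            if len(finite):
                # Assumption: cap +/-inf at the column's finite extremes.
                s = s.clip(lower=finite.min(), upper=finite.max())
            # float32 keeps about 7 significant digits, so large counters
            # lose precision; narrow only when the range fits at all.
            if s.abs().max() <= F32_MAX:
                s = s.astype(np.float32)
        elif s.dtype == np.int64 and I32.min <= s.min() and s.max() <= I32.max:
            # Range check first: a blind astype would silently wrap.
            s = s.astype(np.int32)
        out[col] = s
    return out

if __name__ == "__main__":
    raw = sample_flows()
    small = shrink(raw)
    print(small.dtypes)
    print(numeric_bytes(raw), "->", numeric_bytes(small), "bytes")
```
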

#deep-learning #data-science #cybersecurity #infosec #machine-learning

Angela Dickens


DDoS attacks have evolved, and so should your DDoS protection

The proliferation of DDoS attacks of varying size, duration, and persistence has made DDoS protection a foundational part of every business and organization’s online presence. However, there are key considerations including network capacity, management capabilities, global distribution, alerting, reporting and support that security and risk management technical professionals need to evaluate when selecting a DDoS protection solution.

Gartner’s view of the DDoS solutions; How did Cloudflare fare?

Gartner recently published the report Solution Comparison for DDoS Cloud Scrubbing Centers (ID G00467346), authored by Thomas Lintemuth, Patrick Hevesi and Sushil Aryal. This report enables customers to view a side-by-side solution comparison of different DDoS cloud scrubbing centers measured against common assessment criteria. If you have a Gartner subscription, you can view the report here. Cloudflare has received the greatest number of ‘High’ ratings as compared to the 6 other DDoS vendors across 23 assessment criteria in the report.

The vast landscape of DDoS attacks

From our perspective, the nature of DDoS attacks has transformed, as the economics and ease of launching a DDoS attack has changed dramatically. With a rise in cost-effective capabilities of launching a DDoS attack, we have observed a rise in the number of under 10 Gbps DDoS network-level attacks, as shown in the figure below. Even though 10 Gbps from an attack size perspective does not seem that large, it is large enough to significantly affect a majority of the websites existing today.

#ddos #attacks #gartner #trends #network #neural networks

Chando Dhar


Deep Learning Project : Real Time Object Detection in Python & Opencv

Real Time Object Detection in Python And OpenCV


#python project #object detection #python opencv #opencv object detection #object detection in python #python opencv for object detection

Justyn Ortiz


Mitigating a 754 Million PPS DDoS Attack Automatically

On June 21, Cloudflare automatically mitigated a highly volumetric DDoS attack that peaked at 754 million packets per second. The attack was part of an organized four day campaign starting on June 18 and ending on June 21: attack traffic was sent from over 316,000 IP addresses towards a single Cloudflare IP address that was mostly used for websites on our Free plan. No downtime or service degradation was reported during the attack, and no charges accrued to customers due to our unmetered mitigation guarantee.

The attack was detected and handled automatically by Gatebot, our global DDoS detection and mitigation system without any manual intervention by our teams. Notably, because our automated systems were able to mitigate the attack without issue, no alerts or pages were sent to our on-call teams and no humans were involved at all.

Attack Snapshot - Peaking at 754 Mpps. The two different colors in the graph represent two separate systems dropping packets.

During those four days, the attack utilized a combination of three attack vectors over the TCP protocol: SYN floods, ACK floods and SYN-ACK floods. The attack campaign sustained for multiple hours at rates exceeding 400-600 million packets per second and peaked multiple times above 700 million packets per second, with a top peak of 754 million packets per second. Despite the high and sustained packet rates, our edge continued serving our customers during the attack without impacting performance at all.

The Three Types of DDoS: Bits, Packets & Requests

Attacks with high bits per second rates aim to saturate the Internet link by sending more bandwidth per second than the link can handle. Mitigating a bit-intensive flood is similar to a dam blocking gushing water in a canal with limited capacity, allowing just a portion through.

Bit Intensive DDoS Attacks as a Gushing River Blocked By Gatebot

In such cases, the Internet service provider may block or throttle the traffic above the allowance resulting in denial of service for legitimate users that are trying to connect to the website but are blocked by the service provider. In other cases, the link is simply saturated and everything behind that connection is offline.

Swarm of Mosquitoes as a Packet Intensive DDoS Attack

However, in this DDoS campaign, the attack peaked at a mere 250 Gbps (I say, mere, but ¼ Tbps is enough to knock pretty much anything offline if it isn’t behind some DDoS mitigation service) so it does not seem that the attacker intended to saturate our Internet links, perhaps because they know that our global capacity exceeds 37 Tbps. Instead, it appears the attacker attempted (and failed) to overwhelm our routers and data center appliances with high packet rates reaching 754 million packets per second. As opposed to water rushing towards a dam, a flood of packets can be thought of as a swarm of millions of mosquitoes that you need to zap one by one.

Zapping Mosquitoes with Gatebot

Depending on the ‘weakest link’ in a data center, a packet intensive DDoS attack may impact the routers, switches, web servers, firewalls, DDoS mitigation devices or any other appliance that is used in-line. Typically, a high packet rate may cause the memory buffer to overflow, voiding the router’s ability to process additional packets. This is because there’s a small fixed CPU cost of handling each packet, so if you can send a lot of small packets you can block an Internet connection not by filling it but by causing the hardware that handles the connection to be overwhelmed with processing.

Another form of DDoS attack is one with a high HTTP request per second rate. An HTTP request intensive DDoS attack aims to overwhelm a web server’s resources with more HTTP requests per second than the server can handle. The goal of a DDoS attack with a high request per second rate is to max out the CPU and memory utilization of the server in order to crash it or prevent it from being able to respond to legitimate requests. Request intensive DDoS attacks allow the attacker to generate much less bandwidth, as opposed to bit intensive attacks, and still cause a denial of service.

Automated DDoS Detection & Mitigation

So how did we handle 754 million packets per second? First, Cloudflare’s network utilizes BGP Anycast to spread attack traffic globally across our fleet of data centers. Second, we built our own DDoS protection systems, Gatebot and dosd, which drop packets inside the Linux kernel for maximum efficiency in order to handle massive floods of packets. And third, we built our own L4 load-balancer, Unimog, which uses our appliances’ health and other various metrics to load-balance traffic intelligently within a data center.

In 2017, we published a blog introducing Gatebot, one of our two DDoS protection systems. The blog was titled Meet Gatebot - a bot that allows us to sleep, and that’s exactly what happened during this attack. The attack surface was spread out globally by our Anycast, then Gatebot detected and mitigated the attack automatically without human intervention. And traffic inside each datacenter was load-balanced intelligently to avoid overwhelming any one machine. And as promised in the blog title, the attack peak did in fact occur while our London team was asleep.

So how does Gatebot work? Gatebot asynchronously samples traffic from every one of our data centers in over 200 locations around the world. It also monitors our customers’ origin server health. It then analyzes the samples to identify patterns and traffic anomalies that can indicate attacks. Once an attack is detected, Gatebot sends mitigation instructions to the edge data centers.

#ddos #security #gatebot #attacks #syn #ack #network layer

DDoS Attacks Skyrocket as Pandemic Bites

The first half of 2020 saw a significant uptick in the number of distributed denial-of-service (DDoS) attacks compared to the same period last year — a phenomenon that appears to be directly correlated to the global coronavirus pandemic.

Neustar’s Security Operations Center (SOC) saw a 151 percent increase in DDoS activity in the period, including one of the largest and longest attacks that Neustar has ever mitigated – that attack came in at 1.17 terabits-per-second (Tbps), and lasted five days and 18 hours.

“These figures are representative of the growing number, volume and intensity of network-type cyberattacks as organizations shifted to remote operations and workers’ reliance on the internet increased,” the company noted in its first-half status report, released on Wednesday.

#web security #coronavirus #covid-19 #cyberattacks #ddos #denial of service #healthcare #internet usage #neustar #pandemic #trend report #volumetric attacks #work from home

Rusty Shanahan


What is DDoS attack ?

Distributed Denial of Service (DDoS) attacks are becoming more frequent and the size of these attacks is increasing rapidly every year. This increases the load on the networks of Internet Service Providers (ISPs) and many Cloud computing providers. Cloud computing is an emerging technology adopted by many Cloud providers, but it has many issues, and one of them is Distributed Denial of Service (DDoS). The DDoS attack is the most prominent attack in this area of computing. DDoS is the single largest threat to the internet and the internet of things. The frequency and sophistication of DDoS attacks on the Internet are rapidly increasing. In this article, we conduct an up-to-date review of essential Cloud Network threats and present a methodology for evaluation of existing security proposals. Based on this, we introduce a comprehensive and up-to-date survey of proposals intended to make the network infrastructure highly secure, introducing new methods for detection and mitigation of routing instabilities. These generic countermeasure models can be used to prevent secondary victims and to prevent DDoS attacks. These taxonomies define various similarities and different patterns in DoS and DDoS attacks, configuration and functional tools, to assist in further improvement of network infrastructure security, and propose a solution to countering DDoS attacks.

DDoS attacks can be classified further, as the primary target is to congest the network with a massive amount of bandwidth utilization, which can cause network disruption for the victim.



Attack Classifications (Figure 1): Besides these classifications, all forms of attack fall under these two functions.

Connection-based attack: This type of attack can be carried out through an established connection between a client and a server by using certain connection-oriented protocols.

Connection-less attack: An attack that doesn’t require a standard protocol-based session to be formally established before a server can send the “data packets”, typically a basic unit of communication information which is transferred over a digital network to a client.

Volumetric Attack: The specific goal of this type of attack is to cause traffic congestion while sending data packets over the line, overwhelming the available bandwidth. Most of these attacks are executed using botnets. A botnet is a group of agent handlers in a DDoS attack which provides the attacker with the ability to wage a much larger and more wild attack than a DoS attack while remaining anonymous on the Internet. It is measured by the number of received bits per second (bps).

Protocol Attack: In general, the focal point of this type of attack is actual web/DNS/FTP servers, core routers and switches, firewall devices and load balancers (LB), to disrupt well-established connections and exhaust the limited number of concurrent sessions on the device. It is measured by the number of received packets per second (PPS).

Application Layer Attack: It is also known as a connection-oriented attack. Application attacks occur at Layer 7 of the OSI model. Most applications are vulnerable because they contain many loopholes. This type of attack is hard to detect because these sophisticated threats are generated from a limited number of attack machines and, on top of that, generate only a low traffic rate, which appears legitimate to the victim. It is measured by the number of received requests per second (RPS).

#technology #security #cloud-computing #computer-sciecne #ddos-attack #cloud