Communications Network Research Institute

Detecting Distributed Denial of Service (DDoS) Attacks in Wireless Mesh Network

Yi Ding
PhD Student (November 2009 - present)
Funding Agency: China Scholarship Council


This project develops a new method that combines WLAN Resource Measurement (WRM) techniques with a Bayesian Decision Theory (BDT) to detect DDoS attacks in wireless mesh networks (WMNs). Wireless security plays a significant role in the development of the IEEE 802.11 WLAN standard, i.e. IEEE 802.11i and IEEE 802.11w. However, a hacker can easily attack the network through a protocol flaw or from vulnerabilities in a software application. A DDoS attack usually involves a large number of nodes quickly targeting a single node and the result can be hugely destructive. This requires an efficient, fast and low false alarm detection method to mitigate such as attack.


A WMN is a new network topology which provides broadband wireless Internet services to a large community of users. It resolves the limitations and significantly improves the performance of ad-hoc WLAN networks. It consists of mesh routers (mesh nodes) which form the wireless backbone and mesh clients access the network through mesh routers. It is characterized by a multi-hop, multi-channel, self-organization, and auto-configuration structure as shown in Figure 1.These features brings many advantages for the client, such as robustness, low cost, easy to deploy, flexible wireless service and higher bandwidth to mobile users.

Figure 1
Figure 1: The WMN Topology

Vulnerabilities and Threats to WMNs

WMNs are vulnerable to attack due to the absence of trusted central authority and the open nature of the wireless medium. Malicious nodes can easily intrude on the network and launch a jamming attack, eavesdrop on the communications and inject malicious packets. It can cause the trust relationship to change among nodes due to the dynamic topology and multi-hop routing. Because of the mesh nodes’ lower price, it has limited memory and computational capacity. The node gateways provide access to the wired Internet for the whole network and usually become the primary target for the hacker. Once the gateway is attacked, it can no longer provide normal service as the performance of the whole network will be compromised.

There are different kinds of attacks that can be encountered in a WMN. At the PHY layer, there are signal jamming and device tampering. At the MAC layer, there are MAC spoofing, Virtual Jamming and DoS Attack. At the network layer, there are blackhole, grayhole, wormhole, rushing attack and so on. However, the DoS attack is the most serious attack and exists at the MAC layer and network layer. Therefore, this work will focus on detecting the DoS attack and DDoS Attack.

DoS Attack and DDoS Attack.

A Denial of Service (DoS) attack means that attacker uses legitimate requests to consume a large amount of network resources to prevent the legitimate users from accessing the network resources such as bandwidth, processing time or service.

Figure 2
Figure 2: The DDoS Attack Model

Distributed Denial of Service (DDoS) attack makes use of a large population of compromised clients to attack the network by UDP flooding attack, TCP-SYN flooding attack and so on. It is much more serious and difficult to detect than the DoS attack because of its “distributed” nature and numerous attackers. It is difficult to trace back due to the large number of controlled clients. The diversification of attack modes and sophisticated attack techniques in different type of network and different layer make the existing security mechanism hard to prevent invasion.

We define a successful DDoS attack as follows: A hacker makes use of the flaws of wireless products to control two or more victims to prevent the legitimate traffic stream from reaching the Gateway and starves the legitimate users in the WMN of network resources.

A successful DDoS attack is shown in Figure 2. It consists of the following elements:

A successful DDoS attack exhibits the following characteristics:

Detection of DDoS Attack in WMNs

DDoS attacks are very harmful for the WMNs because they can rapidly consume network resources. However, DDoS attacks are difficult to detect quickly with high accuracy due to three challenging factors:

In order to detect the DDoS attack with improved performance, we propose a combination detection method where the Wireless Resource Management (WRM) technique is combined with Bayesian Decision Theory (BDT). The operation of the WRM specifically targets the operation of the contention-based MAC mechanism in the IEEE 802.11 WLANs where every station must compete for accessing to the medium.

Under the WRM framework the channel capacity may be categorised according to three values:

The Cmax and Cmin values represent the maximum and minimum bandwidth that a station in the medium can achieve, Cavail describes the current availability for this station. The relationship between these three values is:

Cmin < Cavail < Cmax

Before DDoS attack, every station can access the network resource fairly and normally even in the saturation case. However, when DDoS attack occurs, the malicious nodes will gain much more bandwidth with high Cavail, Cmax, Cmin values. The legitimate nodes will gain their required bandwidth with low Cavail, Cmax, Cmin values and the mesh routers will experience lower Cavail value.

Using this classification and the characteristic features of a DDoS attack, we intend to use the Cmin, Cavail and Cmax values at the mesh nodes to measure the appropriate threshold for distinguishing between the cases of normal and abnormal operation.

Detection Flow-chart

The DDoS detection algorithm is divided into the several steps as shown in Figure 3:

  1. Collection - We use a probe node to locally monitor, capture the frames, filter the control frames such as RTS, CTS packets and collect the information from the mesh nodes in WMNs.
  2. Analysis – Using this captured frame information, the contention, average access time and load time can be measured and load time calculated.
  3. Calculation – The Cmin value, Cavail value and Cmax value for every node are calculated using the WRM technique and are recorded as a set: O{Cmin, Cavail, Cmax}.
  4. Record & Construction - Record the normal flows from the mesh nodes with their Cmax, Cmin, Cavail values in initial period and determine the DDoS threshold according to Bayesian Decision Theory.
  5. Determination – If the flows parameters are not matched to the threshold, then an abnormal traffic scenario is detected.
  6. Confirmation – Check the address and contents of packets or other characters to validate the DDoS attack as most DDoS attacks use forged address and contents.
  7. Update – If the abnormal flow is not determined to be a DDoS attack, then update the detection threshold.
Figure 3
Figure 3: Flow-chart of the DDoS algorithm

Data Collection & Calculation

Two methods are used to implement this algorithm: In an experimental testbed where we use a PC with a wireless Netgear card and libpcap driver to monitor the network, filter the control frames like RTS, CTS frame and collect the packet information such as load time, access time, free time shown in Figure 4. Using NS2 simulation, the trace file can provide the complete information of packers. Then calculate the Cmax, Cavail and Cmin values by using the WRM technique.

Figure 4
Figure 4: Testbed Implementation of the DDoS Detection Mechanism

Simulation Setup

Figure 5
Figure 5: An example of random topology in NS2 (5attackers, 3 neighbours)

Table 1
Table 1: The parameters of normal traffic and DDoS traffic

Figure 6 shows the dramatic changes in throughput for mesh clients when DDoS attack happens. The throughput of mesh clients decreases close to zero, and the attacker nodes can gain the higher throughput which illustrates the fast and destructive of DDoS attack.

Figure 6
Figure 6: The throuhput performance of DDoS attack, 5 clients, 5 attacker, attack time: 30s-100s

We choose a 10 second interval in the DDoS Before Attack (BA) period, DDoS During Attack (DA) period and DDoS After Attack (AA) period to draw a Probability Distribution Function (PDF) graph shown in Figure 7. The red line corresponds to the DA value, the green line corresponds to the BA values and the blue line corresponds to the AA value. It indicates that Cmax, Cavail, Cmin values undergo a significant change during the DA period.

Figure 7
Figure 7: The Cmax, Cavail, Cmin values in the BA, DA, and AA periods in a scenario of 5 neighbors

New DDoS Metric

We propose a new metric called DDoSmetric which has two forms:

equation 1


equation 2

In a 1,000 random topologies simulation test, we calculate these two values with different numbers of neighbors and different numbers of attacks: 1 to 5 neighbours, 1 to 10 attackers with 5 neighbours, choose 10 second in the DDoS Before Attack (BA) period and DDoS During Attack (DA) period. The DDoSmetric1 and DDoSmetric2 values are drawn in a PDF graph for the BA period and AA period in Figure 8 where the red line represents the DA value and the green line represents the BA value.

Figure 8
Figure 8: DDoSmetric1 (top) and DDoSmetric2 (bottom) in scenario of 5 neighbors

Figure 8 shows that the performance of the two DDoSmetric values in DA period and BA period where it can be observed that DDoSmetric1 is much more distinct than DDoSmetric2 as a feature when attack level is higher and node density is lower. On the contrary, in the scenario of higher density and lower attack level, DDoSmetric2 is more dominant.

Bayesian Decision Theory

We choose Bayesian Decision Theory(BDT) to calculate the threshold for classifying the attack patterns and normal patterns.

In DDoS detection algorithm, we use the δ symbol to represent DDoSmetric. The likelihood ratio function is described in formula (3), the likelihood ratio Λ(δ) is used to establish a detection threshold:

equation 2

This formula is equal to:

equation 2

The δ(DDoS) value can be calculated by above formula for obtaining the δ value which set as decision threshold for δ(DDoS) value in different node density and different attackers(as shown in Figure 9).

Figure 9
Figure 9: the likelihood ratio function Λ(δ) and δ value in different scenarios (top: 1-10 attackers; bottom: 1-5 neighbors)

A good detection mechanism should not only realise successful detection, but also requires a low false alarm rate for reducing the overload and computational complexity. A Loss Pass Filter(LPF) was used to remove the noise from the measurements.

The detection successful rate has been shown to reach 99% in all scenarios of 2-5 neighbors with 5 attackers and 1 to 10 attackers with 3 neighbors. Some results are shown in Table 2.

Table 2
Table 2: Detection results in various scenarios

Determining the Performance and Efficiency of the Detection Algorithm

Now, some important parameters for determining the effectiveness of the detection scheme are proposed and defined:

A good detection algorithm needs low FPR, FNR, and a small Tr, so our goal is to minimize the FPR and FNR and minimizing Tr as far as possible with an efficient algorithm.