In these experiments we test four different attack scenarios:
- Constant rate attack - The maximum rate is achieved immediately and maintained until the attack is stopped.
- Pulsing attack - The attack rate oscillates between the maximum rate and zero. The active and inactive periods have the same duration: 100 seconds.
- Increasing rate attack - The maximum rate is achieved gradually over 300 seconds and is maintained until the attack is stopped.
- Gradual pulse attack - The maximum rate is achieved gradually over 300 seconds, maintained for 20 seconds, and then gradually decreased to zero over 10 seconds. The inactive period lasts for 40 seconds and then the attack starts again.
Each scenario is tested over different runs with maximum attack rate varying from 100KBps to 2MBps.
During each run legitimate traffic is interleaved with the attack traffic in the following fashion:
- At 0, 5, 626, 627, 628 and 629 seconds a legitimate connection is started between one client (sanitized address 1.1.139.239) and the victim (sanitized address 1.1.236.8).
- At 25 seconds the UDP flood attack is started.
- At 625 seconds the attack is stopped.
- The trace-gathering process is stopped at 729 seconds.
The attack uses UDP packets with a fixed length of 1KB. The source address is spoofed using addresses from the same subnet (prefix length is 24). Source and destination ports are randomly spoofed. Since legitimate communication is conducted over the SSH protocol, all TCP traffic is legitimate and all UDP traffic is attack traffic.
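For checking a detector against these traces, the sketch below is an added example, not code distributed with the dataset: it gives the nominal attack-rate envelope of each scenario at a given trace time and applies the TCP/UDP ground-truth rule to packet records. It assumes linear ramps, cycles that begin at the 25-second attack start with the active phase first, and a hypothetical `(timestamp, protocol, length)` record format; the sample records are constructed.

```python
from collections import defaultdict

ATTACK_START, ATTACK_STOP = 25, 625  # seconds into the run, from the schedule above

def expected_rate(scenario, t, max_rate):
    """Nominal attack rate at trace time t (s), in the same unit as max_rate."""
    if not ATTACK_START <= t < ATTACK_STOP:
        return 0.0
    dt = t - ATTACK_START
    if scenario == "constant":
        return float(max_rate)
    if scenario == "pulsing":            # 100 s active, 100 s inactive
        return float(max_rate) if dt % 200 < 100 else 0.0
    if scenario == "increasing":         # 300 s ramp (assumed linear), then hold
        return max_rate * min(dt / 300, 1.0)
    if scenario == "gradual_pulse":      # 300 s ramp, 20 s hold, 10 s decay, 40 s idle
        p = dt % 370
        if p < 300:
            return max_rate * p / 300
        if p < 320:
            return float(max_rate)
        if p < 330:
            return max_rate * (330 - p) / 10
        return 0.0
    raise ValueError(f"unknown scenario: {scenario}")

def label(proto):
    """Ground truth for these traces: TCP (SSH) is legitimate, UDP is attack."""
    return {"tcp": "legitimate", "udp": "attack"}.get(proto.lower(), "unknown")

def attack_bytes_per_second(packets):
    """Sum attack-labelled bytes per whole second; packets are (ts, proto, length)."""
    totals = defaultdict(int)
    for ts, proto, length in packets:
        if label(proto) == "attack":
            totals[int(ts)] += length
    return dict(totals)

# Constructed sample records (timestamp s, protocol, bytes), not taken from the traces.
# 1 KB is taken as 1024 bytes here, which is an assumption.
SAMPLE = [(0.10, "tcp", 60), (25.02, "udp", 1024), (25.50, "udp", 1024),
          (26.10, "udp", 1024), (26.40, "tcp", 120), (626.00, "tcp", 60)]

if __name__ == "__main__":
    print(attack_bytes_per_second(SAMPLE))
    for name in ("constant", "pulsing", "increasing", "gradual_pulse"):
        print(name, [expected_rate(name, t, 100) for t in (25, 175, 350, 625)])
```

Comparing the per-second totals with `expected_rate` for the run's maximum rate shows where a detector's alarms line up with the active phases of each scenario.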
Constant rate attack
Pulsing attack
Increasing rate attack
Gradual pulse attack