This paper proposes MULTOPS. MULTOPS enables routers or network monitors to detect ongoing bandwidth attacks using a simple heuristic: a significant, disproportional difference between the packet rate going to and coming from a host or subnet. This is based on the assumption that, during normal operations on the Internet, the packet rate of traffic going in one direction is proportional to the packet rate of traffic going in the opposite direction.
MULTOPS is a tree of nodes that contains packet rate statistics for subnet prefixes at different aggregation levels. It dynamically adapts its shape to (1) reflect changes in packet rates, and (2) avoid (maliciously intended) memory exhaustion.
MULTOPS successfully detects bandwidth attacks that create disproportional packet flows between the sender(s) and the receiver. To our knowledge, no such detection mechanism has been proposed yet. Depending on the situation, MULTOPS can point out the source(s) of the attack.
MULTOPS is not a complete solution against bandwidth attacks. However, it enables network devices to maintain statistics to establish whether or not a bandwidth attack may be going on.
Measurements show that the performance of MULTOPS is primarily influenced by the size of the cache and the number of IP source addresses involved in the attack. It is exceedingly difficult to run a MULTOPS-equipped router out of memory.
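The heuristic and the adaptive tree described above, as an added sketch that is not the paper's implementation. It assumes one tree level per IPv4 address octet, packet counts in place of rates, and hypothetical thresholds and names (`EXPAND_AT`, `MAX_NODES`, `RATIO_MAX`, `MIN_PACKETS`, `Multops`).

```python
import ipaddress

# Added illustration: constants, names and the per-octet fanout are assumptions.
EXPAND_AT = 100      # packets through one record before it gets a child node
MAX_NODES = 1000     # hard cap on nodes, so spoofed sources cannot exhaust memory
RATIO_MAX = 3.0      # to/from ratio above which a prefix is flagged
MIN_PACKETS = 50     # ignore prefixes with too little traffic to judge

class Node:
    def __init__(self):
        self.records = {}   # octet -> [to_count, from_count, child Node or None]

class Multops:
    def __init__(self, max_nodes=MAX_NODES):
        self.root = Node()
        self.nodes = 1
        self.max_nodes = max_nodes

    def update(self, addr, direction):
        """Count one packet going 'to' or coming 'from' addr at every level present."""
        node = self.root
        for depth, octet in enumerate(ipaddress.IPv4Address(addr).packed):
            rec = node.records.setdefault(octet, [0, 0, None])
            rec[0 if direction == "to" else 1] += 1
            if rec[2] is None:
                # Expand only for busy prefixes, and only while under the memory cap.
                busy = rec[0] + rec[1] >= EXPAND_AT
                if depth == 3 or not busy or self.nodes >= self.max_nodes:
                    return
                rec[2] = Node()
                self.nodes += 1
            node = rec[2]

    def suspects(self):
        """Return (prefix, to, from) for the deepest tracked prefixes with a skewed ratio."""
        out, stack = [], [(self.root, [])]
        while stack:
            node, path = stack.pop()
            for octet, (to, frm, child) in node.records.items():
                here = path + [octet]
                if child is not None:
                    stack.append((child, here))
                elif to + frm >= MIN_PACKETS and to > RATIO_MAX * max(frm, 1):
                    prefix = ".".join(map(str, here + [0] * (4 - len(here))))
                    out.append((f"{prefix}/{8 * len(here)}", to, frm))
        return sorted(out)
```

When the node cap is reached the tree stops refining, so a flagged prefix is reported at a coarser aggregation level instead of consuming more memory.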