DDoS Attack Identification
three or more cells in a constellation , as per cells 1 , 2 , and 3 below , the location estimate can be reduced to a 78M diameter circle .
If multiple DDoS perpetrator UEs affect the same cell site at the same time , they may be clustered together in a van or building that can be investigated by law enforcement . In this case , a time series of cell site and timing advance changes can be observed and compared for each suspect DDoS perpetrator UE . If cell site and timing advance changes for multiple DDoS perpetrator UEs coincide , then these perpetrator UEs are likely in the same moving vehicle or building .
If suspect DDoS perpetrator UEs are stationary for a considerable time , then the radio network can force handovers while observing timing advice values between neighboring cells in a constellation such as C1 , C2 , and C3 in Figure 4-1 below .
This technique can also be enhanced by the angle of arrival data where beamforming radios are deployed . If all perpetrator UEs align with the same 78M diameter circle , they , and their operator , are likely in the same location .
Figure 4-1 : Timing Advance ( TA ) for DDoS location fingerprinting .
In Section 3.1 , we describe radio noise pattern observation as a means to detect and classify the presence of over-the-air DDoS attacks and perpetrator UEs from cell sites . In Section 3.2 , we
IIC Journal of Innovation 67