Detecting a Distributed Denial-of-Service Attack Using Speed Test Data: A Case Study on an Attack with Nationwide Impact

Abstract: This thesis presents a case study that investigates a large Distributed Denial of Service (DDoS) attack and how it affected speed tests observed by the crowd-based speed test application Bredbandskollen.  Furthermore, the thesis also investigates the possibility of using crowd-based speed tests as a method to detect a DDoS attack. This method has very low overhead which makes it an interesting complement to other methods. This thesis also shows that there was a significant deviation in the number of measurements during the DDoS attack considered in the case study compared to the year average. Furthermore, the measurements of the peak day of the attack had a higher average download speed than the year average. Whereas the higher download speed observation at first may appear non-intuitive, we briefly discuss potential explanations and how such positive anomalies could potentially be used to detect attacks. Detecting DDoS attacks early can lead to earlier recognition of network problems which can aid Internet Service Providers (ISPs) in maintaining the availability of their networks.