Distributed Denial of Service (DDoS) attacks are rapidly escalating in scale and sophistication, posing critical threats to modern cloud infrastructures. Recent reports from Cloudflare show unprecedented attack volumes (20.5 million attacks in Q1 2025) and sophisticated patterns such as low-rate stealth attacks or bursty bots, underscoring the need for timely, automated threat intelligence. Traditional defenses, such as static IDS signatures or threshold rules, remain reactive and incur high false-alarm rates. To address these gaps, we propose a real-time ML framework for proactive DDoS defense. We built a unified labeled dataset from public captures (CIC-IDS2017 DDoS and CIC-DDoS2019) and proprietary pfSense traffic captures, enriched with MISP threat indicators. In a comparative supervised evaluation, we trained multiple classifiers (SVM, Random Forest, XGBoost) via cross-validated grid search, using accuracy, precision, and recall as key metrics. The architecture routes all traffic through a pfSense gateway into a Wazuh analytics node, with OpenSearch and Grafana, for streaming feature extraction and prediction. Results show that all models achieved near-perfect detection (≈99.99% accuracy, 100% precision/recall) on test data. XGBoost slightly outperformed the others and maintained >99.9% accuracy even under a load of 15,000 events/sec, and was thus selected for deployment. The pipeline sustained inference latency below 50 ms, enabling timely alerts and automated mitigation. These findings demonstrate that ML-based threat intelligence can greatly enhance DDoS mitigation with minimal false alarms. In addition, we draw inspiration from fault tolerance to protect and improve the availability of the watchmen themselves: we replicate the threat-intelligence servers, distribute them geographically, and require them to reach consensus, which filters spurious alerts and tolerates the compromise of individual server instances.
Future work will close the loop to automated enforcement (such as dynamic firewall updates), adapt models to evolving attack patterns, and advance proactive cloud security.
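The following is an added example (not code from the paper or its authors) illustrating the two ideas the abstract combines: streaming per-source feature extraction and majority-vote consensus across replicated detector instances so that one faulty or compromised replica can neither inject nor suppress an alert. The flow records are constructed, and a fixed-threshold rule stands in for the paper's trained XGBoost model; thresholds and replica count are assumptions.

```python
from collections import Counter, defaultdict

# Constructed per-second flow summaries: (second, src_ip, packets, syn_packets).
# 203.0.113.9 plays a made-up SYN-flood source; 10.0.0.5 is ordinary background traffic.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", 12, 1), (0, "203.0.113.9", 900, 880),
    (1, "10.0.0.5", 8, 0), (1, "203.0.113.9", 950, 940),
    (2, "10.0.0.5", 10, 1), (2, "203.0.113.9", 970, 960),
]

def window_features(flows, window_s=3):
    """Streaming-style feature extraction: per-source packet rate (pkt/s) and
    SYN ratio over a window of `window_s` seconds."""
    pkts, syns = defaultdict(int), defaultdict(int)
    for _, src, packets, syn in flows:
        pkts[src] += packets
        syns[src] += syn
    return {src: (pkts[src] / window_s, syns[src] / max(pkts[src], 1)) for src in pkts}

def threshold_detector(features, pps_threshold=500, syn_ratio=0.8):
    """Stand-in for the trained classifier (assumed thresholds): one replica's verdict per source."""
    return {src: rate > pps_threshold and ratio > syn_ratio
            for src, (rate, ratio) in features.items()}

def consensus(votes_by_replica, quorum):
    """Raise an alert only when at least `quorum` replicas flagged the source, so a
    single faulty or compromised replica can neither add nor remove an alert on its own."""
    tally = Counter(src for votes in votes_by_replica
                    for src, flagged in votes.items() if flagged)
    return {src for src, n in tally.items() if n >= quorum}

def run_pipeline(flows=SAMPLE_FLOWS, replicas=3):
    """Extract features, collect verdicts from `replicas` detectors (one of them
    simulated as compromised and inverting every verdict), and apply majority consensus."""
    feats = window_features(flows)
    votes = [threshold_detector(feats) for _ in range(replicas - 1)]
    votes.append({src: not v for src, v in votes[0].items()})  # compromised replica
    return consensus(votes, quorum=replicas // 2 + 1)

if __name__ == "__main__":
    print(run_pipeline())  # {'203.0.113.9'}
```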
Thaqi et al. studied this question.