A Novel DDoS Attack Defending Framework with Minimized Bilateral Damages

Distributed Denial of Service (DDoS) attacks are among the most damaging threats to Internet-based applications. Many DDoS defense mechanisms unintentionally deny access to a portion of legitimate users by mistaking them for attackers, or simply do not block enough traffic to adequately protect the victim. Other, better-performing systems have yet to reach adoption because their designs require a substantial investment in the Internet infrastructure before offering much effectiveness. This paper proposes Heimdall, a novel traffic-verification framework that protects legitimate traffic from such bilateral damage. Based on a proof-of-work technique and the application of a distributed hash ID, our system not only protects established connections but also validates new initial requests for communication and opens valid channels between users and the protected server. Through intensive simulation experiments on the ns-2 network simulator, we verified that the Heimdall scheme can effectively protect legitimate communications and filter out malicious flows with very high accuracy.
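The abstract names a proof-of-work check on new connection requests as the way Heimdall admits traffic it has not yet seen. The following server-issued hash puzzle is an added illustration of that kind of check, not code from the paper: the server spends one hash to verify while the client spends roughly 2^k hashes to solve, and expired, malformed or replayed puzzles are rejected before any server state is allocated. The puzzle format, the difficulty and the TTL are assumptions, since the abstract does not specify them.

```python
import hashlib
import os
import time
from typing import Optional

DIFFICULTY_BITS = 16   # leading zero bits required of the puzzle hash (assumed value)
CHALLENGE_TTL = 30     # seconds a challenge stays valid (assumed value)

def issue_challenge(client_id: str, now: Optional[float] = None) -> bytes:
    """Server side: bind a fresh random nonce to the requesting client and a timestamp."""
    now = time.time() if now is None else now
    return f"{client_id}|{int(now)}|".encode() + os.urandom(8).hex().encode()

def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a big-endian digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def puzzle_digest(challenge: bytes, solution: int) -> bytes:
    """The hash both sides compute over the challenge and a candidate solution."""
    return hashlib.sha256(challenge + solution.to_bytes(8, "big")).digest()

def solve(challenge: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client side: brute-force a counter until the digest has `bits` leading zeros."""
    counter = 0
    while leading_zero_bits(puzzle_digest(challenge, counter)) < bits:
        counter += 1
    return counter

class PuzzleVerifier:
    """Server side: one hash per verification, plus freshness and replay checks."""
    def __init__(self, bits: int = DIFFICULTY_BITS, ttl: float = CHALLENGE_TTL):
        self.bits, self.ttl = bits, ttl
        self.seen = set()  # challenges already redeemed, so a solution cannot be replayed

    def verify(self, challenge: bytes, solution: int, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        try:
            _, issued, _ = challenge.split(b"|", 2)
            issued_at = int(issued)
        except ValueError:            # malformed challenge
            return False
        if now - issued_at > self.ttl or challenge in self.seen:
            return False              # expired, or already redeemed
        if leading_zero_bits(puzzle_digest(challenge, solution)) < self.bits:
            return False              # insufficient work
        self.seen.add(challenge)
        return True
```

A deployment would also bind the nonce to a server-side secret (for example an HMAC over client id and timestamp) so the server need not store outstanding challenges.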
