Traffic Redirection Attack Protection System (TRAPS)

Distributed Denial of Service (DDoS) attackers typically use spoofed IP addresses, both to avoid exposing their identities and to defeat easy filtering of attack traffic. This paper introduces a novel mitigation scheme, TRAPS, in which the victim verifies source address authenticity by reconfiguring itself so that its traffic is redirected, and informing only its high ongoing-traffic correspondents of the change. Spoofed sources are never informed and continue to use the old configuration to send packets, which can then be easily filtered off. Adaptive rate-limiting can be applied to the remaining traffic, which may consist of attack packets with randomly generated spoofed IP addresses. We compare our various approaches for achieving TRAPS functionality. The end-host approach is based on the standard Mobile IP protocol and requires no new protocols, no changes to Internet routers, and no prior characterization of traffic flows. It supports adaptive, real-time and automatic responses to DDoS attacks. Experiments are conducted to provide a proof of concept.
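The classification logic the abstract describes, as an added toy simulation that is not code from the paper: the victim counts traffic per source, moves to a new address and informs only heavy correspondents, then treats old-address packets from an informed source as spoofed, accepts new-address packets as authentic, and caps the unverified remainder. The addresses, the fixed residual budget (standing in for adaptive rate-limiting) and the notification threshold are assumptions for the demo.

```python
from collections import Counter

# Constructed addresses for the simulation (assumptions, not from the paper).
OLD_ADDR = "192.0.2.10"   # victim's original address (Mobile IP home address)
NEW_ADDR = "192.0.2.77"   # address the victim moves to (care-of address)

class TrapsFilter:
    """Toy model of TRAPS source-authenticity classification at the victim."""

    def __init__(self, notify_threshold, residual_budget):
        self.threshold = notify_threshold   # packets needed to count as a heavy correspondent
        self.budget = residual_budget       # aggregate cap on unverified old-address traffic
        self.counts = Counter()             # per-source packet counts before redirection
        self.notified = set()               # correspondents told about the new address
        self.redirected = False

    def redirect(self):
        """Victim reconfigures and informs only its high-traffic correspondents."""
        self.redirected = True
        self.notified = {s for s, n in self.counts.items() if n >= self.threshold}
        return self.notified

    def classify(self, src, dst):
        if not self.redirected:
            self.counts[src] += 1
            return "accept"
        if dst == NEW_ADDR:
            return "accept"        # sender learned the new address: source is authentic
        if src in self.notified:
            return "drop"          # informed source still using the old address: spoofed
        if self.budget > 0:        # unknown source on old address: possibly random spoof
            self.budget -= 1
            return "accept"
        return "rate_limited"

def run_demo():
    f = TrapsFilter(notify_threshold=3, residual_budget=2)
    # Phase 1: before redirection, genuine host A and an attacker spoofing B both look heavy.
    for _ in range(4):
        f.classify("198.51.100.5", OLD_ADDR)   # A, genuine correspondent
        f.classify("203.0.113.9", OLD_ADDR)    # B, address spoofed by the attacker
    informed = f.redirect()
    # Phase 2: A follows the redirection; the attacker keeps using B and random sources.
    results = Counter()
    results[f.classify("198.51.100.5", NEW_ADDR)] += 1
    for _ in range(3):
        results[f.classify("203.0.113.9", OLD_ADDR)] += 1
    for i in range(4):
        results[f.classify(f"203.0.113.{100 + i}", OLD_ADDR)] += 1
    return informed, dict(results)
```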
