Differential Packet Filtering Against DDoS Flood Attacks

We present a new packet filtering scheme that is traffic-aware, designed to defend against network worms and flood attacks. The scheme is intended to stop malicious hackers from orchestrating DDoS flooding attacks on any IP-based public network. All packets from each IP source are counted and timed over their life cycles; dedicated per-source IP counters and timers support the filtering decision. The approach mitigates flood attacks through adaptive filtering that provides differential quality of service to good and bad packets. We describe the implementation requirements of the scheme on network routers or firewalls. Using an example traffic mix and filter setting, we demonstrate the advantages of differential packet filtering: an improvement factor of 45% was achieved, compared with static routing that does not discriminate between good and bad packets.
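The mechanism the abstract describes, per-source counters and timers that classify packets as good or bad, followed by a link scheduler that gives the two classes different shares of the bandwidth, can be illustrated with a small simulation. The Python below is an added example, not the paper's code or its parameters: the sliding window, threshold, penalty period, link capacity, good-class share, the fluid (proportional-share) link model and the constructed traffic mix are all assumptions chosen for illustration. The "static" scheduler gives every arriving packet the same share of the link, as a FIFO would under overload; the "differential" scheduler reserves most of the link for good-class packets and hands unused capacity to whichever class still has a backlog.

```python
"""Differential packet filtering against a flood: a constructed simulation.

Per-source IP counters (packets seen in a sliding window) and timers (penalty
expiry) classify each arriving packet as 'good' or 'bad'.  A link of CAPACITY
packets per tick then serves the two classes either without discrimination
(static) or with a weighted share reserved for the good class (differential).
All parameters and the traffic mix are assumptions of this example, not values
taken from the paper.
"""
from collections import defaultdict, deque

WINDOW = 5        # ticks of per-source history kept (the counter's time window)
THRESHOLD = 10    # more than this many packets inside WINDOW flags a source
PENALTY = 20      # ticks a flagged source stays 'bad' after its last violation
CAPACITY = 4.0    # link capacity, packets per tick
GOOD_SHARE = 0.8  # fraction of CAPACITY reserved for good-class packets


class SourceTracker:
    """Per-source IP packet counters and penalty timers."""

    def __init__(self):
        self.history = defaultdict(deque)  # src -> arrival ticks inside WINDOW
        self.bad_until = {}                # src -> tick at which its penalty expires

    def observe(self, src, now):
        """Count a packet from src at tick `now` and return its class."""
        hist = self.history[src]
        hist.append(now)
        while hist and hist[0] <= now - WINDOW:  # expire arrivals outside the window
            hist.popleft()
        if len(hist) > THRESHOLD:                # rate violation: (re)start the timer
            self.bad_until[src] = now + PENALTY
        return "bad" if self.is_flagged(src, now) else "good"

    def is_flagged(self, src, now):
        return self.bad_until.get(src, -1) > now


def serve(good_n, bad_n, differential):
    """Fraction of good-class and bad-class arrivals delivered in one tick."""
    total = good_n + bad_n
    if total <= CAPACITY:
        return 1.0, 1.0
    if not differential:                         # static: equal share for every packet
        frac = CAPACITY / total
        return frac, frac
    good_used = min(good_n, GOOD_SHARE * CAPACITY)
    bad_used = min(bad_n, CAPACITY - GOOD_SHARE * CAPACITY)
    # work-conserving: capacity one class cannot use goes to the other
    good_used = min(good_n, good_used + (CAPACITY - good_used - bad_used))
    bad_used = min(bad_n, bad_used + (CAPACITY - good_used - bad_used))
    return (good_used / good_n if good_n else 1.0,
            bad_used / bad_n if bad_n else 1.0)


def constructed_traffic(ticks=200, attack_end=150):
    """Constructed traffic: {tick: [src, ...]}.  Five legitimate hosts each send
    one packet every five ticks (staggered, so one legitimate packet per tick);
    three attack hosts each send four packets per tick until attack_end."""
    legit = ["10.0.0.%d" % i for i in range(1, 6)]
    attackers = ["203.0.113.%d" % i for i in range(1, 4)]
    traffic = {}
    for t in range(ticks):
        pkts = []
        if t < attack_end:
            for a in attackers:
                pkts.extend([a] * 4)
        pkts.append(legit[t % 5])
        traffic[t] = pkts
    return traffic, set(legit), set(attackers)


def simulate(differential, traffic, legit):
    """Run the link model; return (legit delivered, attack delivered, tracker)."""
    tracker = SourceTracker()
    legit_delivered = attack_delivered = 0.0
    for t in sorted(traffic):
        classes = [(src, tracker.observe(src, t)) for src in traffic[t]]
        good_n = sum(1 for _, c in classes if c == "good")
        good_frac, bad_frac = serve(good_n, len(classes) - good_n, differential)
        for src, c in classes:
            share = good_frac if c == "good" else bad_frac
            if src in legit:
                legit_delivered += share
            else:
                attack_delivered += share
    return legit_delivered, attack_delivered, tracker


def improvement_factor(traffic, legit):
    """Relative gain in legitimate packets delivered, differential over static."""
    static, _, _ = simulate(False, traffic, legit)
    diff, _, _ = simulate(True, traffic, legit)
    return (diff - static) / static


if __name__ == "__main__":
    traffic, legit, attackers = constructed_traffic()
    s_legit, s_attack, _ = simulate(False, traffic, legit)
    d_legit, d_attack, tracker = simulate(True, traffic, legit)
    print("static      : legit %.1f  attack %.1f" % (s_legit, s_attack))
    print("differential: legit %.1f  attack %.1f" % (d_legit, d_attack))
    print("improvement factor: %.0f%%" % (100 * improvement_factor(traffic, legit)))
    print("flagged at tick 100:", sorted(a for a in attackers if tracker.is_flagged(a, 100)))
```

Two details worth noting in the run. The attackers are not flagged until their eleventh packet, so their first few ticks of traffic are served as good class either way; the differential scheduler only helps once the counters have crossed the threshold, which is why the window and threshold trade detection delay against false positives on bursty legitimate sources. After the flood stops at tick 150 the attackers stay flagged until their penalty timers expire, so a source that merely pauses does not immediately regain full service. The improvement factor printed here depends entirely on the constructed traffic and the assumed settings and is not the paper's 45% figure.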
